December 3, 2008

A Shout-out to Records Managers: Don’t forget the lecords and becords

by Cary J. Calderone, Esquire

No, this was not an attempt to increase my Blog’s page visit time by using a few strange typos in the title. Rather it is my well-intentioned plan to add some new words to our Electronic Discovery language. Records managers have been using the term RECORD for decades to separate a mere copy, draft or scribble from an important company document that needs special attention. The RECORD copy was subject to retention schedules and possibly higher security and archiving protocols as well. Non-RECORDS were largely considered unimportant. Two things have changed to make Record and Information Managers' (RIM) jobs a bit less fun.

Firstly, we have the introduction of the desktop computer as an office productivity tool and with it, email. RECORD and Non-RECORD distinctions simply do not work very well with email. For example, does an email that has a RECORD attached to it, or a copy of a RECORD attached to it, and may discuss the subject matter of the RECORD, get the same treatment under the Retention Schedule? Secondly, the lawyers got involved (do we ever make things any easier?) and have been directed by State Courts and the Federal Rules of Civil Procedure to work with Electronically Stored Information (“ESI”). To the Courts and the litigants what is important is not whether an email is a RECORD or non-RECORD but whether it might be a “business record” or “legal record.” If it falls in either of those two categories a company may need to preserve it as part of its reasonable computer record keeping practices. This is especially true when a particular industry is highly regulated or the company is preserving data pursuant to a Legal or Litigation Hold. Hence, I thought it was time for newly invented ESI Retention words to use because when legal discovery documents refer to “Records” they mean lecords (legal records) and becords (business records).

These new words work well with the modern rule that says anything that documents how a company makes business or legal decisions, i.e., lecords and becords, are determined by content and not whether they are a word document, an email message or an old fashioned piece of paper. They may even include telephone voicemail messages that are stored on a computer or PDA. Also, lecords and becords may include all copies that appear to be identical and previously would have been distinguished and separated from the RECORD copy but now need to be treated as potentially important evidence. Sometimes this is because of the content and the distribution list, but other times copies may be important because they contain hidden meta-data that reveals things like who opened or edited the document and when. The world of RIM was never designed to capture this type or volume of information. Even a separate log document to determine who checked out or edited a RECORD will not work nearly well enough.

Moreover, thinking about lecords and becords helps one to understand why an Instant Message, where one co-worker asks another co-worker out to lunch, might be important enough to keep. There is no RECORD category for seemingly innocent chit chat between co-workers. There is no Retention Schedule covering Instant Messages about lunch dates. However, if the message said, “want to get together for lunch to talk about why we might miss our quarterly numbers” it may certainly be considered a becord. Or, if it was the 4th IM from the same employee asking out another employee who complained to a supervisor about sexual harassment, then it would be a lecord. As a becord or lecord there could arguably be a duty to preserve these messages, even if according to the rules of RECORDS and non-RECORDS and the Retention Schedule, these messages do not merit special attention. By thinking about becords and lecords, a company can stay a little safer. I have used both these examples with Records managers to illustrate my point, and while they do not necessarily like the new perspective, and obligations it creates, it does make sense to them given our usage of email and IMs.

In my dealings with Records Managers, this has been a very difficult distinction to comprehend and appreciate. I understand their frustration and hope that the idea of RECORDS, lecords and becords may make their jobs easier. I want to keep Records Managers involved in the retention management process because there is nobody in a corporation who has more experience tagging and organizing information. True, the tagging and organizing processes have changed from paper to the new world of ESI, but I believe RIMs will be the most important part of the solution moving forward.

August 14, 2008

How to Modify a Form Data Retention Policy for Your Company's Use

By Cary J. Calderone, Esquire

Do you have a Records Retention Policy (“RRP”) form we can work from? Without question, this is the most frequent favor request from friends and associates and occasionally, even from relative strangers. So this article explains five steps to follow to take some other company’s form and make it your own without having to use an attorney, like myself, or a reputable document and management or eDiscovery consulting firm to assist you in the process.

1) Start by finding a form that might be a relatively good fit.
While RRPs all generally look similar and contain descriptions of computer content and timelines for retention, the ideal situation would be to have a form from someone in your industry that is about your size, with offices and products that cover the same legal jurisdictions. Also, they should have about the same technology as your company. Some may consider looking at forms used by a competitor.

2) If it is well written and thorough then you will need to make sure your other company documents that may overlap with or refer to information in this form, conform to it. Check your employee manuals, your technology, Email, Instant Messaging, PDA and cell phone policies to make sure they are consistent with the language of your new RRP. If not, you may need to acquire copies of those documents from the same source as the RRP. Also, be sure to replace the custodian names from the source document with the people from your company, who are likely to be called as witnesses and placed under oath to verify that the retention procedures are regularly followed. Be forewarned, some of your co-workers may feel uncomfortable with accepting this new responsibility.

3) Upper management needs to sign off on your new documents. The CEO, CFO, General Counsel and other high-ranking executives will be the ones who may face criminal penalties if the new policies do not pass muster in a court or audit proceeding, so get their signatures. Caution: they may not really want to know all the details of the source of the new RRP.

4) Now that you have your policy paperwork in order you need to make sure all the employees will understand and follow it. This may involve re-arranging your company’s current data file structure on the network and any current retention and records review habits, but it is a necessary step. It would also be preferable if you have the same archiving and backup procedures to match your form.

5) Warning Warning Warning. Now that you have saved money by modifying someone else’s forms all you need to do to complete the procedure is protect against the following missteps:
a) Your company’s software applications must work the way the source company’s do. So if your applications are less capable you will need to purchase upgrades, or if you have better software, you may need to disable some of the features to comply with your new RRP.
b) Check that your electronic storage also matches in capacity and security features, otherwise, follow the same routine as for software and upgrade or disable accordingly.
c) Make sure your business group leaders understand that any growth plans or upgrades may need to be delayed unless they match those of your source company.
d) Always a good idea to check your source company to find out if the form you have borrowed was successfully tested in court and did not lead to sanctions of a few million dollars.
e) If it was tested in court then verify that the source company is the source company and used best practices to develop their Policy. Otherwise, it may have been copied and adopted from a dubious source and not be all that great a starter form.
f) Lastly, make sure you do a very good job with search and replace for the source company and your company’s name because there is a good chance that this policy form contains confidential and privileged and/or trade secret information that may make it a crime for your company to have it in its possession. This would be especially bothersome if the form did come from one of your competitors.

In conclusion, my writing approach for this post was in honor of the late professor Dr. Randy Pausch whose YouTube video, The Last Lecture, made him a celebrity. In following with his style of teaching, did you catch the head-fake? This was not really a way for you to work off somebody else’s form but rather a list of real-world reasons why you should not even attempt it. Records Retention Policies and Legal Hold Policies are like fire escapes and exit procedures for emergency evacuations. They really need to meet the needs of your particular building, layout and people. This is simply not an area where cookie-cutter form documents will do the job very well, if at all.

August 1, 2008

Industry Blurb: Smart Move by Symantec

by Cary J. Calderone, Esquire

Symantec has made a very interesting move in creating a new Discovery Counsel position to work with the Enterprise Vault team. Annie Goranson, an attorney from their legal department, has been promoted to this position. She will work with the Systems Engineers and Enterprise Vault clients to help with system design and implementation. This is a bold strategic move in an effort to address the legal issues around email archiving that typical Systems Engineers and consultants cannot or may not handle. Her real-world e-discovery experience should help Symantec keep their people operating within the rules that prohibit non-lawyers from practicing law while providing clearer advice to the customers who want to use E-Vault to be better prepared. I would not be surprised to see other companies in the electronic information management space follow suit and utilize more knowledgeable legal personnel to avoid potential problems in this area. While we lawyers do deserve some of the criticism directed at us, sidestepping legal traps and distinguishing critical legal facts and issues is not usually handled best by sales people and systems engineers without extensive legal backgrounds. Score one for the lawyers!

July 21, 2008

Who Makes the Decision: Or, why I sometimes feel like Dr. Phil

By Cary J. Calderone, Esquire

Sometimes I miss just being “the lawyer.” Working as a pure lawyer, I outline the facts and the issues, the laws provide the foundation for my analysis and whenever possible, I explain the conclusions we may reach. And, with very few exceptions, that is that.

Largely, the lawyer is focused on the facts, the rules and precedent. There are certain requirements and frequently, there is little room for variance. In this rather new area of Document Retention and Electronic Discovery (“DRED” for short) this is changing.

More frequently the law around DRED has set forth guidelines of “reasonableness” and then, depending on the particular company structure, industry, and the current state of technology, there may be more than one approach that would bring about an acceptable level of risk for the desired legal compliance. With DRED consulting, I have to play the role of a consultant, which means I need to know and understand why things are the way they are on a technological and business level, before I can suggest a path for change. Good lawyers in this space recognize that they have to take on some of the tasks of consultants, even if we do not like it.

So who decides what is reasonable? In practice, a judge would want to see a set of policies that have been created by considering structure, industry, technology, and business needs. As I mentioned in “Best Practices for Managing Electronic Data: Chickens or Eggs,” whatever the policy, it needs to be followed and enforced company-wide for it to withstand legal scrutiny. So now instead of a lawyer dictating the rules, the consultant must elicit information from various department heads and members. Collaboration, which may be a common realm for Dr. Phil-led counseling, may not be with the newly enlisted stakeholders in corporate document management, and it is crucial.

Many books and articles that describe best practices for management consulting explain methods and available tools for collaborative creation. And while I believe that “negotiated implementation,” a specific form of collaboration, brings about higher rates of adoption, i.e., success, too many consultants, management gurus, and how-to books fail to adequately examine and/or describe the people at the table. Let me explain. The best example I have came from a Business School professor, Dr. Terri Griffith (one who focuses on negotiated implementation). She presented an exercise to her class where they were divided into teams and each team was to work together to create a jungle survival plan. Everyone felt they needed to contribute and share their opinions or collaborate. However, in one group, no one asked about the experience and background of their members. It turns out, one student was a Navy SEAL with survival training expertise and the rest of the group members had absolutely no real-world experience in wilderness survival and quite possibly had never even been camping. So, why did everyone need to share their opinions equally in this collaborative exercise?

In the world of document management, we have a minimum of two worlds colliding, and frequently 3 or more. Authors Randolph A. Kahn and Barclay Blair describe 4 quadrants in their highly regarded book Information Nation. We have legal and IT and depending on the size of the organization and the particular industry, perhaps compliance and records management departments. Regardless of the number of people at the table, when it comes to designing a company-wide policy there will be no initial consensus on even the basic policy terms. For example, “Dr. Phil, how long should we keep email?” Legal might say 3 months is plenty of time if it is not something that needs to be retained according to a Records Retention Schedule. Knowledge managers would like to keep good stuff for many years, if not forever. Most others will have ideas somewhere in between those two extremes.

For negotiated implementation to work best, I believe we need to know the “whys” and realistic limitations of any policy. The “whys” are important because when people know “why” it makes it easier for them to remember and because they can see that their and the organization’s needs have been considered they are more likely to adhere to the policy. Somebody who has made a valid suggestion for improvement feels better knowing it was not adopted because the technology was not able to accomplish it or it was cost-prohibitive, as opposed to feeling like their idea was not seriously considered.

There are many advantages to collaboration, but it may not be necessary or even advisable if you have the document management version of a Navy SEAL in your group. If you do, then the most efficient way to move forward is by starting with their best idea, understanding why it works, and fine-tuning it or not, with your group’s suggestions – these will be based on their needs so even by merely listening you are increasing their motivation for compliance. Dr. Phil might refer to this as “being heard.” It is still negotiated implementation but it is a shortcut to good results and will avoid protracted fruitless meetings and the need for someone to smooth over hurt feelings. We know that department heads who previously were separate and isolated must be involved and sign off on this process, sometimes because the law actually requires it. We know these participants may not have previously worked together or get along very well. So if we can get good results quickly, everyone will benefit by saving the company money and being able to get away from the document management negotiations table and back to their separate, primary job functions.

July 1, 2008

Last From Legal Tech West 2008-Keynote by Magistrate Judge Laporte

By Cary J. Calderone, Esquire

Judicial perspective on E-Discovery- by the Honorable Elizabeth D. Laporte, Magistrate Judge, U.S. District Court, Northern District of California

Judge Laporte addressed an audience that understood that in the last year about 100 billion gigabytes of business information was subject to compliance regulation. Emails, which included business and personal email, were now fodder for lawsuits and criminal indictments. So, the Judge noted, “litigation readiness is more important than ever.” She gave examples that explained when meta-data should probably be produced and examples of when native versus non-native formats might be necessary. My favorite observation the Judge shared was that, if you are going to claim you were surprised by this litigation matter, and that was why you did not have a litigation hold in place and any data that was destroyed or altered was purely accidental…you should not also try to make the argument that you should not be required to produce data because it is protected as attorney work product, prepared in anticipation of a legal matter. Scary that Judge Laporte believed she should remind the audience that while these were two legitimate points they should be raised separately. If argued together they become an oxymoron and cancel each other out. Perhaps all lawyers need the occasional reminder not to suspend logic and common sense when making multiple arguments in their efforts to aggressively and completely represent the interests of their litigation clients.

The Judge commented that the obligation for when a party must start to preserve evidence is when litigation is “reasonably anticipated” and that this was not a “bright line.” She also reminded the audience to review the Local Rules for each Federal District Court as they would likely contain important e-discovery information. For example, in the Northern District of California local rules require that parties at the Meet and Confer discuss whether voice mail needs to be preserved. She also quotes another Judge explaining that there will be no “drive-by” Meet and Confers and that real effort of all parties is expected to meet and resolve any discovery challenges. To accomplish this Judge Laporte recommends the parties be: 1) reasonable, 2) candid, and 3) credible, in their e-discovery efforts. For the Meet and Confer she pressed for lawyers to know enough to make accurate representations to the court and have alternatives for collection of discoverable materials. This can involve the in-house IT personnel, outside experts and the in-house General Counsel and sometimes the outside lawyers will bring outside IT experts to the Meet and Confer. There should be no uncertain terms and lead counsel must be acquainted with what they need to know, which includes what data is in your custody and control and what data is likely to be relevant. Furthermore, you must be willing to make mid-course corrections and adjustments to the legal hold as the case unfolds. Otherwise, she believes Courts will continue to use sanctions to keep the litigants “honest and trying to do their best.” Although I had not visited Judge Laporte’s courtroom while researching my “Federal Court for Discovery? Be a Boy Scout!” article, I am happy to note that doing so would not have altered the conclusions I reached and most likely would have bolstered my arguments for litigants to “be prepared.”

More Legal Tech West 2008

By Cary J. Calderone

Data Privacy Issues for Multinational Corporations. Or, what kind of food do they serve at your jail?

Data compliance in the USA and EU is an important and evolving area of document retention and electronic discovery law. One of my first research projects involving electronic data was for a company looking to pro-actively set and maintain good e-document retention policies and plans for their multi-national company which included a publicly traded US Corporation. On the one hand, we have Sarbanes-Oxley requirements for managing corporate computer data that contains content and processes of a company’s financial record keeping and technology systems. On the other hand, we have European Union privacy-protection rules prohibiting even the collection and review of emails which contain personal information.


So I raised my hand and asked a question. The very informed panel, which included Amor Esteban, Partner, Shook Hardy & Bacon LLP, Mark Smith, Senior Associate, Winston & Strawn LLP, Tom Hopkinson, Director, Forensic Technology, KPMG Europe LLP and Moderator, Omid Yazdi, Managing Director, Forensic, KPMG LLP explained part of the reason for this divergence was due to the history of European countries and their experiences with Totalitarian governments. They commented that I raised a good question, even though I added my tongue-in-cheek observation to advise General Counsel to pick the countries with the harshest jails, and follow their rules first. I expected they would laugh and then propose a valid work-around. They sort of agreed that it was virtually impossible to be totally compliant with the letter of the law in the EU and US in the area of email retention. One noted that recently a French lawyer was criminally charged for violating French Blocking statutes and faced jail time for working with US lawyers to produce materials in a way that violated French law. So apparently considering the jails and penalties is a valid approach to setting a Multi-National electronic document policy. Yikes!

June 30, 2008

More from Legal Tech West 2008

by Cary J. Calderone, Esquire

1) Best Practices for Email Retention and eDiscovery Seminar sponsored by Mimosa Systems, Inc.
2) Index Engines Inc.-Technology can change the law.


June 26, 2008

Legal Tech West

by Cary Calderone, Esquire

Electronic discovery, electronic document and email management, strategies and technology are all hot topics of discussion at Legal Tech West Coast 2008 in Los Angeles. More reports will be posted but for starters, it was most enjoyable to hear the keynote delivered by Charles A. James, Vice President and General Counsel, Chevron Corporation. He openly described the trials and tribulations his department experienced while successfully growing Chevron's award-winning legal technology systems. He humbly noted that he had been overly seduced by the idea of automation while under-estimating the value of change management to lead to successful implementations. He even described that now they are reaping other rewards like being able to use data collected from their web, litigation management, and direct payment systems to streamline and focus their resources in cost-effective and efficient ways. If industry vendors listen to his advice and address his "Three Vendor Gripes" every worker in a corporate legal department around the country will be happier. Gripe number 1 ("G1") is that vendors are overselling the practical, compatible and functional capabilities of their products. This can lead to delusions of "automated" systems that replace the people in the process but in reality, Mr. James teaches that people need to work with the technology to have the best results. For G2 Mr. James paraphrased Rodney King's famous plea, "Can't we all just get along." Phrases like "complete solution," "enterprise" and "seamlessly" should be banned from all sales literature until the multitudes of products that are advertised as "open" and touted as part of "inter-operable solutions" do, in fact, work together in more than a limited and concocted fashion. My personal experience in the world of "enterprise solutions" had me nodding my head in agreement with Mr. James, along with many other members of the audience. For G3 a challenge was proposed that there would no longer be a need for e-discovery for lawsuits, Attorney General actions and other legal and criminal inquiries because compliance rules would be logical and specific, and technology would serve to illuminate electronic data to the point where people in corporations would simply do their jobs while staying fully compliant. In other words, there would be no need for e-discovery if technology worked pro-actively with automatic audits and controls for content and process. One of my favorite sayings is appropriate here: if you are going to dream, dream big. I hope your wish is granted soon Mr. James.

May 16, 2008

Best Practices for Managing Electronic Data: Chickens and Eggs

Policies first then procedures or procedures then policies: Or, what comes first -- the chicken or the egg of document retention?

By Cary J. Calderone, Esquire

“Should we create our policies or our technology procedures first?” This is a question I am asked frequently by data consultants, lawyers, and IT people. At first I believed the question was a sign that people were looking to shift responsibility for document retention management away from themselves and onto someone else. (Who could blame them given all the new regulations and rules now in effect? See FRCP Changes) While shifting responsibility is a valid real-world motivation, in reality, the question itself raises good issues to consider by anybody considering implementing or updating an electronically stored data retention policy. Like many good questions, the answer is not a simple one.

My general rule would be to create a good policy according to your legal and compliance requirements and then coordinate personnel and technology to support that policy. This would put the burden on Legal and/or Compliance to set the policy and then IT to deliver it. However, by “good” policy I mean something that should take into consideration the capabilities of the current hardware, software, and usage. Too many times in my early technology consulting days I would be retained to find and recommend a software program that could do XYZ and I would research the client’s existing applications and discover they already had programs with the ability to do XYZ, or something extremely close to it. However, nobody knew enough about their own applications to work towards the desired result. So, I saved them some good chunks of money and everyone would conclude that I had brought value-added service to the gig.

Given that background, setting policies without looking at current systems, usage, and the reasons behind them is not a prudent practice. One could argue that Google provides a good example of one end of the spectrum. Their overriding company policy is “don’t be evil.” It follows that every action by every employee would be in an effort to support that policy. Sure must be nice for an attorney to represent a client with that honorable and well-published policy in place…makes for a great opening argument in any case or hearing. On the other hand, what might be an acceptable policy for your current “technology” (or lack thereof) may not fit well with your company’s plans for growth and innovation, and as I like to recommend, becoming a “lean, mean, litigation-ready fighting machine.” If the drivers behind policy are more related to operations, company image, security and other non-technology factors then you may indeed need to make an investment in new software and hardware and possibly personnel and training too in order to adequately support any re-aligned policies. And until the infrastructure is in place, changing your existing policies would not make sense, especially if they have already been approved, followed, and battle tested.

Furthermore, the ultimate goal is to manage your electronic data according to reasonable standards for your industry and under the legal requirements that govern it. The greatest sounding “policy” in the world will not help you if your practices and procedures do not support it or, at worst, conflict with it. If one policy statement says “X” and another policy describes, “Not X but Y” it will not withstand even a cursory legal challenge and therefore will have failed you in one of its basic functions. And, while I would not ever champion a mediocre policy, one that is strictly followed and supported would probably protect you more than a grandiose policy that is thrown out as a sham because it was not followed or was contradicted by other company documents and policies.

In conclusion, the answer to the question of what comes first is: it does not matter – and it does. Both Legal and IT, and other supporting departments will need to work together to make any policy legitimate. So, bringing both/all groups into the process early is the best and most prudent practice. Start by determining what your current policies are, where they are published, and why they were created. Then you can work to edit/modify/replace them with joint understanding of the likely overall costs and benefits.

April 30, 2008

Federal Court for Discovery? Be a Boy Scout!

By Cary J. Calderone, Esquire

During a recent lull between my legal business and document retention consulting, I visited my nearby Federal Court for an afternoon’s entertainment and to once again witness live the trench warfare litigants know as discovery disputes. I sat and observed a few discovery and case management hearings and in addition to being thoroughly entertained I found I had some very interesting things to report to those who would like to be prepared should litigation or a government hearing come their way.

Federal Court is still run as a dictatorship (notice I did not use the word benevolent as an adjective before dictatorship). For example, one judge explained that if there was a discovery dispute between the parties and the parties could not work it out themselves, he would allow them to file a joint letter no longer than 4 pages in length describing their respective arguments and then he would decide the outcome and which party would be sanctioned. I could not help but wonder what this judge might be like on a bad day after somebody perhaps submitted a 6 page letter to describe their dispute.

In another matter, lead counsel sent in a surrogate or “pinch-hitter-attorney” to take his place for the case management hearing. This resulted in a visibly irritated judge and an immediate issuance of an Order to Show Cause as to why that absent attorney should not be sanctioned. Ah, I remember what it felt like to appear in Federal Court…even as I quietly sat in the audience I started to feel a little of that old familiar stress in the pit of my stomach.

Much to my chagrin, I did not get to hear the arguments in a big discovery dispute over disclosing information about document retention policies and litigation hold practices because the parties were sent out like school children and told not to return to the judge until they could learn to get along and share their toys properly. In other words, when there were “issues” of contention presented by opposing parties, the judges immediately sent them off to “meet and confer” in the nearest available conference room. We are talking about seasoned, confident and high-priced attorneys getting ordered about and when they scurried out of the courtroom, one could not help but imagine that if they had tails, they would be drooped down between their legs like a family dog that had just been sternly reprimanded and sent off to the kennel.

If the end result of the hearing was that the Judge determined a follow-up hearing/conference was necessary, it was scheduled for 10 days out. Not a lot of time.

Now that you are more convinced than ever that you need to be prepared to head into litigation, I noticed one additional item that may serve you well when you undertake to map your company's electronically stored information. There is no set format required for this procedure. Some find it easier to work with word-processed documents. Others prefer to prepare spreadsheets and others might run a report from a database. After reviewing approximately 60 pages of the moving and response papers to see how these particular disputes concerning disclosure of retention and compliance policies would be argued I noted that they discussed transferring information between the parties via "spreadsheets." So apparently spreadsheets were the preferred format for this large case, and might serve you well if you are searching for a format for your own company's data map. Of course this does not mean you do not need to seek out your own local counsel to make sure they are happy with your format. After all, they are charged with the affirmative duty to become “familiar” with your computer systems so that they do not mislead the opposing party and the court when they propose discovery scope and methods.

Could There Be Even More Lessons?

The only hope for a party not entirely prepared to discuss the what, where, how much and the protection and collection of their discoverable material is that the other side is equally or, preferably, worse “not prepared.” Otherwise, if sanctions don’t immediately issue, Rule 30(b)(6) depositions will be scheduled expeditiously to find out specifically who knows where to look for discoverable material and how it is and will be protected from alteration and deletion. Although I did not witness a party getting sanctioned, sanctions were frequently mentioned. A recent study found sanctions and/or inappropriate discovery conduct in almost 25% of the cases in its survey sample. I don't need to run down a list of million dollar discovery sanctions here...a simple Google search of "million dollar discovery sanctions" will provide you with ample examples and words like "continuing trend" will often be found in the articles.

It also became apparent that companies contemplating their retention plans and policies need to understand better (especially if they have not previously spent time in Federal Court) that if you try to take an easy way out and present minimal information and hope for the best, there will be another high-priced lawyer or team of lawyers there to expose your efforts to the judge. And, if the judge is persuaded you have not taken your discovery obligations under the Federal Rules absolutely seriously, you will be in serious trouble. Federal judges were never known to have an abundance of patience. And now, the Federal Courts are extremely understaffed and at the point where one judge recently quit his post on the Federal bench to take a position with a state appellate court. I had the distinct feeling that the Judge relaying this story from the bench completely understood and related to the motivations of the defector. If you don’t believe this is an accurate observation please look at the size of the discovery sanctions being handed down (did you perform that Google search mentioned above?) and rethink your position. Defenses of negligence, oversight and malfunctioning technology have not saved litigants from multi-million dollar sanctions for mishandling their electronic discovery and those defenses will not work for you either. This is especially so now that every new headline-grabbing sanction reported makes it even more difficult for you to claim ignorance of the consequences.

Conclusion

As an attorney who appeared in Federal and State court many times to argue discovery motions, it was really fun to be able to listen and observe for an afternoon, and not have to think about making my own arguments on behalf of a client. It made me reflect about many companies I have worked with as legal counsel or as a consultant. Without question, some companies from my past would be prepared and would be easy to represent during discovery proceedings. Then there were those I would prefer to refer to other counsel rather than represent them in a crisis-reactive-mode to dig them out of an otherwise avoidable discovery mess. On balance, the most important lesson learned from my afternoon of observation to relay to you can best be described by the motto of the Boy Scouts of America, “be prepared.”

February 1, 2008

Instant Messages as Business Records

Instant Messages as Business Records-A Common Sense Approach to Instant Messaging and Electronic Document Retention Policies

By Cary J. Calderone, Esquire

January 7, 2008

The motivation for this article occurred a few weeks ago. I was sitting in the audience of a continuing legal education seminar on patent strategies. One topic that was of interest to me was a discussion of document retention policies and electronic discovery related to patents. A panelist, a senior attorney for a very large technology company, addressed email management as it related to litigation discovery. I raised my hand for clarification and asked, “When you say email, are you including instant messages in that definition or will you discuss them separately?” One of the most well regarded and experienced patent litigators in Europe, who was sitting nearby, leaned over and whispered to me, “excellent question!” The panelist, however, rolled his eyes and said quickly, “we just don’t believe IMs are business records and don’t treat them as such.” My jaw dropped. According to the most recent Federal Rules of Civil Procedure (“FRCP”), instant messages certainly can and should be considered ESI “electronically stored information.” (See, FRCP Rule 26(f).) What constitutes a “Business Record” is defined by its content as well as its form and industry business practices. Current email retention policies were developed because using email to conduct business became a standard operating procedure. Similarly, use of facsimiles to create binding legal agreements developed over time. Although IM is not yet at that level of acceptance, some industries (just talk to your friendly stockbroker) already specifically track and retain IM to remain compliant with SEC and other regulations. In fact, many email applications track or “journal” instant messages in the same manner as email and in the same in-boxes.

I approached the panelist at the lunch break. He recognized me and quickly said, “maybe I misspoke.” He claimed that his company had just set a policy to not conduct any business via IM so they would not have to worry about managing or retaining IM messages for compliance and litigation purposes. This raises an important question: Is banning or severely limiting IM usage the best way to avoid having to manage it for document retention and legal discovery purposes? I don’t think so and here’s why:

IM is becoming more prevalent in research and development, marketing, sales and customer service. In fact, there are those who would argue vehemently that IM is becoming the most important business productivity tool within corporate enterprises. Perhaps you do not believe that IM is important to your organization. Here is a quick test. Have your legal department send an email to your department heads requesting comments on whether you should just discontinue or severely limit the use of all Instant Messaging applications on your corporate network given the complexity of the document retention and potential legal issues. A General Counsel I know did just that. Within 30 minutes responses indicated the regular use of 10 different IM applications, in addition to the company provided and managed application -- and that it would be very disruptive, if not impossible to prohibit IM use. These email responses were real eye openers. Her reply was, what if we just did not have an IM policy, and we let people use whatever they desired and just told them nothing was to be used for official business and nothing should be saved. (In essence treating IM chat sessions just like a phone call, and when you hang up from a phone conversation, there is no written record.) Not even considering that your IT director and other employees responsible for network security would likely want to quit their jobs rather than try to manage security for your new “open” (read exposed to viruses and security breaches) network, there is an overriding problem that IM deletion is not under the sole control of your organization. Trying to prohibit the use of IM to avoid having to manage IM does not work in the real world.

The use of 3rd party IMs through Yahoo, AOL, and Microsoft is a potential loophole to this type of IM policy because stopping their use is incredibly difficult (think about trying to control all applications on all network computers, laptops, smartphones, and PDAs) and data and journals for these IMs can also be stored on the 3rd party servers. This data can be brought in as evidence via a 3rd party subpoena. Moreover, the other parties to the IM chat, whether a co-worker from your organization or someone outside your organization, can save the IM chat thread to their local hard drive. As one very experienced and technology adept litigator friend of mine likes to say about his cases, “If there is an IM out there, we will find it, and we will get it admitted into evidence.” (This highlights issues in my next article: the too often neglected practice of scrubbing or wiping server and local hard drives so computer forensics will not be able to easily “undelete” even properly deleted IM and other electronic data. Perhaps I should title it, “Don’t Worry About Monitoring Deleted Stuff -- The Easy Route to Losing a Lawsuit or Being Invited to Club Fed.”) Based on these issues, you will be best served by an IM policy that considers realistic corporate employee IM usage and a plan for effectively managing that policy.

So the question remains: can you implement an official IM policy where all IMs are deleted immediately and keep any IMs from becoming a part of your business records -- in effect treating them like a phone conversation that isn’t worth the paper it isn’t written on? Possibly. But here are some of the arguments against taking this approach.

Firstly, I like to refer to IMs as “Instant Emails.” This is because if you print out an IM thread, it looks pretty much just like an email thread. You can readily identify the parties, the subject matter, and the time of the messages. Pretty good to excellent foundation for having that IM or a printout of it submitted as evidence in a legal proceeding, especially when it contains critical evidence (an old trial lawyer taught me a valuable lesson for litigation: never lose sight of the forest for the trees -- Judges can really bend the rules in favor of just results). Do you think your lawyer wants to stand in front of a judge and argue that the IM thread in question, which contains critical evidence to your legal proceeding, is not admissible because it was created and kept against corporate policy? The answer is no. And as more and more of our younger attorneys come on board experienced with IM technology, and more and more judges understand the use of IMs in the workplace, this argument to exclude IMs as evidence is going to be more and more difficult to win.

Secondly, even if the content would not be considered critical, or a smoking gun, and appears only moderately negative to your case, you now have a problem because you have made it look more important than it is. If you have submitted that your policy is to immediately delete all IMs, and a printout of an IM thread is submitted based on the fact that one of your employees or a third party thought it might be important enough to warrant saving on their hard drive, it will appear like you have a sham policy which can no longer be trusted. The evidence looks more damning because you tried to delete it, and someone saved it in spite of your efforts to keep it from the trier of fact. You have now opened the door to opposing counsel or investigators making a motion to expand the scope of discovery to examine more of your electronic data in search of material reasonably likely to lead to the discovery of admissible evidence because your electronic data disclosure cannot be trusted.

It is not hard for counsel to raise this issue. One simple deposition or interrogatory will ask if the answering party knows of anyone who perhaps saves IMs or emails that are supposed to be deleted. When, under penalty of perjury, someone answers yes, the door is nudged open, and additional discovery will likely be ordered. Your usual arguments in defense of limiting expanded discovery (i.e. it is overly burdensome and too costly) could be outweighed and defeated when to the judge it looks like you have either negligently or intentionally failed to produce requested materials that you should have. In the discovery battle, or as attorneys sometimes refer to it, the war within the war, you are now in a weakened position.

Lastly, IM technology is progressing and converging towards a single ubiquitous user interface. It will become more common that a single application will handle all your email, IM, phone chat and perhaps even video chat based on a simple click of a mouse on a tab on your computer screen. So eventually your counsel might be forced to argue, “well your honor, we agree that if this employee had been having an email thread, this information would be readily admissible and we would have needed to save and produce it to the other side, but because our employee had selected the IM chat button instead of the email button, this information is not admissible.” Good luck with that argument!

Now that you better understand why you need an IM policy, even if it is to strictly limit its usage, and can recognize the many pitfalls in implementing a sound policy, I will leave you with one last bit of free and non-legal-relationship-forming advice. It is true that IMs are more difficult to manage due to the variety of 3rd party IM applications, and the lack of management software designed to handle all the different options, but there are tools available that can help with this. The important thing to keep in mind is that in order for any good electronic document plan to be effective and provide your best protection, it must be created with attention to documentation, the people responsible for maintaining it, the technology tools you will use, and your schedule to review and test your plan on a regular basis. Is this the best approach for managing IMs? Yes. On balance, even if the standards for your document retention plan are not specifically covered by the SEC, HIPAA, Sarbanes-Oxley or other industry-specific regulations they will still be controlled by FRCP Rule 26(f) and general state or local discovery and evidentiary rules. These frequently include balancing tests based on standards of reasonableness. Therefore, as the technology to manage IM and the rest of your electronically stored information becomes easier, faster, cheaper, and more readily adopted, it will be less reasonable and more potentially dangerous for you not to manage it in a similar fashion. The last bit of good news is that your competitors, and potential litigation adversaries, will face this same burden.

January 16, 2008

Welcome to my blog.

Company electronic data management has changed dramatically. As companies adopted technology to move from paper documents to electronic data stored on company servers, the main concerns were safekeeping their data and growing and managing their electronic "knowledge." Now, they must actively monitor their electronic data so they will be able to comply with government regulations and the Federal Rules of Civil Procedure. Information techies used to worry about guaranteed uptime and having plenty of space to store years and years worth of emails and memos. Now, legal is making them delete the excesses as soon as practical, and lawful, so in the event they have to, they can cost-effectively search and retrieve relevant material. This blog is going to examine how the IT, legal, and other departments can work together in this new world of electronic information management.