Showing posts with label Best Practices Document Retention. Show all posts

July 7, 2014

Skip Records Management and Start Governing Your Information

Are Your Information Governance  Policies Still Based On This?
2014 © Cary J. Calderone

Since 2007, in spite of my best efforts, I have watched as organizations lost control of their electronic data and struggled to implement classification systems and other good information governance protocols. And yet, it might not be entirely their fault.  I routinely see advertisements from "expert" consulting groups that offer a “solution” for records and information management based on the ancient approach of retention policies and schedules. This is like having a modern steel and glass building and hiring a carpenter with wood and nails to help you expand. The usual advice starts with “the foundation” that includes a records plan or policy and then attempts to expand it to cover electronically stored information (ESI).   Why?  Is it because existing records programs have been performing so well?  I doubt it.  Ask employees at most organizations about the adequacy of their current records policy and you will receive the same response, “what records policy?”   So, if it really was not working for paper, why would consultants suggest that you just update it to handle ESI? Classification and retention programs that achieved barely adequate to horrendous results historically with paper, are not going to work with your expanding email, instant messaging, social media, and new media applications.    How about an approach that will work? 

March 21, 2014

The Exchange-Still Very Good

by Cary J. Calderone, Esq.

Even without Browning Marean moderating (best wishes for a speedy recovery to Browning) the Exchange stayed fun and interesting.  In the years that I have attended, I have noticed that eliciting audience participation has become easier for the moderators.  The audience chimes in faster, and with more real-world examples and issues.  It is obvious that the attendees appreciate the roundtable and open discussion format as much as I do. 

March 13, 2014

Review of Data Crush-Sometimes You Can Judge A Book By Its Title

By Cary J. Calderone, Esq.

My quick summary of the book:  Either crush, or be crushed.  The amount of data is growing faster than ever.  Data Crush by Chris Surdak explains why this is happening and provides a roadmap for keeping your business on the right side of the tidal wave of data.   A key observation Surdak shares is that:

The Internet used to be a tool for telling your customers about your business. Now its real value lies in what it tells you about them.

 In other words, you either take advantage of new technology and new data, or, your competitors will, and you may be out of business.  

January 12, 2014

I Was So Wrong-My Review Of "The Plugged-In Manager"

by Cary J. Calderone, Esq.

It is difficult for anybody to admit they were wrong.  Perhaps even more so for an attorney skilled at arguing to the contrary, but I have to admit it now because the more I learn, the more I realize just how wrong I was.  Flash back to the year 2000, when I was becoming friends with author Dr. Terri L. Griffith.  She explained that the focus of her work was around "Organizational Behavior" and "Virtual Teams."   She even described it as arguably the most critical part of the MBA curriculum.  Are you rolling your eyes?  I know I sure did.  She went on to say that while in school, MBA students believe Finance and other core subjects are the most important.  However, once they graduate and have been out in the workforce for a few years, their opinions change.  Then, OB and VT courses have the highest priority and are the first they take when they return for Executive Education.  Apparently, the MBA students were initially wrong too.  As I read her book, I could not help but reflect on my past seven years of record and information management counseling and just how much more my "organizational behavior" skills and knowledge  outweighed my legal skills when it came to getting results.  


April 30, 2012

ARMA Tri-Chapter Conference-RIM On A Shoestring

I had the pleasure of stopping by the ARMA Tri-Chapter Conference-RIM On A Shoestring, to see if there might be something blog-worthy.  Last year, I spoke on a panel.  In fair turnabout, I was in the audience for the talk given by R. Scott Murchison of Kaizen InfoSource LLC.  Scott has called on me to speak numerous times in the past, and after watching him present, I understand exactly why.  We both are hands-on experienced professionals who like to share practical tips we have learned from doing work for clients.  This is a direct contradiction to those on the other end of the spectrum, who call themselves, "thought leaders."  If you were looking for high lofty thoughts (think SNL Deep Thoughts), that may not apply at all to your real world Data Rules and Electronic Discovery challenges, then this talk was not for you.  If however, you appreciate real examples of issues and solutions, then you would have been paying attention and taking notes.  I thought it was definitely worthy of a blog post.

October 6, 2011

"ISSA: Emails Prove Holder Knew" and Other DRED Headlines

Sometimes a headline can be a DRED story in and of itself. Today, while browsing the internet, I saw a headline that said "Issa: Emails Prove Holder Told About Fast And Furious." I could not help noticing how frequently we see those two words, emails and prove, together in a headline. Googling "emails prove" came up with 45,900 results. The list included story headlines with names like Eric Holder, President Obama, Sarah Palin, Mark Zuckerberg and British Petroleum-and that was just on the first page of results. Do you still think it is acceptable to treat your email as non-records, non-information, and, nonchalantly?

October 26, 2010

Who are you talking to? You talking to me?

by Cary J. Calderone, Esquire

Here comes a little rant.  I try to be nice, really I do.  But it is very frustrating when my energy and efforts to help a client are thwarted or, challenged by more aggressive and "less informed" consultants and sales representatives posing as consultants.  Attorneys, sales reps and consultants usually have different education backgrounds, different experiences, and different motivations.  So I wanted to devote this blog post to summarize and distinguish these three professionals who may be employed to assist you with your DRED project. 

First, there is the sales representative who makes some or all of their salary by making a sale.  They have to get you to say "yes" to their product or service in order to earn their commission.  Accordingly, they are not the most motivated when it comes to telling you how their product might fail you or how over-simplified their "form data retention policy" might be.  Most seasoned customers recognize the motivation of the nice and helpful sales rep and view their information as potentially inaccurate. 

Next there is the consultant, (and not one that is really tied to a specific product which makes them a sales rep disguised as a consultant) offering you "best practices." The consultant needs to make you happy with the service and/or product they select so getting you to say "yes," is not always enough.  If it doesn't work out as advertised, you probably will not want to pay for it.  So, where a sales rep might proclaim a product definitely can handle your needs, the experienced consultant will hedge a bit, to avoid possible fallout later on.  I get quite a few questions from "consultants" asking me to explain some point of law to them so they can explain it to their client. I typically do not help them.  It is their intention to take complex legal points and simplify them because, "that is what their clients like." Needless to say, simple is not accurate and frequently will cause their client more harm than good.  A little information truly can be a dangerous thing.

Lastly, there is the attorney (cue dramatic background music). The attorney is risk-averse and picky about simple statements of the law. We learn that words have meaning and appreciate that even when sales reps and consultants use our words or case law appropriately, they often find a way to mess up the scope or analysis of the legal principle. While attorneys are often derided for making the simple seem complex, in our defense, frequently things that appear simple, are simply not. And, when it comes to your legal obligations, we attorneys are the ultimate and best source to evaluate your legal hold, data retention and eDiscovery policies and procedures. Most good sales reps and consultants agree with this, even if they occasionally forget it while they try to "help" their client.

So, who are you talking to?   When it comes to legal points, I hope it is your very wise and well-informed attorney. Can you hear me now?

May 6, 2010

IQPC Judges Panel on eDiscovery

by Cary J. Calderone, Esquire



Readers of this blog know that I am always happy when we have the opportunity to learn about DRED issues directly from judges.  I had the privilege of attending the Judges Panel on eDiscovery at the IQPC eDiscovery Conference in San Francisco.  This was a very worthwhile session and attendees learned some great insights about the "Real World" of eDiscovery that occurs in actual court cases.  And, by actual court cases, I mean the majority of cases you will probably never read about because they do not involve extreme examples of eDiscovery misconduct and multi-million dollar sanctions.  Hopefully, these are the cases that your legal matter will most closely resemble.  Moderated by Craig Carpenter, V.P. and General Counsel, Recommind, Inc., U.S. Magistrate Judge Robert B. Collings, District of Massachusetts, and U.S. Magistrate Judge Elizabeth D. Laporte, Northern District of California, provided updates to the law.  I am happy to report that in the 3-plus years since I have been working almost exclusively with eDiscovery issues, there has been evolution and progress, and there are now better guidelines to help keep your business or department DRED-ready.


Some of Judge Collings' recommendations included:

  • Reading the article by Judge Facciola-Federal Courts Law Review on privilege review
  • Urging counsel to get a court order with respect to a Section 502 waiver
  • Whittle eDiscovery down to the issues you actually have in dispute
  • As an Observer to the Sedona Judicial Working Group-Courts are looking for more cooperation between counsel and less adversarial posturing during the Meet and Confer process
  • Parties need to be more transparent about what, how, and where their data is located
  • Don't take expensive 30(b)6 depositions unless necessary
  • Bring your IT experts to the Meet and Confers
  • A reasonable proposal and approach will get the Judge's support
  • Settling cases for purely economic reasons has always occurred -eDiscovery is exacerbating this

Judge Laporte also provided some important insights:

  • There is a wide range of parties and sophistication-She has given attorneys eDiscovery homework
  • Lawyers who typically do not deal with eDiscovery now have to learn it
  • Client is responsible for getting it right-Courts look to see who is really engaged in the wrong-doing (citing Qualcomm case where the court found no bad faith on the part of outside counsel)
  • Standard is what is reasonable at the time
  • If you agree with opposing counsel as to procedures, and reduce it to writing, you should be safe from sanctions
  • Get a section 502 claw-back provision embodied in a court order
  • Sanction cases-Repeated misrepresentations and a failure to be careful cause most of the sanctions, regardless of the provision the Judge may cite as authority for imposing sanctions.
The best practice comments were interrupted when Wayne C. Matus,  Partner, Pillsbury Law Firm, asked a question from the audience that caused a noticeable "pause for reflection" by the Judges before they could answer.  He asked if there was ever a situation where the standard for Legal Holds was going to be always on hold?  He gave the hypothetical of a construction company that knows there will always be litigation with a certain size development project, so from the beginning, they can "reasonably anticipate litigation."  After giving it some thought the Judges, while not answering the hypothetical directly, did point to similar industries, like pharmaceuticals, and technology development, where future litigation is always a consideration.  Since I have advised clients in this area, I commented to Wayne afterward that it was almost an "unanswerable question" and jokingly asked if he had ever been banned from participating in Q&A with Judges Panels because he asked such tough questions?  The truth is, tough questions like that are the best part of these panel discussions.


Judge Collings clarified the role of inside versus outside counsel: "What is subject to legal review is the role of outside counsel."  He recognized that making money for the corporation and keeping money for the corporation (a penny saved is a penny earned) is a major goal of inside counsel, but noted they will run into problems if Legal Hold notices are not going to the correct custodians or they are not being issued on time.

Judge Laporte referred to the Pension Committee case to remind us that Circuits have different standards for issuing Legal Holds.  She also commented on Judge Shira Scheindlin's recent dicta about always issuing a written hold.  Judge Laporte observed that "when you have a small family or small business litigant, it could be a very different situation and standard.  On the other hand, why wouldn't you issue a Legal Hold?"

Patrick Oot, a well-known eDiscovery expert and Sedona Conference participant made an interesting point from the audience about wage and hour disputes and when you may not want to issue Legal Holds in the standard fashion but might choose to separate the Legal Hold policy from the class certification.

Great point from the Judges on reviewing your own Legal Hold procedures:  "Imagine if you have to explain what you are doing to the Judge later."  For example, even an email is now a written record of what you did to issue a Legal Hold and it creates a trail.  Discussing the Quan case and text messaging, there were conflicting views on what the company policy was.  The Judges recommended audits regarding private versus company usage.  Best practice, "Have a clear cut policy" and people need to know it!

I had what I like to call a "cringe moment" when Judge Collings mentioned that lawyers are going to have to learn about technology to adequately represent their clients in court. He mentioned the long tradition and ability of lawyers to be able to learn a great deal about a particular subject matter in order to prepare for trial. They can study and learn an amazing amount of information in order to explain the subject to a judge and jury. While judges are never "wrong," they are only "misinterpreted," my worry is that too many techno-deficient lawyers will believe they can learn the technology and its language in a few weeks. They cannot. To them, in addition to offering my expert services (shameless plug), I suggest a more appropriate analogy would be like trying to learn to speak French in a few weeks. In other words, learn what you can, but bring your expert interpreter along. Merci beaucoup...

February 25, 2010

Legal Tech 2010-Best Practices in Compliance and Email Management in the Cloud

by Cary J. Calderone, Esquire

The participants (listed at end) on this panel had many years of eDiscovery experience and came from a variety of backgrounds including legal, consulting and product vendor. This was like getting a "Quick Tips" guide to eDiscovery because they chose a conversational approach instead of doing a lecture and presentation. They started off first, by agreeing with Malcolm Gladwell's keynote comment, "we are in massive information overload." Then they got right at some important distinctions for the new language describing eDiscovery and, in some cases, updated the definitions for some of the old labels. For example, they talked about the "Cloud" and basic definitions, but the panel thought it was necessary to be more specific now and gave examples:
  1. Public cloud-3rd party provider
  2. Private cloud-you set it up yourself
  3. Storage Cloud-as opposed to applications
  4. Infrastructure-the network behind the Cloud

The driving force behind the use of the Cloud is that "head count is expensive."

Peter Lesser believed that private cloud is the safest way to store and use data because then users keep it off their laptops, etc.

The panel drilled down on Infrastructure and asked about variables like:
  • International considerations.
  • Where is the data really stored?
  • What about Virtualization?
  • Can you identify and distinguish between "primary" and "backup" data?

Tom Gelbmann commented that the de facto Policy might be just to keep everything forever.

They noted some of the really difficult questions. How are you going to apply your Retention Policy? Where is the data? For example, a Swiss based parent company with data kept in Arizona? Is it now subject to Arizona and US jurisdiction?

What happens when a broker-dealer uses Facebook but can't capture the Facebook data-that is a problem under the current rules. And, if Corporations think they are just going to shut these things down “they are delusional.” Between Twitter feeds and text messages etc., even with policies in place, they may be unenforceable. "Behavior does not change because you have a policy." This author would disagree. I believe that you can change some behavior with a well designed policy and training but agree that just having a policy, is seldom enough.

They claimed that without some sort of auto-classification tool, the management of the data is impossible due to the volume. They also recognized the sobering fact that it is much easier to get money budgeted for eDiscovery than it is for Retention. No arguments from me! Oil changes and routine maintenance seem to get quickly cut from budgets, but once the car breaks down, you have no choice but to call the tow truck and prepare for a big bill from the mechanic. Is your company being "proactive," with litigation preparedness, or, will they have to be "reactive" and pay for the blown engine when litigation erupts?

Tom Allman's Cloud checklist:
  • Can you suspend all auto deletion and move the data to an eDiscovery location?
  • What about meta-data?
  • Do you have backups to the cloud?
  • Neither Google nor Microsoft will implement legal holds. There is no Microsoft product to stop users from deleting a message. Journaling is the only option. Do you have it?
  • Does the Cloud help with cleanup of the digital landfill? Yes, it can.

Rosenthal and Lesser noted that the move to the Cloud has a positive effect in that it “Forces companies to engage in legacy retirement programs.”

Allman added one of his favorite funny-but-true tips: if you have backup tapes that are 25 years old, make sure when you sell a division, all the tapes go with it!

Weiss believed for many instances of email, you keep it 10 years then delete it, because access to it becomes more and more difficult.

Rosenthal added that legacy programs are linked to applications and clients. So how would you ever be able to sample, search and analyze the data?

They posed another great question: Can you determine the value of the data?
Lesser: Storage is getting cheaper every year but the cost of the people to organize it far outweighs the cost of storage.
Brian Weiss added that yes, storage is cheap, but retrieval is expensive. Moreover, to scale up to index large amounts of data is still very expensive.

The final thoughts or hopes were that in five years from now, there would be no applications stored locally on computers and there would be much better search tools.

We shall see!

Panel participants:
Tom Gelbmann, Managing Director, Gelbmann & Associates
Tom Y. Allman, Editor, The Sedona Principles
Peter Lesser, Director of Global Technology, Skadden, Arps, Slate, Meagher & Flom, LLP
John J. Rosenthal, Partner, Winston and Strawn, LLP
Barry Murphy, Principal, Murphy's Insights
Moderator:
Brian Weiss, VP eDiscovery and Information Governance, Autonomy


February 2, 2010

Legal Tech 2010 Begins-First Keynote

By Cary J. Calderone, Esquire

This is the first post from Legal Tech 2010 in New York. Russell Stalters delivered the first keynote entitled "Don't build your E-Discovery Program on a Digital Landfill." Mr. Stalters discussed some of the very real-world issues that occur when companies try to manage their data better.
More and more, companies realize their attorneys and IT professionals do not have the necessary skills to manage data from the other's perspective. They often lack an understanding of the technology, law or the business reasons and realities around information management. Mr. Stalters believes companies would be wise to create a new C level position specifically in charge of RIM. Others have commented that Discovery Counsel or Information Czar types of positions are critical to success but he insists that they be at the C Level to get the job done well. He claims that even CIO's have had a different focus than what is necessary to apply best practices to managing information company-wide. He gave a brief overview of the Greenfield approach and how it can be employed. In conclusion, he never mentions the word "easy" but he insists that a fully compliant and functioning system can be achieved.

July 31, 2009

New E-Discovery Rules in California: What does this mean for you?

by Cary J. Calderone, Esquire

With no fanfare our Governor, Arnold Schwarzenegger, signed into law AB 5, the California Electronic Discovery Act ("CEDA") (Full Text). The only surprise to those of us who practice in this area was that it did not get signed into law last year. Most believe it was delayed solely due to California's pressing budget problems. California is the home of Silicon Valley and the High Tech industry so the laws in our state typically lead the way when it comes to considering their effect on technology and business. In California email correspondence has been legally enforceable as a "written instrument" since the mid 1990s. It made no sense that one state after another, except California, was adopting rules to mirror the e-discovery rules contained in the Federal Rules of Civil Procedure and thereby, acknowledging that business disputes were now dominated by Electronically Stored Information ("ESI") such as email, word-processed documents and databases etc. These states recognized the importance of having specific discovery rules around ESI and yet, California did not. Now that California has acted what does this mean for your company when it operates in, or is subject to legal proceedings in state courts in California?

First, all those stubborn attorneys who used to tell me that they did not need to worry about Legal Hold Notices, Email Procedures and Record Retention Schedules, because they never were involved in Federal disputes, no longer have that weak excuse. It was a weak excuse because under the old California discovery rules, litigants and their lawyers were affirmatively charged with the duty to protect potentially discoverable materials. In most cases, destroying "evidence" can be charged separately as a crime. There was never any exclusion for emails and ESI and in fact, emails and ESI have been critical pieces of evidence in many criminal and civil matters for at least a decade.

Second, not only is that lame excuse gone, the California rule requires that attorneys from all sides of a litigation matter will need to "meet and confer" 30 days prior to the Case Management Conference. This means they will need to discuss ESI and what/how it will be preserved and exchanged during the discovery process for state legal matters, just like they already must do for Federal matters. Do you know how much ESI you have on your network and in other places you control? Do you know where it is? Can you search it? You should be able to answer a resounding "YES" to these questions. Otherwise, it means you may end up litigating from a weakened position.

Some commentators believe the CEDA modifies the Federal Rule around "inaccessibility" of data as it may be used to defend from producing materials in a litigation matter. I believe the CEDA merely does a better job of explaining the real world arguments that occur in front of the judge. Namely, the judge will ultimately decide whether or not the information is "reasonably accessible" on a case by case basis. Judges have never been fans of an attorney conducting a cost escalating "fishing" expedition during discovery, but if there is a likelihood that important information is only available in one location, there are very few circumstances when a judge will not want that information to be retrieved and searched. The idea is that "Justice" is about finding the truth, not about being able to hide the truth from the judge.

Now it pains me to admit this, but in some ways, if your company has procrastinated and delayed having an Assessment Report and updating its ESI policies and procedures, you have benefited in that the software programs and procedures for accomplishing these tasks are better now and, in some cases, even cheaper. The bad news is that you have at least 2 more years of data to organize, review and remediate. So the longer you wait, the more likely the process will become more difficult and more costly. Will your company be like so many others out there that waited until they got tagged by losing a legal matter or got sanctioned for mishandling ESI? Or, those that had to settle a matter because they could not find their evidence to prove their case, or, they could find it but it would be cost-prohibitive to produce it in a defensible manner? Or, will your company need to feel the sting of a hefty discovery sanction to be motivated to organize their ESI? In a prior post, I mentioned performing a Google search for "million dollar discovery sanctions." There are even more now than there were the last time I mentioned it!

June 12, 2009

Kermit was right: It’s not that easy, being green

by Cary J. Calderone, Esquire

At a recent ARMA Golden Gate chapter meeting presenters gave real-life accounts of two law firms that had taken on the challenge to become “Green Certified.” Even if you do not believe Al Gore’s reasoning for going Green and that “the debate is over,” going Green may serve an unintended but very useful purpose. It is one more justification for updating the document retention practices and policies in your organization.
One obvious and continuing hurdle to becoming document retention and electronic discovery (“Dred”) ready is the cost. IT, Legal, Compliance may need to make significant investments in new technology to better manage electronic data. Even if you have adequate hardware and software, employees may have to devote more time and effort to help the company achieve and maintain this goal. Even though it is less obvious, the work involved can be substantial and it may affect HR, IT, Legal, Compliance and every other department in your organization. Unless your company is currently operating with under-worked and under-utilized employees (LOL-very doubtful) the people in these departments already have full-time responsibilities and making the move towards Dred-ready means a lot of extra time involved in reviewing and updating retention schedules, policies and procedures. It would be nice to be able to dangle another reward carrot and justification for doing the work. Going Green can really help justify the cost and effort of this often arduous undertaking.

At this talk, I expected to learn of great new paperless approaches to records management but instead the “real-life” examples centered on trying to save paper by mandating duplex printing, while at the same time demanding that 100% consumer recyclable paper was being used. I was surprised to learn that this type of recycled paper can cost 3-4 times more than standard copy/printer paper. This conflicted with my stated purpose of using “greening” in connection with Dred to make it more compelling. However, from my perspective, pushing towards Dred compliance and avoiding most of the printing of electronic documents would make for a much “Greener” approach and avoids the issue of spending extra money for more expensive paper. I certainly can respect that law firms would have an awful lot of time, money and focus on paper, so firms in less paper dominated fields should find it easier to pursue Green Certification.

And, although I was hoping to learn about some new groundbreaking scanning technologies or other methods to avoid using paper, we all should recognize that paper will continue to fade away in importance as better electronic document and email management systems are adopted. These types of systems work pro-actively which is by far the best way to avoid the need to print and store information on paper. For example, the Federal Courts have used the Pacer system for electronic filing for a number of years. California law has recognized email is the equivalent of a “writing” since about 1998. California has been considering adopting rules similar to the Federal Rules of Civil Procedure demanding that Electronically Stored Information ("ESI") is exchanged to perform litigation discovery. These changes to the law, and the practices that are modified to comply with these changes to the law, will continue to reduce the need to focus much time and investment on scanning and other paper management technologies. The obvious flip-side to this is that file and email management and archiving will continue to grow in importance.

Since this blog is focused on Dred, I will not bore or disgust you with the helpful hints about recycling and composting office waste for achieving a rating of Green. It is always nice to avoid waste but in a word, yuck. And you thought keeping the company lunch area clean and odor-free was difficult before! Given the volume of articles written and the number of presentations scheduled at trade shows, one thing becomes certain; in this day and age going Green has become hip. In summary, I will close with more of the insightful and, as it turns out, prophetic lyrics sung by Kermit the Frog, “Green can be cool and friendly-like.” (For Kermit singing on YouTube.)

April 15, 2009

"Reasonable" is graded on a scale

by Cary J. Calderone, Esquire

The Silicon Valley chapter of ARMA International held an ITRIM (Trim your data) one-day conference recently and I was fortunate to attend the lunch panel discussion. The panel members, Grant Law, Esquire of Shook Hardy & Bacon, Nathan Walker, Senior Technical Marketing Engineer of NetApp Corporation, Lisa Ripley, CISSP, Electronic Discovery Manager of Sun Microsystems, Inc., and Greg Lipptez, Esquire of the Jones Day law firm, gave brief presentations covering many familiar data retention and electronic discovery ("DRED") themes: 1) You will get sued therefore having a Data Map that explains what you have and where you have it is critical. 2) Legal needs to be able to listen to IT and vice versa. 3) There is a constant struggle between lawyers who prefer to keep very little data and IT personnel who keep as much as possible. 4) Too many organizations have too many employees who are “surprised” to learn they actually have a record retention policy (and this is especially bad when their legal team learns of this fact during sworn testimony). And finally, 5) the law requiring what you need to keep, is not static, it changes. While it is nice to know that concepts that I have previously covered in this blog are out there being discussed and adopted by more data managers and professionals, I would almost have declined to write about the discussion but for one really great quote from Nathan Walker. Answering a question on "how best to avoid getting into trouble" with the production of Electronic Discovery for Meet and Confer conferences and motions to compel hearings, Nathan said: “The more you appear to know what you have and where you have it, the more your threshold for “reasonable” goes down.” This comment was cheered by the audience and maybe the best simple explanation for why Records and Information Managers, IT, Compliance and Legal departments need to make retention schedules, train people to follow them, and continually monitor them. To paraphrase the famous Billy Crystal character Nando, on Saturday Night Live, when it comes to electronic discovery, it is more important to appear to “look absolutely marvelous” than actually "feel absolutely marvelous." Bottom line-it is always best to know what you have and where you have it.

August 14, 2008

How to Modify a Form Data Retention Policy for Your Company's Use

By Cary J. Calderone, Esquire

Do you have a Records Retention Policy (“RRP”) form we can work from? Without question, this is the most frequent favor request from friends and associates and, occasionally, even from relative strangers. So this article explains five steps to follow to take some other company’s form and make it your own without having to use an attorney, like myself, or a reputable document and management or eDiscovery consulting firm to assist you in the process.

1) Start by finding a form that might be a relatively good fit.
While RRPs all generally look similar and contain descriptions of computer content and timelines for retention, the ideal situation would be to have a form from someone in your industry that is about your size, with offices and products that cover the same legal jurisdictions. Also, they should have about the same technology as your company. Some may consider looking at forms used by a competitor.

2) If it is well written and thorough then you will need to make sure your other company documents that may overlap with or refer to information in this form, conform to it. Check your employee manuals, your technology, Email, Instant Messaging, PDA and cell phone policies to make sure they are consistent with the language of your new RRP. If not, you may need to acquire copies of those documents from the same source as the RRP. Also, be sure to replace the custodian names from the source document with the people from your company, who are likely to be called as witnesses and placed under oath to verify that the retention procedures are regularly followed. Be forewarned, some of your co-workers may feel uncomfortable with accepting this new responsibility.

3) Upper management needs to sign off on your new documents. The CEO, CFO, General Counsel and other high-ranking executives will be the ones who may face criminal penalties if the new policies do not pass muster in a court or audit proceeding, so get their signatures. Caution: they may not really want to know all the details of the source of the new RRP.

4) Now that you have your policy paperwork in order you need to make sure all the employees will understand and follow it. This may involve re-arranging your company’s current data file structure on the network and any current retention and records review habits, but it is a necessary step. It would also be preferable if you have the same archiving and backup procedures to match your form.

5) Warning, Warning, Warning. Now that you have saved money by modifying someone else’s forms, all you need to do to complete the procedure is protect against the following missteps:

a) Your company’s software applications must work the way the source company’s do. So if your applications are less capable you will need to purchase upgrades, or if you have better software, you may need to disable some of the features to comply with your new RRP.

b) Check that your electronic storage also matches in capacity and security features; otherwise, follow the same routine as for software and upgrade or disable accordingly.

c) Make sure your business group leaders understand that any growth plans or upgrades may need to be delayed unless they match those of your source company.

d) Always a good idea to check your source company to find out if the form you have borrowed was successfully tested in court and did not lead to sanctions of a few million dollars.

e) If it was tested in court, then verify that the source company is the source company and used best practices to develop their Policy. Otherwise, it may have been copied and adopted from a dubious source and not be all that great a starter form.

f) Lastly, make sure you do a very good job with search and replace for the source company and your company’s name because there is a good chance that this policy form contains confidential and privileged and/or trade secret information that may make it a crime for your company to have it in its possession. This would be especially bothersome if the form did come from one of your competitors.

In conclusion, my writing approach for this post was in honor of the late professor Dr. Randy Pausch whose YouTube video, The Last Lecture, made him a celebrity. In following with his style of teaching, did you catch the head-fake? This was not really a way for you to work off somebody else’s form but rather a list of real-world reasons why you should not even attempt it. Records Retention Policies and Legal Hold Policies are like fire escapes and exit procedures for emergency evacuations. They really need to meet the needs of your particular building, layout and people. This is simply not an area where cookie-cutter form documents will do the job very well, if at all.

July 1, 2008

More Legal Tech West 2008

By Cary J. Calderone

Data Privacy Issues for Multinational Corporations. Or, what kind of food do they serve at your jail?

Data compliance in the USA and EU is an important and evolving area of document retention and electronic discovery law. One of my first research projects involving electronic data was for a company looking to pro-actively set and maintain good e-document retention policies and plans for their multi-national company which included a publicly traded US Corporation. On the one hand, we have Sarbanes-Oxley requirements for managing corporate computer data that contains content and processes of a company’s financial record keeping and technology systems. On the other hand, we have European Union privacy-protection rules prohibiting even the collection and review of emails which contain personal information.


So I raised my hand and asked a question. The very informed panel, which included Amor Esteban, Partner, Shook Hardy & Bacon LLP, Mark Smith, Senior Associate, Winston & Strawn LLP, Tom Hopkinson, Director, Forensic Technology, KPMG Europe LLP and Moderator, Omid Yazdi, Managing Director, Forensic, KPMG LLP explained part of the reason for this divergence was due to the history of European countries and their experiences with Totalitarian governments. They commented that I raised a good question, even though I added my tongue-in-cheek observation to advise General Counsel to pick the countries with the harshest jails, and follow their rules first. I expected they would laugh and then propose a valid work-around. They sort of agreed that it was virtually impossible to be totally compliant with the letter of the law in the EU and US in the area of email retention. One noted that recently a French lawyer was criminally charged for violating French Blocking statutes and faced jail time for working with US lawyers to produce materials in a way that violated French law. So apparently considering the jails and penalties is a valid approach to setting a Multi-National electronic document policy. Yikes!

May 16, 2008

Best Practices for Managing Electronic Data: Chickens and Eggs

Policies first then procedures or procedures then policies: Or, what comes first -- the chicken or the egg of document retention?

By Cary J. Calderone, Esquire

“Should we create our policies or our technology procedures first?” This is a question I am asked frequently by data consultants, lawyers, and IT people. At first I believed the question was a sign that people were looking to shift responsibility for document retention management away from themselves and onto someone else. (Who could blame them given all the new regulations and rules now in effect? See FRCP Changes) While shifting responsibility is a valid real-world motivation, in reality, the question itself raises good issues for anybody considering implementing or updating an electronically stored data retention policy. Like many good questions, the answer is not a simple one.

My general rule would be to create a good policy according to your legal and compliance requirements and then coordinate personnel and technology to support that policy. This would put the burden on Legal and/or Compliance to set the policy and then IT to deliver it. However, by “good” policy I mean something that should take into consideration the capabilities of the current hardware, software, and usage. Too many times in my early technology consulting days I would be retained to find and recommend a software program that could do XYZ and I would research the client’s existing applications and discover they already had programs with the ability to do XYZ, or something extremely close to it. However, nobody knew enough about their own applications to work towards the desired result. So, I saved them some good chunks of money and everyone would conclude that I had brought value-added service to the gig.

Given that background, setting policies without looking at current systems, usage, and the reasons behind them is not a prudent practice. One could argue that Google provides a good example of one end of the spectrum. Their overriding company policy is “don’t be evil.” It follows that every action by every employee would be in an effort to support that policy. Sure must be nice for an attorney to represent a client with that honorable and well-published policy in place…makes for a great opening argument in any case or hearing. On the other hand, what might be an acceptable policy for your current “technology” (or lack thereof) may not fit well with your company’s plans for growth and innovation, and as I like to recommend, becoming a “lean, mean, litigation-ready fighting machine.” If the drivers behind policy are more related to operations, company image, security and other non-technology factors then you may indeed need to make an investment in new software and hardware and possibly personnel and training too in order to adequately support any re-aligned policies. And until the infrastructure is in place, changing your existing policies would not make sense, especially if they have already been approved, followed, and battle tested.

Furthermore, the ultimate goal is to manage your electronic data according to reasonable standards for your industry and under the legal requirements that govern it. The greatest sounding “policy” in the world will not help you if your practices and procedures do not support it or, at worst, conflict with it. If one policy statement says “X” and another policy describes, “Not X but Y” it will not withstand even a cursory legal challenge and therefore will have failed you in one of its basic functions. And, while I would not ever champion a mediocre policy, one that is strictly followed and supported would probably protect you more than a grandiose policy that is thrown out as a sham because it was not followed or was contradicted by other company documents and policies.

In conclusion, the answer to the question of what comes first is: it does not matter, and it does. Legal, IT, and other supporting departments will all need to work together to make any policy legitimate. So, bringing both/all groups into the process early is the best and most prudent practice. Start by determining what your current policies are, where they are published, and why they were created. Then you can work to edit/modify/replace them with joint understanding of the likely overall costs and benefits.