Skip Records Management and Start Governing Your Information

Are Your Information Governance  Policies Still Based On This?

2014 © Cary J. Calderone

Since 2007, in spite of my best efforts, I have watched as organizations lost control of their electronic data and struggled to implement classification systems and other good information governance protocols. And yet, it might not be entirely their fault.  I routinely see advertisements from "expert" consulting groups that offer a “solution” for records and information management based on the ancient approach of retention policies and schedules. This is like having a modern steel and glass building and hiring a carpenter with wood and nails to help you expand. The usual advice starts with “the foundation” that includes a records plan or policy and then attempts to expand it to cover electronically stored information (ESI).   Why?  Is it because existing records programs have been performing so well?  I doubt it.  Ask employees at most organizations about the adequacy of their current records policy and you will receive the same response, “what records policy?”   So, if it really was not working for paper, why would consultants suggest that you just update it to handle ESI? Classification and retention programs that achieved barely adequate to horrendous results historically with paper, are not going to work with your expanding email, instant messaging, social media, and new media applications.    How about an approach that will work? 

Geek vs. Geek-What Do You Mean Backup?

© 2013 By Cary J. Calderone, Esquire

Geek vs. Geek

This is the first in a new series of blog posts that will illuminate the communication gap between Legal Geeks and Technology Geeks.  For these "Geek vs. Geek" posts, the basic assumptions will always be the same:  1) Both types of geeks, T-Geeks and L-Geeks, are pretty darn smart. 2)  Both know quite a bit about their own unique tasks, tools, and responsibilities.  3)  Both can be a bit defensive, if not downright surly, when they sense a challenge to their authority coming from a competing "Geekdom."  Now that we have the ground rules, the sample hypothetical for this post is about the company Backup or Disaster Recovery Policy.  Do you have one?  Do you think it is being followed?  Maybe.  Maybe not.

Review of Zubulake's e-Discovery

by Cary J. Calderone, Esq.

For the second time now, Laura A. Zubulake has really exceeded my expectations.  I wrote a piece about her keynote at the 2011 Carmel Valley e-Discovery Retreat (link) where she surprised me by sharing some of the details of her famous sexual discrimination lawsuit against UBS.  Her lawsuit lead to five powerful written opinions about email evidence and electronic discovery.  In her well-written book, Zubulake's e-Discovery-The Untold Story Of My Quest For Justice, she covers this material and more about her ups and downs during litigation from her unique perspective as the plaintiff.  What I enjoyed the most is that this is not a litigation story as typically portrayed in the movies or on television.  This is not litigation as it is taught in law school, covering just the black letter law and exceptions to the legal rules.  This is, as the commercial used to say, "as real as it gets."

New E-Discovery Rules in California: What does this mean for you?

by Cary J. Calderone, Esquire

With no fanfare our Governor, Arnold Schwarzenegger, signed into law AB 5, the California Electronic Discovery Act ("CEDA") (Full Text). The only surprise to those of us who practice in this area was that it did not get signed into law last year. Most believe it was delayed solely due to California's pressing budget problems. California is the home of Silicon Valley and the High Tech industry so the laws in our state typically lead the way when it comes to considering their effect on technology and business. In California email correspondence has been legally enforceable as a "written instrument" since the mid 1990s. It made no sense that one state after another, except California, was adopting rules to mirror the e-discovery rules contained in the Federal Rules of Civil Procedure and thereby, acknowledging that business disputes were now dominated by Electronically Stored Information ("ESI") such as email, word-processed documents and databases etc. These states recognized the importance of having specific discovery rules around ESI and yet, California did not. Now that California has acted what does this mean for your company when it operates in, or is subject to legal proceedings in state courts in California?

First, all those stubborn attorneys who used to tell me that they did not need to worry about Legal Hold Notices, Email Procedures and Record Retention Schedules, because they never were involved in Federal disputes, no longer have that weak excuse. It was a weak excuse because under the old California discovery rules, litigants and their lawyers were affirmatively charged with the duty to protect potentially discoverable materials. In most cases, destroying "evidence" can be charged separately as a crime. There was never any exclusion for emails and ESI and in fact, emails and ESI have been critical pieces of evidence in many criminal and civil matters for at least a decade.

Second, not only is that lame excuse gone, the California rule requires that attorneys from all sides of a litigation matter will need to "meet and confer" 30 days prior to the Case Management Conference. This means they will need to discuss ESI and what/how it will be preserved and exchanged during the discovery process for state legal matters, just like they already must do for Federal matters. Do you know how much ESI you have on your network and in other places you control? Do you know where it is? Can you search it? You should be able to answer a resounding "YES" to these questions. Otherwise, it means you may end up litigating from a weakened position.

Some commentators believe the CEDA modifies the Federal Rule around "inaccessibility" of data as it may be used to defend from producing materials in a litigation matter. I believe the CEDA merely does a better job of explaining the real world arguments that occur in front of the judge. Namely, the judge will ultimately decide whether or not the information is "reasonably accessible" on a case by case basis. Judges have never been fans of an attorney conducting a cost escalating "fishing" expedition during discovery, but if there is a likelihood that important information is only available in one location, there are very few circumstances when a judge will not want that information to be retrieved and searched. The idea is that "Justice" is about finding the truth, not about being able to hide the truth from the judge.

Now it pains me to admit this, but in some ways, if your company has procrastinated and delayed having an Assessment Report and updating its ESI policies and procedures, you have benefited in that the software programs and procedures for accomplishing these tasks are better now and, in some cases, even cheaper. The bad news is that you have at least 2 more years of data to organize, review and remediate. So the longer you wait, the more likely the process will become more difficult and more costly. Will your company be like so many others out there that waited until they got tagged by losing a legal matter or got sanctioned for mishandling ESI? Or, those that had to settle a matter because they could not find their evidence to prove their case, or, they could find it but it would be cost-prohibitive to produce it in a defensible manner? Or, will your company need to feel the sting of a hefty discovery sanction to be motivated to organize their ESI? In a prior post, I mentioned performing a Google search for "million dollar discovery sanctions." There are even more now than there were the last time I mentioned it!

How to Modify a Form Data Retention Policy for Your Company's Use

By Cary J. Calderone, Esquire

Do you have a Records Retention Policy (“RRP”) form we can work from? Without question, this is the most frequent favor request from friends and associates and occasionally, even from relative strangers. So this article explains five steps to follow to take some other company’s form and make it your own without having to use an attorney, like myself, or a reputable document and management or eDiscovery consulting firm to assist you in the process.

1) Start by finding a form that might be a relatively good fit. While RRPs all generally look similar and contain descriptions of computer content and timelines for retention, the ideal situation would be to have a form from someone in your industry that is about your size, with offices and products that cover the same legal jurisdictions. Also, they should have about the same technology as your company. Some may consider looking at forms used by a competitor.

2) If it is well written and thorough then you will need to make sure your other company documents that may overlap with or refer to information in this form, conform to it. Check your employee manuals, your technology, Email, Instant Messaging, PDA and cell phone policies to make sure they are consistent with the language of your new RRP. If not, you may need to acquire copies of those documents from the same source as the RRP. Also, be sure to replace the custodian names from the source document with the people from your company, who are likely to be called as witnesses and placed under oath to verify that the retention procedures are regularly followed. Be forewarned, some of your co-workers may feel uncomfortable with accepting this new responsibility.

3) Upper management needs to sign off on your new documents. The CEO, CFO, General Counsel and other high-ranking executives will be the ones who may face criminal penalties if the new policies do not pass muster in a court or audit proceeding-so get their signatures. Caution-they may not really want to know all the details of the source of the new RRP.

4) Now that you have your policy paperwork in order you need to make sure all the employees will understand and follow it. This may involve re-arranging your company’s current data file structure on the network and any current retention and records review habits, but it is a necessary step. It would also be preferable if you have the same archiving and backup procedures to match your form.

5) Warning Warning Warning. Now that you have saved money by modifying someone else’s forms all you need to do to complete the procedure is protect against the following missteps: a) Your company’s software applications must work the way the source company’s do. So if your applications are less capable you will need to purchase upgrades, or if you have better software, you may need to disable some of the features to comply with your new RRP. b) Check that your electronic storage also matches in capacity and security features, otherwise, follow the same routine as for software and upgrade or disable accordingly. c) Make sure your business group leaders understand that any growth plans or upgrades may need to be delayed unless they match those of your source company. d) Always a good idea to check your source company to find out if the form you have borrowed was successfully tested in court and did not lead to sanctions of a few million dollars. e) If it was tested in court than verify that the source company is the source company and used best practices to develop their Policy. Otherwise, it may have been copied and adopted from a dubious source and not be all that great a starter form. f) Lastly, make sure you do a very good job with search and replace for the source company and your company’s name because there is a good chance that this policy form contains confidential and privileged and/or trade secret information that may make it a crime for your company to have it in its possession. This would be especially bothersome if the form did come from one of your competitors.

In conclusion, my writing approach for this post was in honor of the late professor Dr. Randy Pausch who’s YouTube video, The Last Lecture, made him a celebrity. In following with his style of teaching, did you catch the head-fake? This was not really a way for you to work off somebody else’s form but rather a list of real-world reasons why you should not even attempt it. Records Retention Policies and Legal Hold Policies are like fire escapes and exit procedures for emergency evacuations. They really need to meet the needs of your particular building, layout and people. This is simply not an area where cookie-cutter form documents will do the job very well, if at all.