| |
|
|
Litigation
Support and Risk Management for Pretrial Discovery of Electronically
Stored Information
By John Ruhnka and John W. Bagby
MAY 2007 - Most
organizations are eventually involved in litigation, and the increasing
frequency of litigation often requires litigation support and careful
records management. Familiarity with electronic data discovery (EDD)
is necessary to conduct internal investigations, as well as to identify
and disclose electronically stored information (ESI) to litigation
opponents, regulators, or prosecutors. Many potential parties to
a lawsuit are not knowledgeable about electronic records management
(ERM) practices or their legal obligations when served with a discovery
request. Accountants often serve important roles in litigation support
and as expert witnesses. Indeed, Deloitte and KPMG are among the
top 10 EDD service providers (see the 2006 Socha-Gelbmann Electronic
Discovery Survey, www.sochaconsulting.com/2006surveyresults.htm).
Electronic
discovery is steadily increasing in importance. Several landmark
cases have dramatically illustrated the need for clearer, balanced
standards of EDD, and the federal judiciary recently revised the
Federal Rules of Civil Procedure (FRCP) to recognize the special
problems of electronic discovery. These rule revisions are likely
to reduce pretrial motion delays, require advance EDD planning,
clarify the forms of electronic records that are discoverable,
and balance the burdens among litigants. The following is an overview
of the variety of discoverable electronic records, the legal responsibilities
accompanying a litigation hold, and the strategies and costs of
EDD in litigation support and litigation risk management.
Discovery
of Electronically Stored Information
EDD is the
modern version of document production traditionally required of
all litigants during the pretrial discovery phase. Often, litigating
parties and government agencies do not possess enough evidence
to prove their cases. Civil litigants traditionally have the right
to request “documents” and “data compilations”
from opposing parties if relevant to the issues or their defense.
Subpoenas are used to access such materials in regulatory investigations
and criminal prosecutions.
Federal courts
can order opponents to produce potentially incriminating internal
files and communications. Most states also have parallel discovery
rules. The recent growth of EDD reflects how much modern business
and government activity is conducted electronically. Under various
estimates, 92% to 99% of all records and data are created and/or
stored electronically [see Stephen D. Whetstone and Michael S.
Simon, National Law Journal, July 17, 2006, at p. S1
(99%); Peter Lyman and Hal R. Varian, “How Much Information,”
Technical Report, School of Information Management, University
of California–Berkeley, 2000, reprinted in Wirtschafts
Politische Blatter, 48, Jahrgang 2001 (over 90%)].
Typically,
requesters first query about various repositories of ESI and print
documents by serving “interrogatories,” questions
that opposing parties must answer. Interrogatories can compel
important facts about ESI, such as its existence, its custodians’
identity, its form, and its various locations. It is difficult
to exhaustively inventory portable storage devices like personal
data assistants (PDA), laptop computers, cellphones, iPods, and
flash memory devices. The new FRCP removes any question that all
such ESI is discoverable and subpoenable, just like other business
records. ESI includes both the content and metadata of word-processed
documents, spreadsheets, e-mail, e-mail attachments, instant messages,
voice-over-Internet protocol (VOIP), information on PDAs and BlackBerries,
reports, correspondence, memos, text files, PowerPoint presentations,
digital photos, graphs, and any other data that are created or
stored on a computer or computer network or other electronic storage
media.
Any ESI,
documents, files, or records are discoverable if they are plausibly
relevant to issues in upcoming litigation or the subject of a
governmental investigation. A primary target of electronic data
discovery is often e-mail on the organization’s servers,
because of its central role in organizational communications.
Also potentially discoverable are employees’ personal e-mail
residing with third-party Internet service providers (ISP), cellphone
data, PC/laptop storage (hard drives, optical disks), and other
personal storage media such as digital camera memory sticks. Voicemail
messages and other call records are also discoverable. Even archives
of websites and webpages that have been taken down are often still
available from web archives such as the Wayback Machine. Litigators
often “do a Wayback” to discover potential trademark
infringement from the Wayback’s archives of more than 40
billion webpages.
E-mails include
electronic records of the message content, file attachment content
and metadata. Metadata can reveal the participants’ identity,
can note the timing and routing of communications that show interactions
between parties, and can be used to infer motive and intent. For
example, insider-trading tips can be inferred from phone or e-mail
communications made just prior to the tip-recipient’s trades
that are then proved from brokerage records. Phone logs are retained
by telephone companies, inside cellphones, and in wireline systems,
and are archived automatically. For example, Martha Stewart’s
erasure of an electronic office diary of a phone call was the
subject of her federal obstruction-of-justice conviction. Although
Stewart allegedly had an immediate change of heart and reentered
the data herself, metadata revealed the attempt, and this was
sufficient to constitute tampering with evidence. Of course, there
are limitations on accessing phone records outside of the litigation
context—as by “pretexting,” the impersonation
of phone customers in order to access their personal calling records.
Electronic
information other than e-mail can include current and prior website
content or access card logs showing employee site egress (e.g.,
timing, duration, location). Such records are then correlated
with camera surveillance tapes or digital video archives. The
New York State Thruway annually responds to over 250 subpoenas
for EZ Pass records, many from matrimonial lawyers documenting
the movements of errant spouses. When surfing the Internet, a
user’s IP address is posted to the servers queried via an
ISP’s server. Some ISPs have initially resisted production
of such IP addresses when subpoenaed, but they must eventually
reveal them. Archived electronic information enables litigants
and investigators to retroactively eavesdrop on formerly private
communications and activities.
There is
generally no right to confidentiality of ESI that is arguably
relevant to an investigation or litigation. There are some limited
exceptions for privileged communications, such as the privileges
for attorney-client work product and certain communications such
as spousal, doctor-patient, and priest-penitent. There is a more
limited scope for accountant-client and self-evaluation privileges.
Care is needed in responding to EDD requests because the revised
FRCP rules require a faster pace of discovery, increasing the
risk that privileged information might be inadvertently produced.
Mistakes in disclosing privileged information do not, however,
imply a waiver of privilege under new clawback provisions that
enable the target to retrieve privileged information that was
inadvertently disclosed. While clawback does not apply to inadvertently
produced trade secrets, they can still be addressed by agreement
among litigants.
Electronic
Data Discovery Process
There are
several steps in the EDD process, from creation, archiving, management,
and review, to production and presentation.
First, there
is electronic records management (ERM), in which document retention
programs are formalized. These are internal policies governing
the preservation of needed and destruction of unneeded business
records. Eliminating unnecessary corporate records is legitimate,
so long as it does not interfere with legal duties to preserve
or disclose information. As the Supreme Court noted in Arthur
Andersen v. United States [544 U.S. 696 (2005)]:
Document retention policies, which are created in part to keep
certain information from getting into the hands of others, including
the Government, are common in business … It is, of course,
not wrongful for a manager to instruct his employees to comply
with a valid document retention policy under ordinary circumstances.
The second
step is identification, which refers to finding the location of
the particular EDD records requested. There is a legal duty to
find and review all relevant documents for possible production.
Third, there
is preservation and collection. The discovery target must preserve
and collect all potentially relevant information after a legal
duty arises to preserve. Potentially relevant files may exist
in many locations. Data are regularly backed up on various media
(e.g., tapes, optical discs, flashdrives) and may be periodically
overwritten for disposal or reuse. At the collection phase, potentially
relevant records must be maintained in their native file formats
with all content and metadata unaltered. This is critical to establishing
a “chain of custody” required to ensure admissibility
as evidence and to avoid sanctions for tampering. Consider how
merely opening a Word document changes the metadata by showing
the time of last access.
The fourth
step combines processing, review, and analysis. Potentially relevant
data must be processed and converted into a readable and reviewable
format. Review should be performed by a discovery management team
consisting of domain experts and litigation managers who can identify
relevant documents for production but withhold privileged and
irrelevant documents. Analysis assesses each document’s
strategic importance because planning is required for the response
needed if the opposition uses the document effectively.
The fifth
step is production of relevant and responsive data, converted
to formats negotiated upon by the parties early in the discovery
process.
The parties
must meet quickly following the filing of a suit to negotiate
the scope of EDD—within 120 days after service of the complaint—and
agree upon a protocol covering the scope of EDD. The practical
effect is that litigators must quickly understand the IT environment
of their client and the opposing party to negotiate the protocol
design. This is best achieved if competent ERM and litigation
support can quickly swing into action. Over time, protocol uniformity
or de facto EDD standards should emerge that diminish delaying
tactics, which too often manifest as motions to compel and countermotions
to resist production of EDD—as evident in the Zubulake
litigation [Zubulake v. UBS Warburg, 220 F.R.D. 212,
218 (S.D.N.Y. 2003)] and Rambus [Samsung Elecs. Co.,
Ltd. v. Rambus, Inc., 439 F.Supp.2d 524 (E.D. Va. July 18,
2006)]. This compressed schedule leaves limited time for the selection
of EDD and litigation support service providers and the establishment
of service-level commitments and metrics for those who will manage
EDD: the requests, collection, review, and production of ESI.
Litigation
Holds
The legal
duty to preserve discoverable data, data potentially relevant
to an investigation or litigation, arises as soon as litigation
or a governmental investigation is reasonably anticipated. Zubulake
v. UBS Warburg, a gender discrimination suit, was influential
in defining litigation hold duties. It held that: “Once
a party reasonably anticipates litigation, it must suspend its
routine document retention/destruction policy and put in place
a ‘litigation hold’ to ensure the preservation of
relevant documents.” The new rules require safeguarding
and preserving “inaccessible” ESI, but such data need
not be produced unless ordered by the court. The FRCP encourages
voluntary and timely disclosure even before receiving a discovery
request. A litigation hold is triggered by a preservation demand
sent to an opponent requesting preservation of all backup tapes
and files that are potentially relevant ESI. Targets may dispute
the overly broad scope or relevance of requests at discovery hearings
held before trial, possibly triggering a court to issue a preservation
order.
Best practice
suggests that a litigation hold team be composed of experienced
personnel in relevant functions such as IT, legal, human resources,
and records management. These professionals should be ready to
instantly deploy litigation holds when imposed. First, IT should
immediately cease all document destruction on potentially relevant
records, particularly e-mail. Backup tapes and individual PC hard
drive overwriting should be suspended. A written preservation
plan should be prepared identifying specific data and e-mails
for preservation, and then distributed to all employees in control
or possession of relevant data. Compliance with the plan requires
active monitoring to avoid destruction of relevant files. Such
efforts might have prevented the Arthur Andersen obstruction-of-justice
conviction.
Zubulake
is instructive: Snapshot or mirror-image records are needed of
network servers and employee hard drives following a litigation
hold to preserve the data’s original, unmodified state.
Increasingly, experienced third-party forensic experts are needed
to authenticate files and preserve chain of custody, and thereby
avoid file corruption, using technical procedures to help prevent
claims that records have been altered or destroyed. Existing backup
tapes, covering the individuals or subjects relevant to the litigation,
should be preserved to avoid tampering charges. Document destruction
following a litigation hold exposes the party to sanctions for
spoliation or obstruction. A new, but limited, safe harbor now
protects an entity for lost, overwritten, or otherwise unrecoverable
ESI if done as part of regular business practice of document destruction
before a litigation hold attaches. The safe harbor enhances opportunities
for litigation support and EDD service providers to improve document
destruction planning and retention practices.
Allocating
Discovery Costs
Discovery
targets often ask courts to limit the scope of EDD if it is overbroad,
would violate privilege, or would be unduly burdensome, expensive,
or oppressive. Consider five ESI categories in order of increasing
difficulty and expense in production: First, active online files
and, second, near-line data (on removable media: optical/floppy
disks, tapes, flashdrives) are most easily produced, so the target
usually pays production costs. Third, offline, archived data reside
on backups that are more costly to restore, justifying shared
production costs. Fourth, backup tapes are generally used for
disaster recovery, and involve massive and costly re-image restoration
and are not organized for convenient retrieval. Finally, deleted,
fragmented data files are only recoverable using expensive assistance
from forensic experts.
Recent cases
have imposed more cost sharing of ESI. In some cases a sample
of potentially relevant backup tapes has been ordered restored
to predict whether relevant evidence will be produced or whether
the request is a mere “fishing expedition.” Some forms
of ESI can actually impose greater search costs and hide potentially
relevant metadata. The revised FRCP may make the form of production
less contentious because the requesting party may choose the format
for review and may request native file formats, including metadata.
For example, Word documents including track-changes metadata may
reveal individuals authoring revisions, revision dates, eventually
deleted concessions, compromises, or faux pas.
The Zubulake
case illustrates the complexity and cost of restoring backup tapes.
UBS objected to Zubulake’s e-mail discovery request, arguing
that potentially relevant e-mails might reside on 94 different
backup tapes. Restoration and search costs were not immediately
charged to the plaintiff; instead, UBS was ordered to sample five
tapes to estimate the time and cost for restoration of other backups.
Enough relevant e-mails were discovered in the sample that UBS
was ordered to pay 75% of restoration and search costs for all
remaining backups and 100% of its own attorney fees. The costs
were nearly $300,000—not unusually high for large companies.
Critics argue
that the threat of high discovery costs forces settlements on
litigation opponents, so EDD cost-balancing provides some relief.
For example, in a discrimination suit alleging sexual harassment
retaliation, a federal magistrate oversaw pretrial discovery [McPeek
v. Ashcroft, 202 F.R.D. 31, 34 (2001)]. The Justice Department
was not ordered to restore server backup tapes; the decision cited
the fishing-expedition and settlement-incentive rationales:
If the likelihood of finding something was the only criterion,
there is a risk someone will have to spend hundreds of thousands
of dollars to produce a single e-mail. This is an awfully expensive
needle to justify searching a haystack. … Ordering the producing
party to restore backup tapes upon a (unproven) likelihood that
they will contain relevant information in every case gives the
plaintiff a gigantic club with which to beat his opponent into
settlement. No corporate president in her right mind would fail
to settle a lawsuit for $100,000 if the restoration of backup
tapes would cost $300,000.
New FRCP
rules make ESI discovery two-tiered: accessible and inaccessible.
Targets must shoulder the costs of providing accessible ESI. Production
costs for ESI that is not readily accessible are borne by the
requester. For example, server backup tapes intended only for
restoration following a system crash might be compressed and organized
chronologically such that they are difficult to search. They might
be designated inaccessible. Requesters may challenge this designation.
A claim of inaccessibility permits the requester to file a motion
to compel production, and in such event the target must then provide
detailed proof that ESI production would impose an undue burden.
Targets can legitimately resist production and claim inaccessibility
only when fully informed with an accurate ESI inventory, often
requiring third-party services: ERM, litigation support, and EDD.
Targets must still preserve inaccessible ESI until a litigation
hold is finally released.
Avoiding
Spoliation
Spoliation
is the civil charge of tampering with or destruction of evidence,
whereas obstruction is the analogous criminal offense. Spoliation
sanctions are levied if the party controlling the evidence breached
a duty to preserve it by destroying evidence with a “culpable
state of mind.” Judges have broad discretion to impose spoliation
sanctions based upon the degree of fault weighed against the prejudice
to the injured party. Sanctions can include monetary fines, payment
of attorney fees and costs, additional discovery, an “adverse
inference” jury instruction, and even a default judgment
imposing liability against the defendant or dismissing the plaintiff’s
lawsuit. An adverse inference instruction permits the jury to
infer that missing or destroyed evidence would have been favorable
to the requesting party.
Spoliation
sanctions can overwhelm the underlying issues of a case. For example,
the plaintiff in Zubulake showed that potentially incriminating
e-mails were inexplicably missing and relevant backup tapes were
overwritten. The judge agreed, finding misbehavior, and instructed
the jury to make an adverse inference that the missing e-mails
would have been unfavorable to UBS. The Zubulake jury
returned a $29.1 million verdict against UBS Warburg. In 2005,
a $1.58 billion judgment against Morgan Stanley was based in part
on the failure to disclose an additional 1,423 network server
backup tapes, after Morgan Stanley falsely certified that all
relevant e-mails were produced, prompting the judge to give an
adverse inference instruction [Coleman (Parent) Holdings,
Inc. v. Morgan Stanley & Co., Inc., 2005 WL 679071 (Fla.
Cir. Ct., Mar. 1, 2005)].
What
ESI Should Be Preserved?
Regulations
from many government agencies require the creation, maintenance,
and preservation of specified business records. Regulated record
retention applies to written and electronic documents. For example,
SEC Exchange Act Rule 17a-4(f) requires exchange members, brokers,
and dealers to preserve many records and correspondence with customers,
including e-mails, for three years. Arguably, section 802 of the
Sarbanes-Oxley Act (SOX) can be interpreted to require publicly
traded companies to preserve e-mails if such documents are potentially
relevant to a federal investigation or matter (litigation) that
may not yet exist, with penalties if that company’s intent
was to “impede, obstruct, or influence” such future
matter by destruction of such records. SOX contains no explicit
e-mail preservation requirement, so SEC clarification will be
necessary.
Preserving
ESI
Some organizations
have aggressive e-mail destruction policies requiring systematic
deletion after 30 or 60 days, reasoning that short-interval ERM
policies prevent damaging revelations. This may not be an effective
strategy, however. First, e-mails are regularly preserved at multiple
locations (sender, recipient, intermediate servers, forwarded
parties) and in repositories not under one entity’s control.
Second, erasing or overwriting server backup tapes does not erase
copies stored at various other locations, such as external recipients’
hard drives or outside servers. Laptops, PDAs, cellphones, ISPs,
and thumb drives are also sources of potential “smoking-gun”
e-mails. Third, even deleted files on magnetic storage media are
potentially restorable with expensive forensic recovery technologies.
Fourth, aggressive document or e-mail destruction increases the
risk of eliminating useful information. Finally, destruction when
a party “should have reasonably known” that an investigation
or lawsuit was imminent risks sanctions for spoliation or obstruction.
SOX requires adequate internal controls, and aggressive destruction
is inconsistent with that duty.
Some software
programs can wipe out metadata automatically generated by word
processors or e-mail client software. Wiping metadata after a
litigation hold is imposed would likely constitute spoliation
or obstruction. There may be no legal obligation to provide metadata
in some instances, such as the exchange of documents during contract
negotiations or when no litigation hold is imposed. Indeed, lawyers
may be subject to ethical violations if word-processing documents
have the track-changes function enabled that shows a detailed
previous history of sensitive changes such as bids, tradeoffs,
or the identity of coauthors.
Successful
EDD Strategies
Requests
for discovery of electronic information in litigation and regulatory
investigations do not show signs of abating in the near future.
Aggressive e-mail destruction risks spoliation or obstruction
penalties while it hobbles the monitoring of unethical or illegal
activities and the maintenance of strong internal controls. Best
practices suggest central archiving of all e-mails separately
from disaster recovery backup tapes, thereby reducing the costs
of search and production. Centrally archiving e-mails can reduce
settlement pressures, due to the lowered cost of searching and
producing e-mails.
Archiving
technologies are offered by third-party vendors such as Fios,
LexisNexis Applied Discovery, and Kroll Ontrack. Useful features
include “de-duping” (the elimination of duplicate
copies), full-text searches on e-mails and attachments, case folders,
and privilege marking. Concept-based searching and linguistic
pattern recognition features are also emerging, an improvement
over traditional key-word searching. Application service provider
(ASP) services are also becoming increasingly available. ERM and
EDD vendors can convert all electronic records into more-usable
formats and provide storage at secure Internet-based repositories
accessible only to authorized personnel to facilitate EDD request
responses.
Aggressive
EDD has embarrassed many litigants. Electronically stored information
must be better managed. There will be a demand for information
from litigators, and well-managed information lowers costs and
reduces legal risk.
John
Ruhnka, JD, LLM, is the Bard Family Term Professor of
Entrepreneurship at the business school of the University of Colorado
at Denver and Health Sciences Center, Denver, Colo. John
W. Bagby, JD, is a professor and codirector of the Institute
for Information Policy in the college of information sciences
and technology at the Pennsylvania State University, University
Park, Pa.
|
|