Minimizing litigations and investigations by managing e-records

By Jon A. Neiditz | April 17, 2006

The focus of litigations and investigations on electronic documents, particularly e-mails, and the increasing accountability of compliance programs, including record retention, are leading organizations to reexamine their document management. That includes e-mail destruction practices, records management programs, compliance training and monitoring programs, and document creation training.

Acknowledging that electronic messages have become the location of most business-critical information is a recognition of significant new risks, but one that can lead to significant opportunities for risk and cost management.

To make the most of your movement to electronic documents, you should have:

  • Clear, tested project plans for achieving effective e-document;
  • Policies, practices and technology that enable avoidance of legal costs and risks;
  • Solutions that manage information risks to the desired degrees without interfering in business processes; and
  • Vendors familiar with advantages in technology selection, contracting and/or implementation.

E-discovery readiness
Production of e-documents, particularly messages, has become a costly area fraught with risks. For organizations that have not yet confronted the inability of their technology to respond to e-discovery, it is just a “fire in the basement.”

Most organizations rely on backup tapes designed for disaster recovery to preserve content. Most backup tapes cannot be searched without restoring the whole tape, generally on a server set aside for that purpose. Therefore, when e-mail production requirements were first received in a litigation or investigation, or certain electronic messages became relevant to a reasonably likely litigation or investigation, or when a litigation “hold” was issued by counsel, most organizations had no choice but to retain all of their e-mails, because the backup tapes or other media did not permit the selective retention that the specific request, hold or area of relevance and good risk management demanded.

Such organizations face a “digital landfill” that lawyers or e-discovery specialists have to pore through at great expense when new productions are required. That preserves in inaccessible form many potentially dangerous documents not relevant to any likely investigation or litigation. Even if the organizations outsource backups to an e-discovery vendor or escape the litigation or investigation, they have given their adversaries better access to the information than they could give those they trust to run their businesses.

Most organizations also impose mailbox size quotas on users. E-mail users usually respond by copying messages to their local drives, where they are then kept indefinitely, accessible to others only with difficulty. The practice of most end-users of retaining large amounts of e-mail for personal recordkeeping, to enhance productivity through models for subsequent messages or to justify their actions, is usually underestimated.

Organizations often make substantial expenditures to produce e-mails and other electronic documents in litigation and investigations without effectively mitigating risk, and getting little, if any, business value. Yet there are ways to avoid those costs, better manage the substantial risks of e-discovery and address other key risks related to electronic documents.

The most value is derived by considering record retention requirements and broader compliance requirements, risk management priorities and business needs among the criteria for choosing the right policies, “search” criteria, and processes and technology.

Technology is moving rapidly toward permitting e-document production through defensible automatic processes with limited manual review. That may complement the processes and technology necessary for the organization to keep and find the documents it will continue to need for business purposes or as records, and to monitor compliance with the multitude of organizational policies relating to information and communications, including protecting the organization against “leakage” of confidential, proprietary or personal information. E-discovery readiness is integrally linked to information security, records and information management and compliance more generally.

The most dangerous e-mails tend not to be records. The most dangerous are informal e-mails containing thoughtlessly colorful words that can be taken out of context as, e.g., defamation or admission of a violation of law or policy. Policies and training on responsible creation of e-mails are nothing new, but they are often forgotten.

E-discovery readiness programs should impress employees with the legal risks of electronic communication and best practices in document creation. Consistently applied, stringent sanctions, more regular monitoring of employee e-mails and more specific notice of that monitoring can make training programs more memorable.

Records management
Records management used to be a relatively low-risk, technical area. Retention requirements were generally set based solely on regulatory requirements. Dealing with paper documents that fit into neat categories, it was easy to imagine that files could be kept for the required period and then destroyed. Records management programs and e-mail destruction policies need to change because:

  • Most of their business-critical information is now in e-mail systems;
  • There are vastly more e-mails than there were paper documents;
  • E-mails and other e-messages do not fit into neat retention categories;
  • Electronic records management has become a high-risk area; and
  • Many old record retention policies do not contemplate or implement any process for litigation “holds” for records related to likely litigations or investigations.

The 10 goals of an adequate records management program are that the program must:

  1. Be clear and well-suited to employee communication and training;
  2. Be administrable given the tremendous volume of electronic messages flowing through the organization;
  3. Include monitoring and/or auditing;
  4. Filter out unnecessary content to an acceptable yet defensible degree;
  5. Rely on the right combination of “end-user” action, automatic processes and post-send records management staff activity;
  6. Not compromise speed or productivity;
  7. Involve search capabilities that are defensible for e-discovery purposes (i.e., obviate the need for lawyers or specialists to review all e-mails) and also serve business needs;
  8. Involve secure storage and transmission;
  9. Be capable of adjustment by the client based on changing needs; and
  10. Be cost-justifiable in relation to all alternative approaches.

Records management programs also must be based on extensive knowledge regarding legal retention periods, as well as legal and business needs for records integrity and security. Integral to such programs is the protection of intellectual property and of other confidential or sensitive information.

Benefits and risks
E-discovery readiness and electronic records management begin with a series of judgments about risk. Different industries, sets of exposures, business needs for information and organizational cultures dictate how far organizations should go to preserve or destroy documents not required by law to be preserved.

The decision to retain documents for a period of time on accessible company servers may be positioned, for example, as a trade-off with employees to discourage more unmanageable and perpetual end-user archiving on their work or personal computers, USB devices or other storage media. The risks of such personal storage include not only potential significant increases in the costs of discovery and risks of non-compliance with discovery requests, but loss of intellectual property, breaches of contractual confidentiality and breaches of personal information in violation of information security laws and triggering consumer notification requirements with their attendant significant business risks.

Increased compliance and litigation risks highlight the need for records management programs to be administrable. In some cases, the old, extraordinarily detailed records management policies driven solely by regulatory requirements are being replaced by simpler ones based on judgments that the risk of retaining certain documents for periods of time beyond statutory timeframes is outweighed by additional administrative cost and risk of noncompliance due to the complexity of the program. The records management program that emerges reflects a balance between considerations of business needs and risk, litigation risk and compliance risks (both regulatory requirements and the risk of non-compliance due to complexity).

Judgments also must be made about the extent to which the company will rely on technology as opposed to employees.

Jon A. Neiditz is Of Counsel for Lord, Bissell & Brook’s Business Technology Group. Article printed with permission from Lord, Bissell & Brook LLP. Copyright 2006.

Insurance Journal Magazine April 17, 2006