Businesses Generally Ignoring E-Discovery Rules 109
eweekhickins writes "A full year after the institution of new federal e-discovery court rules, only a minority of companies are paying attention. Keeping track of every IM, email, and document for a court order that may never come must seem like a tall order. Researcher Michael Osterman said that only 47 percent of companies have some kind of e-mail retention policy in place. 'I don't think it's difficult to understand the rules,' Osterman told eWEEK. 'I just think that it sometimes takes headline shock to make people move on some things.'"
the FRCP (Score:5, Informative)
The Federal Rules of Civil Procedure are being grossly mischaracterized here. The main purpose of the changes is to make it so companies can't intentionally obfuscate their data storage in order either 1) increase the timeline for digital discovery; or 2) increase the costs (especially to the non-business plaintiff) for digital discovery.
The FRCP are not a set of regulations to govern businesses, it just means that parties with digital information will bear the burden to produce it in the event of a lawsuit. Depending on the frequency with which your company is sued, it may or may not be a good idea to make it faster to access your backups.
You aren't under an obligation to save all electronic corresponce unless you are in a heavily regulated industry with special rules requiring that. However, anyone who deletes or destroys documents once a court order has been issued is in pretty big trouble if they get caught. This has been true long before the advent of email.
IMPORTANT NOTE: I am not a lawyer, this is not legal advice, there is no formation of attorney client privilege, this does not serve as an offer to represent you, your family, or anyone you have ever met, consult the advice of a licensed attorney in your jurisdiction before taking any action, the forgoing is for informational and educational purposes only, and any and all warranties inherent in this post whether express or implied are hereby disclaimed.
This is my business (Score:5, Informative)
I can tell you the following:
1. It is a big business.
2. It is not "pointless".
3. The reason the laws were passed is that people were intentionally deleting documents or worse LYING and claiming they had deleted it when back ups were clearly present. They lied because of the expense it would take to recover the back-ups. Honestly, was it that hard to have the lawyers talk directly to the tech people, instead of too middleman that cared more about money than their legal responsibilities?
4. The law at heart simply states that if you have documents then deleting it BECAUSE of a legal action is illegal.
5. The law clearly allows you to routinely delete documents, say 1/year, or even every month.
6. All it really takes to satisfy the law is a commitment to a reasonable data-retention policy. The only businesses that don't or can't comply are
A. those that have been giving their IT department the short-shift, not providing a reasonable amount of cash for data and back-ups.
B. Those that don't realize that after you are SUED or CHARGED with a crime means you have to spend money on the law-suit. That includes the responsibility of saving and organzing the data you collected.
Re:The law should be overturned (Score:3, Informative)
This "law" should not be "overturned." It is not a "law." It is Rules of Civil Procedure for parties in litigation in Federal court. You can read them here [house.gov]. The rule you want is R. 34.
This post does not constitute legal advice and is not endorsed by Jackson Walker LLP
PLEASE help stop the FUD!!! (Score:4, Informative)
Despite what the vendors who produce e-mail archiving software may say, there is NO requirement that ANYONE archive all their e-mail/chat/word docs. etc. for potential litigation!!!
The rules say that, once you know that there is a legal case (or can reasonably expect that an issue may lead to legal action) you can't destroy evidence that could be used in the case. The federal rules actually spend more time outlining all the valid reasons you may have for destroying/deleting old e-mails or other correspondence.
There are a lot of vendors generating a lot of FUD about this issue, and even more clueless tech writers and glorified corporate publicity rags like eSchool news to perpetuate it. Don't be sucked in!
Yes, your company/agency should have a retentions policy, but that doesn't mean to retain everything! It should spell out how often you delete materials that are no longer deemed necessary. As long as you follow that policy, you are covered if you delete something that comes up later in an un-anticipated legal action! Once you are aware of a legal action, it is your responsibility to identify and secure any documentation in any form that can have bearing on the case.
Internal insight not necessary to regulate. (Score:3, Informative)
I'm not sure why we should really give a shit about what goes on inside a company. What matters is what it does. If a corporation does something bad, punish it. I don't really care, and I don't think it should matter, whether people in the corporation "knew" what they were doing was bad, and that's mainly what the retention laws are all about. They exist in order to make it easier to pin down when so-and-so knew something. If you just tell companies you don't care, and enforce rigorous strict-liability doctrine (on the corporation -- I don't really agree with strict liability as applied to individuals, but that's a separate discussion), you can leave the internal policing to the corporations themselves.
The idea is that basically, you make the corporations responsible for the actions their employees take in their name and the results of those actions, whether intentional or not, and whether the harm was foreseeable or not. Leave it up to them to decide how they want to manage risk and how much freedom they want to give employees to act without authorization.
I don't really see why we need to peer into companies in order to regulate them. If a company wants to keep its financial records in cuneiform impressed on wads of sodden toilet paper, that's fine by me. The market will punish them for it when nobody wants to buy their stock because there's no way to gain any insight into their performance. Maybe the stock exchanges would even enforce minimum accounting standards for listed companies, as a way of keeping the crap out. But caveat emptor -- do your own research, and don't come whining to anyone else if you put all your money into a company that implodes. If you want secure investments, that's what savings accounts are for.
Similarly, if a company pollutes or otherwise externalizes costs on the public, punish it. If they don't cough up payment for the externality, forcibly seize whatever physical assets they have under their direct control and sell them at auction.
I can train my dog without knowing exactly what's going on in his head every moment; that's exactly the philosophy I'd apply to corporate governance. Reward good overall corporate behavior, punish overall bad behavior with meaningful sanctions (asset forfeiture and seizure), and let them do whatever the hell they want internally.
Re:the FRCP (Score:3, Informative)
Lots of interesting comments in this thread. There is a lot of FUD out there (like that's news). I hardly know where to start.
First, sophisticated litigants have seen increased costs from eDiscovery compliance, because "Joe Average" lawyer on the other side is getting more sophisticated about these issues. The new eDiscovery rules require companies to make pretty specific disclosures regarding what electronically stored information they have that might contain potentially relevant information. Federal judges are also more sophisticated on these issues now, and are expecting more of people. It's becoming a lot more difficult to 'hide your head in the sand' and hope the other side doesn't ask about this stuff.
Because the cost of searching, reviewing and producing email (and other electronic information) can be so burdensome, the table stakes for pursuing or defending a lawsuit can be higher than "before".
theMerovingian said: The FRCP are not a set of regulations to govern businesses, it just means that parties with digital information will bear the burden to produce it in the event of a lawsuit.
Not entirely true. In some cases, courts have held that cost-shifting is appropriate.
theMerovingian said: Depending on the frequency with which your company is sued, it may or may not be a good idea to make it faster to access your backups.
This is dangerous advice. There are companies out there which are making it cheaper to access backups. If you make it faster and easier to access information on offline (tape) or nearline storage, then you may reduce your ability to argue that the information is "not reasonably accessible due to undue cost or burden" under Rule 26(b)(2)(B). I have seen clients tripped up because IT people somehow get the notion that the lawyers WANT them to have really long retention periods on backups "just in case". While lawsuits sometimes require backup tapes to be held, if there isn't a lawsuit, it often isn't helpful to keep this data lying around when there isn't any business need for it.
theMerovingian said: However, anyone who deletes or destroys documents once a court order has been issued is in pretty big trouble if they get caught.
Agreed on the court order part -- don't violate court orders! But there's lots of room to argue before that order gets issued. When a company is sued, does that mean they have to create a bitstream image of each and every computer in the organization? (After all, just continuing to use the computer overwrites the pagefile and other unallocated space -- that's destroying potentially relevant data!) There are vendors (and even some lawyers) out there who are telling companies that they have to do this. The real answer is that in many cases, locking down every last bit of data is not necessary.
Ones being investigated for a crime. (Score:5, Informative)
The first deals with data deleted prior to the start of an investigation. Basically if you have an data retention plan that states how long you keep documents for, and you follow that plan, then you cannot be charged with destruction of evidence. On the other hand if a bunch of documents relevant to an investigation just happen to be deleted in a manner that deviates from your normal behavior, then you can be.
It doesn't matter what the plan is - it could be that you delete emails from the server immediately after they are download, or you can back them up for eternity, or anything in between - it is entirely up to you. For the sake of CYA, it is a good idea to have this policy documented, and to make sure it is followed closely, but you are not required by law to do so.
The second part gives judges the ability to require companies to retain data relevant to an investigation that would otherwise be deleted as part of their normal data retention policy. This requires a court order, and is no different from dead-tree requirements. Again, you are not required by law to have a plan in place to do this, however, it is good idea to think about it so that you aren't scrambling to figure out how to deal with it if you ever are investigated.
Re:More business for lawyers (Score:2, Informative)
PLEASE, PLEASE, PLEASE create a regular document retention policy that mandates the deletion of all unnecessary emails and other e-documents on a regular basis. You CAN delete these files and you should. But if you wait until the lawsuit is filed, it's too late - and now we have to wade through all this crap. That's the point.
Re:pretty obviously unenforceable (Score:3, Informative)