Protecting Corporate Data in Economic Downturn: A Legal Perspective

Electronic data proliferation is economically neutral—it grows exponentially in good times or bad, and the costs of managing electronically stored information (ESI) continue to increase irrespective of budgetary increases. Corporations and counsel must anticipate increased litigation and regulation by instituting sound data-management practices and getting corporate data in order.

By Regina A. Jytyla and R. Jason Straight | The National Law Journal

As Ben Franklin admonished back in the 1700s, "Drive thy business or it will drive thee." This advice remains relevant as today's volatile economic climate challenges corporations to keep a tight rein on expenses and scrutinize costs. Many American corporations are restructuring and realigning in an effort to reduce expenses and optimize operational profit. Because economic conditions are expected to worsen before improving, corporations are forcing themselves to become swifter and leaner, while minimizing vulnerabilities concomitant to rapid reorganization and downsizing.

Increased regulation and litigation seem likely consequences of the current economic climate. So what issues should executives, corporate counsel and information technology (IT) professionals keep top of mind when preparing to respond and defend? How can corporations efficiently collect, review and produce the electronically stored information (ESI) that is core to the issues being scrutinized? With more and more information conveyed and stored in electronic form, IT professionals and senior managers are grappling with how to implement best practices and procedures to manage company data through dissolutions, divestitures, mergers, acquisitions and reductions in force. The good news is that there are steps that corporations and counsel can take to shepherd assets through the economic storm. This article explores solutions to common data-management quandaries and offers a few simple steps to achieve regulatory compliance and mitigate risks inherent to the failure to properly preserve ESI.

Corralling ESI hardware sources, upholding fiduciary duty and tightening the belt are all important considerations of corporations that are reducing staff and reorganizing. As work force cutbacks become commonplace, many organizations face the daunting task of locating, securing and imaging hard drives left behind by departing employees. For example, what should a corporation do with 30, 100 or even 1,000 idle computer terminals? Organizational changes can make it more difficult for counsel to adequately represent corporate clients while making sure that privileged information is not inadvertently disclosed. The challenge ultimately is doing more with less: ESI best practices must be maintained despite the fact that budgets and head count are diminishing.

A comprehensive data-management plan is imperative to a corporation's ability to support ESI continuity despite the organizational changes presented in today's volatile economic and business climate. In other words, corporations must stretch available dollars and continue to create and implement preventative policies and procedures to mitigate data-management vulnerabilities associated with litigation, regulation and potential breaches of fiduciary duty.

Joint Responsibility

Recent case law demonstrates that counsel bears oversight duties associated with the proper preservation and production of ESI, and it exemplifies an increasing intolerance by the judiciary for parties and lawyers who fail to adhere to sound data-management practices. In fact, attorneys may be held individually responsible for failures to preserve and produce responsive electronic data. ESI maintained in the usual course of business is assumed to be structured and organized, and should be produced in a manner that is comprehensible.

In a groundbreaking case from the past year, Qualcomm Inc. v. Broadcom Corp., No. 05CV1958, 2008 WL 638108 (S.D. Calif. March 5, 2008), the court found the plaintiffs to have committed "monumental and intentional" discovery violations for failing to produce thousands of documents requested in discovery. The court cited the "impressive education and extensive experience" of Qualcomm's attorneys to justify significant sanctions for failure to produce relevant e-mails, including reporting to the State Bar of California.

In a January 2009 case from the Southern District of New York, U.S. District Judge Shira Scheindlin noted that producing parties have two options under Federal Rule of Civil Procedure 34 to produce materials: in response to categories on request or in the "usual course of business." Scheindlin noted that "usual course of business" is not defined and looked to the legislative history of Federal Rule of Evidence 803(6), which protects "regularly conducted business activity" as a hearsay exception. The court concluded that to be kept in the usual course of business includes an assumption that documents will be maintained in an organized fashion. See SEC v. Collins & Aikman Corp., 2009 WL 94311 (S.D.N.Y. Jan. 13, 2009).

Cases such as Qualcomm and Collins serve to remind corporations and counsel that serious consequences follow when corporations fail to properly organize and maintain ESI. Not only must data be properly preserved, they must be organized in a manner that will allow for timely production of ESI that is responsive to an investigatory matter or suit. While there is no "one size fits all" approach to proper data management, there are steps a corporation and its counsel should take to evade unnecessary litigation and regulatory preparation costs, and avoid sanctions. The following steps should be tailored to the needs of each organization and are designed to empower corporations to address data-management challenges unique to their business.

  • Step One: Extinguish fires. The first step is to safeguard corporate data and hardware during the employee exit process. As employees leave an organization, the human resources department must work with IT to ensure that those employees' computer accounts and remote access databases are deactivated immediately. All company-owned electronic devices should be collected in a timely manner to prevent data spoliation that may occur as a result of malfeasance or mere negligence. Most importantly, the company should image and review the data on these devices before properly disposing of or recycling the hardware or electronic device -- especially if the data are subject to a legal hold requirement. Once data are safely secured within these protective walls, an entity is well-positioned to implement a sound records-management policy.
  • Step Two: Identify and leverage resources. The cliché, "It is not what you know but who you know," certainly applies to the process of identifying sources of electronic data. When looking for sources of ESI, it is important to identify individuals within the organization who know where company information is stored. This task should not be undertaken alone; instead, the process should be augmented with assistance from internal resources who are knowledgeable about the organization's forms of ESI, along with consultants who have both legal and technical experience.
  • Step Three: Create a data inventory. Once internal experts are identified, they should be interviewed to determine sources of active and archived data. Identified sources of ESI should then be cataloged in a data inventory, including all storage devices in use throughout the company (e.g., laptops, cellphones, personal digital assistants, etc.) and their locations; all archived electronic data-storage formats and locations; and all methods by which data can be transferred to or from the organization.
  • Step Four: Classify records and useful life. In addition to creating a data inventory, organizations should classify records by purpose and "useful life" (i.e., how long the document will be relevant to the business needs of the organization). Documents should be destroyed promptly after that useful life is over. Knowing a document's useful life allows for a reasoned decision on its retention.
  • Step Five: Determine retention periods. Once record classifications and corresponding useful life periods are determined, corporations should create a record-retention policy that dictates how long each classification should be kept. The purpose of a record-retention policy is to specify storage periods for different types of records, based on business need. The policy should also detail procedures for destroying records after their useful life expires. Determining an appropriate retention period will require identifying any statutory and/or regulatory requirements that necessitate storing the data for a specific period of time (for example, tax documentation or U.S. Securities and Exchange Commission filings). The legal standard for records not governed by a regulation is reasonableness. Factors going to this standard include individual business practices, industry standards and relevant statute-of-limitations periods.
  • Step Six: Determine retention procedures. Once it's determined what should be maintained, the next step is deciding how it should be maintained or destroyed and by whom. A records retention policy should detail where and in what format documents should be retained, and when documents should be converted. For example, should documents be stored in active format or backup tapes? In addition, an electronic documentation retention policy should include appointing a records custodian for each department who is responsible for developing and enforcing record management policies.
  • Step Seven: Create a discovery task force. An organization should appoint a group of individuals to oversee records management issues in the event of a pending or impending litigation. This team should comprise individuals from various departments, including corporate counsel, human resources, business line managers, IT and outside counsel. This committee should be authorized to alter any document-retention policies in the event of an emergency and ensure compliance with record preservation duties. Finally, the team should maintain a corporate data directory, including a record of past and present operating systems and software, document retention and backup rotation procedures and schedules, and contact information for a designated point person in each business department.

The weakened economy has placed incredible budgetary pressures on corporations, which must maintain profit margins despite increased litigation and shrunken resources. Nevertheless, electronic data proliferation is economically neutral—it grows exponentially in good times or bad, and the costs to manage ESI continue to increase despite the lack of a corollary budgetary raise. Corporations and counsel must anticipate increased litigation and regulation by instituting sound data-management practices and getting corporate data in order.

By instituting preventative measures, corporations will ultimately reduce the costs that result from responding to litigation and regulation. In addition, taking a proactive approach will lessen the likelihood that responsive data are lost or that damaged and/or privileged information is inadvertently produced. The tips discussed above are intended to serve as a benchmark, but each corporation must assess its own concerns and create a plan that is tailored to the needs of its unique business. As courts are becoming less tolerant of parties who fail to properly produce ESI, corporations must, in the words of Ben Franklin, "drive thy business" and take proactive measures to create and enforce corporate ESI protocol.


 

Authors

Regina A. Jytyla is a managing staff attorney at Kroll Ontrack, based in Minneapolis. R. Jason Straight, an attorney, is a senior managing director for the firm's computer forensics and ESI consulting group, based in New York.

 
