image area

Robert Kerwin and Michael Radin Speak at the 14th IAMERS Annual Meeting

Saturday, April 29, 2006

Electronic Document Retention: The Basics
Robert Kerwin, Esq.
and Michael Radin, Esq.

A good document retention policy will save your business time and money. After the Arthur Andersen meltdown, Congress and the Securities Exchange Commission created laws making it a crime (including obstruction of justice) for public companies to destroy records, even if there are no pending proceedings. Protecting your company and its directors, officers and employees now requires that document retention policies be formalized and complied with before litigation arises. This is particularly important with electronic "documents."

Electronic documents cover the range from emails, to purchase orders, draft and final contracts, and supply-chain information. All of these could be helpful — or hurtful — in any investigations or lawsuits. On the other hand, keeping items unnecessarily can be overly expensive on an operational level, and more so if a suit or investigation arises.

The laws regarding document retention are complex, and cannot be fully-covered in a short summary. What is important to know is that the rules need to apply day to day (for simple items such as purchase orders) and during any investigations or lawsuits.

Upon commencement of a lawsuit, the laws become more severe, and require that you preserve all material that could be evidence in the case. Continuing to destroy old materials "relevant" to a case can, itself, be a basis for liability (under the spoliation of evidence rules). Further, failure to produce evidence requested by another party that you should have retained allows a judge to impose broad sanctions — such as delay of trial, mistrial, an adverse inference against you, and sanctions (particularly if you are shown negligent). Remember that Morgan Stanley was ordered to pay $1.58 Billion in a case involving a botched deal in a jury verdict that turned on the failure to turn over requested documents. (To add to the pain, the SEC in February 2006 imposed a $15,000,000 fine based on a probe into Morgan's e-document retention policies). Even delays in responding to a request for information can expose you to sanctions. The April 2006 issue of CFO magazine refers to records retention issues as a "nightmare."

The more items that are retained, the bigger the cost day to day, and when producing all copies of requested information. A well-designed policy will allow you to operate day to day, control costs, and when necessary to comply with discovery duties. Perhaps most important, a well-designed policy can allow you to quickly locate relevant materials when needed, sometimes allowing you to manage a situation to resolution without litigation.

Deciding What to Keep

In the past, document retention policies were generally loose and of the nature "When in doubt, delete!" This is no longer a wise policy in the post-Arthur Anderson world. The decision of what to keep depends, in part, on the type and size of business. You need to be able to decide what is "relevant." Relevance needs to be assessed by looking backwards from the perspective of a pending lawsuit: Your company should ask whether certain material would be discoverable by an adverse or investigating party. Discovery rules, in turn, allow discovery of any item reasonably calculated to lead to admissible evidence — regardless of whether the item itself is admissible. Hence, the duty to preserve documents (from a litigation perspective) hinges on a legal determination of whether the item at issue is reasonably calculated to lead to admissible evidence. This raises two distinct issues: What evidence would be admissible pertaining to the matter at hand? What documents would a court likely consider reasonably calculated to lead to such evidence?

Any information that rules or regulations require to be saved must be kept. This includes federal and state rules from licensing authorities (among others). Confirm whether there have been changes to the rules that require a change in your procedures. Importantly, you should consider the rules in each geographic area (country and state) in which the company operates.

Judges will expect you to learn from prior litigation. This means that your experience from prior litigation can be held to put you on notice that you had to retain certain items (such as those relating to the particular case or area of your business). It is important to review past investigations and litigation to see if there are prior events that could have such an effect.

Anything "sensitive" should be saved. Important contracts (including customer and insurance contracts) should be saved. Documents or emails that contain references to certain phrases (such as "warranty" or "contract") should be identified and saved. This may include drafts of agreements to provide insight as to what issues were raised and how they ultimately were to be resolved in the final version. Anyone who has been through a "battle of the forms" can attest to how important it is to be able to peel away drafts to determine which form governs. At the same time, you may decide that you do not want to keep drafts of certain items (for example, drafts of securities offering materials have often been destroyed once the final document is agreed to — to avoid forensic eyes from second-guessing what disclosures were made and why).

A filtering program for email can be programmed to save copies of sensitive materials. A well-structured filtering program can help tremendously in reducing the volume of what needs to be retained. Importantly, you need to decide whether all (or some) attachments should be saved with any original emails. On this level, you need to know about metadata — electronic "fingerprints" that are often hidden in documents. This goes well beyond what appears as a transmission string in emails. Metadata is buried information that can be uncovered by basic forensic analysis and can include who worked on a document on what dates, what changes were made, and comments to documents. It can be a treasure-trove of information you might prefer not to get out. You may be unknowingly receiving this from outside parties, or you may be including them with your outbound documents. It is vital to know how to clean documents of metadata before they leave your computer system. You cannot rely on the typical tools of a word processing program to protect you — track changes in Word is one of the easiest ways to leave clear fingerprints on your documents.

Certain types of files may be worth saving. These could include certain modules within an accounting or reporting program. A technology-based business or engineering/design firm may need to retain CAD files. Any files that may contain or reflect intellectual property of the company (such as trade secret items or customer lists) should be saved, especially if the company has any patents that may need to be asserted or protected.

We advise our clients to examine their computer systems and design programs. For example, does the company have a central network or something less centralized? A central network offers document control options that are, frankly, easier to implement. Extensive use of notebook computers and PDA's suggests that synchronization software will be crucial to routinely copying matters onto the central network for further filtering, copying and archiving.

Your work environment plays a role in determining what type of records to retain. For example, corporate hoteling, or telecommuting, raises specific issues. All information needs to be accounted for. Forensic software tools can be used to identify, copy and archive key files. Use of home computers particularly can complicate matters if files from the central network are or can be copied onto home PCs. Home PC's can be subject to examination unless there is a central system for archiving from each home PC or synchronizing information onto the central network.

There is no one-size-fits all approach. A well-structured approach should allow for a regular process that makes sense for your business. The presence of a thoughtful routine itself is a form of protection, as regular destruction of items identified for routine destruction generally will not expose your company to a challenge of spoliation or obstruction. Anything less than a thoughtful program that has become routine will be examined and the opposing party can be expected to try to use it against you.

Test Your Systems.

Any system can work on paper. Your systems should be checked under normal conditions and any shortcomings corrected (before they cost you). The time to test your system is not when an investigation or dispute has started.

First, identify who is in charge of the program and confirm that she or he knows their responsibilities (such as following the routine, or what to do if an inquiry letter is received). Involve your responsible group in the design and administration of your program. If practical, have a small committee that meets periodically to review and update procedures. Create minutes of that meeting and create (and review) log books to confirm that the routine is being followed. Confirm who has the authority to order an end to any destruction procedures if required to do so and what their subordinates would do if alerted. Establish an email mailing list for rapid dissemination of information, particularly an alert when a case arises and you should halt your regular document destruction processes.

Second, identify all forms of media (such as written documents, emails, photocopies, scans, telephone bills, and credit card receipts). Inventory all media including your computers, servers, storage devices, PDA's, and cell phones. Look at all communications systems used — hardware and software — and list them on a central list. Be alert to inventory or supply-chain tracking systems (including RFID tags) that have remote components and communications links. Decide what email attachments should be kept.

Third, periodically review and test your archiving and destruction procedures. This means looking at your routines and confirm they are being followed. Check the software filtering, copying, and archiving functions. Check your backup hardware and software by recalling some archived materials and running test searches to confirm system compatibilities. If there has been a major hardware or software change, make certain that prior storage media and files can still be accessed. Verify that your physical storage system works (e.g., is fire and theft proof and there is some redundancy). Confirm the system for rotating back-up storage media. Check your log books and inventory physical counts. Make certain everything is getting properly accounted for. Confirm that any hardware changes since your last inventory have been added to the system (such as synchronization software for laptops and PDA's). Importantly, check logs of previous destructions. Regular enforcement of your policy is key to showing that what was destroyed is not itself the basis for a penalty.

Fourth, consider hiring an outside consultant to periodically review and validate your policies and procedures. These outsiders should interview key personnel and review a sampling of data using cutting-edge forensic tools. Push them to give you a written report identifying areas of compliance as well as areas where there is room for improvement. Depending on the size of your business, you may be able to include compliance testing with the basic fees you pay for the actual retention services.

Be Prepared

These programs need to be created before a lawsuit is filed. Once a lawsuit is filed, you have three major duties that apply automatically for data that is discoverable:

  1. The duty of preservation.
  2. The duty of retention.
  3. The duty of production.

A well-formed policy can lessen liability in a lawsuit. It can even avoid a suit by providing easy access to information that could avoid the exposure or support a defense. Tactically, quick access to such information can be very useful to show readiness for litigation to help you settle disputes faster or on more favorable terms. Here, your program is serving an important deterrence function. In short, you need to be ready.