An Effective Management Policy Is A Necessity In Responding To Litigation And Regulation.
The Federal Rules of Civil Procedure (“FRCP”) are the procedural rules governing lawsuits in federal court. These rules have evolved to require disclosure to the opposing party of any information relevant to a party’s claims and defenses. The FRCP’s latest amendments address the disclosure of electronically stored information (“ESI”) in anticipation of future technological issues between parties litigating in federal courts across the country. The new amendments address how ESI will be handled during the investigative phase of federal litigation known as discovery. Among other matters, the amendments change the FRCP by:
- Requiring parties to turn over any relevant ESI or describe the location of any relevant ESI to the opposing party prior to discovery;
- Requiring parties to prepare a discovery plan that includes the specifics of how and in what form ESI will be produced;
- Allowing parties to subpoena ESI from their opponents and from third-parties; and
- Instructing parties how to respond to document requests and questions regarding ESI.
Why Is This So Important?
Today, businesses receive and generate vast quantities of information daily. Effective record keeping and management is a key component to the success of your enterprise by helping to manage finances, compliance with state and federal laws, inventory, logistics, transportation, labor, and communications. Most of this information is stored electronically and a great deal is not even visible. Because of this volume, effective information management policies must include regular and routine destruction of ESI.
Although the FRCP amendments relate to discovery in federal litigation, their impact is much broader. Adoption of similar rules is probably not far behind for state courts. Information management policies are also critical in responding to audits and regulatory inquiries. Laws such as Sarbanes-Oxley, FACTA, and HIPAA require that certain company records be kept or destroyed. Employment-related laws such as ADA, FMLA, OSHA, ERISA, and even the Internal Revenue Code require companies to keep certain records for their employees. These laws set forth their own set of information management requirements.
Haphazard destruction of electronic information or destruction not related to a reasonable policy may result in criminal responsibility for the decision makers and/senior management. Businesses failing to adhere to or implement information management policies may suffer default judgments, adverse inferences, penalties, fines, and increased attorneys fees.
Consider Enron’s accounting firm, Arthur Anderson. As the Enron scandal unfolded, against its own policy, Arthur Anderson’s managers accelerated destruction of Enron related information and failed to enforce a “litigation hold” to cease destruction of documents relevant to the pending litigation. Arthur Anderson’s failure to follow its own policy eventually led to criminal charges and the premature conclusion of many careers. Civil suits followed the criminal charges and the 89 year old accounting firm closed its doors.
Similar consequences can result from the lack of a policy. In another business-ending catastrophe, a badly coordinated search for back-up tapes led to the late discovery of over 2,000 tapes. This eventually led to a partial default judgment and contributed to a jury verdict of $1.5 billion, including punitive damages.
If a business cannot isolate, gather, and produce all relevant ESI, judges, juries, and opponents will still be inclined to believe the failure to supply the information was intentional. In such a circumstance, recent trends in court decisions allow for evidentiary inferences that such unintentional failures can be treated as though the failures were intentional.
Implementing An Information Management Policy Is Essential.
An effective information management policy must be implemented well before the lawsuit, audit, or regulatory inquiry lands on your desk. Even though Arthur Anderson and other similar companies had excellent and defensible information management policies, their failure to follow those policies on a day-to-day basis ultimately led to their demise. In extreme cases, the failure to implement a policy may result in a business-ending liability. In less extreme cases, the failure to capture, coordinate, and manage information and to keep records may result in lost business, failure to comply with certain laws, and lost profit opportunities.
Information is everywhere. There are bits and bytes on every computer in your organization. There are internal and external servers, hard drives, C drives, CD’s, and software. There is email. There may be back-up tapes and, more likely than not, there are hard copies of documents created by endless varieties of software programs. In addition, your employees may have access to your company’s information and may store some of that information on their home computers. Lurking in all ESI is metadata and other invisible information. The trick is organizing all this information from each source and managing how it is kept and destroyed.
Key Points To Implementing A Policy.
There are some important points to remember in implementing a policy. First, backing up data at regular intervals is a critical function but it is not an information management policy. Second, not all data everywhere needs to be kept. In fact, even the United States Supreme Court in the Arthur Anderson case recognized that regular disposal or destruction of data and hardware is necessary and good policy. Third, the policy should be realistic, practical, and tailored to the circumstances of the enterprise. Fourth, the policy must be flexible so that suspension of destruction practices can be implemented in appropriate circumstances. Fifth, and finally, an information management policy is a mandatory component of cutting edge success.
A specific policy tailored to each enterprise is best provided by professionals specializing in this field. However, there are guidelines that every enterprise can begin with:
- Information and records management must be realistic and matched to the circumstances of the enterprise.
- Electronic data should be destroyed at regular intervals.
- Any policy should include all aspects of electronic data, including its creation, retention, identification, retrieval, and disposition or destruction.
- The policy must be capable of suspension in order to comply with preservation obligations in the event of a lawsuit, audit, or regulatory inquiry.
- Every person in an organization, from the top to the bottom, handles some electronic data – so all must understand and comply with the policy.