Could you produce old e-mails and IMs in the event of a lawsuit?

How new federal rules could affect you

While the data management implications of new criminal regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Sarbanes-Oxley Act of 2002 have captured a great deal of attention, recent changes to the (U.S.) Federal Rules of Civil Procedure (FRCP) impose their own requirements on management of archived e-mail and other electronic transmissions.

Unlike Sarb-Ox and HIPAA, which focus on subsets of an organization's activities and primarily on specific vertical industries, FRCP covers everything that could potentially be part of a federal civil suit or tort claim, which means everything in an organization.

Over the last several years, the FRCP committee at the U.S. Department of Justice has conducted a thorough update of the rules in light of the shift in business from paper to electronic communications and records. E-mail was a major focus of this review, says Brian Babineau, analyst at Enterprise Strategy Group Inc., "because people will say anything in an e-mail."

In 2005, "77% of organizations that went through an electronic discovery event had to produce e-mail," he says. And that percentage will only grow over the next few years. Because e-mail production is new in civil cases, however, it raises a number of key questions than the rules changes attempt to answer, among them:

  • What needs to be produced in response to a request?

  • What format does in have to be in?

  • What is a reasonable effort to produce requested documents from archives?

  • How long do e-mails need to be archived?

  • What about IMs and other forms of electronic communications?

The changes contain both good and bad news for IT. Babineau, who has researched them as part of his intelligent information management practice, offers the following information that CIOs and data managers need to know, with the caveat that neither he nor the writer of this article is a lawyer, and nothing in it should be regarded as legal advice:

1. Know what you have

All entities doing business in the U.S. are required to inventory all e-mail and other electronically stored information they have, including everything archived on tape and other media. "Basically, they need to know what they have, what media it is on, where is it and how much it will cost to retrieve it," Babineau says.

This is the bad news for organizations because it applies whether or not they are ever sued and have to produce any of the information. Given that many organizations don't know where all their backup tapes are, much less what old e-mails are stored on desktops and laptops, meeting this requirement can affect their IT budget.

This requirement is driving a boom market for data archiving and indexing tools from vendors such as Solix Technologies Inc., Princeton Softech Inc., Coppereye Ltd. and Hewlett-Packard Co., because they assist in managing structured (database) information. There are several other vendors that specialize in other content archiving and information indexing.

Babineau suggests that organizations should invest in data de-duplication tools as well, because the fewer copies of the same documents the organization has, the easier it is to manage the archive and the less likely that the company will be embarrassed in court by not having a document that opposing counsel had. The best tools combine de-duplication, archiving and automated indexing.

2. Organizations are protected from "fishing trips"

One reason for this requirement is that the FRCP encourages opposing sides to negotiate exactly what documents will be required to be produced before the tort goes to trial. Each document's relevance to the specific case, and the cost in money, time and effort to produce it, are to be taken into account. And documents that are not specifically relevant to the action that are accidentally produced are to be returned to the document's owner. These changes protect against "fishing trips," in which opposing counsel attempts to require production of all e-mails between certain dates or on a general subject or sent to or by a list of people. Thus, building an information inventory via an index ahead of time can save an organization money later.

3. Corporate policies determine what must be archived

Another piece of good news for organizations is that the FRCP contains no specific requirements for what must be archived or how long it must be kept. If the organization follows an established procedure such as deleting all e-mail after two years, as long as the organization does not deviate drastically from that policy, it may not be subject to penalties for not having possibly relevant e-mails from an earlier period.

However, if the organization has the documents that are requested, then it must produce them, even if they should have been destroyed. "This means that it is very important to establish and follow policies concerning how long e-mails and other data types should be kept," Babineau says. It also means that if the organization does not keep backups of IM sessions, for instance, they are not required to start by the FRCP changes. However, it is not always easy to actually delete all copies of an e-mail from corporate systems, so deletion policies must be followed rigorously.

4. Documents can be produced in their native format

The rapid evolution of technologies in the past three decades has often left archived documents trapped in outmoded formats that may be difficult to access or read. Converting these is an expensive process, particularly when large numbers of documents are involved. The FRCP specifically says that documents may be presented to the court in their original formats, relieving the organization of this expense.

5. Work with your corporate counsel

Finally, Babineau says, IT should establish a liaison with the corporate counsel's office because increasing numbers of regulations are imposing requirements on data storage. "If you don't have someone who can bridge that gap between IT and the lawyers in your organization, you need to hire someone." Attorneys, he says, are becoming increasingly knowledgeable of IT, so the communications gap is not as great as it once was.

The primary catalyst for the FRCP changes was the out-of-control electronic discovery expenses that organizations incurred during litigation. As more business is conducted electronically, attorneys are turning their attention of the sources and repositories of e-mail, files and databases to locate the potential "smoking gun." The cost burden of data restoration, processing and analysis has traditionally fallen upon the producing party.

However, there have been case precedents established where, because of the range of the electronic discovery requested, the requestor has also born some of the expenses. The new FRCP is designed to help organizations better negotiate what information exists and the cost to produce it to minimize pretrial electronic discovery hearings and limit discovery "cost shifting" exercises. While these new rules provide organizations some guidance in how to manage electronic evidence more efficiently, the process can still be expensive and the decision of "who is to pay" will most likely still fall in a judge's hands.

Bert Latamore is a journalist with 10 years' experience in daily newspapers and 25 in the computer industry. He has written for several computer industry and consumer publications. He lives in Linden, Va., with his wife, two parrots and a cat.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon