E-Document Management: A Litigator Looks at Retention Policies

For IT professionals, top management and their lawyers, the explosion in awareness and use of electronic documents in litigation presents great challenges.

For example, the widespread use of business e-mail has often required the revamping of document retention policies and the dedication of substantial resources to ensure that the enormous volume of electronic communication is properly treated from the perspective of regulatory and litigation preparedness.

The problem may soon get worse with a similar explosion in the use of new communications methods such as digitized voice mail, a medium that has the potential to become as permanent and accessible as e-mail.

Electronic records are generally subject to discovery in litigation to the same extent as paper records. Yet such records, because of their volume and ease of creation, retention and destruction, can present unique challenges to a business. This article attempts to outline some of the important concepts that a business should consider in constructing a policy to deal with the retention of such e-documents.

First Principles

First, having no policy is a policy. A business that has no centralized policy regarding retention of electronic records in effect delegates decisions about which records to create, retain or destroy to all the employees who have access to record-making or record-keeping functions. Employees with limited perspectives on management and legal issues shouldn't be relied upon to make decisions that could affect the entire business.

Second, "bad" documents are being created, even as you read this sentence. It isn't possible to retain only good documents. Indeed, it's not necessarily possible to determine in advance whether a particular document will help or hurt a business in the event of litigation. A directive to retain only good documents, moreover, could be subject to severe scrutiny in the event of litigation. Thus, any e-document retention policy must be based on neutral principles that can be readily explained and defended in court.

Finally, policies are only words. To be effective, a policy must be implemented. It must also take into account practical business constraints that may affect the ability to implement it. Furthermore, in most instances, some form of training, supervision and troubleshooting must be built into the implementation. Where significant problems arise in implementing a policy, moreover, a business must be prepared to modify its policy to ensure that it works in practice. A poorly implemented policy may cause as much trouble as having no policy at all.

Purposes of the Policy

Before constructing a policy, it's vital to consider its specific purposes. Although it's possible to gain insight by reviewing sample e-document retention policies from other businesses, wholesale copying of another policy generally isn't wise. Each business has unique goals or needs that will affect its policy. If those goals aren't incorporated, the policy will fail, both because employees won't understand and support the policy and because the policy will likely need to be changed at some point to meet the unaddressed needs.

Although the following list isn't exclusive, it may be a useful starting point in determining what the goals of an e-document retention policy should be:

  • Confidentiality: The ease with which electronic documents can be duplicated and transmitted presents a real challenge in protecting trade secrets and confidential legal communications. One of the goals of the policy thus will likely be to identify and control such records in order to protect the legitimate interests of the business.
  • Inappropriate material: Documents that have nothing to do with the legitimate interests of the business generally shouldn't be created; if created, they shouldn't be retained. Many e-document policies state that the computer equipment of the business is for official use only and may specify disciplinary sanctions for inappropriate use.
  • Privacy: The law on worker privacy is highly variable, depending on jurisdiction. It may be particularly important to get legal advice on this issue. In general, however, it may be desirable for a business to clarify whether, and in what instances, workers may have any legitimate expectation of privacy regarding the e-documents they create. Clear notice to employees that there is no such expectation of privacy may be beneficial, in many instances.
  • Regulatory concerns: Businesses in certain sectors are subject to regulatory requirements for record-keeping. Again, it may be very important to get specific legal advice on such regulations. In general, however, one goal of an e-document retention policy may be to ensure that all necessary records are retained and to make it easy to demonstrate to government authorities that record-keeping requirements have been met.
  • Burden and cost: Reduction in the burden and cost of record-keeping is often an essential goal of a records-retention policy. For many businesses, an essential element of burden and cost reduction has been the destruction of records on some regular schedule. Although destruction (or write-over) of electronic documents may, in many instances, remain an essential element of a document retention policy, with increased and cheaper electronic storage, destruction may not always be the only method to reduce the burden and cost of record-keeping. Increasingly, sophisticated forms of imaging, indexing and storage permit low-cost retention and retrieval of materials. Still, the burden and cost of reviewing and producing large volumes of nonessential materials in the event of litigation may remain a legitimate concern.

Unique Problems in E-discovery

In general, any e-document retention policy should be consistent with (and ideally, part of) the general document-retention policies for the business. Employees shouldn't have to learn one set of rules and principles for paper documents and another set for electronic documents. Despite that general advice, there are certain unique problems that can arise in e-discovery, which should be taken into account in constructing an e-document retention policy. Among such problems are the following:

  • Spoliation: This generally refers to destruction of evidence that may be relevant to actual or imminent litigation. The law of spoliation varies by jurisdiction, and specific legal advice is required. In general, however, e-document retention policies must be drafted with the possibility of litigation in mind. In the event of actual or imminent litigation, a business may have a duty to preserve relevant records. Indeed, experienced litigators may make retention of e-documents one of their first demands in the event of actual or threatened litigation. If a business routinely destroys records, it must be prepared to suspend that routine in the event of notice of actual or imminent litigation.

    Electronic records, in particular, present unique spoliation problems because they often aren't designed to be permanent. For example, many e-mail systems routinely delete messages after the passage of a relatively brief period of time. Other systems, like instant messaging and internal bulletin boards, delete communications even more rapidly. Still other systems, with shared documents or documents that are regularly updated, cause changes to be made in records, which might run the risk of being labeled as spoliation in some circumstances.

    One solution to these problems, if required by applicable law or court order, is to take a "snapshot" of data when actual or imminent litigation appears. Such a solution, however, is difficult to implement on an ad hoc basis. E-document retention planning, therefore, should include some consideration of how the business could preserve electronic records that are otherwise routinely destroyed, if it were required to do so.
  • Multiple locations and copies: The decreasing cost and increasing capacity of computer and communications equipment have made it possible to generate and store electronic information in more places than ever before. An e-document retention policy should take account of the fact that an employee may generate and store electronic documents from a desktop, laptop, home computer, handheld device or other means. The policy should be clear as to what are authorized, official operations. And where destruction of documents is directed, steps should be taken to ensure that additional copies of the documents aren't retained in unauthorized, unknown locations.
  • Destruction difficulty: Related to the problem of multiple locations and copies of records is the fact that the destruction of electronic records may be incomplete unless extraordinary steps are taken. For example, many e-mail systems provide a delete function that lets users eliminate messages they no longer require. The record may not be deleted entirely, however. Often, the data continues to reside on a server, until the computer storage space is overwritten with some new data. Similarly, there may be metadata attached to a document, which can reveal much about the creation and editing of the document but which the user generally doesn't see. Thus, even if all drafts of the document are destroyed, the metadata may still be retrieved.

A document-retention policy must establish a protocol for ensuring that any destruction directive is fully implemented. A critical part of the policy may be considering which technical solutions (such as encryption of e-mail, periodic destruction of e-mail encryption keys or automatic overwriting of deleted materials) can most effectively address this problem. The policy may also require periodic reviews or other means to ensure compliance with the policy.

Key Policy Provisions

The construction of an e-document retention policy is an individualized exercise, requiring input from business, legal and technical experts. There's no one-size-fits-all policy. In general, however, most policies will contain some or all of the following provisions:

  • Statement of purpose: What should employees and outsiders (like a litigation adversary or court) understand as the reasons for the policy?
  • Statement of scope: Does the policy apply to the business as a whole, or to specific departments or functions? How does the policy relate to any other document retention policies?
  • Statement of responsibility: Who is responsible for implementing the policy? If there are questions about the policy, to whom should they be directed?
  • Exceptions: Are there any exceptions to the policy? How should requests for exceptions or exemption from the policy be made and approved?
  • Retention period: What is the length of time that's generally appropriate for retention of records? Are there some categories of records that must be retained for a longer period or that should be destroyed in a shorter period?
  • Method of retention: What are the authorized locations for retention of records? Under what circumstances should drafts of documents be retained? For documents that are no longer of immediate use but that should otherwise be retained, what method of long-term storage is provided?
  • Confidential materials: What materials are considered to be confidential, and how should they be handled? How are communications with counsel to be handled? Are there some categories of extremely sensitive materials that require even more protection?
  • Personal and unauthorized use: Are there any circumstances under which an employee may use computer or communications equipment for personal purposes? If not, what are the consequences of unauthorized personal use of such equipment? What, in particular, are the consequences of inappropriate use of such equipment?
  • Privacy: Are there any circumstances where an employee should expect that some portion of records will remain private? What are the categories of such records? What systems will be used to ensure that unauthorized access to such records won't occur?

Conclusion

In constructing a policy, the tail shouldn't wag the dog. An e-document retention policy should be written by and for the business executives, administrators and employees who will implement the policy. Lawyers have a role to play in reviewing it by identifying legal issues that may affect the policy and in ensuring that the policy conforms to applicable legal requirements. However, lawyers shouldn't substitute their opinions for the business judgments of those who run the organization, and they shouldn't attempt to force an organization to conform to a policy that isn't adapted to the actual needs and circumstances of the business.

Technology and law are changing rapidly in this area. Although construction of an e-document retention policy may seem to be cutting-edge today, there will come a time (soon) when any substantial business without a thoroughly planned, effectively implemented e-document retention policy will operate at a serious disadvantage. A policy that seems appropriate in today's business, legal and technical environment, moreover, may well require revision as that environment changes in coming years.

Steven C. Bennett is a partner in the New York office of Jones Day and a member of the law firm's E-Discovery Committee. The views expressed are solely those of the author and shouldn't be attributed to the author's firm or its clients.

Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon