Forum: Fraud Prevention
Failure to prepare is preparing to fail: Document Retention Policies and Networks
Posted: 04/24/2002
Imagine that you receive a phone call from an irate former customer who claims he is about to file a suit against your company for breach of contract. Your first thought is likely to warn your legal counsel and management about the pending litigation. Also, your company has a standard policy that clears the e-mail server of archived e-mails every 60 days to keep network costs down. While these two issues may appear unrelated, unless someone makes a link between the two, the company could lose the future lawsuit through court-imposed sanctions for destruction of documents, even if there was no intent to hide the documents. Worse, even if a corporate officer sends an e-mail to the various system administrators to retain all e-mails until the legal situation is clarified, if one of the SysAdmins ignores the memo, the company could still be sanctioned by the court and lose the suit, depending on your jurisdiction.
The duty to preserve documents that the company knows, or reasonably should know, would be relevant in an action against the company is an essential element in the pre-trial "discovery" process. Essentially, the discovery process is where each side seeks information from the other side to prepare their complaints and responses. However, there is a temptation for companies to play fast and loose with potentially incriminating documents in their possession. All one has to do is look at the current Enron fiasco. The consequences of hiding documents can be extremely serious, even leading to criminal charges. Judges have become more sophisticated in recognizing when a company is hiding or destroying documents, and they have a tendency to react swiftly with appropriate sanctions.
This article will attempt to explain the duty to preserve e-mail, explore when the duty kicks in, and set out the essential elements of a document retention policy. However, to cut through the legalese, the concept behind document retention policies is to add some order to the discovery process. It is not feasible to expect a company to retain every document it generates, so it must somehow purge itself of documents. For example, electronic storage can cost a large company hundreds of thousands of dollars each year. So companies are faced with two choices: destroy documents on an ad hoc basis whenever they feel like it, or destroy documents in a routine, non-discretionary manner. If a company destroys documents in an ad hoc manner, it subjects itself to charges of bad faith destruction. A rational and reasonable document destruction plan can eliminate the discretion from the destruction process by tossing out all scheduled documents, not just the troublesome ones.
In reality, many companies will hide behind the retention and destruction policies as justification to delete potentially damaging documents. By setting up the pre-litigation document destruction policies aggressively under the guise of cost and resource control, companies can safely purge troublesome documents with a wink to the discovery process. As discussed below, a company gets into serious trouble after it receives notice that it might be subject to litigation.
I. E-mail and the Duties to Retain Documents:
Under the Federal Rules of Civil Procedure, digital documents are treated the same as paper documents. There is no legal distinction between documents that reside on a computer or in a file cabinet. For example, in Playboy Enterprises, Inc. v. Welles, 60 F. Supp. 2d 1050 (S.D. Cal. 1999), the court held "that by requesting 'documents' under Fed. R. Civ. P. 34, plaintiff also effectively requested production of information stored in electronic form." The Federal Rules of Evidence have also been amended to make it clear that digital evidence is admissible at trial. In Playboy Enterprises, Inc. v. Welles, 60 F. Supp. 2d 1050 (S.D. Cal. 1999), the court ruled that documents that were never even reduced to paper form were discoverable if there is a likelihood that they are relevant to the litigation. Digital documents include text files, voice recordings, and e-mail. However, e-mail can be one of the most devastating documents discovered by the opposition and is therefore one of the most sought after. For some reason, people are more cavalier with their thoughts and opinions in e-mail messages than they would be in person, or in formal documents. E-mail is a great place for one side to get inside the mind and intent of the opposition. Bill Gates and Enron have already learned this lesson. (In an e-mail uncovered during discovery in the anti-trust case against Microsoft, Bill Gates stated, "Do we have a clear plan on what we want Apple to do to undermine Sun?") Also, e-mail is much more difficult to destroy than paper documents because there are so many copies made of each document.
Typically, as an e-mail document is sent, a copy remains on the sender's computer. The sender's e-mail server may retain a copy of the message. Then, there is typically a copy stored on the recipient's computer after he has downloaded it from his e-mail server. Also, there can be a copy of the message stored in a backup file, plus copies of the mail if it was forwarded, automatically or manually, to other locations. Unlike a paper letter, where there may be a photocopy in the sender's records, there are multiple digital versions sitting around on many computers. To make matters worse, even if the sender deletes the e-mail from his computer, the file is still physically intact on his computer until the operating system overwrites the file.
A. The White Zone:
Overall, e-mail retention duties can be divided into two zones – a white and a black zone, with varying shades of gray around the center. The white zone on the time line is when the company is entirely clueless about an impending litigation. In this zone, the company is free to set its own policy for document retention, unless it falls into a regulatory area where it is required to retain documents, such as accounting, medical, legal, pharmaceutical, securities and government/public records. The rationale for destroying documents ideally should be based on cost, not fear of future, unknown lawsuits. A comprehensive policy could set a time period, such as every 60 days, for retaining and destroying all e-mail and documents that are no longer relevant to the company's operation.
B. The Black Zone:
However, when a company receives notice that a complaint has been filed against it, it enters the black zone. The duty to retain relevant documents radically changes. The company has a legal duty not to destroy documents "which it knows, or should have known, would constitute evidence relevant to the case." The courts interpret this quite broadly, and judges will apply the benefit of their hindsight to your foresight. The duty applies to documents that are reasonably calculated to lead to the discovery of admissible evidence. Essentially, this could be any document related to the opponent, and any documents related to the area under litigation. In other words, after receiving notice that you have been sued, it is almost reckless to destroy any documents. It is better to be safe than sorry and sanctioned. The company must avoid the temptation to destroy relevant documents because, in the end, after your employees have been deposed, the truth is likely to come out and you'll be entering the court of an angry judge.
C. The Gray Zone:
So, there are two clear legal time frames: the pre-litigation white zone where you are reasonably free to destroy non-mandatory documents on a regular basis, and the post-notice of litigation black zone, where you essentially must retain all documents that are reasonably calculated to lead to the discovery of further admissible evidence. However, the uncertain gray zone is when you have been threatened with a lawsuit, but it has not been filed. The duty will depend on the individual circumstances of the situation. Unfortunately, the problem is that the reasonableness of your actions is going to be determined by a court using hindsight.
Many courts have held that the duty to retain documents begins when the party "has knowledge that the lawsuit would be filed." Other courts have held that there is a duty to retain documents that are relevant to "potential," "pending, imminent or reasonably foreseeable" litigation. In Computer Assoc. Intern. v. American Fundware, the court held that notice was provided merely by official, pre-litigation discussions between the parties and that there was a duty to preserve documents relevant to potential litigation.
One thing is fairly certain – it is not an excuse to rely on the timing of the filing of the lawsuit with the court. The duty almost certainly predates the actual filing. Judges often take an "I know it when I see it" approach to determining when the party should have been on notice that they should start retaining relevant documents.
In Shaffer v. RWP Group, Inc., the court held that a party had an obligation to preserve evidence even where the party was merely on notice that litigation was likely to be commenced. The circumstance of this "notice" was a discussion that RWP's attorney had with Shaffer's attorney, which was later relayed to an RWP officer. The attorney told the RWP officer that Shaffer was "demanding some huge sums of money." At this point, the court considered the company on notice not to destroy computer files, even though the destruction was a normal course of their business in order to save disk space.
D. Gray and Black Zone Duties:
Once a company enters the gray or black zones, it should immediately consider itself on a war footing, and issue instructions to system administrators and employees about the change in the document retention policy. The system administrators should disable any automatic destruction programs and begin to inventory the directories, server systems, network architecture, and employee desktop and laptop machines. Any request for discovery is likely to inquire about the physical organization of the network at the time of notice. Likewise, employees should be told to carefully monitor their correspondence and not to destroy any documents that the officers of the company have informed the employees might be relevant. If feasible, the employees should be instructed not to destroy any documents.
Even if the evidence is destroyed unintentionally, a jury can be instructed to make an adverse inference against the party that destroyed the documents, or the judge may enter a default judgement against the party. That is exactly what happened to General Nutrition Corporation in California where the company was advised in correspondence that it was going to be sued, and one of the company officers sent out a memo that stated the court "order should not require us to change our standard document retention or destruction policies or practices." The court held that the memo "operated to authorize or condone GNC practices which resulted in the destruction of critical evidence" and granted a default in favor of the opposition.
In Cabinetware, Inc. v. Sullivan, a California court also entered a default judgement against a company that destroyed source code computer files after being served a notice to produce certain files. The defendant claimed that he accidentally "destroyed the evidence by writing over the floppy disks because he needed more disks and did not want to bother to go out and buy additional disks." The court held that he was on notice to preserve the code, he erased the code, and the court entered a default decision against him. The court felt that the "defendant's conduct struck at the heart of the judicial process."
In summary, once the court feels that the company is aware, or should have been aware, that it crossed into the black zone, the penalties for destroying documents and e-mail can be extremely serious.
II. "A bona fide, consistent and reasonable" Document Retention Policy:
Companies that communicate and archive documents in digital form should develop a written record retention policy that categorizes the various types of digital documents, details the company's procedures for handling documents, and schedules the destruction of documents according to their level of sensitivity. Many companies either do not have formal record retention policies, or if they do, they do not include digitally stored documents. A May 2000 ABA survey found that 83% of companies polled by the ABA did not have an established policy for handling electronic document discovery requests.
The costs of not having a document retention policy can hurt even companies with no damaging documents due to the cost of producing the material subject to a subpoena. For example, a former employee sues a company for harassment and discrimination. The company retains a backup copy of every e-mail sent over a 5-year period with no clear document destruction plan. In order to show widespread discrimination, the former employee requests a paper copy of all archived e-mails to demonstrate harassing and offensive e-mails were a regular occurrence. Unfortunately, if the judge believes this is reasonable, then the company may have to bear the expense of printing out thousands of e-mails, or settle with the former employee, even if there were no offensive e-mails in the backup archive. In this hypothetical, even though there were no damaging e-mails, the fact that the e-mails existed subjected them to relevant discovery demands at a potentially considerable cost. Sadly, this extra cost becomes part of the negotiating strategy for a settlement.
Even if a company has a comprehensive policy, if the policy is not adequately enforced and relevant documents were accidentally destroyed, the company may still be liable for the destruction. In In re Prudential Ins. Co. of America Sales Practices Litigation, the court held that a party's "consistent pattern of failing to prevent unauthorized document destruction warranted sanctions, even though no willful misconduct occurred."
Courts realize that it is unreasonable for companies to retain all documents, and that discretion must be applied to document destruction. The reasonableness of the discretion is likely going to be a focal point of interest to the court when deciding on the merits of discovery sanctions. The court in Carlucci v. Piper Aircraft Corp. held that a "bona fide, consistent and reasonable document retention policy may be a valid justification for failure to produce documents."
One court dealt specifically with the reasonableness of a document retention policy. In Lewy v. Remington Arms Co., the Eighth Circuit set out the following reasonableness test for consideration:
(1) whether defendant's policy was reasonable considering the facts and circumstances surrounding the relevant documents (for example, company announcements on social events will not be as relevant as negotiation correspondence)
(2) whether lawsuits concerning the complaints or related complaints had been filed, the frequency of such complaints, and the magnitude of the complaints; and
(3) whether the document retention policy was instituted in bad faith.
A. Types and Forms of Record Categories:
Not all documents have the same level of importance or relevance to potential litigation or regulatory mandates. Modern companies generate incredible amounts of correspondence and commercial documents, from casual e-mails to sensitive personal and client data. While it is impossible to fit all of the document categories into one simple outline for all industries and companies, it can also be counterproductive to develop a highly complex categorization program that confuses more than it clarifies. As a starting point, companies may find it helpful to divide documents into three major categories: required, correspondence and commercial documents.
i. Required Documents:
First, the company must explore any regulatory retention requirements that may be imposed on the company as a result of the type of business it is involved in. For example, there are certain requirements placed on medical, securities, government contractors, and financial institutions. Failure to retain these documents can result in severe financial, and even criminal, penalties. There are also required documents that are not industry specific, such as IRS tax records and OSHA employment records. These documents should be segregated in storage and a protocol for their automatic retention and backup should be developed.
ii. Correspondence
Correspondence documents consist of letters, e-mails, and other non-commercial instruments that are addressed from one person to another. The correspondence does not have to be with outside parties to be relevant. In fact, it is the internal correspondence between co-workers that can be the most damaging because of the level of candor between co-workers.
Correspondence can fall into three categories:
Essential, Non-essential and Borderline
Essential correspondence is correspondence that would likely be relevant to a discovery request. This can place the company in a serious dilemma. Remember that the duty to preserve documents that the company knows, or reasonably should know, would be relevant in an action against the company is an essential element in the pre-trial "discovery" process. Obviously, two co-workers discussing attending a company-sponsored baseball game would not likely be relevant. However, what if the e-mail stated that they were not going to invite a fellow co-worker because of the person's race or gender? Would it then be relevant to a discovery request in a discrimination action? Since the company has no reasonable means to decipher the intent of every personal e-mail exchange, as long as the company avoided the appearance that it deleted such correspondence to avoid liability, such e-mail exchanges might fall into the non-essential category. Correspondence that discusses negotiations and other relevant terms could be beneficial to the company, for example, to demonstrate that certain terms in a contract had potentially different meanings attached by the parties.
Companies should analyze the types of electronic documents generated by their employees and try to determine if there are any reasonable protocols that they can establish to preserve relevant documents. A well-thought-out, reasonable policy might help shield the company from charges of discovery abuse if documents are subsequently determined to be relevant.
iii. Commercial Documents
"Commercial documents" are contracts, policy statements, warranty information, advertising copy, sales receipts, bank statements, purchase orders, insurance policies, etc. These are the foundation of the company's financial activity, and have legal significance. They are usually admissible hearsay under the business records exception if they are kept in the regular course of business activity. Computer generated documents are admissible if there is sufficient evidence that the document is what it purports to be, such as a print out of daily revenue. Retention of these documents can be beneficial to the company in case the company itself seeks to litigate on a commercial issue.
B. Retention Periods for Each Record Category:
Each record category stated above may have a different requirement for retention, either on a regulatory/statutory level or a reasonableness level. Unfortunately, there is not one time period for all documents, and a company's legal counsel should assist the company with determining the retention periods. One rule of thumb to follow is that the retention period for digital records should be the same as for paper records. Some commentators have suggested that the statute of limitations could be used as a guide for the length of retention periods for non-regulatory documents. A statute of limitations is defined as the time within which a suit must be brought for a particular action after the action is discovered. Each state has different statute periods depending on the action charged, so it can be a complex issue when a company conducts business in several states. It might be wise to retain the relevant records for the longest statutory period. A careful consideration of statute of limitations time periods could be used as a "reasonable" argument when defending a retention policy to the court.
As discussed above, the company is responsible for the retention of records, regardless of the effectiveness of the retention policy. Therefore, management must ensure that the document storage systems are configured to match the retention policy and should routinely audit how the system is complying with the policy protocols.
One technique developed by document management software companies is to require the writer to categorize the document before it is written in a set-up process. For example, when a person intends to write a request for proposal on a network-based system, the program would require him to enter "RFP" in the "document type" box from a pull-down menu. If the company has a 2-year RFP retention policy, the document would be stored on the system for 2 years. These systems make it much easier to identify and manage a wide array of documents with different retention periods. Also, "black zone" management is easier to administer because the company can identify which document categories should be protected and pulled out of the routine document destruction plan.
It is often suggested that encryption is a solution to document retention and destruction. However, while encrypting documents will keep them away from prying eyes and nosey employees, it is not likely to protect the documents from discovery – especially from a criminal investigation. Encrypted documents are similar to documents kept in a safe. While they are protected from unauthorized access, they are not protected from those seeking legitimate and authorized access. Refusal to provide the decryption key in a criminal investigation could subject the party to obstruction of justice charges. In reality, the company would have been better off destroying the documents on a routine basis than leaving them subject to discovery. However, in a company that is involved with trade secrets and other sensitive information, it might be wise to encrypt documents within the framework of the document retention policy in order to keep unauthorized persons, or those who exceed their authorization, from accessing the material.
C. Destruction Policy for Each Record Category:
Once a company has categorized its electronic documents into the various levels of sensitivity, determined the required and/or reasonable retention time periods for each category, and developed a functioning system to implement the retention policy, the company must then create a destruction policy for non-categorized documents and time-expired documents. The network system should be set up to permanently destroy the documents on a routine basis. A sudden, inexplicable increase in the pace of document destruction could be a sign of "bad faith" – which is one of the elements the court might apply to your discovery compliance.
As mentioned above, the electronic storage costs can eat up scarce IT budget funds in no time. Also, the more documents that are retained by the company, the more expensive it is to manage the categories and respond to discovery requests. The expense of sifting through all of the records for documents that may be relevant to a subpoena can be extraordinary.
An important feature of any document destruction system should be a "break in case of emergency" lever that can cease the system-wide destruction of documents when the company has been put on "notice" that it is likely to be subject to litigation. At that point, an audit should be conducted to identify documents "which it knows, or should have known, would constitute evidence relevant to the case." The company should operate in "safe mode" until it is clear that the discovery process is over, and that there are no other "potential," "pending, imminent or reasonably foreseeable" actions facing the company. "Safe mode" is the retention of potentially relevant documents and a reasonable, monitored and limited destruction procedure. Companies must be careful that backup recycling is also suspended until further review. This is a point that is often overlooked that can invite sanctions.
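The category-driven retention described in section B and the "break in case of emergency" lever above can be sketched as one purge planner. This is an added example, not code from the original article or from any document management product. The 2-year RFP and 60-day e-mail periods come from the article; every name, the `backup:` location prefix, the other schedule entry, and the rule that unknown document types are never auto-destroyed are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Document type -> retention in days (None = keep permanently).
# The 2-year RFP and 60-day e-mail periods are the article's examples;
# the AUDIT_REPORT entry is constructed for illustration.
RETENTION_DAYS = {"RFP": 730, "EMAIL": 60, "AUDIT_REPORT": None}


@dataclass(frozen=True)
class Document:
    doc_id: str
    doc_type: str      # picked from the "document type" pull-down at creation
    created: date
    locations: tuple   # every place a copy lives; "backup:" prefix is assumed


@dataclass(frozen=True)
class LegalHold:
    matter: str
    doc_types: frozenset                   # categories pulled out of destruction
    suspend_backup_recycling: bool = True  # backups freeze along with live copies


@dataclass
class PurgePlan:
    destroy: list = field(default_factory=list)       # (doc_id, location) pairs
    held: list = field(default_factory=list)          # frozen by a hold
    retained: list = field(default_factory=list)      # still inside its period
    unclassified: list = field(default_factory=list)  # unknown type, needs review
    backup_copies_kept: list = field(default_factory=list)
    recycle_backups: bool = True


def plan_purge(docs, today, holds=()):
    """Decide what the routine destruction run may touch today."""
    plan = PurgePlan()
    held_types = set()
    for hold in holds:
        held_types |= hold.doc_types
        if hold.suspend_backup_recycling:
            plan.recycle_backups = False
    for doc in docs:
        if doc.doc_type in held_types:
            plan.held.append(doc.doc_id)          # hold wins over expiry
            continue
        if doc.doc_type not in RETENTION_DAYS:
            plan.unclassified.append(doc.doc_id)  # fail closed: do not destroy
            continue
        days = RETENTION_DAYS[doc.doc_type]
        if days is None or today - doc.created <= timedelta(days=days):
            plan.retained.append(doc.doc_id)
            continue
        # Expired and not held: every copy must be accounted for.
        for loc in doc.locations:
            if loc.startswith("backup:") and not plan.recycle_backups:
                plan.backup_copies_kept.append((doc.doc_id, loc))
            else:
                plan.destroy.append((doc.doc_id, loc))
    return plan


# Constructed sample inventory (not real data).
TODAY = date(2002, 4, 24)
SAMPLE_DOCS = [
    Document("rfp-001", "RFP", date(2000, 1, 10), ("server:docs", "backup:tape-07")),
    Document("rfp-002", "RFP", date(2001, 6, 1), ("server:docs",)),
    Document("mail-001", "EMAIL", date(2002, 1, 5),
             ("server:mail", "desktop:jsmith", "backup:tape-09")),
    Document("mail-002", "EMAIL", date(2002, 4, 1), ("server:mail",)),
    Document("aud-001", "AUDIT_REPORT", date(1995, 3, 1), ("server:finance",)),
    Document("memo-001", "MEMO", date(1999, 2, 2), ("desktop:jsmith",)),
]

if __name__ == "__main__":
    print("routine run:", plan_purge(SAMPLE_DOCS, TODAY).destroy)
    hold = LegalHold("constructed-matter", frozenset({"EMAIL"}))
    print("with hold:  ", plan_purge(SAMPLE_DOCS, TODAY, [hold]).destroy)
```

With the hold in place the expired e-mail is frozen in every location, and the expired RFP loses only its live copy because backup recycling is suspended.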
Finally, the destruction policy should ensure that all copies of the document are accounted for and destroyed. As explained above, this can be very complex due to the number of copies that are created on multiple computers. The destruction policy should detail the network topology, list the types of document categories residing at different locations on the network, identify which process will destroy the documents and preferably, the person or administrator responsible for the various network zones. Employees should also be educated about deleting appropriate documents residing on their desktop computers.
D. Backup Policy
Companies should also develop a backup policy in the same manner as the retention and destruction policies. Most companies routinely back up their networks and documents and recycle the backup tapes after a certain period of time. However, it is very easy for a company's left hand not to know what its right hand is doing. A court may hold a company liable for destroyed documents that it in good faith thought were stored on backup, but were in fact automatically recycled. And to the surprise of several defendants, creating physical printouts of the documents before destroying them may not provide them any protection if the court determines that the electronic data was more helpful to the requesting party.
III. Conclusion:
The area of document retention policies is as confusing as it is critical to a modern company that archives documents in electronic form. Essentially, it boils down to determining whether there is a requirement to retain a document for a set time period, or whether there is a reasonable justification for a document's destruction. Once a company is put on "notice" that a lawsuit has been filed against it, it enters the "black zone" and has a duty not to destroy documents "which it knows, or should have known, would constitute evidence relevant to the case." If a company has been informed that a lawsuit may be filed, or is imminent, then the company enters the gray zone and must act reasonably. A company is responsible for the manner in which it retains documents, but a "bona fide, consistent and reasonable document retention policy may be a valid justification for failure to produce documents."
In short, the court is likely to apply a reasonableness standard to any document retention and discovery issues. Unfortunately for companies responsible for document retention, the court has the advantage of applying the "reasonableness" standard in hindsight. Therefore, in the long run, a conservative document retention program that does not push the edges will likely compensate for the extra manpower and storage costs. And the lack of any retention plan is a short cut to judicial sanctions. As John Wooden once said, "Failure to prepare is preparing to fail."
Appendix:
Here are some rough guidelines for document retention timeframes:
A. TAX RECORDS:
Any record that substantiates the correct tax amount needs to be retained for a minimum of 3 years after the due date of the tax return. If the company is under an official audit, that 3-year period is extended until the audit is completed.
If the IRS can show you omitted at least 25% of your taxable income, they are entitled to another three-year time frame to complete the review. If the IRS can show fraud, the retention period becomes indefinite.
B. Record Retention Suggestions According to Business.gov
• Accounts payable ledgers and schedules: 7 years
• Accounts receivable ledgers and schedules: 7 years
• Audit reports: Permanently
• Bank reconciliations: 2 years
• Bank statements: 3 years
• Capital stock and bond records (ledgers, transfer registers, stubs showing issues, record of interest coupons, options, etc.): Permanently
• Cash books: Permanently
• Charts of accounts: Permanently
• Checks (canceled; see exception below): 7 years
• Checks (canceled) for important payments, i.e. taxes, purchases of property, special contracts, etc. (checks should be filed with the papers pertaining to the underlying transaction): Permanently
• Contracts, mortgages, notes, and leases (expired): 7 years; (still in effect): Permanently
• Correspondence (general): 2 years
• Correspondence (legal and important matters only): Permanently
• Correspondence (routine) with customers and/or vendors: 2 years
• Deeds, mortgages, and bills of sale: Permanently
• Depreciation schedules: Permanently
• Duplicate deposit slips: 2 years
• Employment applications: 3 years
• Expense analyses/expense distribution schedules: 7 years
• Financial statements (year-end, other optional): Permanently
• Garnishments: 7 years
• General/private ledgers, year-end trial balance: Permanently
• Insurance policies (expired): 3 years
• Insurance records, current accident reports, claims, policies, etc.: Permanently
• Internal audit reports (longer retention periods may be desirable): 3 years
• Internal reports (miscellaneous): 3 years
• Inventories of products, materials, and supplies: 7 years
• Invoices (to customers, from vendors): 7 years
• Journals: Permanently
• Magnetic tape and tab cards: 1 year
• Minute books of directors, stockholders, bylaws, and charter: Permanently
• Notes receivable ledgers and schedules: 7 years
• Option records (expired): 7 years
• Patents and related papers: Permanently
• Payroll records and summaries: 7 years
• Personnel files (terminated): 7 years
• Petty cash vouchers: 3 years
• Physical inventory tags: 3 years
• Plant cost ledgers: 7 years
• Property appraisals by outside appraisers: Permanently
• Property records, including costs, depreciation reserves, year-end trial balances, depreciation schedules, blueprints, and plans: Permanently
• Purchase orders (except purchasing department copy): 1 year
• Purchase orders (purchasing department copy): 7 years
• Receiving sheets: 1 year
• Retirement and pension records: Permanently
• Requisitions: 1 year
• Sales commission reports: 3 years
• Sales records: 7 years
• Scrap and salvage records (inventories, sales, etc.): 7 years
• Stenographers' notebooks: 1 year
• Stock and bond certificates (canceled): 7 years
• Stockroom withdrawal forms: 1 year
• Subsidiary ledgers: 7 years
• Tax returns and worksheets, revenue agents' reports, and other documents relating to determination of income tax liability: Permanently
• Time books/cards: 7 years
• Trademark registrations and copyrights: Permanently
• Training manuals: Permanently
• Union agreements: Permanently
• Voucher register and schedules: 7 years
• Vouchers for payments to vendors, employees, etc. (includes allowances and reimbursements of employees, officers, etc., for travel and entertainment expenses): 7 years
• Withholding tax statements: 7 years