By Joe Bartling, Bartling Forensic LLC
Many companies have absolutely no idea how much electronically stored information (ESI) is resident in their firm at any given point in time, much less how much of it might be subject to, or relevant to, a particular investigation or litigation. Certainly, the firm wants to employ “best practices” in this area of electronic document retention, retrieval and destruction. But what exactly is the “best practice”?
The question seems simple enough, and the answer should be simple too, right? Well, the answer to the question depends on who you ask. To a records manager or administrator at your firm, those electronic and paper documents designated by the company’s published records management and destruction policy to be specifically defined as “records” are narrowly defined as “those records we send off to our offsite storage vendor.” Many records management policies, and hence the administrators of such records, leave the definition of “record” up to the business unit personnel that create the document.
Records managers rarely consider electronic information they have no access to as “records.” This includes documents or data residing on other employees’ hard drives, e-mail servers or enterprise application systems. Most enterprise storage and database software vendors want their customers to define all electronically stored information as “records,” or at least define them as pertinent and, as such, valuable to the company.
They use broad labels such as “knowledge management” or “enterprise content management” in an attempt to classify all information in the same light as “records,” which have a much higher classification. Using this criterion, they define “best practices” as “archive everything.” They use the rationale that you can search everything and retrieve everything ever created at your company.
Rarely is this “archive everything” strategy appropriate for companies. In the end, these vendors endeavor to sell you massive quantities of storage devices and expensive, complicated software to manage it. Some companies want to classify all e-mail in the firm as a “non-record,” and therefore, not subject to any preservation, document retention or archive management. This idea or argument is archaic and could not be considered credible in this age of instant electronic communication and in the light of the recent Federal Rules of Civil Procedure (FRCP) amendments regarding electronic discovery. It is common practice in most companies today to conduct almost all business via e-mail or other methods of electronic communication. Terms and conditions of many business transactions are negotiated, transacted and confirmed using e-mail, voice mail, and even instant messaging and short message service (SMS) “texting.”
So what is the “best practices” approach for your firm? The “best practice” for electronic document retention at your firm can be broken down into three crucial components: policies, people and practices.
Before the FRCP for e-discovery were amended in December 2006, most firms had a records management policy that focused on paper “records.” (In fact, many of those policies are still in effect today.) A common practice back then was to instruct employees to print a hard copy of e-mails that they determined met the criteria for a “record,” and save that hard copy in a file.
The new rules changed that. Rather than treating only the printed-out copy of an e-mail as the preservable and producible “record,” the original electronic version of the e-mail itself would be classified as “electronically stored information” and potentially subject to preservation and production. This electronically stored version of the e-mail inherently contains significantly more information than the printed copy. This information is usually called “metadata” or “data about data.” In its native, electronic form, the e-mail message may contain information in addition to the “To:”, “From:”, “Cc:” and “Bcc:” addresses typically found in an e-mail header.
Metadata includes, for example, information identifying the path that message has traveled through the network, information about whether the message has been read, opened, deleted or exists in draft form, expanded recipients such as distribution lists, or “rich text” formatting such as bold, underline, table, numbering or other formatting.
In a Microsoft Outlook system, each message includes a MessageID header that uniquely identifies each individual message. When a user replies to or forwards a message, the “chain” of messages is maintained in that the system includes each and every MessageID from all of the component messages in the chain. The MessageIDs are extremely useful in identifying who sent or read particular e-mail messages. They are also useful in identifying duplicate e-mails in the system to facilitate review.
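The sketch below is an added example, not part of the original article. It shows how the header metadata described above can be read from native e-mail to count relay hops, remove duplicate copies and rebuild reply chains. It assumes messages exported as standard Internet mail text with `Message-ID`, `References` and `Received` headers; the sample messages, addresses and IDs are constructed.

```python
import hashlib
from collections import defaultdict
from email import message_from_string

# Constructed sample messages (hypothetical addresses and IDs, for illustration only).
SAMPLES = [
    # Original message, as collected from the sender's mailbox.
    "Received: from client.example.com by mx1.example.com; Mon, 5 Mar 2007 09:00:01 -0600\n"
    "Message-ID: <a1@example.com>\nFrom: alice@example.com\nTo: bob@example.com\n"
    "Subject: Contract terms\n\nDraft attached.\n",
    # Same message collected from the recipient's mailbox (one more relay hop).
    "Received: from mx1.example.com by mail.example.com; Mon, 5 Mar 2007 09:00:02 -0600\n"
    "Received: from client.example.com by mx1.example.com; Mon, 5 Mar 2007 09:00:01 -0600\n"
    "Message-ID: <a1@example.com>\nFrom: alice@example.com\nTo: bob@example.com\n"
    "Subject: Contract terms\n\nDraft attached.\n",
    # Reply, which carries the original's ID in In-Reply-To and References.
    "Received: from client2.example.com by mx1.example.com; Mon, 5 Mar 2007 10:15:00 -0600\n"
    "Message-ID: <b2@example.com>\nIn-Reply-To: <a1@example.com>\n"
    "References: <a1@example.com>\nFrom: bob@example.com\nTo: alice@example.com\n"
    "Subject: RE: Contract terms\n\nAgreed.\n",
]

def extract_metadata(raw):
    """Pull the header metadata a printed copy would not show."""
    msg = message_from_string(raw)
    return {
        "message_id": (msg["Message-ID"] or "").strip(),
        "references": (msg.get("References") or "").split(),
        "hops": len(msg.get_all("Received", [])),  # relay path length
        "subject": msg["Subject"],
    }

def dedupe(raws):
    """Keep the first copy per Message-ID; return (unique metadata, duplicate count)."""
    unique = {}
    for raw in raws:
        meta = extract_metadata(raw)
        # Messages lacking a Message-ID fall back to a content hash so they never merge by accident.
        key = meta["message_id"] or "no-id:" + hashlib.sha256(raw.encode()).hexdigest()
        unique.setdefault(key, meta)
    return list(unique.values()), len(raws) - len(unique)

def group_threads(metas):
    """Group messages by the first ID in References (the root of the chain)."""
    threads = defaultdict(list)
    for meta in metas:
        root = meta["references"][0] if meta["references"] else meta["message_id"]
        threads[root].append(meta["message_id"])
    return dict(threads)

if __name__ == "__main__":
    unique, dupes = dedupe(SAMPLES)
    print(dupes, group_threads(unique))
```

The two copies of the first message differ only in their `Received` headers, which is why de-duplication keys on the message identifier rather than on a hash of the whole file.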
Because of these and other factors, the company’s policies must address these new realities. That said, here are some guidelines that should be addressed in a document retention policy:
- Make sure the policy properly signifies electronically stored information, including files and e-mail, as “records” if they otherwise meet the criteria for the company’s definition of “record.”
- Make sure that the company’s Records Management, Retention and Destruction Policy is consistent and in sync with the terms, definitions and acceptable use of the company’s e-mail Use Policy and Acceptable Computer Use Policy, if those policies are separate.
Policies don’t work if they are not implemented by people. Your people are your employees. Some of your employees have an appreciation for electronic records management, and some do not. You could expect that the employees who work in your records management group or those in your forensic accounting group would have more knowledge about this subject than the average employee, but you might be surprised. Records management is a demanding discipline requiring years of training and education. Many records managers are not information technology (IT) types and may not have enough technical knowledge and ability to use records management software.
Your company’s IT personnel are focused on keeping the systems up to support the critical business functions of the company. They work on security plans and testing, software testing and patching and disaster recovery including backup and recovery. Given those responsibilities, electronic document retention usually isn’t in the forefront of their minds when they go about the performance of their duties. Until the preservation request or litigation hold request comes in, that is.
When that happens, it’s hard for many of them to balance the demands of implementing a litigation hold or electronic evidence preservation with the demands of the routine day-to-day work that normally keeps them extremely busy.
Many employees have never received a litigation hold notice and may not understand what their obligations are. Many times they are not aware that a particular notice applies to them. They could just think they are on a mailing list, and that this notice is like many other e-mails from the company that they ignore, like birthdays and brownies in the kitchen. Even employees who routinely get such notices can have a difficult time determining which notices apply to them for which information and for what time period. Sometimes it’s not clear to them which notices supersede other notices, or which notice has precedence over another.
They might be under a notice to preserve some information for a specific time period, and other types of information may be subject to an “ongoing preservation” notice, subject to some day in the past until some day in the future, or seemingly forever.
Effective communication is the answer in all of these situations. Some employees need more information, education and training than others. For example, the assistant to the managing partner and the human resources director would need a higher level of training than mailroom personnel.
It is up to the company to develop a communication plan that is focused on the tested and measured results, not merely that “notice was given to employee X on a given date.” Companies need to test the effectiveness of their communications, ensuring that employees are complying with the notices that apply to them. This can be done with sampling and forensic testing, accompanied with interviewing. Answers given in sample IT document-retention interviews can be cross-referenced with forensic testing results to ensure that employees are correctly interpreting and applying the instructions they receive with regard to litigation holds or other communications regarding their electronic discovery obligations. Such testing can also serve to identify gaps in the practices or the manner in which they are communicated across the company.
Knowing upfront that your employees can and will comply with routine electronic records management, as well as specific litigation hold or preservation requests, will ensure that there will not be a panic if a notice comes.
Practices are the things your firm actually does to implement stated or unstated policy. From the firm’s viewpoint, it implements particular practices for an intended purpose. For example, your firm may have an automated process to sweep e-mail from Inbox or Sent folders into the “Deleted Items” folder for a day or so, then permanently delete, or “double delete,” the message from the e-mail server to implement a 30-day e-mail retention policy.
This sounds well and good, but in some instances the practices employed have a different result than the outcome desired. For example, your firm may impose a limit on mailbox size so that IT has a manageable (and cost-effective) e-mail server environment. Let’s say the e-mail administrator limits mailbox size to 50MB. The average corporate e-mail user, according to a 2005 study by The Radicati Group, sends 34 and receives 99 e-mail messages every day. This equates to a volume of about 15MB per business day. With the mailbox limit set to 50MB, the user quickly exhausts their 50MB limit with the accumulation of only three days’ worth of e-mail. Because the user does not want his or her e-mail service restricted by the administrator, the user is forced to decide whether to save or delete e-mail within the three-day window. The user is forced to move messages out of the system within three days, thereby negating the system-imposed 30-day archive and deletion practice. Rarely would an e-mail survive long enough in the e-mail system for the automated process to have its intended effect.
So where do these e-mails (along with their attachments) go? Most users archive (or move) messages, sometimes en masse, to personal folders on their hard drives. The more sophisticated ones do this automatically using filters. Some users save their archive files to portable devices, such as thumb drives, or external CDROMs, or USB drives. Some, in the absolute worst possible case, actually forward business-related e-mail to their personal accounts (like Gmail, Hotmail, or AOL), where they might have several GBs of free available storage.
All of these files, wherever they exist, would be recoverable and potentially producible in the event of litigation. Understanding how employees actually use their computers at work, including how they manage their e-mail and save their business documents, is crucial to setting up an effective practice that actually accomplishes the intended purpose.
Again, forensic testing and analysis, including employee interviews using a sampling methodology, can uncover and help in measuring the risk exposed by these potential electronic evidence holes.
The “Best Practice” for electronic document retention at your firm should be uniquely yours, developed with your policies, people and practices as the crucial components. There is no “silver bullet,” no easily implemented, one-size-fits-all “best practice.” The true best practice is proactively addressing these issues and testing your firm’s policies to ensure that everything is working smoothly and as intended so that your company is prepared if litigation comes.