Preserving Electronic Data Is Imperative for Small Businesses

by Michelle A. Beaty, JD

The use of electronic and digital devices permeates just about every aspect of our lives today, personal and professional. From laptops to tablets to smartphones, the use of electronic devices to communicate, to complete and record transactions, to create documents, and to transmit information in the business world dominates. Even if you haven’t been faced with litigation before, let alone an e-discovery request, your chances of having to deal with such a request increase as your reliance on electronic devices to manage your business increases. If you are not knowledgeable and prepared, your small business could run into trouble.

What does an e-discovery request mean for your business or organization? It means a person or business filing suit against you and/or your business can discover not only the e-mails that you or someone in your office sent but also the metadata associated with that e-mail. Metadata is a technical term for information about the e-mail, such as the time and date the e-mail was created, the author, and the location on a computer network where the e-mail was created. Metadata, stored electronically and retrieved forensically, can also tell you when and where a spreadsheet or other document was created, as well as how many times and when it was accessed and/or modified. It can even tell you when an item was deleted. (That’s right—just because you deleted it doesn’t mean it cannot be traced.) It doesn’t take much of an imagination to envision an instance when metadata might tell a more interesting story than the actual e-mail, document or other electronically stored information (ESI).

A Quick History of ESI in Legislation and Litigation

In legal circles, the term “e-discovery” is the buzzword of our times. E-discovery is a broad term used to describe two separate, but related, activities involving ESI. First, it involves the collection of ESI through digital forensics to preserve the integrity and admissibility of the data as evidence, if needed. Second, it involves the review of ESI during pre-trial discovery, including all of its constituent sub-parts, using specialized software. Both aspects are important because the information must be understood in order to be useful and, when it comes to trial, it must be admissible under the rules of evidence.

The Federal Rules of Civil Procedure began to acknowledge and address the prevalence of ESI in modern litigation in 2006.  Most states have followed the federal lead with e-discovery rules of their own. The rules are still evolving as technological advances continue and our use of electronic information continues to expand. Despite the changes that have occurred in the rules and the consideration of more changes for the future, one thing is clear: courts expect organizations to have a plan to preserve ESI and a method to produce it when requested.

The growth of technology and e-discovery also means that you may have certain obligations of which you are completely unaware regarding your organization’s ESI, and some of those obligations are exacting. Just as you may have a retention policy in place for your paper records, your organization needs to implement a retention policy for your ESI. The rules for retaining ESI vary by industry, so it’s vital to know specifically what is required of your business. Some industries, including the financial services industry, pharmaceutical industry, and, of course, healthcare providers have comprehensive regulatory bodies governing how ESI must be retained.  Businesses in other industries should look to state and Federal guidelines, which your attorney can help you sort through.

Developing an ESI Management Policy and Retention Plan

The prevalence of e-discovery in modern litigation does not mean that everything must be saved forever. The law surrounding e-discovery issues has developed in a way that recognizes the burden associated with digital retention is similar to the burden that was once associated with paper record storage. There are the issues of the expense associated with retaining large volumes of information as well as the logistics of how and where items are stored. Digital retention policies, complete with destruction schedules, are not optional, they are necessary, and they must be carefully designed to strictly adhere to the law governing your particular industry. Just like an organization should not make a habit out of keeping every piece of paper that was ever relevant to its operations, it should also design an appropriate digital records retention policy to fit its specific business needs, while at the same time ensuring compliance with applicable law. The goal is to retain the necessary information in a manner which makes it accessible, searchable, and retrievable when needed.

In developing a solid ESI Management Policy and Retention Plan, you should:

You will also need to consult with personnel, your IT staff or consultant, and legal counsel in the development of a suitable policy on retention of your ESI, noting that different retention schedules might be required for different categories of information, different departments within your organization, or even within different levels of management.

Litigation Holds

“Litigation holds” are another aspect of e-discovery that all business owners should understand. These arise in situations where the mere threat of a dispute dictates that files cannot be modified or deleted. They require the issuance of litigation holds, which are, basically, directives to all personnel or an appropriate subset of personnel from management and/or an in-house legal department to immediately begin holding or retaining ESI. The generally accepted standard is that a litigation hold obligation attaches once a legal dispute is reasonably anticipated.

Consequences of an Insufficient Plan

Organizations that do not preserve information long enough to meet their litigation obligations (or other regulatory or governmental obligations) may face severe sanctions as a result. Legal liability for failure to retain or produce ESI when requested hinges on the reasonableness and defensibility of the organization’s policies. If information was prematurely destroyed—no matter whether the destruction occurred because the organization did not have a policy, because it had a policy with “unreasonable” retention periods, or because it did not have tools in place to retain information—that destruction could be the basis for legal sanctions. Those sanctions can include anything from punitive fines to default judgments. Accordingly, organizations need to establish clear, recorded, and defensible retention policies that demonstrate the organization’s attempt to meet its own business needs as well as its legal and regulatory obligations.

An entire industry has developed around software tools and services which help businesses identify, categorize, and retain ESI. In order to best assess your organization’s needs, we recommend that you consult with IT professionals about your current capacity, the need for greater capacity, and the best solutions for your business. Before you do that, however, you need to know your legal obligations, whether regulatory or just to be prepared for potential litigation. To understand those obligations, you should consult legal counsel.

 

For more information, contact the author, attorney Michelle A. Beaty.