Something You Never Want To Have To Tell A Judge

Posted by Gregg Mayer on Friday, February 15th, 2008   

Attorneys for New Century Financial Corp. had to confess to a United States Bankruptcy Judge that, due to a “mishap,” more than 700,000 email messages were not disclosed to the bankruptcy examiner. The attorneys blamed an outside vendor. Because of the misplaced email, more trouble may loom for New Century with the bankruptcy court:

As for the document production mishap, Missal [the bankruptcy examiner] has not yet made any filings about it. But he has consistently complained about delays and difficulties in conducting the investigation. The U.S. trustee in the case seized on New Century’s e-mail admission to support Missal’s pending request for more time to complete his investigation.

“Based upon communications with the examiner, the U.S. trustee understands that the debtors previously indicated to the examiner that the e-mails at issue had, in fact, been produced,” the trustee wrote.

The “mishap” highlights the importance of having reliable email archiving. Know where your email messages are and know how to get them.

Read the story here.

Regulation Means Retention for Years – Email and All

Posted by Gregg Mayer on Thursday, February 14th, 2008   

CIOs must implement record retention policies – including retaining email - that comply with a vast assortment of federal regulations. Often, companies must craft different retention periods for various types of communications to meet the demands of federal regulation.

Knowing what to keep and how long to keep it can be a monumental task.

For example, some records are not covered by any regulations and can be discarded under the company’s own policy – maybe in as little as 30 days. Other records – including relevant email - may need to be retained for as long as 30 years, if not permanently.

The problems of retention are compounded by the proliferation of email for business use. Thousands of email messages pour in and out of a company. Knowing where this email goes and what information is in it is a critical necessity. More importantly, knowing how long the information must be retained is necessary to ensure regulatory compliance.

In order to be prepared, CIOs need to ensure they have an active and comprehensive retention policy. They need to make sure their archiving systems properly retain relevant records. They need to know where all of that email is and how they can get to it when the regulators (or lawyers) come calling.

Just as important, they need to know how long the regulatory timelines require the information be stored. Below is a synopsis of various timelines established by regulations that affect numerous companies:

Family Medical Leave Act (FMLA)
Generally, records must be kept for three years. This includes basic payroll documents, names of employees, addresses and occupations, hours worked and total compensation, among other related information. Keep in mind the FMLA also requires records be kept pertaining to employee leave taken under the FMLA, as well as any records regarding leave disputes.

Title VII of the Civil Rights Act of 1964
Any information about race or ethnicity of employees should be kept permanently and separately. Other information relating to personnel decisions, including requests for reasonable accommodation and application forms, must be kept for one year.

Americans With Disabilities (ADA)
Requirements under the ADA mirror the requirements of Title VII. Generally, retention is one year.

Fair Labor Standards Act (FLSA)
The length of time to save records under the FLSA depends on the type of records. Here’s a general breakdown:

• Keep these records two years: Under the regulations, companies must keep “basic employment and earning records,” as well as wage rate tables and assortment of other related material for two years.
• Keep these record three years: Payroll records, certificates, agreements, plans and notices must be kept by the employer for three years.

Equal Pay Act of 1963
In addition to having the same compliance as the Fair Labor Standard Act, an employer must preserve for two years records that relate “to the payment of wages, wage rates, job evaluations, job descriptions,” and an assortment of related records.

Age Discrimination in Employment Act of 1967
Similar to the FLSA, this Act implements a three-year retention requirement for payroll and related records containing information about the employee’s identity such as the name, address, date of birth, and rate of pay.

In addition, employers must keep for one year information such as job applications, resumes, or other job inquiry information. This also includes other information such as job postings.

Employment Retirement Income Security Act (ERISA)
ERISA regulations actually specify the use of electronic media for retention of records, and demand they be kept in “reasonable order and in a safe and accessible place, and in such manner as they may be readily inspected or examined (for example, the recordkeeping system should be capable of indexing, retaining, preserving, retrieving and reproducing the electronic records).”

Records necessary to determine benefits to employees must be kept permanently. Welfare and pension records should be kept five years, and supporting documents for ERISA filing should be kept six years.

Occupational Safety and Health Act (OSHA)
Generally, information should be kept for five years after the end of the year in which the information pertains (such as an accident, illness, etc.) Records for serious adverse reactions must be kept up to 30 years.

Federal Acquisition Regulations (FAR) Subpart 4.7 Contractors Records Retention
Information, such as books, documents, accounting procedures, and other data, including email, must be kept for three years after final payment under the contract.

Health Insurance Portability and Accountability Act (HIPAA) of 1996
Employers should retain various records, such policies and procedures, patient privacy data, certificates of coverage and other coverage information, for six years. Records must be kept for two years after a patient’s death.

Employee Polygraph Protection Act
Records relating to reasons for conducting polygraph examination and other related materials must be kept for three years.

Sarbanes-Oxley Act of 2002
Generally, public companies should save business records, including email and other ESI, for five years, although the Act specifies various retention periods for different types of records.

Labor-Management Reporting & Disclosure Act of 1959
Records, including back-up and supporting documents, required by the Secretary of Labor must be kept for at least five years.

Federal Withholding
Under the Federal Insurance Contribution Act (FICA), the Federal Unemployment Tax (FUTA) and Federal Income Tax Withholding regulations, records pertaining to federal taxes must be kept for at least four years. This includes identity and wage information.

Davis-Bacon and Copeland Act
Employers with federally funded projects should keep information for two years, including records relating to the periods of contract, pay records and work records.

National Labor Relations Act (NLRA)
Any collective bargaining agreements, including correspondence with the union, must be kept for seven years from conclusion of contract.

Immigration Reform and Control Act of 1986 (IRCA)
Employers should keep for three years after date of hire (or one year after termination) information about employee’s identification and work authorization.

SEC Rule 17a-3, a-4
Broker-dealers must retain comprehensive records, including email, of securities transactions for at least six years. The first two years they must preserve the documents in a reasonably accessible place.

Check back to this blog for individual posts about different regulations and how they may impact you.

Best Buy Off The Hook – This Time

Posted by Gregg Mayer on Monday, February 11th, 2008   

Best Buy Stores recently stared down the barrel of having to pay more than $120,000 to restore back-up tapes of electronically stored information in a lawsuit that Best Buy had instigated. The district court in Minnesota, however, ruled the tapes are not reasonably accessible and Best Buy won’t have to dig them up unless the other side can show “good cause.”

As background, Best Buy brought a lawsuit against several landlords for a variety of reasons, including breach of contract and fraud.

Separately, in another lawsuit, Best Buy had prepared a database – called the Odom database – of ESI. Subsequently, Best Buy “downgraded” that database while the separate lawsuit against the landlords was pending.

The landlords said there was relevant ESI on the Odom database and Best Buy should have to restore it for the current litigation. Best Buy said it would cost $124,000, plus a monthly storage fee, to restore it. Best Buy’s lawsuit seeks about $800,000 in damages (although that could be enhanced).

The court agreed that Best Buy did not have to preserve the Odom database for the lawsuit against the landlords. Although the database would have had relevant information, the court explained:

The database, however, would have been potentially relevant to virtually any litigation involving Best Buy because of the quantity and nature of the information it contained. Absent specific discovery requests or additional facts suggesting that the database was of particular relevance to this litigation, the court determines that Best Buy did not have an obligation to maintain the Odom database at a monthly cost of over $27,000. Moreover, by downgrading the database, Best Buy did not destroy the information it contained but rather removed it from a searchable format. Therefore, Best Buy did not have a duty to preserve the Odom database as of July 27, 2006, and it need not restore the information to searchable format unless defendants establish good cause.

In other words, the information on the Odom database was likely available from other Best Buy sources and the cost to restore the Odom database was disproportionate to the value of doing it. The landlords needed more “particularlized arguments” – and a showing of “good cause” – before forcing Best Buy to restore the Odom database.

Of course, this case could have gone the other way too. After all, Best Buy admits the ESI was relevant to the case at hand, and although $124,000 is a lot of money, it is conceivably not overly prohibitive for a company the size of Best Buy to pay it.

Read a discussion about the case and the other Odom case too.

What are the FRCP and Why Do I Care?

Posted by Gregg Mayer on Friday, February 8th, 2008   

Generally, CIOs don’t have to know much about the Federal Rules of Civil Procedure. That’s why you pay your lawyer. Your lawyer spent three years in law school and years of practice trying to master the rules.

However, with changes made to the rules in 2006 pertaining to electronically stored information (“ESI”), you will want to be on top of what one of the amended rules provides because odds are your lawyer will be rushing to you to ask: “Now, where is the ESI and how much do you have?”

There are more than 80-something Federal Rules of Civil Procedure. These rules govern the procedural dos and don’ts of courtroom activity. Judges and the lawyers before them are bound to follow these rules in federal court.

One rule you should be familiar with is Rule 26, a general rule governing “discovery” in court proceedings. Discovery is a process for both sides in litigation to learn what the other side has.

Effective Dec. 1, 2006, several parts of this rule were amended to include “electronically stored information” as part of the discovery process. Early in the litigation, your lawyers will want to know how many archived databases you have, what is on them, how much is on them, and how they can be accessed. This information is critical to discovery. Most likely, your lawyer won’t know much about how your ESI is archived unless you have already had a face-to-face to talk about it. You should do that. The more you know, the more your lawyer can know, and the better the process will run.

Why is this important? Not knowing – and, consequently, failing to disclose to the other party – a compete and accurate record of your ESI may prove costly down the road. First, discovery proceeds quickly once litigation begins. Within as little as a few weeks you may have to turn over ESI.

Moreover, courts may sanction parties for not complying with discovery. Sanctions may include excluding evidence (no matter how helpful the evidence may be to you), or even giving the jury an adverse jury instruction (that is, an instruction that whatever you did not produce should be considered in the worst possible light against you). Failing to comply with discovery is the quickest way to lose a lawsuit.

To give you the larger picture, here is a list of the rules amended to include ESI, including the multiple changes made in Rule 26:

• Rule 16(b) –The pre-trial scheduling order may address electronically stored information. The lawyers can talk about how much ESI each side has. In all likelihood, your lawyers will rely on you to tell them what ESI you have.
• Rule 26(a) – ESI is included in initial disclosures to the other party. Just like other basic information that parties generally must disclose to the other side (names of people with relevant information, lists of documents that may be relevant), ESI is now part of those disclosures.
• Rule 26(b)(2) – Addresses what happens if ESI is inaccessible, including a court’s authority to require disclosure upon a showing of good cause.
• Rule 26(f) – Parties must meet and confer on e-Discovery issues before pretrial scheduling conference.
• Rule 33(d) – ESI may be referenced as a type of business record to answer interrogatories (written questions to the other side).
• Rule 34 – Discusses what form to produce ESI and notes requesting party may specify how it wants the ESI.
• Rule 37 – A “safe harbor” provision that provides that a party will not be sanctioned for the inadvertent loss of ESI based on the routine, good faith operation of the IT system (*note, it is still unclear the reach of this so-called “safe harbor” and courts still retain an inherent authority to sanction).
• Rule 45 – ESI is subject to subpoenas.

Keep in mind, the case law is developing rapidly to interpret these rules. Check back with this blog to learn more about the individual rules and how they can impact company operations.

If I Am Sued, Do I Have to Disclose My Metadata?

Posted by Gregg Mayer on Thursday, February 7th, 2008   

Metadata is the hidden stuff. It’s the information stored in electronic files, including email, that may not be apparent to users.  It includes the dates a file was accessed, modified, sent, received, the names of whomever opened and changed it, and even the prior versions of a document. One area of development in the e-Discovery frontier is whether metadata must be disclosed along with the other electronically stored information. The answer is simple: maybe.

No consensus exists that metadata must be disclosed. One reason is the Federal Rules of Civil Procedure do not directly address whether metadata must be disclosed. Instead, this is a matter that is left to the judges.

One thing is clear:  Metadata certainly can be discoverable in litigation (some judges have already decided that), but it is not clear if it always has to be disclosed.

Consider two cases:

In the 2005 Kansas federal case of Williams v. Sprint/United Management Co., the plaintiff sued for age discrimination. She wanted to look at spreadsheets showing the employment history of the company.

When the company turned over the spreadsheets, it blocked out the plaintiff’s ability to see the metadata. The plaintiff complained.

The court decided that the metadata should be available to the plaintiff and ordered the company to reproduce the spreadsheets with the metadata in tact. In fact, the court said metadata should always be produced unless a party objects. In the judge’s words:

…the Court holds that when a party is ordered to produce electronic documents as they are maintained in the ordinary course of business, the producing party should produce the electronic documents with their metadata intact, unless that party timely objects to production of metadata, the parties agree that the metadata should not be produced, or the producing party requests a protective order.

On the flip side, about a year later in a Kentucky federal court, the judge disagreed with the Kansas judge in the Sprint case. In Kentucky, the judge explained there should not be a default rule of always disclosing metadata. On the contrary, the plaintiff in this case failed to show a need for the metadata and was not allowed to get it. The court stated:

The issue of whether metadata is relevant or should be produced is one which ordinarily should be addressed by the parties in a Rule 26(f) conference [the initial meeting of the lawyers to talk about discovery]. Here, the parties clearly had no agreement that the electronic files would be produced in any particular format. Plaintiff did not notify defendant ISC that it sought metadata until seven months after ISC had produced both hard copy and electronic copies of its documents.

Plaintiff has not made any showing of a particularized need for the metadata. Although plaintiff argues generally that it “needs document custodian information for the prosecution of its case”… plaintiff does not identify any specific document or documents for which such information would be relevant…In most cases and for most documents, metadata does not provide relevant information… Depending on the format, the metadata may identify the typist but not the document’s author, or even just a specific computer from which the document originated or was generated.

In short, whether you have to disclose your metadata depends on the facts of your case.

Without Effective Email Archiving, ‘Clawback’ and ‘Quick Peek’ Agreements May Be Only Options

Posted by Gregg Mayer on Wednesday, February 6th, 2008   

If you don’t have an archiving system that can quickly and effectively retrieve specific, relevant email and other ESI, then you may be looking at having to open up all of your ESI – confidential material and all. Under the federal rules, “clawback” and “quick peek” arrangements are two possible ways to deal with e-Discovery in litigation. CIOs should know a little something about them because these concepts evolved due to the proliferation of ESI.

The better you understand your ESI archiving, and the better your archiving system, then the better choices you and your lawyers can make when it comes to deciding how to deal with e-Discovery.

Under a “clawback” agreement, you opt to give the other side all of you ESI, and then you “clawback” any inadvertently disclosed privileged material that you shouldn’t have given them.

Under a “quick peek” arrangement, both sides agree that the party requesting the ESI may hire a technology expert to access the other party’s computer system. The expert extracts all of the ESI and turns it over to the party who requested it. That party then reviews the ESI, pulls out what it wants, and then shows it to the producing party to see if anything in there might be privileged. If it is privileged, it cannot be used.

As you might imagine, neither of these arrangements are exactly ideal. In both cases, there is a risk confidential and privileged information may be disclosed to the other side. Even if the other party cannot use it, the cat is still out of the bag.

Your lawyer will want to know from you how your ESI is stored. Whether the “clawback” or “quick peek” is appropriate will depend on how well information is archived and how quickly and specifically it can be retrieved. The better your email archiving system, the better your choices.

Here’s a discussion of clawback and quick peeks.

What Would The Most Famous E-Discovery Judge Do To Ensure ESI Was Properly Maintained?

Posted by Gregg Mayer on Monday, February 4th, 2008   

Judge Shira A. Scheindlin, who gained fame for her multiple opinions on e-Discovery in the precedent-setting Zubulake case, told interviewers the top 10 things she would do if she were suddenly off the bench and general counsel for a Fortune 500 company:

1. I would be sure there is a well-thought-out records retention policy in place for business purposes that takes into account any statutory or regulatory obligations.
2. I would make sure that someone is really in charge of records retention and that she knows what she is doing. This person should probably not be the head of the IT department, but someone whose primary obligation is deciding what should be retained and how.
3. I would set up a records retention committee that meets regularly. The committee should include the general counsel — that’s me! — a senior executive, the head of the IT department and the records retention manager. Minutes of these regular meetings should be kept and circulated among all the participants.
4. I would disseminate the records retention policy to all company employees, and then I would find a way to test them on whether they have understood and implemented the policy.
5. I would set up a response team every time there is a litigation-need to preserve documents.

See the rest of her tips in this transcribed interview.

Next Entries »