Green Light for Defensible Data Remediation

In December 2015, the electronic discovery provisions of the Federal Rules of Civil Procedure (FRCP) were amended to substantially expand the Safe Harbor against sanctions for destruction of electronic data.  In my November 2015 white paper, C-Level Guide to Covering Your Information Governance Assets, I predicted that the amended rules signaled a pivot away from one of the main sources of eDiscovery uncertainty – the inconsistent imposition of severe sanctions for the loss of electronically stored information (ESI) relevant to dispute resolution.  The prediction holds. The prior Safe Harbor under the 2006 FRCP provided modest protections against sanctions where ESI was lost due to routine and automatic deletion.  Because of the inconsistent standards previously applied by courts around the country, organizations fearful of doomsday sanctions would over-preserve.  The new discovery rules greatly expand this protection. A cursory review of sanctions cases decided under the new rules in influential U.S. District Courts indicates that the Federal bench is successfully applying the new rules as the Rules Advisory Committee intended – limiting judicial discretion to impose case-killing sanctions to situations where a party intentionally deprives its opponent of documents covered by a “legal hold.”  An excerpt from a Northern District of California …

Read more

Legally Defensible Data Remediation

A document retention policy is in reality a document destruction policy.  Therefore, a key reason for an organization to adopt a document retention policy is to establish a program for the deletion/destruction of information that is not required for business, regulatory and other needs.  This reality is made necessary by the fact that digital information is growing at an unprecedented rate and that much of it is contained in “unstructured” storage such as email, SharePoint and shared network drives.  Data hoarding not only increases direct information technology costs but it presents other substantial risks and costs to an organization ranging from discovery of “smoking gun” documents during investigation, litigation or audit; to reputational damage from information security breaches (hacking). Document retention/destruction policies have long been recognized as a good business practice.  Inherent in the practice is the notion that information has a life cycle and that there are valid reasons to protect that information from competitors, thieves, snoops and even government investigators.  In the context of an appeal of an obstruction of justice conviction against Arthur Andersen LLP, this practice was blessed by the U.S. Supreme Court.  Chief Justice William Rehnquist delivered the opinion of the Court: ‘Document Retention Policies,’ …

Read more

Legal Hold 101 – Data Retention and Destruction

Every gambler knows That the secret to survivin’ Is knowin’ what to throw away And knowin’ what to keep ‘Cause every hand’s a winner And every hand’s a loser And the best that you can hope for is to die In your sleep The Gambler lyrics © Sony/ATV Music Publishing LLC Some of the more frequent questions asked of eDiscovery attorneys when teaming with IT professionals on archiving and other retention policy projects, relate to the timing, scope and especially the release of legal holds.  Misconceptions about “Legal Hold” abound, many of them (unfortunately) coming from litigation attorneys stuck in the paper document past or those who do not understand data systems architecture.  One common source of over-broad Legal Hold retention is the misapprehension of the risk of severe judicial sanctions for the destruction (aka spoliation) of evidence.  Too many attorneys take what they consider to be the safe route and continue to advise enterprises to keep too much for too long.  As Kenny Rogers’ Grammy award-winning song reminds us, risk can cut both ways.  Not only does an overbroad legal hold increase the cost of maintenance and infrastructure, it increases the cost of legal review of held documents, and …

Read more

Boards and C-Level Executives Are Sailing in Dangerous Waters

Great White Shark

In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance.  It warned in stark terms: Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i] To say that information is an asset to business enterprises is to recognize the obvious.  Certain intellectual property such as trade secrets and customer lists are universally considered to be assets and deserving of protection.  But, as enterprises have shifted to digital systems where work-flows, communications, collaboration systems, data analytics and other metrics now condition and drive business decisions, the value and integrity of these systems has become ever more fraught with risk.  Consider that the Ashley Madison hacking uncovered email correspondence between executives and legal counsel.  While Coca Cola might have been able to lock away a few copies of its secret formula in a steel safe a generation ago, today’s information assets, by their nature, must be widely distributed and available …

Read more

Create a Legally Defensible Document Retention / Destruction Policy

My February 2015 NARI Legal Corner guest blog titled Build a Record You’ll Be Proud Of, addressed the importance of recordkeeping for contractors and provided practical guidelines for creating project records.  It showed that the successful management of construction projects requires proper management of a company’s records and other “information assets.”  Information asset management should be viewed as a key component of every contractor’s overall risk management program. The article concluded by recommending that organizations develop and implement a document retention policy and legal retention schedule, which together allow old records to be destroyed in a legally defensible manner. This article describes an approach to managing and retiring (destroying) information assets that is based on industry standards and best practices. A document retention policy is really a document destruction policy Information as Assets Broadly defined, information assets include not only project records, accounting records and official documents but all other information holding any value or representing any risk to the organization.  Information assets include anything that is recorded or stored such as email, instant messaging, voicemail, databases, digital photos or any type of document, whether printed out or not.  Assets in the form of Electronically Stored Information (ESI) also include …

Read more

Cloudy Laws II – Only 65 Challenges to eDiscovery Forensics in the Cloud

clous over hawaii

Among the many types of challenges presented by the adoption of cloud computing are those involving computer forensics. Computer forensics can be thought of as the set of tools and techniques that make eDiscovery possible and reliable. It is defined in Wikipedia as, “a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.” The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) defines cloud computing forensic science more specifically as, the application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, interpretation and reporting of digital evidence As with other legal evidence, digital evidence is subject to challenge in court. It has to be what it purports to be. Therefore, the accurate identification of the creator, custodian, chain of custody, authenticity and other attributes of digital evidence is essential in any eDiscovery setting. Essentially, a computer forensic investigation must locate and identify “documents” and other information that can be traced to the actions, knowledge and information available to parties and other witnesses involved in a lawsuit, arbitration or investigation While a number of technical tools and techniques have been developed to …

Read more

Cloudy Laws I – Cloud Computing Security and Legal Challenges

Supercell clouds over Nebraska

Cloud computing presents innumerable opportunities and brings with it enormous security and legal challenges.  While there is no single accepted definition of the “cloud,” the National Institute of Standards and Technology created a reference model in 2011.  NIST defined cloud computing by describing its five essential characteristics, three service models, and four deployment models. (NIST Special Publication 800-145): Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Essential Characteristics Service Models Deployment Models 1. On demand self service 1. Software as a Service (SaaS) 1. Private Cloud 2. Broad network access 2. Platform as a Service (PaaS) 2. Community Cloud 3. Resource pooling 3. Infrastructure as a Service (IaaS) 3. Public Cloud 4. Rapid elasticity 4. Hybrid Cloud 5. Measured service NIST Cloud Computing Reference Model The rapid increase in the availability of cloud computing solutions ranging from Enterprise systems, to Office 365, to the ad hoc use of unencrypted Dropbox accounts, has profound implications for privacy, information security, eDiscovery and legally defensible document retention policies.  Hardly a …

Read more

LocationGate – Where in the World Was Waldo?

Just look at his iPhone data Apparently I am not the only person troubled by the 2011 revelation that Google and Apple collect location data from smart phones.  Mike Elgan wrote a thoughtful piece for Computerworld. Who owns your location? – Computerworld The idea of tracking files existing on phones and on the computers used to synch data raises eDiscovery issues as well as obvious privacy and data security concerns.  Will employers be tempted to look at the data collected by company issued phones to see if their sales team or delivery drivers were on task?  Employers defending discrimination cases are always on the lookout for employee misconduct that would justify termination of employment on non-discriminatory grounds.  Did she lie to the boss about that sick day as shown by the trip to the Foxwoods Casino? Warrantless Searches A January 2011 decision by the California Supreme Court held that police may make a warrantless search of a person’s cell phone incident to a lawful arrest – in California.  In the opinion, the court considers and dismisses the privacy argument: Regarding the quantitative analysis of defendant and the dissent, the salient point of the high court‟s decisions is that a “lawful custodial arrest …

Read more