To delete or not to delete: this now appears to be one of the holy grails of the e-mail archival industry, and it’s extending beyond regulated industries. On the surface, you would think that regulated industries are the best suited for deleting e-mails, as the regulations are very specific about how long particular e-mails have to be kept. What more could you ask for? You have it in black and white, from the government in a loud booming voice: "thou shall keep the Equity traders e-mails for a period of 5 years, thou shall only delete it after the prescribed period has come and gone".
So what’s the issue with deleting that e-mail on its 5 year anniversary date? With today’s systems you can schedule the deletion for the exact second it reaches its 5 year anniversary. So again, what’s the big deal? Well, let’s take a look at it from the opposite perspective.
What happens when you don’t delete the record? The answer to that one can be found in the Federal Rules. The pertinent rules are 26 and 34, which regulate the production of evidence. These rules make electronic information available for broad discovery, with some protections for the party whose information is being sought. They are currently under review, with proposed amendments before Congress; however, let’s see how they can affect whether you delete or not today.
Rule 26 states that all parties in litigation must disclose "a copy of, or description by category and location of, all documents, data compilations, and tangible things in possession, custody, or control of the party that are relevant to disputed facts alleged with particularity in the pleadings" FED. RUL. CIV. PROC. 26(a)(1)(B). Rule 26 also provides the scope of discovery: "Parties may obtain discovery regarding any matter, not privileged, which is relevant to the subject matter involved in the pending action . . . including the existence, description, nature, custody, condition, and location of any books, documents, or other tangible things." FED. RUL. CIV. PROC. 26(b). So, if you have it, and it’s relevant and not privileged, you are compelled to turn it over.
The protections under Rule 26 also define discovery limits: "The frequency or extent of use of the discovery methods . . . shall be limited by the court if it determines that: (i) the discovery sought is unreasonably cumulative or duplicative, or is obtainable from some other source that is more convenient, less burdensome, or less expensive . . . (iii) the burden or expense of the proposed discovery outweighs its likely benefit . . ." FED. RUL. CIV. PROC. 26(b)(2). In addition, Rule 26 allows a court to authorize a protective order to protect a party from "annoyance, embarrassment, oppression, or undue burden or expense" FED. RUL. CIV. PROC. 26(c).
These protections essentially are designed to bring some law and order to the process which is admittedly out of control with respect to both electronic evidence and even paper records. The rules simply were not written to account for today’s massive volumes of both electronic and paper records.
So, back to the small matter of deleting records. Why not delete them if you can?
Otherwise you will have to provide them, if they are relevant to a particular legal matter. If you are being litigated for the largest deal your company ever executed and the government is requesting every piece of electronic information from or to three senior securities traders in your organization, would you want to turn over less or more information? The answer to that one is obvious. So why keep the records that you are allowed to delete, by the same laws that you are trying to comply with?
The answer is simple: fear.
Fear of doing the wrong thing or, more to the point, lack of confidence in the electronic systems, people, processes and internal policies that are standing behind the delete key. And here is a dilemma where spending millions of dollars on a top tier consultancy to devise the processes, pick the systems, train the people, and possibly even hit the delete key doesn’t make a difference. For good or bad, Enron and Sarbox have changed the world’s business landscape, so much so that it is spreading from the US to other parts of the world. The consequences for doing the wrong thing will be your problem and burden to bear, and Section 802 of the Sarbanes-Oxley Act speaks to those penalties. There will be no one to point the finger at except yourself.
So, is the answer to keep everything? It’s certainly a strategy, however not a very good one given the risk. The answer is to take full and absolute control of your electronic systems, people and processes. Build internal confidence through training, re-training and certifications, so that everyone is aware of the processes that govern your electronic data. Start with the most critical first: e-mail. Have a plan for what’s second and third on the list, and execute according to a well documented plan that is part of your official corporate archive. And lastly, a small point that seems to go unspoken: act swiftly and publicly on corporate violations of compliance matters. {My kid’s high school handbook is a good example: strike another student and receive an automatic 10 day suspension, no questions asked. And yes, I have been in the principal’s office pleading my kid’s case, "the other kid pushed him first"; no level of articulation was going to make a difference, the punishment was executed, and swiftly}.
Within a system, a record targeted as compliant should follow a specific chain of custody which can be reproduced through verifiable audit logs that are designed and sequenced to electronically prove, to the satisfaction of forensics experts, that what the audit logs report is what actually occurred. A file plan, for example, which dictates how a record from the Equity Trader is managed through its five year life-cycle, should be recorded as part of the corporate archive. If the file plan changes, the new file plan should be recorded and the electronic audit logs should be updated, and time-stamped copies of the audit logs should be stored serially by date of occurrence within a secure tamper proof system.
These small levels of detail within large systems with many moving parts will pay dividends in proving that even wrong decisions in data deletion were made without malicious intent, and under the umbrella of good faith, because you have designed full transparency into your entire governance platform.
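One way to make such an audit log verifiable, shown as an added example that is not from the original post or any particular archive product: each entry carries a SHA-256 hash over its content and the previous entry's hash, so altering or reordering an entry is detectable, and a deletion is logged only against the file plan on record. The event names, field names and sample entries are assumptions constructed for illustration.

```python
import hashlib, json
from datetime import date
GENESIS = "0" * 64  # stands in for the hash before the first entry

def _digest(prev, body):
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256((prev + blob).encode()).hexdigest()

def append(log, when, event, detail):
    """Append an entry chained to its predecessor, in date order only."""
    if log and when < log[-1]["when"]:
        raise ValueError("entries are stored serially by date of occurrence")
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "when": when, "event": event, "detail": detail}
    log.append({**body, "prev": prev, "hash": _digest(prev, body)})
    return log[-1]

def verify(log):
    """Return the index of the first altered entry, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: e[k] for k in ("seq", "when", "event", "detail")}
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(prev, body):
            return i
        prev = e["hash"]
    return None

def record_delete(log, when, record):
    """Log a deletion only if the latest file plan on record allows it."""
    if verify(log) is not None:
        raise RuntimeError("audit log failed verification")
    ingest = next(e for e in log if e["event"] == "ingest" and e["detail"]["record"] == record)
    plan = [e for e in log if e["event"] == "file_plan"
            and e["detail"]["category"] == ingest["detail"]["category"]][-1]
    start = date.fromisoformat(ingest["when"])
    year = start.year + plan["detail"]["retention_years"]
    try:
        expiry = start.replace(year=year)
    except ValueError:  # ingested on 29 Feb, expiry year has no leap day
        expiry = date(year, 3, 1)
    if date.fromisoformat(when) < expiry:
        raise PermissionError(f"{record} must be kept until {expiry}")
    return append(log, when, "delete", {"record": record, "plan_seq": plan["seq"]})

def sample_log():  # constructed entries, not from a real archive
    log = []
    append(log, "2003-08-19", "file_plan", {"category": "equity-trader", "retention_years": 5})
    append(log, "2003-08-19", "ingest", {"record": "msg-001", "category": "equity-trader"})
    return log
```

A hash chain on its own is tamper-evident rather than tamper-proof: someone able to rewrite the whole log can recompute every hash, so the latest hash also has to be kept somewhere the archive's own administrators cannot change, such as write-once storage.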
What is needed within your overall systems is the element of “transparency”; shareholders tend to like that, and so do the regulators as well as the courts.
Proving fully what you did and how you did it is as important as why.
You shouldn’t keep records longer than needed, unless you make a conscious corporate decision based on the “smoking gun” factor: it is just as prudent, if not more so, to know what the other side may possibly already know. Just because you deleted the Equity Trader’s mail after five years doesn’t mean that some other party joined in the same litigation deleted their corresponding copy. So one of your records may be turned over as part of another party’s discovery request, and you are potentially unaware. That is a viable reason to keep records, if the decision is made consciously, but certainly not because of fear.
It should also be noted that the current proposed amendments to the Federal Rules discussed here take into account that, given the massive volumes of electronically stored information involved in particular legal matters, errors in the discovery process are likely to occur, and they will not penalize one side or the other for accidentally turning over records that are not relevant or that are privileged. Basically, you may be able to call time-out and ask for a "do over". ESI, or Electronically Stored Information, will soon be recognized more fully at the Federal level. This will certainly make the years to come more interesting and challenging for providers of systems which manage ESI for the purposes of compliance and legal discovery.

Welcome to e-Discovery. In a nutshell, email is now considered a legal form of communication which by rights has to be maintained with some type of retention/destruction policy.
In today's world of litigation - the first place lawyers go digging for the juice is an email archive. And judges are supporting these efforts by requiring disclosure of said archives. Don't have one, just deleted it. You better have a policy/procedure you're following....
Posted by: John Feeney | August 19, 2008 at 01:30 PM