To print this page, click your browser's print icon.

The Legal Necessitry of Data Archiving

By Qahim Moosavi, Margolis Consulting Services

The Legal Necessity of Data Archiving- The law requires you to be able to provide documents and emails in a timely manner…Are your prepared?

The following is a brief overview of the FRCP changes.  It is not intended to provide legal advice but rather some IT implications of the changes.  

Data compliance regulations which once governed publically traded companies or specific industries such as the health industry, will now affect everyone.  The recent changes to the Federal Rules of Civil Procedure (FRCP) increased the risk and thus liabilities to companies and their IT and legal departments.  The new rules require companies to prepare for litigation discovery requests on short notice.  The emphasis of the new rules is on electronically stored information, requiring the company to identify its stored information.

At its core, e-discovery whether for compliance audits or for use in legal cases involves the production and presentation of electronically stored information that may exist in repositories throughout the organization, from document management systems to common office applications to email.  Organizations must develop records management strategies to be able to capture and classify volumes of information within the enterprise. They must be able to understand the data they have so they can identify and quickly find information that may be called for as part of e-discovery; retain it for the purposes of audits or legal holds; and finally purge obsolete data from their systems after required time periods. Such policies will reduce risk and help organizations avoid the infinitely escalating costs of searching through haphazardly stored information.

Although there have been many rule changes, two of them have significant implications for data storage and retention.  The first change is FRCP Rule 16 which establishes parameters for time limits and processes for discovery.  It states that a discovery meeting must occur within 120 days of the filing or 90 days after an answer is filed.  The other pertinent change is FRCP Rule 26 “meet and confer”.  This requires attorneys to discuss, among many other things, any issues relating to the preservation of information, and to discuss the disclosure, discovery, or production of information. In addition, attorneys must review what information may be privileged and therefore withheld.

Not only is there more material for lawyers to examine but this in turn places the burden of information provision on the IT department.    The legal counsel of a company has the duty of delivering relevant, non-privileged information as required.  The IT department, which controls the data, is responsible for managing the information securely while meeting its own set of requirements.  In order to meet the new FRCP laws it will be necessary for the IT department to work closely with the legal counsel to ensure that proper procedures are in place and that if the need arises for a discovery all relevant data is available in an expeditious manner. 

The compliance requirements do not dictate any specific type of technology to be used in a storage/retention policy.  The main criterion is being able to protect the data against deletion, removal or alteration.  If effective, a manual policy is acceptable.   However, data management software can manage information storage and archiving making the process of e-discovery much simpler.  A manual policy is often both time consuming and inconsistent.  A company that uses a manual policy might find that in a situation where e-discovery is warranted the process will consume many hours of the IT and legal department resulting in very high costs that could have been mitigated by a more effective, automated data management solution.

As expensive as it may be to comply with the FRCP, non-compliance may prove to be more expensive.  This point is clearly stated in some noteworthy rulings:

    • A jury awarded $800-million in punitive damages when Morgan Stanley repeatedly failed to produce emails in a timely manner. The judge stated that "efforts to hide its emails" were evidence of "guilt." (Coleman Holdings v. Morgan Stanley)
    • A jury awarded $29.2-million in the largest single sex discrimination verdict in U.S. history after UBS Warburg could not produce copies of relevant emails. The jury was instructed to "infer that the [missing] evidence would have been unfavorable" to the defendant. (Zubulake v. UBS Warburg)
    • The SEC imposed a fine of $10-million on Banc of America Securities, the brokerage arm of Bank of America, after they "repeatedly failed promptly to furnish" email and gave "misinformation".

The sizable fines awarded in the above cases illustrate how large enterprises have been affected, but it is important to note that any company regardless of size will be subject to the FRCP rules in legal proceedings.  Small to midsize companies who think that they need not implement such a policy should think again.  If a company was involved in a law suit, absent or ineffective data retention policies that resulted in missing data could be construed as the deliberate hiding of information or misinformation which could imply guilt.

It may seem daunting to try to meet these regulations and establish a solid data retention policy.  However, it is requirement that all businesses must face.  With a structured plan, cooperation throughout the company and proper implementation of technology, it can be a successful project that could have added benefits for the normal business processes as well.

For further information pertaining tothis article, IT Controls or Off-Site backup issues, please contact Qahim Moosavi at (610) 784-0155 or at qmoosavi@marg.com.