Paperless/Retention – Preserve or Perish; Destroy or Drown
De
NCC June 3, 2010 (1 link updated
9/4/15)
Audio
Conference © 2010
Robert D. Brownstone
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
EIM
GR
OU
P
© 2
Outline/ Agenda
INTRODUCTION
I. Risks of Over-Saving
II. Risks of Under-Saving
III. Implementing a Compliant Program
IV. Going Paperless
V. Two Key Info-Sec Protocols
CONCLUSION
EIM
GR
OU
P
© 3
THE THREE BUCKETS:
1) MUST/WANT TO KEEP – LEGAL NEEDS
statutes and regulations
litigation-hold
2) WANT TO KEEP – BUSINESS NEEDS
3) DISPOSE/DELETE – EVERYTHING ELSE
Many resources linked off slides 40-51 (.pdf pp. 43-54) of Brownstone, Employee-Related Records – Retention, Management & Destruction, NCC (Feb. 2, 2010) <constitutionconferences.com/RE/9W-DL#page=40>
INTRODUCTION – The Big Picture
EIM
GR
OU
P
© 4
Over-Saving Costs:
“smoking gun” content
retrieval capability
storage fees
I. Risks of Over-Saving – Inefficiencies Day-to-Day
EIM
GR
OU
P
© 5
efficiencies in:
operations
projects – management and transitions
collections/productions
eDiscovery costs staggering
cost-shifting iffy at best under federal case law
I. Risks of Over-Saving – Over-Saving Costs (c’t’d)
EIM
GR
OU
P
© 6
II. Risks of Under-Saving A. “Must Keep”
Various Statutory/Regulatory Periods
• Examples of Generic Ones:
Safety Statutes/Regulations
Tax
Statutes of Limitation (e.g., contract)
EMP/HR
Could use 5 year “big bucket”
MANY individual categories
EIM
GR
OU
P
© 7
II(A). Retention Rules – Must Keep . . . . (c’t’d)
“Litigation-Hold” (Preservation) Duties
Sarbanes-Oxley (SOX) Federal Obstruction of Justice Crime(s)
See generally 3/10/08 N.L.J. article at <fenwick.com/docstore/Publications/EIM/SOX_Litigation-Hold_Triggers.pdf>
Attorney Ethics Rules
Case-Law Preservation (Destruction-Suspension) Duty
See generally 5/11/09 Give P’s a Chance (“Policies . . .
Protocols . . . [and] Preservation”) article at <www.law.com/jsp/ca/PubArticleCA.jsp?id=1202430585859>
EIM
GR
OU
P
© 8
"Safe Harbor" in Fed. R. Civ. P. (FRCP) 37(e) (@ 12/1/06)
<www.uscourts.gov/rules/EDiscovery_w_Notes.pdf>, at 40
“AN electronic information system” (not just party’s)
Rules Report, at App. C-89 <www.uscourts.gov/rules/Reports/ST09-2005.pdf#page=174>
II(A). Destruction Safe Harbor
EIM
GR
OU
P
© 9
II(A). Spoliation Case- Law Discussions
• Ralph Losey, Judge Rosenthal v. Judge Scheindlin: A Bogus Battle, e-Discovery Team (3/28/10) <e-discoveryteam.com/2010/03/28/judge-rosenthal-v-judge-scheindlin-a-bogus-battle/>
• Ralph Losey, Raising the Bar – Judge Scheindlin Defines Gross Negligence in Spoliation, eDiscovery Team Blog (1/17/10) (detailed discussion of Pension-Comm.) <e-discoveryteam.com/2010/01/17/raising-the-bar-judge-scheindlin-defines-gross-negligence-in-spoliation/>
• Farrah Pepper, To Have and to Hold: A Romantic Guide to Document Preservation, Law Tech. News (12/16/09) (an excellent read, citing many 2009 decisions) <www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202436361715>
• Gregory P. Joseph, Spoliation: Truth or Consequences (5/14/07) (thorough piece on various spoliation issues) <www.josephnyc.com/articles/viewarticle.php?45>
EIM
GR
OU
P
© 10
Business Needs, including . . .
Generic
Corporate/historical records
Intellectual Property (IP)
Particular to industry and/or to company
Ex: audit(s)-related information
II. Risks of Under-Saving (c’t’d) – B. “Want to Keep”
EIM
GR
OU
P
© 11
II(B). Risks of Under-Saving – “Must Keep” Rules
BIGGER risks [see § II(A)(2)] can be:
• Over-saving
• No Litigation-Hold protocol
• Spoliation via hold mishandling
Why?
• Failure to comply with legally-imposed retention obligation NOT spoliation per se
Sarmiento v. Montclair State Univ., 513 F. Supp. 2d 72 (D.N.J. 5/9/07) <https://ecf.njd.uscourts.gov/doc1/1191664237>
But see Zubulake and Morgan Stanley (heavily regulated broker-dealer industry). Cf. FDA.
EIM
GR
OU
P
© 12
Some keys to "legal defensibility" A. Policy/Program that avoids
“compliance gap”
suspicions re: roll-out’s timing
B. Addressing Key Targets
C. For LIT/eDisco Preparedness
Synch Retention Policy (incl. LIT-
HOLD piece) with other policies
D. Know what org has and where
III. Implementation – Introduction (c't'd)
EIM
GR
OU
P
© 13
III. Implementing Compliant PROGRAM – A. “Real”
KUMBAYA?! Clear, well-thought-out policy language on which multiple constituencies (e.g., Legal, HR, IT – and EEO?) have weighed in . . .
Compliance’s “3 E’s” = Establish/Educate/Enforce
© TOSHIBA
EIM
GR
OU
P
© 14
Memorialize details of regime change, incl. details of notification, training, etc.
Before implementation, segregate/collect ESI re: all pending and reasonably anticipated disputes and gov’t inquiries
• To extent data storage outsourced, synch up schedules [see FRCP 37(e)]
• See also Tomlinson v. El Paso Corp., 2007 U.S. Dist. LEXIS 64783 (D. Colo. 8/31/07) <http://Tomlinson-DColo-8-31-07.notlong.com>
III(A). Implementation PROGRAM (c't'd) –
EIM
GR
OU
P
© 15
1. Email
• Consider imposing age-based and/or mailbox-size-based purge rules on emails not stored in immune location(s)
• Address “archives”
• Individual (.pst’s)
WHY?
• Company-/enterprise-wide
III. Implementation – B. Key Targets
EIM
GR
OU
P
© 16
Potential Benefits
1) Readily searching/surfing for content, which can be critical to incident-response and to eDiscovery collections.
2) Creation, in effect, of an eDiscovery repository, by enabling searching of:
attachments’ contents; and
across multiple users’ mailboxes
Neither is possible in Outlook/Exchange
III(B)(1). Targets – E-mail – Enterprise Archives
EIM
GR
OU
P
© 17
3) Routinize deletion per Retention Policy schedules, including via:
searches for items over x number of months/years
automated or manual foldering as to categories
III(B)(1). E-mail Archives – Benefits (c’t’d)
EIM
GR
OU
P
© 18
III(B)(1). E-mail Archives (c’t’d)
Potential Pitfalls:
“Hotel California” or “Roach Motel” problem:
Could become giant dumping-ground for old, stale e-mails that never get deleted
Not thinking through workflow, which should coordinate:
Outlook e-mail “purge(s)”
“Vaulting” live e-mail into archive
Disposal of non-needed items from the archive
EIM
GR
OU
P
© 19
Potential Pitfalls (c’t’d):
Not (adequately) educating employees
If enable users to “restore” at will, make sure archive settings will sweep older e-mails back into the archive
III(B)(1). E-mail Archives (c’t’d)
EIM
GR
OU
P
© 20
2. Back-ups
• Do not keep forever
• Address old/legacy formats
• Segregate: e-mail/financials/ products-related/all-the-rest
• True DR/BC vs. “Near-line” Archive
3. Locally stored data
4. Paper – see § IV below
III(B). Key Targets (c’t’d)
EIM
GR
OU
P
© 21
Another key to “legal defensibility”: “Compliance Gap Closing” = synching Retention Policy language with pertinent contents of other key policies:
Technology-Acceptable-Use Policy (TAUP)/No-Expectation- of-Privacy Policy (NoEPP)
Departing/Terminated Employees
Separation Policy
IT Checklist
III. C. Some Key Related Policies
EIM
GR
OU
P
© 22
III(C). Compliant/Defensible Separation Policies (c’t’d)
Trying to avoid the sins of Employer/Δ in Broccoli v. Echostar, 229 F.R.D. 506 (D. Md. 2005)
no protocols/policies re: LIT-hold or re: separating employees
failing to suspend 21-day e-mail purge <http://Broccoli-Echostar-8-4-05.notlong.com>
EIM
GR
OU
P
© 23
III. D. Know What Org. Has and Where
Partial Checklist of ESI Landscape/Locations E-mail & E-mail Archives (company-wide and individual)
Databases (DMS, etc.) & Shared Network Drives
External Websites; Intranet/Portal
Blogs and Wikis (authorized), both external and internal
Third-party (hosted) repositories (see FRCP 37)
IM (company-provided) and Voicemail??
Hard Drives of local machines
Portable Media (hard-drives, CD’s, DVD’s, USB sticks)
For exs. of “Information Maps”, a/k/a “Data Maps,” see Appendix A (Slides 36-40) below
EIM
GR
OU
P
© 24
“Data-Mapping” Benefits
eDiscovery/Lit. Prep. & Risk-Insulation
eDiscovery costs reduction
litigation costs reduction
safe-harbor, including as to outsourced ESI
Governance, Risk & Compliance (GRC)
<http://www.oceg.org/view/RB2Project>
<http://www.oceg.org/resources>
More interaction, simpatico and, ultimately, cohesiveness between [sub-]departments
III(D). What & Where? (c’t’d)
EIM
GR
OU
P
© 25
IV. Going Paperless – Benefits to be Derived
Huge efficiencies to be gained from – and legal support for – an all-electronic regime/environment
For new organizations
AND ditto for a long-term company to:
keep only electronic versions of all (most?) records created from a certain date forward; and
phase out pre-existing paper records over time
i.e., transitioning from a hybrid paper/electronic environment to an entirely paperless environment
EIM
GR
OU
P
© 26
Expressly by various federal labor regs. – including under ADEA, FLSA & FMLA. Exs.:
FLSA 29 C.F.R. § 516.1 <www.dol.gov/dol/allcfr/ESA/title_29/Part_516/29CFR516.1.htm>
FMLA 29 C.F.R. § 825.500(b), (g)
<www.dol.gov/dol/allcfr/ESA/Title_29/Part_825/29CFR825.500.htm>
I-9 forms (employment eligibility records) 8 C.F.R. § 274a.2 <http://8-CFR-274a2.notlong.com>
Tax/Payroll Law Exs.: Federal – IRS Rev. Rul. 97-22
<www.irs.gov/pub/irs-irbs/irb97-13.pdf#page=9 >
IV. Paperless – EMP Laws
EIM
GR
OU
P
© 27
State – Ex.: Cal. DLSE, Opinion Letter Re: Electronic Wage Statements (7/6/06):
Payroll department can provide wage statements electronically, as long as employees have option to receive hard copies and retain ability to access the information and print hard copies on employer’s printer
<www.dir.ca.gov/dlse/opinions/2006-07-06.pdf>
See generally Pittman, Alisa L., Making the Case for Electronic Storage of Employment Records, Elarbee, et al. E-Lert (7/6/06) <http://Pittman-Article-7-6-06.notlong.com>
IV. Paperless – EMP Laws (c’t’d)
EIM
GR
OU
P
© 28
All from ABA Law Prac. Today (Sep. 2009):
Donna Neff and Natalie Sanna, The Document Naming System in Our Paperless Office <http://www.abanet.org/lpm/lpt/articles/ftr09091.shtml>
Jim Calloway, The Paperless Office as a Risk Management Enterprise <http://www.abanet.org/lpm/lpt/articles/ftr09092.shtml>
Adriana Linares, Less Paper Does Not Equal Less Training (at First!) <http://www.abanet.org/lpm/lpt/articles/ftr09094.shtml>
Michael J. Morse, Going Paperless for the Law Office: A Practical Guide <http://www.abanet.org/lpm/lpt/articles/ftr09095.shtml>
Ernest Svenson, Some Thoughts on Becoming Paperless <http://www.abanet.org/lpm/lpt/articles/ftr09097.shtml >
IV. Going Paperless – Some Helpful Articles
EIM
GR
OU
P
© 29
Implicitly, if not expressly, by:
Best Evidence Rule, codified in FRE 1002 <www.law.cornell.edu/rules/fre/rules.htm#Rule1002>
E-Sign Act, 15 U.S.C. §§ 7001 – 7031 <http://uscode.house.gov/download/pls/15C96.txt>
Uniform Electronic Transactions Act (UETA), adopted by vast majority of states <www.law.upenn.edu/bll/archives/ulc/fnact99/1990s/ueta99.htm>
IV. Going Paperless – Generic Authorities
EIM
GR
OU
P
© 30
PAST. . . Start with old boxes of PAPER: unlabeled and not retrieved or looked at for years
whose labels and/or indices reflect no need to retain
PRESENT. . . Assess workflow re: all documents and information (letters, invoices, receipts, etc.)
created within your organization
disseminated by your organization
FUTURE . . . As to incoming documents: wherever possible, get buy-in re: electronic form
to extent control is not possible, develop – and train on – scanning/imaging protocol for all incoming paper
IV. Going Paperless (c’t’d) – Low-Hanging Fruit
<http://evolutionofbpr.com/tag/technology/>
EIM
GR
OU
P
© 31
Some suggested best practices (c’t’d)
Maintain replicated set of all ESI in distinct physical location
Protocols should entail one “original” centrally-stored copy of each scanned document
link sent to recipients
on their own, individuals can print to paper – but then discard
avoid too many compromises in policy development and training
IV. Paperless – Food for Thought and Some Potential Pitfalls
EIM
GR
OU
P
© 32
Some suggested best practices (c’t’d):
When scanning paper into image files is part of your process:
signatures and scans in color
Cf. OFCCP Order # 279 <www.dol.gov/ofccp/regs/compliance/directives/dir279.htm>
See also pp. 19-21 of <www.dol.gov/ofccp/Presentation/homestretch_pres.pdf>
But see Appendix B below (Slide 41) re: some of the misc. vestiges requiring paper retention
IV. Potential Pitfalls (c’t’d)
EIM
GR
OU
P
© 33
Encryption of laptops. WHY?
Protects confidential, proprietary and personally- identifying (financial and health) information
Guards against identity theft re: individual customers/clients and also re: employees
Exempts from notice-of-breach statutes and thus from reputational damage
For resources on this issue, contact presenter
V. Two Key Information- Security Protocols
EIM
GR
OU
P
© 34
Metadata-Scrubbing Software – Installation, Training & Use
Protects not-readily-apparent confidential and proprietary info. from inadvertent disclosure
At least in Legal and Sales Dep’ts (all those who negotiate agreements by exchanging multiple drafts)
Relatively inexpensive; integrates with enterprise-wide e-mail systems
For resources on this issue, contact presenter
V. Key InfoSec Protocols (c’t’d)
EIM
GR
OU
P
© 35
Conclusion/ Questions
Q+A
Robert D. Brownstone <fenwick.com/attorneys/4.2.1.asp?aid=544>
650.335.7912 or <[email protected]> <facebook.com/rbrownstone> OR <twitter.com/ediscoveryguru>
Please visit F&W Groups’ homes:
EIM <fenwick.com/services/2.23.0.asp?s=1055>
Please visit F&W Groups’ homes:
See also Brownstone/Kesner Managing Partner Magazine article (available on request)
EIM
GR
OU
P
© 36
Appendix A – “Data Maps”
Important re: eDiscovery PLAN & COLLECT steps
Exs. of “Data-Maps” (Proactive & Reactive):
Short/Sweet Repository List
EIM
GR
OU
P
© 37
App. A (c’t’d) – Data Map Exs. (c’t’d) – Server Architecture Diagram # 1
“accompanied the testimony of Microsoft Vice President and Deputy General Counsel Tom Burt presented during the period of public comment on the proposed changes to the Federal Rules of Civil Procedure”
From <http://convergentsemiconductors.blogspot.com/2011/10/hybrid-memory-solution-for-enterprise.html> (link/URL updated 9/4/15)
EIM
GR
OU
P
© 38
App. A (c’t’d) – Data Map Exs. (c’t’d) – Server Architecture Diagram # 2
From <http://content.edgar-online.com/edgar_conv_img/2007/10/29/0000891618-07-000615_F28075A2F2807501.GIF>
EIM
GR
OU
P
© 39
App. A (c’t’d) – Exs. (c’t’d) – Web-ified Visio Chart of data flow . . .
. . . between HR databases & geographical locations
© 2004, 2010 Robert D. Brownstone, Esq.
EIM
GR
OU
P
© 40
App. A (c’t’d) – Exs. (c’t’d) – Others, described . . .
Spreadsheet with content-types on one axis (rows) and Dep’ts on other axis (columns)
Chart/diagram of physical locations, each with respective list of repositories
Diagrams/flow-charts of SOX internal-controls workflows
Items enabled/facilitated by map:
Records-Retention Schedules
“Pre-Collection Checklist”
EIM
GR
OU
P
© 41
SEC Reg. S-T’s Rule 302 , 17 C.F.R. § 232.302(b) <http://SEC-Reg-S-T-302.notlong.com>:
Each signatory to an electronic filing . . . Shall manually sign a signature page or other document authenticating, acknowledging or otherwise adopting his or her signature that appears in typed form within the electronic filing. Such document shall be executed before or at the time the electronic filing is made and shall be retained . . . for . . . five years
Federal Procurement
“Examination of records of contractor,” 10 U.S.C. § 2313(h)(3) (“contractor or subcontractor retains the original records for a minimum of one year after imaging to permit periodic validation of the imaging systems”) <www4.law.cornell.edu/uscode/html/uscode10/usc_sec_10_00002313----000-.html>
“Contractor Records Retention, ‘Federal Acquisition Regulation (FAR), Subpart 4.7, incl. “Policy,” § 4.703 <www.acquisition.gov/far/current/html/Subpart%204_7.html#wp1082800>
App. B – Paperless (c’t’d) – CON (Counterpoint)