Paperless/Retention –Preserve or Perish; Destroy or Drown
NCCMay 9, 2011
Audio
Conference © 2011
Robert D. Brownstone, Esq.
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
EIM
GR
OU
P© 2
Outline/Agenda
INTRODUCTION
I. Risks of Over-Saving
II. Risks of Under-Saving
III. Implementing a Compliant Program
IV. Going Paperless
V. Two Key Info-Sec Protocols
CONCLUSION
EIM
GR
OU
P© 3
THE THREE BUCKETS:
1) MUST/WANT TO KEEP – LEGAL NEEDS
statutes and regulations
litigation-hold
2) WANT TO KEEP – BUSINESS NEEDS
3) DISPOSE/DELETE – EVERYTHING ELSE
Many resources linked off slides 40-51 (.pdf pp. 43-54)of Brownstone, Employee-Related Records – Retention, Management & Destruction, NCC (Feb. 2, 2010)<constitutionconferences.com/RE/9W-DL#page=43>
INTRODUCTION –The Big Picture
EIM
GR
OU
P© 4
Over-Saving Costs:
retrieval capability
storage fees
“smoking gun” content
I. Risks of Over-Saving –Inefficiencies Day-to-Day
EIM
GR
OU
P© 5
Retrieval/storage efficiencies in:
operations
projects – managementand transitions
collections/productions
eDiscovery costs staggering
cost-shifting iffy at bestunder federal case law
I. Risks of Over-Saving –Over-Saving Costs (c’t’d)
EIM
GR
OU
P© 6
I. E-mails as eEvidence –“Multiple Audiences” Test
“Green Eggs & Ham” Test:
• Would you like it in the press?
• Would you like it on a competitor’s desk?
• Would you like it in the government’s hand?
• Would you like to read it on the witness stand?
If the content will get you slammed, then . . . .
DO NOT SEND IT, SAM I AM© Fenwick & West LLP; Mark Ostrau; Robert Brownstone<www.fenwick.com/services/2.23.0.asp?s=1055>
EIM
GR
OU
P© 7
I. Smoking Gun E-mails –Famous Last Words (4/16/10)
<http://www.msnbc.msn.com/id/37695879>
EIM
GR
OU
P© 8
II. Risks of Under-SavingA. “Must Keep”
Various Statutory/Regulatory Periods
• Examples of Generic Ones:
Safety Statutes/Regulations
Tax
EMP/HR
Could use 5 year “big bucket”
MANY individual categories
Statutes of Limitation (e.g., contract)
EIM
GR
OU
P© 9
II(A). Retention Rules –Must Keep . . . . (c’t’d)
“Litigation-Hold” (Preservation) Duties
State and Federal Obstruction Crimes
Federal Obstruction of JusticeCrimes Post-Sarbanes-Oxley
See Nick J. Vizy, Document Destruction under Sarbanes-Oxley, 154 Records RetentionReport 2 (Oct. 2010) (available on Westlaw)
See also Brownstone, et al. SOX Litigation Hold Triggers, Nat’l L.J. (3/10/08)<fenwick.com/docstore/Publications/EIM/SOX Litigation-Hold Triggers.pdf>
EIM
GR
OU
P© 10
II(A). Retention Rules –Must Keep . . . . (c’t’d)
MORE LIT. Hold duties . . .
Attorney Ethics Rules
Case-Law Preservation(Destruction-Suspension) Duty
See 5/11/09 Give P’s a Chance (“Policies . . .Protocols . . . [and] Preservation”) article at<www.law.com/jsp/ca/PubArticleCA.jsp?id=1202430585859>
Sanctions can include:
Adverse-inference-presumption Jury-instruction
NEW: Jail of CEO for contempt?!
Victor Stanley v. Creative Pipe II (D. Md. 9/9/10)
BUT SEE partial reversal via set of ordersdiscussed in (and linked off of) Carnahan article
EIM
GR
OU
P© 11
Safe Harbor in Fed. R. Civ. P.(FRCP) 37(e) (@ 12/1/06)<uscourts.gov/uscourts/RulesAndPolicies/rules/EDiscovery w Notes.pdf#page=40>, at 40
“AN electronic informationsystem” (not just party’s)
Rules Report, at App. C-89 <uscourts.gov/uscourts/RulesAndPolicies/rules/Reports/ST09-2005.pdf#page=174 >
To extent storage outsourced, synch up retention/destruction schedules with in-house systems
MORE COMPLICATED WITH “THE CLOUD”
II(A). Destruction“Safe Harbor”
EIM
GR
OU
P© 12
II(A). Spoliation Case-Law Discussions
TO LEARN MORE:
• Correy E. Stephenson, E-discovery ruling from a U.S. District Court in New York gives insight on errors, sanctions, Lawyers USA Today (3/17/11)
• Sean T. Carnathan, Jail Time for Spoliation? ABA Lit. News (11/29/10)
• Farrah Pepper, To Have and to Hold: A Romantic Guide to Document Preservation,Law Tech. News (12/16/09)
• Joshua Gilliland, Spoliation! A New Drama at the District Courthouse about a Litigation Hold and Missing Electronically Stored Information, Bow Tie Law’s Blog (8/24/09)
EIM
GR
OU
P© 13
II(A). HowSafe? (c’t’d)
First three questions (outside) litigationcounsel should ask his/her client:
Retention policy’s (if any) contents,including LIT-hold segment = ?
Policy actually followed in trenches = ?
Since the time the question of LIT-holdarose, what has been done = ?
EIM
GR
OU
P© 14
Business Needs, including . . .
Generic
Corporate/historical records
Intellectual Property (IP)
Particular to industryand/or to company
Ex: audit(s)-related information
II. Risks of Under-Saving (c’t’d) –B. “Want to Keep”
EIM
GR
OU
P© 15
II(B). Risks ofUnder-Saving (c’t’d)
Why is non-LIT-hold under-saving arguably less risky?
• Failure to comply with legally-imposed retention obligation NOTnecessarily spoliation per se Sarmiento v. Montclair State Univ., 513 F. Supp. 2d
72 (D.N.J. 5/9/07), available for free via PACERlogin at <https://ecf.njd.uscourts.gov/doc1/1191664237>
But see Zubulake and Morgan Stanley (heavilyregulated broker-dealer industry). Cf. FDA.
When no clear legally-imposed rule, thenorganization can create – and meet –its own quantifiable standards
EIM
GR
OU
P© 16
II(B). Under-SavingCounterpoint (c’t’d)
“Less is more”? . . .
Exs. of employers shieldedfrom spoliation sanctions insome discrimination cases:
• Patterson v. Goodyear Tire & Rubber Co.,2009 WL 1107740 (D. Kan. 4/23/09)(routine 12 month deletion of attendance logs),available for free via PACER login at<http://Patterson-Goodyear.notlong.com>
• Gippetti v. United Parcel Service Inc., 2008 WL3264483 (N.D. Cal. 8/6/08) (routinized 37-daydestruction approach re: employees' drivingrecords), available for free via PACER login at<https://ecf.cand.uscourts.gov/doc1/03504815885>
EIM
GR
OU
P© 17
Some keys to "legal defensibility" A. Policy/Program that avoids
“compliance gap”
suspicions re: roll-out’s timing
B. Addressing Key Targets
C. For LIT/eDisco Preparedness
Synch Retention Policy (incl. LIT-
HOLD piece) with other policies
D. Know what org has and where
III. Implementation –Introduction (c't'd)
EIM
GR
OU
P© 18
III. Implementing CompliantPROGRAM – A. “Real”
KUMBAYA?! Clear, well-thought-out policylanguage on which multiple constituencies (e.g.,Legal, HR, IT – and EEO?) have weighed in . . .
Compliance’s “3 E’s” = Establish/Educate/Enforce
© TOSHIBA
EIM
GR
OU
P© 19
Memorialize details of regimechange, including details ofnotification, training, etc.
Before implementation, doone’s best to segregate/collect ESI as to all pendingand reasonably anticipateddisputes and gov’t inquiries
III(A). ImplementationPROGRAM (c't'd) –
EIM
GR
OU
P© 20
• To extent data storageoutsourced, sync upschedules [see FRCP 37(e)]
• See, e.g., Tomlinson v. El Paso Corp., 245F.R.D. 474 (D. Colo. 8/31/07) (compellingproduction – under FRCP 26 (a)(1)(B) – re:third-party ERISA record- keeping system),available for free via PACER login at<https://ecf.cod.uscourts.gov/doc1/03911373138>
III(A). ImplementationPROGRAM (c't'd) –
EIM
GR
OU
P© 21
1. Email
• Consider age-based and/or mailbox-size-based purge rules on emails notstored in immune location(s)
• Address “archives”
Individual (.pst’s)
WHY?
Company-/enterprise-wide
III. Implementation –B. Key Targets
EIM
GR
OU
P© 22
III(B)(1). E-mail as aKey Target (c’t’d)
Within E-mail context, “archive”
• 1) Enterprise-wide platform
vs.
• 2) Individual’s own set of stored e-mails
Both can be outside of – and/orduplicative of – e-mails storedin live mailbox(es)
See generally Translating for IT and Earthlings, E-Discoveriescolumn, Calif. Lawyer (May 2010) <callawyer.com/story.cfm?eid=909464&evid=1>
EIM
GR
OU
P© 23
Potential Benefits
1) Readily searching/surfing for content,which can be critical to incident-responseand to eDiscovery collections.
2) Creation, in effect, of an eDiscoveryrepository, by enabling searching of:
attachments’ contents; and
across multiple users’ mailboxes
Neither has traditionally been possible in Outlook/Exchange
III(B)(1). Targets – E-mail –Enterprise Archives
EIM
GR
OU
P© 24
3) Routinize deletion per RetentionPolicy schedules, including via:
searches for items overx number of months/years
automated or manualfoldering as to categories
III(B)(1). E-mail Archives –Benefits (c’t’d)
EIM
GR
OU
P© 25
III(B)(1). E-mailArchives (c’t’d)
Potential Pitfalls:
“Hotel California” or “Roach Motel” problem:
Could become giant dumping-groundfor old, stale e-mails that never get deleted
Not thinking through workflow,which should coordinate:
Outlook e-mail “purge(s)”
“Vaulting” live e-mail into archive
Disposal of non-needed items from the archive
EIM
GR
OU
P© 26
Potential Pitfalls (c’t’d):
Not (adequately)educating employees
If enable users to“restore” at will, makesure archive settingswill sweep older e-mailsback into the archive
III(B)(1). E-mailArchives (c’t’d)
EIM
GR
OU
P© 27
2. Back-ups
• Do not keep forever
• Address old/legacy formats
• Segregate: e-mail/financials/products-related/all-the-rest
• True DR/BC vs. “Near-line” Archive
3. Locally stored data
4. Paper – see § IV below
III(B). KeyTargets (c’t’d)
EIM
GR
OU
P© 28
Another key to “legal defensibility”:“Compliance Gap Closing” = synchingRetention Policy language withpertinent contents of other key policies:
Technology-Acceptable-UsePolicy (TAUP)/No-Expectation-of-Privacy Policy (NoEPP)
Departing/Terminated Employees
Separation Policy
IT Checklist
III. C. Some KeyRelated Policies
EIM
GR
OU
P© 29
III(C). Other Policies (c’t’d) –1. TAUP/NoEPP
In addition to overall benefitsof TAUP/NoEPP, in eDiscoverysetting potentially avoid motionpractice as to own employee(s)and side-litigation re: privacy
• See generally Robert D. Brownstone,eWorkplace Privacy Materials,Nat’l. Emp. L. Inst. (NELI) (8/28/09)(more recent version available on request)
EIM
GR
OU
P© 30
III(C). Other Policies (c’t’d) –2. Separation
Trying to avoid the fate of Employer/Δ in Broccoli v. Echostar, 229 F.R.D. 506 (D. Md. 2005) (noprotocols/policies re: LIT-hold or re: separatingemployees; failing to suspend 21-day e-mail purge
<el.shb.com/nl images/edisc/nov05/broccoli%20v.%20echostar.op.080405.pdf>
Harkabi v. Sandisk, 08 Civ. 8203 (S.D.N.Y.8/23/10) <http://www.nysd.uscourts.gov/cases/show.php?db=special&id=111>
EIM
GR
OU
P© 31
III(C). Other Policies (c’t’d) –3. Destruction Protocols
Especially for highly sensitive info., e.g.:
• Personally identifiable information (PII)
Financial
States’ notice of breach laws; G-L-B; etc.
Medical/Health
HIPAA; state laws such as Cal. AB 1298
Consumer credit report information
FCRA; FACTA
But secure disposal of paper and electronicmedia/info. . . . helps across the board
EIM
GR
OU
P© 32
III. D. Know What Org.Has and Where
Partial Checklist of ESI Landscape/Locations
E-mail & E-mail Archives (company-wide and individual)
Databases (DMS, etc.) & Shared Network Drives
External Websites; Intranet/Portal
Blogs and Wikis (authorized), both external and internal
Third-party (hosted) repositories (see FRCP 37)
IM (company-provided) and Voicemail??
Hard Drives of local machines
Portable Media (hard-drives, CD’s, DVD’s, USB sticks)
For exs. of “Data Maps,” see Paperless/Retention,
NCC (6/3/10), at App. A (Slides 36-40; .pdf pp. 39-43)
EIM
GR
OU
P© 33
“Data-Mapping” Benefits
eDiscovery/Lit. Prep. & Risk-Insulation
eDiscovery costs reduction
litigation costs reduction
safe-harbor, including as to outsourced ESI
Governance, Risk & Compliance (GRC)<http://www.oceg.org/view/RB2Project>
<http://www.oceg.org/resources>
More interaction, simpatico and, ultimately,cohesiveness between [sub-]departments
III(D). What &Where? (c’t’d)
EIM
GR
OU
P© 34
IV. Going Paperless –Benefits to be Derived
Huge efficiencies to be gainedfrom – and legal support for –an all-electronic regime/environment
For new organizations
AND ditto for a long-term company to:
keep only electronic versions of all (most?)records created from a certain date forward; and
phase out pre-existing paper records over time
i.e., transitioning from a hybrid paper/electronicenvironment to an entirely paperless environment
EIM
GR
OU
P© 35
Expressly by various federal labor regs. –including under ADEA, FLSA & FMLA. Exs.:
FLSA 29 C.F.R. § 516.1
<http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?TITLE=29&PART=516&SECTION=1&YEAR=2000&TYPE=PDF>
FMLA 29 C.F.R. § 825.500(b), (g)
<www.dol.gov/dol/allcfr/ESA/Title 29/Part 825/29CFR825.500.htm>
I-9 forms (employment eligibility records) 8 C.F.R. § 274a.2
<http://8-CFR-274a2.notlong.com>
Tax/Payroll Law Exs.: Federal – IRS Rev. Rul. 97-22
<www.irs.gov/pub/irs-irbs/irb97-13.pdf#page=9>
IV. Paperless –EMP Laws
EIM
GR
OU
P© 36
State – Ex.: Cal. DLSE, Opinion Letter Re:Electronic Wage Statements (7/6/06):
Payroll department can providewage statements electronically,as long as employees have optionto receive hard copies and retainability to access the information andprint hard copies on employer’s printer
<www.dir.ca.gov/dlse/opinions/2006-07-06.pdf>
See generally Pittman, Alisa L., Making the Case for Electronic Storage of Employment Records, Elarbee, et al. E-Lert (7/6/06)<http://Pittman-Article-7-6-06.notlong.com>
IV. Paperless –EMP Laws (c’t’d)
EIM
GR
OU
P© 37
All from ABA Law Prac. Today (Sep. 2009):
Donna Neff and Natalie Sanna, The Document Naming System in Our Paperless Office<http://www.abanet.org/lpm/lpt/articles/ftr09091.shtml>
Jim Calloway, The Paperless Office as a Risk Management Enterprise<http://www.abanet.org/lpm/lpt/articles/ftr09092.shtml>
Adriana Linares, Less Paper Does Not Equal Less Training (at First!) <http://www.abanet.org/lpm/lpt/articles/ftr09094.shtml>
Michael J. Morse, Going Paperless for the Law Office: A Practical Guide <http://www.abanet.org/lpm/lpt/articles/ftr09095.shtml>
Ernest Svenson, Some Thoughts on Becoming Paperless <http://www.abanet.org/lpm/lpt/articles/ftr09097.shtml>
IV. Going Paperless –Some Helpful Articles
EIM
GR
OU
P© 38
Implicitly, if not expressly, by:
Best Evidence Rule, codified in FRE 1002<www.law.cornell.edu/rules/fre/rules.htm#Rule1002>
E-Sign Act, 15 U.S.C. §§ 7001 – 7031<http://uscode.house.gov/download/pls/15C96.txt>
Uniform Electronic Transactions Act(UETA), adopted by vast majority of states<www.law.upenn.edu/bll/archives/ulc/fnact99/1990s/ueta99.htm>
IV. Going Paperless –Generic Authorities
EIM
GR
OU
P© 39
PAST. . . Start with old boxes of PAPER: unlabeled & not retrieved
or looked at for years
whose labels and/or indicesreflect no retention need
PRESENT. . . Assess workflow re: alldocuments and information (letters,invoices, receipts, etc.)
created within your organization
disseminated by your organization
IV. Going Paperless (c’t’d) –Low-Hanging Fruit
<http://evolutionofbpr.com/tag/technology/>
EIM
GR
OU
P© 40
FUTURE . . . As to incoming documents: wherever possible, get
buy-in re: electronic form
to extent control is not possible,develop – and train on – scanning/imaging protocol for all incoming paper
TO LEARN MORE: See, e.g., ReadSoft®, E-invoices
White Paper (11/19/10)
IV. Going Paperless (c’t’d) –Low-Hanging Fruit
EIM
GR
OU
P© 41
Some suggested best practices (c’t’d)
Maintain replicated set of all ESIin distinct physical location
Protocols should entail one“original” centrally-stored copyof each scanned document
link sent to recipients
on their own, individuals can printto paper – but then discard
avoid too many compromisesin policy development and training
IV. Paperless – Food for Thoughtand Some Potential Pitfalls
EIM
GR
OU
P© 42
Some suggested best practices (c’t’d):
When scanning paper into imagefiles is part of your process:
signatures and scans in color
Cf. OFCCP Order # 279<www.dol.gov/ofccp/regs/compliance/directives/dir279.htm>
See also pp. 19-21 of<www.dol.gov/ofccp/Presentation/homestretch pres.pdf>
But see Appendix A below (Slide 46) re: someof the misc. vestiges requiring paper retention
IV. PotentialPitfalls (c’t’d)
EIM
GR
OU
P© 43
Encryption of laptops. WHY?
Protects confidential, proprietaryand personally- identifying (financialand health) information
Guards against identity theft re: individualcustomers/clients and also re: employees
Exempts from notice-of-breach statutesand thus from reputational damage
For resources on this issue, contact presenter
V. Two Key Information-Security Protocols
EIM
GR
OU
P© 44
Metadata-Scrubbing Software –Installation, Training & Use
Protects not-readily-apparentconfidential and proprietary info.from inadvertent disclosure
At least in Legal and Sales Dep’ts(all those who negotiate agreementsby exchanging multiple drafts)
Relatively inexpensive; integrateswith enterprise-wide e-mail systems
For resources on this issue, contact presenter
V. Key InfoSecProtocols (c’t’d)
EIM
GR
OU
P© 45
Conclusion/Questions
Q+A
Robert D. Brownstone <fenwick.com/attorneys/4.2.1.asp?aid=544>
650.335.7912 or <[email protected]> <facebook.com/rbrownstone> OR <twitter.com/ediscoveryguru>
Please visit F&W Groups’ homes:
EIM <fenwick.com/services/2.23.0.asp?s=1055>
Please visit F&W Groups’ homes:
See also Brownstone/Kesner“Going Paperless” article at this link
EIM
GR
OU
P© 46
SEC Reg. S-T’s Rule 302 , 17 C.F.R. § 232.302(b)<http://SEC-Reg-S-T-302.notlong.com>:
Each signatory to an electronic filing . . . Shallmanually sign a signature page or other documentauthenticating, acknowledging or otherwise adoptinghis or her signature that appears in typed form withinthe electronic filing. Such document shall be executedbefore or at the time the electronic filing is madeand shall be retained . . . for . . . five years
Federal Procurement
“Examination of records of contractor,” 10 U.S.C. §2313(h)(3) (“contractor or subcontractor retains theoriginal records for a minimum of one year after imagingto permit periodic validation of the imaging systems”)<www4.law.cornell.edu/uscode/html/uscode10/usc sec 10 00002313----000-.html>
“Contractor Records Retention, ‘Federal AcquisitionRegulation (FAR), Subpart 4.7, incl. “Policy,” § 4.703<www.acquisition.gov/far/current/html/Subpart%204 7.html#wp1082800>
App. A – Paperless (c’t’d) –CON (Counterpoint)