Monday January 05, 2009

Data Preservation for Legal Actions

When faced with impending litigation, organizations must carefully think through and put in place data preservation activities. Business leaders are well aware of the dangers and costs associated with not having the right information when confronted with a legal action such as a data preservation order, preservation letter, discovery order, or subpoena. In some cases, company officers are personally liable. In the case of U.S. District Court vs. USN Communications in October 2000, the court recommended that the CEO be personally fined $10,000 for failure to adequately discharge his responsibilities to institute a program to preserve documents. [1]

Data preservation notices are issued to witnesses or nonparties that may be in possession of relevant data subject to preservation notices or legal holds. The data preservation notice communicates to the organization, witness, or nonparties to suspend the normal disposition or processing of records. This may also be called a “hold order,” “preservation notice,” or “preservation order.” Data preservation notices normally precede a subpoena and provide notice of relevant data being requested and detailed information of the impending legal action.

Preservation letters are issued to the adverse party with the intent to seek information. The letter identifies the materials to be retained and warns of consequences for failure to properly preserve the data. Preservation letters are issued to notify the recipient to begin taking prompt and affirmative actions to retain and identify the requested data. The preservation letter is the trigger for an organization to cease normal data destruction and institute the “legal hold” process.

Organizations are faced with mounting costs and challenges when addressing a preservation order or in carrying out their responsibilities associated with imminent legal actions toward them. It is not uncommon for organizations to spend thousands of dollars a day in expenses for storage and equipment due to data preservation during imminent legal actions. One organization is spending more than $5,000 a day in expenses due to data preservation in response to imminent legal actions. The organization is entering its third year of data preservation efforts, and legal action has yet to begin.

Ceasing normal data destruction

Instituting a legal hold traditionally meant stopping all scheduled record destruction for physical records; however, since 2006, with the new Federal Rules of Civil Procedure regarding electronic records, the term legal hold has had a whole new impact on organizations. The IT (information technology) or IS (information systems) department is the target for data preservation actions. When confronted with this type of action, IT must cease automated email deletions, backup tape rotation, tape recycling, and defragmenting and compressing hard drives, and cannot add new software or operating systems. A legal hold very quickly adds up to increased costs from purchasing additional tapes and server memory to accommodate the volume of data that IT is now required to maintain.

Organizations must include as part of their legal hold process specific steps for preserving data in the event of impending legal action. The data preservation program must be analyzed and defined and include employee training, testing, a risk assessment, and possibly other components before an actual legal action occurs. Once established, the data preservation program may (depending on the industry) have multiple actions going on simultaneously, where data could very likely be targeted for more than one legal action at a time.

Data Preservation Need

As with any new program or initiative within an organization, an evaluation of risk, importance, and urgency is required, in addition to the impact on departmental and corporate budget, resources, preservation longevity, and productivity. The financial burden of data preservation increases over time; the longer the legal action, the greater the impact on the budget, resources, and external storage costs.

Data Preservation Team

A data preservation team typically consists of employees, vendors and corporate legal counsel. Depending on the industry, it may be helpful to include outside counsel as an advisor for program design. The “core” team should represent departments or functional groups responsible and accountable for the organization’s business data. For example, core team members might include system/network backup and archival administrators, database administrators, e-mail administrators, records managers, forensic imaging vendors, litigation attorneys, in-house lawyers, and change management representatives. Other members may be added and rotated off as the need for their areas of expertise is met.

The team is responsible for creating the charter and budget, defining roles and responsibilities of its members, developing rules of engagement for any sub-teams, and developing, deploying, and testing the program. Their responsibilities also include developing training for employees.

Data Preservation Program

The data preservation program should outline and account for multiple scenarios. To establish a set of standard equations, the following items should be noted.

Volume of emails received and sent over the past 24 months

  • The increase in number of employees (if applicable) and email volume over the 24 months
  • The volume of emails targeted for auto-deletion each month
  • The number of tapes used for backing up emails
  • The volume of emails maintained by employees outside of the email system (PDAs, thumb drives, smart phones, home computers, etc.)
  • The estimated number of duplicate emails within the system (courtesy or blind copies)
  • The estimated number of emails within the system that are nonessential or unrelated to business (lunch plans, non-work related communications)

Volume of IM (instant messaging) being conducted within the organization

  • Internal IM communications captured in real time
  • The increase of employee use over the past 18 months
  • External IM communications (organizations will have to address the potential of being ordered to produce those communications as well)
  • IM communications captured through PDAs, smart phones, home computers, etc.

Volume of duplicate data on network shared drives

  • Increased number of drafts or versions of the same documents on network shared drives
  • Volume of databases outside the IT or IS normal backup plan
  • Volume of data housed on laptops or workstations of remote employees outside of the daily data backup process

Volume of server space decreased when compression or defragmentation is conducted

  • The increased use of server or hard-drive space due to ceasing data compression actions
  • The projected cost of increasing server or hard-drive memory
      • Per server
      • Per employee

Tape backup and tape rotation use

  • The volume of tapes currently being used in the rotation program
  • The increased volume in the past 24 months
  • The volume of tapes currently being used for daily, monthly, and annual system backups
  • The volume of tapes currently being used for daily, monthly, and annual database or software backups

The number of external drives used by employees

  • Volume of data being overwritten by employees for external backups
  • Volume of data stored or backed up on thumb drives by employees

Volume of disaster recovery tapes

  • Increased number of tapes used for disaster recovery over the past 18 months

Scheduled purchase, implementation, and deployment of new software or operating systems

Volume of legacy or obsolete data

  • Legacy data of software no longer used by the organization
  • Legacy data acquired through an acquisition or merger 
  • Obsolete data backups from operating systems or software from defunct lines of business 
  • Obsolete data backups from old email systems

Training and awareness

  • Responsibility of employee, contractor, and vendor to preserve data

Corporate divisions, business units, and subsidiaries

  • Volume of data rotated among other divisions, business units, or subsidiaries for the purpose of disaster recovery or archival
  • International requirements and laws pertaining to data transfer

Records management and retention schedules

  • Reclassification process during and after legal actions
  • Collecting all record destruction certifications for any relevant data that met its retention maturity and was destroyed prior to the preservation order through an established records management program
  • Recall of any physical records that have met their retention maturity yet are not physically destroyed as of the preservation order date

Corporate web pages (internal and external)

  • Volume of tapes currently used to back up web pages and web sites
  • Assembling all established procedures and documentation regarding the use, protection, and management of external user data collected during visits to web sites

Collaboration tools

  • Collecting all documentation regarding the security approach of external individuals entering shared areas of the network.

Forensic Imaging and Chain of Custody

It is key to remember that the metadata (data about data) associated with business records is just as important as the data itself. Consequently, methods must be followed to ensure that the metadata is preserved. Many organizations contract with data forensic organizations as part of their data preservation programs. Not only do data forensic services provide organizations with methods for extracting relevant data and metadata; they can also provide a chain of custody. A chain of custody is the ability to prove a record’s origin by means of examining the digital file residing on a hard drive or other storage device. The date, time, and originator’s information are maintained as part of the image, which is useful when the record is required for a legal action.

Conclusion

A successful data preservation program gives an organization the ability to make scheduled backups, properly label and retrieve data for the length of the preservation order and legal action, and reclassify the data at the completion or settlement of the action. A successful data preservation program in conjunction with a comprehensive records and information management program enables an organization to identify relevant data associated with a legal action and segregate that information from the remaining collection of data, thus reducing the lost productivity and cost of identifying data later. Legal actions have become part of doing business. Although instituting a data preservation plan and educating employees on carrying it out won’t stop impending litigation, a tested process will make the litigation less disruptive to the organization’s operations.

Penny Quirk is the director for the Records Information Optimization Practice at Robbins-Gioia, LLC.

  1. United States District Court, N.D. Illinois, Eastern Division. David Danis, on behalf of himself and all others similarly situated, Plaintiffs, v. USN Communications, Inc., et al., Defendants. No. 98C7482. Oct. 23, 2000.

 

 
