This is the seventh in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations. As always, your comments are gratefully solicited.
The Path to Production: Retention Policies That Work
(Part II of IV)
[Originally published in Law Technology News, November 2005]
We continue down the path to production of electronic mail. Yesterday, I reminded you to look beyond the e-mail server to the many other places e-mail hides. Now, having identified the evidence, we’re obliged to protect it from deletion, alteration and corruption.
Anticipation of a claim is all that’s required to trigger a duty to preserve potentially relevant evidence, including fragile, ever-changing electronic data. Preservation allows backtracking on the path to production, but fail to preserve evidence and you’ve burned your bridges.
Complicating our preservation effort is the autonomy afforded e-mail users. They create quirky folder structures, commingle personal and business communications and — most dangerous of all — control deletion and retention of messages.
Best practices dictate that we instruct e-mail custodians to retain potentially relevant messages and that we regularly convey to them sufficient information to assess relevance in a consistent manner. In real life, hold directives alone are insufficient. Users find it irresistibly easy to delete data, so anticipate human frailty and act to protect evidence from spoliation at the hands of those inclined to destroy it. Don’t leave the fox guarding the henhouse.
Consider the following as parts of an effective e-mail preservation effort:
- Litigation hold notices to custodians, including clear, practical and specific retention directives. Notices should remind custodians of relevant places where e-mail resides, but not serve as a blueprint for destruction. Be sure to provide for notification to new hires and collection from departing employees.
- Suspension of retention policies that call for purging e-mail.
- Suspension of re-use (rotation) of back up media containing e-mail.
- Suspension of hardware and software changes which make e-mail inaccessible.
- Replacing backup systems without retaining the means to read older media.
- Re-tasking or re-imaging systems for new users.
- Selling, giving away or otherwise disposing of systems and media.
- Preventing custodians from deleting/ altering/corrupting e-mail.
- Immediate and periodic “snapshots” of relevant e-mail accounts.
- Modifying user privileges settings on local systems and networks.
- Archival by auto-forwarding selected e-mail traffic to protected storage (i.e., journaling).
- Restricting activity like moving or copying files tending to irreparably alter file metadata.
- Packet capture of Instant Messaging (traffic or effective enforcement of IM prohibition.
- Preserve potential for forensic recovery.
- Imaging of key hard drives or sequestering systems.
- Suspension of defragmentation.
- Barring wiping software and encryption, with audit and enforcement.
A threshold preservation issue is whether there is a duty of preservation going forward, e.g., with respect to information created during the pendency of the action. If not, timely harvest of data, imaging of drives and culling of relevant backups from rotation may sufficiently meet the preservation duty so as to allow machines to be re-tasked, systems upgraded and back up tape rotation re-initiated. Securing guidance from the court and cooperating with opposing counsel to fashion practical preservation orders help insulate a producing party from subsequent claims of spoliation.
The Knowledge Hurdle
Thanks to a string of recent, high profile decisions, litigants are gradually awakening to their obligation to preserve electronic evidence. Still, attitudes often range from insufficient (“We’ll just stop rotating backup tapes”) to incredulous (“Why would we need to preserve voice mail?”).
One hurdle is the lack of knowledge on the part of those charged with the responsibility to design and direct preservation efforts: too many don’t understand what and how data change or what triggers those changes. They fail to appreciate how the pieces fit together.
For example, in a lawsuit concerning a plant explosion, the defendant, a major oil company, preserved monthly “full” backups of its e-mail server but failed to hang on to four weeks of incremental backups immediately preceding the blast.
A full back up is a snapshot of the e-mail system at a single point in time. An incremental backup records changes to the e-mail system between snapshots. Did someone think that full backups were cumulative of the incremental sessions? If so, they missed the fact that any e-mail received and deleted between snapshots might exist on the incremental backups but be absent from the monthly tapes. They didn’t consider how the pieces fit together.
If you’ve done a good job identifying where e-mail lives, preservation is largely a matter of duplicating the e-mail without metadata corruption or shielding it from subsequent loss or alteration. Both demand technical competence, so you’ll need expert help the first time or two. If you ask questions and seek out reasons behind actions, knowledge gained from one effort will guide you through the next.
Minimize Burden and Cost
With digital storage costs at all time lows, it’s tempting to minimize spoliation risks by simply keeping everything. Don’t. Keeping everything merely postpones and magnifies the cost and complexity of production. Yet, you can suspend document retention and tape rotation without triggering a costly data logjam, if you adapt your preservation from reflexive to responsive.
Reflexive preservation describes steps you take while figuring out what’s relevant and what’s not. It’s immediate and encompassing action to preserve the status quo while you sift the facts, forge agreements with opponents or seek guidance from the court. Calling a halt to backup tape rotation or suspending retention policies is reflexive preservation.
Reflexive preservation is a triage mechanism and a proper first response; but it’s too expensive and disruptive for the long haul. Instead, convert reflexive preservation to responsive preservation by continually tweaking your preservation effort to retain only what’s relevant to claims or necessary to meet business and regulatory obligations. Narrow the scope of preservation by agreement, motion practice and sound, defensible judgment.
Having identified the e-mail evidence and preserved it, we need to collect it and make it accessible for review and searching. Tomorrow, we hike up harvest hill and perambulate population pass. Wear sensible shoes!
The preservation advice above now feels as familiar as an old slipper. But back in 2005, preservation checklists were rare birds. The steps haven’t changed much, except that a modern e-mail preservation checklist needs to place more emphasis on webmail, cloud-based mail repositories and especially mobile devices like phones and tablets. Today, I’d expect that upwards of two-thirds of e-mail users primarily access their messaging using phones and tablets.
But, the sea change in my thinking since I wrote this goes to the question of whether to save “everything.” I was wrong, and I’ve changed my mind from what I wrote. Now I say, “keep the e-mail!” In the dozens of botched e-discovery efforts I’ve been appointed to clean up in the last ten years, so much expense and hardship could have been avoided had an e-mail journaling mechanism (or similar reliable means of retention) been employed. E-mail journaling automatically retains a copy of every non-spam message and attachment sent or received by key custodians. A good system achieves efficiencies by single-instance storage and powerful search capabilities. Still, it’s basically keeping “everything.”
There is a mantra among corporate counsel that goes, “if we don’t keep it, they can’t hurt us with it.” That’s sound thinking if the company is, say, corrupt or into a lot of dirty dealing. But, what if the company tends to do things well and honestly, isn’t it possible that more information is more likely to exonerate than implicate? And, really, aren’t you better off having the evidence than having to explain why you lost it…again?
I’ve heard both sides of the debate and, as my old advocacy reveals, I’ve taken my time coming around to the conviction that broad and routine retention is the better bet. I believe there is such a thing as “defensible deletion;” but it poses no threat of spoliation (that’s what makes it “defensible”). I concede that keeping more mail sometimes means more mail must be searched and reviewed. But, we can deal with that downside through sensible limits on scope of discovery and use of improved culling and analytics.
E-mail is institutional memory. It’s our digital DNA. Witnesses need e-mail to refresh recollections. If you don’t have the e-mail, your opponent will. On balance, I’d rather have all the facts, and I’d rather my clients stay out of the spoliation crosshairs. Hence, I say, “keep it;” not because storage is so cheap, but because failure is so costly.