Handling Electronic Records and Dealing with Risk Management

By Robert Jones, legal consultant at Kroll Ontrack, and John Doherty, litigation partner at Manches

What other challenges and benefits might arise when addressing the most effective management of electronically stored information?

The Information Commissioner’s Office recently announced new fines to deter breaches of the law in relation to personal, which could see organisations being fined up to £500,000 in the most serious cases. A more informed and serious approach towards the issue of electronically stored information (ESI) is increasingly being displayed by the Judiciary too, with some Judges exhibiting a great deal of personal know-how in cases involving electronic evidence and computing. Some courts have even demanded companies to have well-organised systems of ESI and judges are taking a critical, even outspoken, view of those who appear to be behind the times. Robert Jones, legal consultant at Kroll Ontrack, and John Doherty, litigation partner at Manches, look at some of the practical challenges businesses face in putting their ESI houses in order and the reasons why it pays to be prepared.

It is well known that co-operation with regulatory bodies, such as the Financial Services Authority and Trading Standards, can earn companies credit in investigations, as well as increase confidence in those businesses’ abilities to achieve compliance generally, without official intervention. Accordingly, in our evermore burgeoning information era, responsible businesses must have in place policies and strategies to help them respond to an increasingly wide range of data related obligations, carrying with them associated legal risks.

In the modern business world increasingly vast amounts of data are gathered, stored and transferred electronically and technological advances, moving at a swift pace, are only contributing further to that trend. Following reports of the first case in legal history in which an injunction was served via Twitter, arguably email is even becoming ‘old hat’ – a particularly remarkable prospect for those who can remember when email was first introduced at work. Equally, it remains surprising to many people how even the smallest amounts of data, such as those recorded by a computer when it is switched on, or the date when a document was last amended, can be highly significant in any fact-based investigation/litigation context. That said, however, it has been recognised that information is one of the most valuable assets held by any company and that the risks associated with its use (and very often misuse) must be managed.

It is therefore necessary for business leaders (across many disciplines) to consider what steps they should take to understand and control the information that is created and used by their employees, through the implementation of appropriate policies and procedures. From a practical perspective, however, the use of different forms of technology, and failures to properly regulate the use of business systems, can present a number of challenges to the ability to quickly gather items of potential evidence whenever required in any relevant legal context. In that connection, significant obstacles can arise from the onerous legal requirements imposed on Data Controllers concerning the processing of personal data. This often vexed issue for businesses, now carrying with it a potential fine of £0.5m for serious breaches (for example, if following a security breach by a data controller, financial data is lost and an individual becomes the victim of identity fraud), is addressed further below.

Personal Data

Personal data and the associated private rights of individuals are clearly very important matters, rightly deserving of effective protection under the law. That said, from the perspective of a business, they can cause significant practical obstacles in any necessary evidence gathering exercise. For instance, the use of business email for private purposes is commonplace. In addition, personal data can also be found routinely within “business” communications, for example emails, voicemails, correspondence with human resources departments.

Bearing in mind the prevalence of personal data mixed amongst business data, the conduct of any investigation requires a delicate mix of respect for the protection of personal information and judgement in determining whether any items of ‘personal’ data (such as curricula vitae submitted to rival companies) might lawfully be processed (perhaps having substantial probative value). Reliance on adequately drafted data processing policies will be a key factor to assist businesses here.

For cross-border investigations, an appreciation of the local laws applicable to the conduct of investigations will be key too, as the EU Directive on personal data protection (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995) has not been implemented by each EU Member State in an identical fashion. In France, for example, trade unions and representatives are likely to be involved in the collection of data to ensure their employees’ rights are not violated; and in Germany it is not possible to image a computer for preservation without first obtaining the consent of the custodian. In many cases, these obstacles can frustrate the performance of a confidential preliminary investigation, which is supposed to confirm or eradicate suspicion, and can result in tipping-off the subject of an investigation.

A major internal threat stems from current or departing employees who steal confidential corporate information and there are several steps a company should take to reduce this risk. However, a practical consideration in that connection is that without an adequate understanding of the relevant data systems and devices on which information is recorded, businesses must rely on individuals who might be potential witnesses or perpetrators to gather evidence, obviously conveying with it an increased risk of spoliation.

For the reasons identified above, it will be apparent that the handling of data at many companies requires at the very least a thorough review and, more probably than not, an overhaul. Most businesses are guilty of retaining too much ESI and can lose a significant proportion of control over the management of that data as a result. With many corporations now ‘information driven’, ESI is in most cases a significant corporate asset. In fact, because companies now routinely utilise email as their primary means of communication, those companies’ intellectual property is increasingly contained in its employees’ emails and attachments. Therefore, not having command of ESI is the same as not having command of key physical assets.

The rise of new technologies and popular alternatives to communication via email, present a constant risk to all businesses. Text messages, instant messaging, social networking sites and even the permitted use of multi-media software (for example, iTunes) can, at best, complicate a reasonable search and, at worst, open channels for data theft. Such developments need to be considered, and policies need to be created and/or revised on a regular basis, to assess the impact of any changes in technology.

Experts concur that information should only be kept electronically if it is required to conduct the ordinary course of business, for regulatory purposes, or for litigation. If the data does not fall under any of those criteria then it should not be kept, as failure to dipose of surplus ESI can add to what may already be an expensive e-discovery process. An overload of data could mean that companies are unable to quickly and cost effectively implement a legal hold process when required. Furthermore, firms may be unable to identify the type, location and volume of information required to respond to a regulator’s request for documentation. But perhaps the most critical commercial issue with poor data management is the inability to protect a company’s confidential information from internal security threats.

In response to the issues outlined above, companies are beginning to take a more proactive approach to the management of ESI and its associated risks. For example, document management policies governing the creation, retention and deletion of electronic data have been implemented by many responsible companies in an effort to reduce the pitfalls identified.

Document Management Policies

The first step towards drafting an effective document management policy is to understand precisely which ‘documents’ it is intended to manage. By conducting a detailed survey of daily business practices, it will be possible to gain an understanding of the types of documents which are created, by whom, how those documents are stored, how long for and what happens when they are no longer needed. However, this raises for consideration a number of practical and potential legal issues. For example, one of the challenges to understanding what data a company has is to survey its departments in sufficient depth so as to differentiate between what really happens and what employees think that the corporation wants to hear.

In addition, once in place, businesses face the challenge of keeping their policies up to date. Any number of changes to a business, including strategic development, new products, staff reorganisation and technology upgrades will impact the assumptions on which a document management policy is based. The timescales set for the relevant retention periods must be aligned with the commercial requirements of the business and any relevant legal obligations.

In light of the recent emergence of blog sites like Twitter or Facebook and the abundant stories about indiscreet postings, which have resulted in disciplinary action or dismissals, a further challenge is the extent to which a company may regulate the behaviour of its employees outside of work. Once a company knows what information it is producing, only then will it be able to determine where it is kept and what to do about it.

Going beyond document retention policies, Kroll Ontrack’s recent survey has found that a growing number of businesses have taken steps to create legal response plans (41%). Such plans are focused on delivering an appropriate response to a particular legal challenge and are perhaps best illustrated by looking at the fictional case of Company X:

• Company X is either ordered or requested to disclose digital information to help with a legal investigation.
• Company X’s general counsel is relieved to know the company is capable of producing the relevant documents in order to comply, because there is a policy which governs the retention of documents created during the relevant time period.
• However, Company X’s electronic records are poorly managed, intermingled with personal data and there are insufficient resources to extract the information within the prescribed timeframe for responding.

In this case, Company X is vulnerable to non-compliance with its legal obligations. The business may be fined by a regulator, openly criticised by a Court or by a litigious opponent and may suffer reputational damage, potentially encouraging new claims, if news of its disorganisation is sensationalised in the media. A legal response strategy in that case would look beyond the retention of information, at practical issues such as where the data is kept, how custodian consent will be obtained, how the data will be searched and produced. A legal response plan should deliver strategies to respond in a uniform and standardised, timely and cost effective manner.

Looking ahead, companies need to expect the risks associated with electronic records to increase, as the amount of information companies retain continues to rise. These risks are also likely to increase because of the rapid developments occurring in information processing and storage areas, such as digital photos, voice messages, full motion videos and three dimensional objects. These developments will bring with them a new set of storage alternatives, including server virtualisations, cloud computing, the storage of full motion video of a meeting rather than the minutes of the meeting, social networks and wireless workforces. These advances will in turn create a new set of litigation risks and cost.

As courts and regulators now regularly sanction companies for failure to comply with electronic record preservation and production obligations, senior executives would be well advised to place record management issues higher up on their lists of priorities.