Dell WP CIO Strategies Retention & Deletion Of Email

CIO STRATEGIES FOR THE RETENTION AND DELETION OF EMAIL

J. David Rowe and Howard Nirken, Du Bois, Bryant and Campbell, L.L.P.

WHITE PAPER 2008

This White Paper discusses the changes in Federal laws that are requiring more and more companies to search for an off-premises solution for their email archive needs.[1] DuBois, Bryant, and Campbell, LLP is an Austin based business law firm that offers its clients premier legal services at highly competitive hourly rates. In addition to advising clients on issues of corporate formation and governance, DuBois Bryant services its clients’ IP and litigation needs with a highly skilled and select group of lawyers. This White Paper is sponsored by Dell which offers two different Software-as-a-Service (SaaS) solutions for archiving email: Dell EMS Enterprise Archive and Dell EMS Rapid Archive. Both are described at the end of this White Paper.

[1] The legal issues discussed in this White Paper are for informational purposes only and should not be relied upon as legal advice. Each company’s situation is unique, and any company that has questions about its legal responsibilities should consult with its own attorney(s). DuBois, Bryant, and Campbell, LLP is available to consult on an individual basis with companies who wish to follow up, but this White Paper is not legal advice.

Introduction

With new regulations and the recent changes to the Federal Rules of Civil Procedure (FRCP), legal departments are turning to IT leadership to manage the retention, deletion, and search and recovery of email in addition to other forms of Electronically Stored Information (ESI). Chief Information Officers (CIOs) must track billions of email messages, database records and desktop files, know where they are, ensure they are secure, delete them on schedule, and be able to produce them as may be required in litigation.

How does an organization ensure a successful retention strategy that accomplishes all of these (sometimes competing) goals? This White Paper provides CIOs with useful information about litigation issues surrounding ESI, as well as information on how to define and implement a retention and deletion strategy. Also included is an overview of Dell’s on-demand Dell EMS email archiving services, two Software-as-a-Service (SaaS) archiving solutions capable of painlessly solving email retention, deletion, search and e-Discovery challenges.

Retention Requirements for Email & Electronically Stored Information

Over the past 20 years, there has been a major change in the way organizations not only communicate, but also manage electronic information. Email and other forms of electronically stored information (ESI) have replaced paper as the predominant way to capture and store information for most organizations around the world. Today, businesses rapidly generate and store digital information; only 0.01% of new information created is on paper.[2] The projected growth in email traffic is estimated to be 68% from 2008 to 2012,[3] and 75% of most companies’ intellectual property is contained in messages and attachments transmitted via email.[4]

The Burden on CIOs

This increase in ESI and reliance on email creates a tremendous burden for CIOs and senior IT executives, who are the ultimate protectors of email and ESI. Why? Because changes in the law mean that:

- CIOs must know where and how all of their company’s ESI is stored. This can be problematic, because a large company’s ESI can include billions of pieces of information stored in thousands of places around the world.
- CIOs must also ensure that retention and deletion policies are applied and automated to properly retain and delete business records.
- CIOs must prevent the unlawful destruction of ESI that could be evidence when litigation is pending.
- Lastly, CIOs must provide for search, discovery, and production of information to meet everyday business needs, and the needs of litigation teams and regulatory compliance departments. This may include helping opposing counsel to track changes to any document, and giving access to document metadata.

Litigation & Regulatory Compliance

In the United States, litigation and regulatory compliance are driving requirements for the protection of ESI. The new Federal Rules of Civil Procedure (FRCP) have set high standards for the discovery of ESI. As a starting point, as soon as litigation is even threatened, an organization must protect its ESI from willful and/or accidental destruction. And soon after litigation is filed, an organization will need to inventory its ESI and be able to produce it quickly.

But are litigation and regulatory compliance merely theoretical concerns? Actually, no.

How Common Are Lawsuits?

According to Fulbright’s 2007 Litigation Trends Survey, 60% of companies with more than $1 billion in annual revenue are currently facing at least one lawsuit with more than $20 million at stake. Even among mid-sized companies, with $100-$999 million in revenue, one in three is currently facing at least one lawsuit of that magnitude. Nearly 40% of the largest companies spend over $5 million annually on litigation. As data volumes continue to double every few years, the proportion of legal costs allocated to discovery continues to rise at an alarming rate.[5]

[2] University of California, Berkeley, 2003, “How Much Information?” w-much-info-2003/
[3] Michael D. Osterman, Osterman Research, 2008
[4] ESG; “Unlocking the True Power of Enterprise Message Management,” September 2005.
[5] Fulbright & Jaworski, 2007 Litigation Trends Survey

CIOs need to understand that they are at the sharp end of litigation: if an organization manages its ESI poorly, a lawsuit can be lost on procedural grounds, regardless of the merits. Figure 1 lists some recent cases where an organization’s fate depended not on the merits of the underlying case, but on the way in which it managed and produced its ESI.

Figure 1: Example Cases and Penalties for FRCP Non-Compliance

- Failure to produce tens of thousands of relevant electronic documents associated with one of its corporate witnesses warranted monetary sanctions ($8.5 million).
  Qualcomm, Inc. v. Broadcom Corporation, 306 F.3d 99, 110 (S.D. Cal. January 7, 2008).
- Willful destruction of potentially relevant evidence led to sanctions, an adverse inference instruction, and $29 million in damages.
  Zubulake v. UBS Warburg LLC, 231 F.R.D. 159 (SDNY 2005).
- An initial conviction hinged on whether document destruction was part of an established policy or obstruction of justice.
  United States v. Arthur Andersen LLP, 374 F.3d 281, 293 (5th Cir. 2004).[6]
- An ineffective method of communicating a preservation order (i.e., bulk email) requiring preservation of certain sales data led to widespread destruction of evidence and sanctions, including a $1 million fine, attorneys’ fees award, and an adverse inference instruction.
  In re Prudential Insurance, 169 F.R.D. 598 (D.N.J. 1997)

Compliance

There are myriad city, state, and federal rules that require the retention of email and other ESI. Compliance regulations vary greatly from industry to industry, among departments, and even among businesses within a given industry. Perhaps the two best known are Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).

Litigation: The Driving Force behind Records Retention

Over the last decade or so, trial lawyers have learned the benefits of seeking out hidden nuggets in email that tend to be more candid than formal letters and memos. The trial bar has responded by asking federal and state courts to adopt uniform rules and procedures for dealing with the discovery of ESI. Those new policies are going into effect all over the country, and include a revised set of procedures adopted by the federal courts by way of an amendment to the Federal Rules of Civil Procedure. While the new rules have taken different forms, they all tend to have at least one thing in common: they require companies to have a complete and accurate handle on their ESI. No matter how complex the business, courts consistently place the onus—and the cost—of inventorying and producing ESI on that organization. This is sometimes true even when a company is not a party to a lawsuit, but receives a subpoena for records anyway.

As a result, CIOs must take the FRCP (and similar state law rules) very seriously in order to protect themselves from costly litigation, substantial penalties, sanctions, and onerous and expensive efforts to produce electronic evidence. Indeed, as Figure 1 illustrates, the fate of the company can literally lie in the CIO’s hands.

So what do the revised Federal Rules of Civil Procedure say, exactly?

Amendments to the Federal Rules of Civil Procedure

On December 1, 2006, the amendments to the FRCP took effect and drastically changed how ESI is treated in the courts. The FRCP is a set of rules proposed and approved by the U.S. Supreme Court, Congress, and the Judicial Conference, which govern procedures in federal courts. The new amendments clarify procedures for the discovery of electronic information.

[6] Following the demise of Arthur Andersen, the ruling was later overturned by the Supreme Court of the United States on the grounds that Andersen did not violate 18 U.S.C. § 1512(b)(2)(A) and (B), which made it a crime to “knowingly corruptly persuad[e] another person with intent to cause” that person to “withhold” documents from, or “alter” documents for use in an “official proceeding.”

The amendments to the FRCP created new requirements for organizations, including the following:

- Know what ESI exists
- Know where that ESI is stored
- Be able to produce that ESI rapidly in the case of litigation

If organizations do not adhere to these rules, the sanctions are severe. A case can be lost on procedural issues alone, regardless of the merits. Figure 2 below shows four key provisions of the FRCP that organizations must be able to meet. Many organizations today—both big and small—do not have the capabilities or technology to satisfy these requirements.

Figure 2: Four Key Provisions to the FRCP

26(f)(1-4) Meet & Confer
Legal Rule: The parties must confer before the scheduling conference regarding any issues relating to disclosure or discovery of electronically stored information - ESI.
Plain English: An organization must know at the beginning of a case what relevant ESI exists, where it is, and how hard it is to access.

26(b)(2)(B) Reasonably Accessible
Legal Rule: A party need not provide ESI from sources that are not reasonably accessible because of undue burden or cost. Court may specify cost-shifting or conditions of such discovery.
Plain English: An organization must quickly produce all relevant electronic information from accessible systems.

34(b)(2)(E) Format
Legal Rule: The request should specify the form(s) in which ESI is to be produced – or a party must produce it in the format in which it is ordinarily maintained.
Plain English: Opposing litigants want to track changes to documents and view metadata, and the producing party has to provide the means to do it.

37(f) Safe Harbor
Legal Rule: Court may not sanction a party for failing to produce ESI which was lost due to routine, good-faith operation of its document management system.
Plain English: As long as litigation is not pending or threatened, an organization can implement a document retention policy and not be penalized for having purged information routinely in accordance with that policy.

Do Not Rely on the “Safe Harbor” Provision

Sometimes, courts will not require the inventorying and production of information stored on backup tapes, or information stored in legacy systems that are no longer active for business purposes. But this “Safe Harbor” provision only applies when electronic evidence is lost as a result of the routine, good-faith operation of an electronic information system.[7]

In other words, if an organization does not have a retention policy, and information is deleted from backup tapes or legacy systems, it is possible that a court will order the organization to provide ESI regardless of the burden or cost. Also, an organization must stop destroying ESI, even as part of a routine process, if that organization has reason to believe it may be involved in litigation (see “Litigation Holds” section, below).

[7] Fed. R. Civ. P. 37 (f).

Four Steps to a Successful Retention Strategy for Email & ESI

How does an organization create a successful retention strategy? To do so, it must:

1. Understand where ESI is stored
2. Create written retention policies and a legal hold mechanism
3. Implement those retention policies
4. Implement search and discovery capabilities that can efficiently retrieve ESI

Step 1: Understand Where Electronic Information is Stored

The first step in implementing a successful retention strategy is to understand what data constitutes ESI, and know where it is stored. Figure 3 below shows just a sample of what is included in ESI:

Figure 3: Examples of Electronically Stored Information

- Electronic format of any data
- Email (corporate and personal)
- Digital signatures and time stamps on records
- System-generated reports
- All email attachments
- Scanned images
- Business contracts
- Digital photograph
- Metadata
- All data inside your contact management system
- Flash video
- Faxes
- Signed contracts
- Spreadsheets, Microsoft Word documents
- Microsoft PowerPoint and .PDF files
- .WAV files
- Web browser cache
- Data in your sales system
- Instant Message conversations
- Tape backups
- Documents stored on your personal hard drive
- Smart phones & PDAs
- Flash drives
- CD-ROMS
- Digitally stored voice mail

As this chart shows, ESI is typically stored in numerous locations within the organization as well as off site. It includes every desktop in the organization, every flash drive used by an employee, every notebook carried out of the office, and even smart phones. To make matters even more complex, multiple copies of email for disaster recovery, archiving, and compliance reside in discrete systems. And because these various copies tend not to be identical, an organization may find itself having to search each one for potentially responsive information.

Locating ESI involves assessing backup processes and procedures (probably with the help of IT and disaster recovery (DR) teams). It also requires the CIO to understand how the business units use their computers to create and store ESI on a daily basis.

To refine the process, a CIO should consult with legal counsel, preferably someone with actual experience in searching for ESI in the context of an actual lawsuit. Practical experience in this area—like so many others—is worth years of theoretical training. Smart CIOs will be well counseled to create a comprehensive data map before they are hit with an actual subpoena. But if a CIO finds herself having to respond to a subpoena before she has been able to create a data map, she absolutely must consult with the lawyer representing the company.

In addition, an organization should review its current practices – do end users tend to create .pst files that are stored locally on their desktop? Does the organization experience frequent outages that encourage users to rely on personal email accounts such as Gmail or Hotmail for business related tasks? Does the outside sales force use text messages to communicate with customers? Do users tend to save documents as attachments to email instead of saving them elsewhere?

Start with Email

In crafting retention policies, organizations should start where the lawyers start: with email. Email is the most important type of ESI and one of the most difficult applications to manage. Email has become the key focus for litigation for several reasons. Email is the corporate system of record. Email is used by customers, employees, and partners and includes key documents such as contracts, P.O.s and proposals sent as attachments.

More importantly, for litigation, email uniquely captures context and intent. Winning a court case is often about showing what people are thinking at a particular time. Employees are often off-guard when they send email, and email usually includes a narrative that shows both thought process and intent.

As the legal landscape evolves over the next few years, organizations will need to closely track evolving best practices in e-Discovery and find ways to defend themselves against unreasonable discovery requests.

Step 2: Defining a Retention Strategy

How does an organization determine a retention strategy? Often there will be internal conflict, with some wanting to destroy messages as quickly as possible, and others wanting to retain them for as long as possible.

Users, for example, typically want to keep messages for as long as possible for business purposes or for convenience. Compliance departments may want to keep messages as long as possible to ensure compliance with regulations. The CIO and the IT staff, on the other hand, often want to delete messages as quickly as possible. Deleting messages reduces the cost and complexity of managing and keeping email up and running.

Legal departments can have differing views. Some legal teams prefer deleting messages as soon as possible to eliminate “smoking guns,” while other legal teams want to keep messages as long as possible because they believe the defense value of the context provided by email is more important than the damage of the potential “smoking guns” in email data. Often it is assumed, and correctly, that the damaging email is already in the hands of opposing counsel; after all, when an organization deletes email, it does not impact the recipient’s retention of that email.

Approaches to Retention / Deletion Policies

What policies should be adopted? Unfortunately, there is no single answer to this question. Discussions with many CIOs have revealed three typical approaches for determining retention policies. These include:

Universal Retention Policy: An organization saves all messages sent and received by all employees, regardless of user or content, forever. This policy may be the easiest to implement, but it is the most expensive to maintain.

Retention Based on User Role: This approach provides a specific user in a particular department or role with a unique retention policy. A simple example of this would be keeping messages for anyone in the finance department for seven years, whereas users’ messages in other departments are only kept for one year.

Retention Based on Message Content: Basing retention on specific content or key words is probably the most difficult type of retention policy to implement, for it carries risks of deleting messages that need to be kept.

Here are some acceptable and questionable policy examples seen in practice:

Sample Acceptable Policies:

Delete everything after 30 days. While this policy may be in violation of some industry compliance regulations, it would be unlikely to violate the FRCP, simply because it is clearly stated and applies to all records in a reasonable, consistent manner.

Keep email for finance, HR, and procurement users for seven years; all other mail for one year. This policy is also an acceptable policy as it defines a clear standard applied consistently to all messages.

Keep all messages forever. This policy would be in full compliance with just about any regulation in existence today, including the FRCP. However, even without litigation it is a costly and complex policy to manage. And should the organization be involved in litigation, it would become unwieldy in the extreme, and ESI management and retrieval costs would be massive.

Sample Questionable Policies:

Users determine how long to keep documents. This is not a retention policy. If an organization abdicates responsibility for message retention and deletion to users, a company risks spoliation problems and will be unlikely to find a berth in the FRCP’s safe harbor provision.

Save all messages with certain keywords for five years and delete everything else. Many people, especially those in the records management field, advocate a content-specific approach to retention of electronic information. However, this policy can be very risky. First, it is nearly impossible to identify all of the key words for information that an organization might want to retain. Conversely, if the key word list is too comprehensive, then few items will get deleted, effectively becoming a keep everything approach.

Tell employees what to save and delete, but do not enforce the policy. There is little difference between not having a policy at all and putting a policy in place but not enforcing it. In fact, the existence of an ignored policy is fodder for opposing counsel in litigation and will subject an organization to spoliation problems and a refusal by the court to apply the FRCP’s safe harbor provision.

In short, whichever policy is adopted, it must be applied consistently and involve the entire organization. As a minimum a retention and deletion policy should be:

- Developed through a consensus of key stakeholders
- Written down
- Applicable to specific individuals, groups, and teams
- Clearly explained to employees through repeated, ongoing training
- Part of new hire training
- Audited to ensure that policies are being followed
- Responded to immediately when anomalies are found
- Automated, and provide mechanisms for litigation holds

Additional Retention Policy Considerations

As problematic as email can be, it may still have some management advantages over other forms of electronic communication. Some organizations may want to consider prohibiting IM or text messages in an effort to funnel more communications through the email server. At least this way, all of the communications are (sort of) in one place.

Another common issue that organizations encounter in litigation is the frequency with which attachments are stored with email, oftentimes with multiple versions of the same or identical document. A potential strategy to reduce the number of documents is to prohibit original attachments in replies. Or a company might prohibit (or severely restrict) attachments altogether and require emails to include hyperlinks instead.

Yet another common issue that creates heartburn when trying to locate ESI is when users store *.pst files in folders on their desktops. These files are beyond the reach of most centrally operated software applications, and require a computer-to-computer search. In a 10-user office, it’s a headache. In a 10,000 user organization, it’s a nightmare. One potential solution to consider is the adoption of a document management system that allows users to drag and drop emails into folders that look like a typical Microsoft Outlook folder, but which actually store the emails on a server instead of a desktop.

Litigation Holds

While the FRCP rules do allow flexibility in defining policies to meet the needs of individual businesses, there is one policy that cannot be ignored – the legal or litigation hold. A litigation hold is a communication within an organization that orders all information relating to a dispute that is the subject of current or “reasonably anticipated” litigation be preserved for possible production. When an organization is anticipating or involved in litigation, legal holds are mandatory.

Litigation holds may occur before an initial court filing. If an organization has a business dispute that may lead to litigation, the litigation threat alone is enough to require a litigation-hold mechanism. The organization must “turn off” their standard deletion policies to ensure the retention of potential evidence related to the dispute or risk a spoliation finding and sanction.

Why is an effective litigation hold policy crucial?

“Omnia Presumuntur Contra Spoliatorem” – in a courtroom, all things are presumed against those who destroy evidence, even if that evidence is destroyed accidentally. This is known as “spoliation.”

Spoliation can destroy a court case and, in extreme examples, a business. The elements of spoliation vary from court to court but generally include:

1. Pending or probable litigation involving the plaintiff,
2. Knowledge on the part of defendant that litigation exists or is probable,
3. Willful destruction of evidence by defendant designed to disrupt the plaintiff’s case,
4. Disruption of the plaintiff’s case, and
5. Damages caused by the defendant’s acts.[8]

Penalties for destroying evidence also vary, but can include:

- Monetary sanctions
- Legal fees
- Adverse inference instructions that tell the jurors to presume damaging information was indeed included in the evidence destroyed, and to consider that information during deliberation
- “Death penalty” sanctions, where a party’s entire pleadings are stricken[9]
- Criminal charges for obstruction of justice

[8] Smith v. Howard Johnson Co., 615 N.E.2d 1037, 1038 (Ohio 1993).
[9] See, e.g., Kamatani v. BenQ Corp., 2005 WL 2455825 (E.D. Tex. Oct. 4, 2005) (Refraining from entering “death penalty” sanction though finding it to be warranted, court struck certain affirmative defenses as sanction for defendant’s “blatant and extensive” discovery violations which included a deliberate failure to search its own records for relevant documents; court further awarded plaintiff its attorneys’ fees and imposed a monetary sanction of $500,000 to be paid to the court within 30 days of the order).

Step 3: Implementing Retention & Deletion Policies

Implementing retention and deletion policies involves more than just writing policies down and giving them to employees. As noted previously, a policy that exists on paper but not in practice is worse than useless. Experience shows that successful implementation requires a combination of effective processes and technology.

The initial task involves working with DR and the IT team to synchronize the organization’s backup policies with the retention policy. If an organization uses tape for backup and DR, it must ensure that the retention period for backup tape is shorter than all other retention periods. This step ensures that, in case of litigation, older backup tapes are not subject to a litigation hold.

Once DR and storage management methods are integrated, the organization should implement policies and processes to ensure that email content is not being moved to home computers, stored in .pst files, or being kept on users’ computers past the deletion date. This requires centralized email and ESI management and is necessary to prevent further distribution of ESI beyond the control of the retention / deletion system. An organization should implement regular employee training on retention requirements, and there should be a process in place to monitor for violations, as well as a standardized enforcement process.

Archiving Technology

Effective control of retention and deletion policy management requires an archiving system. The archiving solution should have the flexibility to apply discrete retention periods to different users, groups, departments, etc. Rules concerning retention periods are evolving and the archiving solution should be able to change retention periods as needed. An organization’s core email system, whether it’s Microsoft Exchange, Novell GroupWise, or Lotus Notes, will not provide this level of archiving technology. A third-party product or service must be installed to granularly manage retention and deletion policies as well as manage e-Discovery.

In addition to routine retention and deletion policy management, organizations should choose archiving technology that enables an organization to quickly implement litigation holds. Litigation holds may be ongoing for an extended period of time for specific users, groups or departments, and tape backups do not provide a compliant mechanism for litigation holds. If your organization uses backup tapes and nightly backs up email messages, and a user deletes an email before that nightly backup, this message is deleted forever and clearly violates the spirit of the litigation hold. Today, archiving technology is a requirement for organizations subject to litigation risks.

An organization also needs archiving technology to have the ability to import distributed content. The archiving solution should enable them to intelligently import messages stored in Exchange, local .PST files, and legacy systems. By centralizing distributed email into a single archive, an organization will have complete control over email retention policies, compliance, e-Discovery, and litigation holds.

Lastly, archiving technology should have strong disaster recovery (DR) capabilities for the primary environment to ensure email outages do not invalidate retention policies. Research shows that companies face a 72% probability of an email outage in any given 12 month period.[10] When corporate email goes down, users start using their personal email accounts to continue to send and receive corporate email. This creates a universe of messages that the organization is still responsible for managing and potentially discovering during litigation, though it is not controlled or even visible to IT. These risks make it crucial that an organization have a DR and continuity process in place to ensure messages are never lost and that archiving continues no matter what happens to the local infrastructure, hardware, software, or staff.

[10] Dell EMS Activation Da
