Transcription
2010 Canadian Bar Association IPEBLAConferenceWorkshop 12: Electronic Record Retention and DestructionA presentation to the Canadian Bar Association and International Pension & EmployeeBenefits Lawyers Association, Québec Cityby Paul A. MeyerJune 21, 2010 2010 Towers Watson. All rights reserved.
Electronic Retention and Destruction Considerations in establishing international recordretention. Costs of business and litigation. Managing competing interests of employers and employee. Benefits of a good records management program.towerswatson.com2 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Considerations in international record retention Why have retention rules? Regulatory compliance Efficiency and quality control Defensible disposition of obsolete recordsInternational considerations Varying retention requirements. Inconsistent data privacy rules. Inconsistent standards for disposition.towerswatson.com3 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Evolving Challenges – Europe and the World European Community April 2008 White Paper on privateantitrust actions includes sanctions for failure to preserveevidencePopularity of “dawn raids” by EU competition regulators Extensive Privacy Laws in Europe, Canada and Abu Dhabicomplicate hold obligations U.S. courts disregard Hague Convention, blocking statutes andprivacy laws to impose cross-border e-discoverytowerswatson.com4 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Privacy in Europe “(1) Pursuant to Directive 95/46/EC Member States are required toprovide that a transfer of personal data to a third country may only takeplace if the third country in question ensures an adequate level of dataprotection and the Member States' laws, which comply with the otherprovisions of the Directive, are respected prior to the transfer.“(2) However, Article 26(2) of Directive 95/46/EC provides thatMember States may authorise, subject to certain safeguards, a transferor a set of transfers of personal data to third countries which do notensure an adequate level of protection. Such safeguards may inparticular result from appropriate contractual clauses.”European Commission Decision of 27 December 2001 on standard contractualclauses for the transfer of personal data to processors established in thirdcountries, under Directive 95/46/EC.towerswatson.com5 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Privacy in North America Canada - Consent is usually required under PersonalInformation and Electronic Documents Act (“PIPEDA”) andprovincial privacy statutes, subject to exceptions.United States – Privacy of health information protected byfederal law under HIPAA, as amended by HiTech47 states have data security laws, the most comprehensive ofwith is the Mass Data Security Law.towerswatson.com6 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Data Loss “285 million records were compromised in 2008. 74% resultedfrom external sources, 67% were aided by significant errors and87% were considered avoidable through simple or intermediatecontrols.”“The majority of the lost data was neither encrypted norprotected by a password.”“An alarming 78% of IT professionals in the United States claimthat their companies have suffered unreported insider-relatedsecurity.”Kevin P. Kalinich, “Red Flags, Broken Hearts & Data Breach Stimulus;Insurance for Breaches of Data Privacy and Information Security,” (Aon2009).towerswatson.com7 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Average costs of 2008 breach per data loss eventsCOUNTRYTOTAL COST COST PER RECORD LOSTAustraliaUS 1.83 millionUS 114FranceUS 2.53 millionUS 119GermanyUS 3.44 millionUS 177United KingdomUS 2.57 millionUS 98United StatesUS 6.75 millionUS 204"2009 Annual Study: Global Cost of Data Breach,“ Ponemon Institute(2009)towerswatson.com8 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Data loss Costs Europe – enforcement by government. UK - Monetary Penalty Notice ("MPN") under the DataProtection Act 1998 (the "DPA") imposes fines of up to 500,000. In force on April 6, 2010.Spain – Imposed 22,000,000 in penalties in 2009.United States – Under HiTech amendments to HIPAA, state Attorney Generalsmay prosecute violations of federal health privacy law. Enforcement through civil litigation as well as governments;SEC filings show 256 million loss anticipated by TJX forconsumer data loss. Kevin Kalinich, supra, at 2. towerswatson.com9 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Privacy Risk of International Discovery“Cross-border discovery represents a “Catch-22” situation in whichthe need to gather relevant information from foreign jurisdictionsoften squarely conflicts with blocking statutes and data privacyregulations that prohibit or restrict such discovery – often uponthreat of severe civil and criminal sanctions. . . . .“Cross-border discovery has become a major source ofinternational legal conflict, and there is no clear, safe wayforward.”Framework for Analysis of Cross-Border Discovery Conflicts: A PracticalGuide to Navigating Competing Currents of International Data Privacyand e-Discovery at 1 (Sedona Conference 2008).towerswatson.com10 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
The Hague Convention Article 23 of The Hague Convention restricts pretrial discovery to“letters of request” or “letters rogatory” issued by courts of onenation to courts of another. Many civil code jurisdictions and Australia restrict discoveryunder the Hague Convention with blocking statutes to limit thereach of foreign courts and government agencies. Framework forAnalysis of Cross-Border Discovery Conflicts, supra, at. 18. In France, honoring a foreign court‟s discovery request ispunishable by up to six months in prison and files of up to 18,000. Id. At 21.towerswatson.com11 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Impact of U.S. Discovery Requirements Internationally Regulatory Reach. Civil Jurisdiction of U.S. Courts. Jurisdiction over non-citizens.towerswatson.com12 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
The Discovery Process in the United States Parties engage in discovery with little or no oversight by courts. Parties demand information from their opponents via requestsfor disclosure, requests for admissions, requests for production,interrogatories, and depositions. Scope is broad: anything not privilege that may lead todiscoverable evidence; discoverable information need not beadmissible. Unique ability to demand information from non-parties withadvance supervision by court. Parties to a lawsuit may also request information from thirdparties via subpoena.towerswatson.com13 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Regulatory Reach U.S. v. UBS Warburg - 2009. Criminal charges of facilitating off-shore tax evasion. Deferred prosecution agreement required cooperation andidentification of holders of 4,550 accounts. Swiss bank secrecy law defended confidentiality of accounts withcriminal sanctions. Diplomatic crisis as U.S. required UBS to violate Swiss law.towerswatson.com14 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
United States v. UBS – the saga August 2009: Swiss – U.S. - Swiss accord to transfer accountdata to the United States, subject to Swiss parliament approval. January 21, 2010 and February 26, 2010: Federal AdministrativeCourt of Switzerland prevented the disclosure of UBS accountdata, finding that the failure to file an IRS Form W-9, “Requestfor Taxpayer Identification Number and Certification,” was notevidence of fraud. March 31, 2010: United States and Switzerland signed a protocolthe Swiss Federal Tax Administration (“SFTA”) to provisionallyapply the August 2009 accord that the two countries entered intoin connection with the deferred prosecution agreement betweenthe U.S. Department of Justice and UBS.towerswatson.com15 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
United States v. UBS – the saga continues June 16, 2010: Switzerland‟s lower house of parliament overruled the court and approved a law allowing SFTA to hand UBSdata over to U.S. tax authorities; bill to be reconciled with lawapproved by upper house.A referendum is still possible that could make it impossible forUBS to turn over Swiss data by the August 2010 deadline in thedeferred prosecution agreement. If this occurs, the IRS said it isprepared to reopen the case against UBS.Deborah Ball, “UBS Tax Deal Approved, but . . .,” WALL STREET JOURNAL (June18, 2010).towerswatson.com16 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Reach of U.S. Courts Legal Holds and Discovery: Pension Committee of the University of Montreal Pension Planv Banc of America Securities, LLP et al., No. Civ. 05-9016,2010 U.S. Dist. LEXIS 1839 (S.D.N.Y. Jan. 11, 2010), –Quebec plaintiffs. AccessData Corp. v. Alste Techn. Gmbh, No. 2:08-cv-00569(D. Utah Jan. 21, 2010) - Discovery of foreign customer datashielded by German privacy law. Chanel, Inc. v. Song Xu, (W.D. Tenn. Jan. 29, 2010) – serviceof process outside U.S. by email only.towerswatson.com17 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Hold Triggers Reasonable anticipation of litigation: Must preserve documentsfrom date notice of potential claim, not subsequent suit. 336332B.C. Ltd. V. Imperial Oil, et al., B.C.L.R. (4th) 168 (Canada);Zubalake v. UBS Warburg, IV (2d Cir. 2004) Discussion of risk of specific claim within management. Broccoliv. EchoStar, 229 F.R.D. 506, 516-17 (D. Md. 2005)(sexualharassment) Discovery of ESI that “might” be useful to “any” potentialgovernment investigation. U.S. v. Russell (criminal conviction for„failure to preserve‟ evidence of child pornography use underSOX)towerswatson.com18 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Compelled Disclosure Contrary to Foreign LawAccessData Corp. - magistrate judge granted a motion to compelto produce customer records from Germany. Objection on the grounds that production of this “private thirdparty information” would subject producing party to civil andcriminal penalties under the German Data Protection Act. The court granted the motion to compel, declaring privacy law tobe a “blocking statute.” Opinion suggests ways that future parties should argue for aproceeding through the Hague Convention.towerswatson.com19 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Reach of US Process over Foreign Parities Service of process by email authorized on foreign defendantwhere attempts to find a valid address failed, email addressappeared valid, and service by email would not violate Chineselaw.Chanel, Inc. v. Song Xu, 2010 WL 396357 (W.D. Tenn. Jan. 29,2010)(Charmaine, M.J.)towerswatson.com20 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Reach of US Process over Foreign Parities Factors: Internet Corp. for Assigned Names and Numbers showed validemail address linked to non-existent mailing address –bounced back receipts.Fed.R.Civ.P. 4(f) “internationally agreed means of service thatis reasonably calculated to give notice.” Hague ServiceConvention does not apply when physical address is unknown.Email found reasonably calculated to provide notice andeffective since business was designed so owners could only becontacted by email.towerswatson.com21 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Limiting the reach U.S. courts recognize no right of discovery in privateinternational arbitrations under UNCITRAL rule Co.El Paso Corp. v. Comision Ejecutiva Hidroelectrica Del RioLempa 341 Fed.Appx. 31, 2009 WL 2407189 (5th Cir. 2009)(ElSalvadoran substantive law; Swiss procedural law). Cost shifting under Federal Rules of Civil Procedure 45 and 68.towerswatson.com22 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Foreign Regulation of U.S. Courts – an example In August 2009, French Data Protection Agency (CNIL)Délibération No. 2009-474; see also, Article 29 Data ProtectionWorking Party, Working Document 1/2009. CNIL requires proportionality and legitimacy standards, andprocedural safeguards.towerswatson.com23 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
CNIL Requirement Proportionality – Data processing must occur in country wheredata is located. Data should be limited to identity, function and contactinformation. Only data that is strictly necessary to the suit.towerswatson.com24 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
CNIL Requirements Legitimacy – Must be in compliance with the Hague EvidenceConvention, plus: Subject of data must consent to transfer; Party subject to U.S. discovery MUST comply with laws of EUmember state; and Interest must be essential to prosecution or defense.towerswatson.com25 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
CNIL Requirements Procedural Safeguards for “massive and repeated” datatransfers: Recipient must qualify for EU- U.S. Safe Harbor Scheme;orAdopt “standard clauses” for data security approved byEC; orHave “strict and binding” corporate rules for adequatedata security.towerswatson.com26 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
BREADCRUMB (OPTIONAL)U.S. Discovery - The evolving U.S. E-Discovery landscape Zubalake v. UBS, (S.D.N.Y 2004)(Scheindlin, J.) sanctions for“intentional” failure to preserve – enter the hindsight test. December 2006: Federal Rules of Civil Procedure Amended toaddress “electronically stored information” or “ESI.” 2007 – 2008: Dealing with the new rules.2010: “Zubalake Revisited.” In Pension Committee case, JudgeScheindlin‟s set forth an unforgiving new hindsight judicial reviewof “negligently” managed legal holds.towerswatson.com27 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
So Where Does This Leave Us? First, Second, Third, Fourth and Ninth Circuits: Either gross negligence or willful misconducts (and nownegligence?) justify severe sanctions. Spoliation instructionpresumed gross negligence.Seventh, Eighth, Tenth, Eleventh and D.C. Circuits: Only bad faith or only willful misconduct justify severesanctions.But note –the law is being made by 450 District Court Judgesand Magistrates, not the Circuit Courts of Appeal.towerswatson.com28 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
“Zubalake Revisited” The Pension Committee of the University of Montreal PensionPlan v Banc of America Securities, LLP et al., No. Civ. 05-9016,2010 U.S. Dist. LEXIS 1839 (S.D.N.Y. Jan. 11, 2010)(Scheindlin, J.). Canadian pension funds serving as plaintiffswere “careless and indifferent” about preserving and collectingdata.towerswatson.com29 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Pension Committee and the New Test for SactionsFour-part analytical framework for culpable conduct and sanctions:1.Level of culpability – negligent, gross negligent or willful.2.Timing of duty to preserve and spoliation.3.Burden of proof and when it shifts.4.Remedy for the type of harm caused.Op. at 5.towerswatson.com30 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Pension Committee “I conclude that all of these [Canadian] plaintiffs were eithernegligently or grossly negligent in meeting their discoveryobligations.”“As a result, sanctions are required.”Op. at 5.towerswatson.com31 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Judge Schiendlin’s Culpability “Negligence, gross negligence, and willfulness . . . in thecontext of discovery conduct . . . [i]t is apparent to medescribes a continuum.”“Conduct is either acceptable or unacceptable.”“Once it is unacceptable the only question is how bad theconduct is.”Op. at 6.towerswatson.com32 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Judge Scheinlin’s Culpability “[N]egligence involves unreasonable conduct in that it createsrisk to others but willfulness involves intentional or recklessconduct that is so unreasonable that harm is likely to occur.”Op. at 7. (emphasis in orig.) “The standard of acceptable conduct . . . [i]n the discoverycontext . . . Have been set by years of judicial decisions.”Op. at 7.The oddity: the standards imposed on the Canadian fundsevolved in U.S. trial courts in the years following initiation ofthe suit!towerswatson.com33 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Culpability – Examples of the New Negligence Issuance of defective litigation hold resulting in the loss ordestruction of relevant information. Failure to obtain records from all employees (as opposed to keyplayers). Failure to take sufficient measures to preserve ESI. Failure to assess accuracy and validity of search terms.towerswatson.com34 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Culpability – Examples of Gross Negligence Failure to issue written litigation hold. Failure to collect records from key players. Failure to cease destruction of e-mail or back-up tapes after dutyto preserve. Failure to collect ESI from former employees that remain inparty's possession.towerswatson.com35 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Culpability – Examples of Willful Misconduct Intentional destruction of e-discovery or documents after duty topreserve attaches. Intentionally deleting computer files. Calculated decision not to preserve evidence.towerswatson.com36 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Timing of duty to preserve Obligation to preserve exists once the party reasonablyanticipates litigation.Plaintiff‟s duty to preserve is often triggered before litigationcommences (for defendant‟s – when claim is reasonablyanticipated. Zubalake.)Pension Comm.’s plaintiffs – Quebec pension funds andfoundations – were under a duty to preserve as soon as theunderlying events had transpired and some – but not all –plaintiffs had filed suit and retained counsel – many years beforethe case reached the merits!towerswatson.com37 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Sanctions Sanction terminating the case is appropriate only in the face ofthe most egregious conduct. For negligent spoliation, defendants were entitled to monetarypenalties. For gross negligence, defendants were entitled to an adverseinference instruction.towerswatson.com38 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Why Have Records Management Policies: the LegalCase: Civil Sanctions 29 million verdict following “adverse inference” instruction onemails not preserved by employer. Zubalake v. UBS Warburg,2005.Sanctions of 8.5 for “monumental lapse” in discovery.Qualcomm v. Broadcom (S.D. Cal 2008) (failure to disclose46,000 emails, 21 of which were relevant).Adverse inference for failing to preserve for a “reasonable timeafter statutory retention period.” Moezzan Saeed Alvi v. YM Inc.,2003 CarswellOnt 3386 (Ont.S.C.J.)towerswatson.com39 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Why Have Records Management Policies: The LegalCase: Criminal Sanctions US v. Russell – SOX conviction & disbarment of lawyer fordeleting employee child pornography from church computer. 18U.S.C. 1518 (SOX) .Morgan Stanley fined 15 million by SEC for violating emailsretention agreement ( 3 billion verdict in civil trial followingadverse inference for e-discovery loss reversed on appeal).Loss of data on “crashed” hard drive after suit was contempt ofcourt. Netbored, Inc. v. Avery Holdings, 2005 FC 1405(Canada).towerswatson.com40 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Contact Details Paul A. Meyer Senior Counsel901 N. Glebe tson.com41 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.
Service of process by email authorized on foreign defendant where attempts to find a valid address failed, email address appeared valid, and service by email would not violate Chinese law. Chanel, Inc. v. Song Xu, 2010 WL 396357 (W.D. Tenn. Jan. 29, 2010)(Charmaine, M.J.) 20
