Computers & Security 25 (2006) 91–96
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/cose
Computer forensics and electronic discovery: The new management challenge
Vicki Miller Luoma
Minnesota State University, USA
Article info
Article history: Received 21 December 2005; Revised 23 January 2006; Accepted 23 January 2006
Keywords: Computer forensics; Litigation hold; Information management; Electronic discovery; Document retention; Document deletion; Spoliation

Abstract
Recent American court decisions and legislation have shown that the failure of an organization to retain electronic documents and to be able to locate the information when needed can cost the organization millions of dollars as well as its reputation. In spite of understanding the need for compliance, very few organizations actually have a good understanding of how to implement a system that will satisfy the requirements for electronic document retention and retrieval for litigation purposes.
This paper suggests some positive steps that an organization can take to minimize the likelihood of court-imposed sanctions for noncompliance with discovery requests for electronic documents. The first step is the creation of an Information Management Team that includes experts in computer forensics, law, information management, information technology, and auditing. The next step is to develop and implement an electronic document retention and deletion policy. Any such policy must retain the flexibility to implement litigation holds by suspending routine document deletion when litigation is imminent.
© 2006 Published by Elsevier Ltd.
0167-4048/$ – see front matter © 2006 Published by Elsevier Ltd. doi:10.1016/j.cose.2006.01.002

In light of recent American court decisions and legislation, the failure of a company not only to retain electronic documents but also the failure to be able to locate the information when needed can cost a company millions of dollars and its reputation. Even though most organizations understand the need for compliance, based on the recent high frequency of court-imposed sanctions, very few organizations actually have a good understanding of how to implement a system that will satisfy the requirements for electronic document retention and retrieval for litigation purposes. When a company does not have or does not produce the electronic documents requested in litigation, the lawsuit can become a battle over providing electronic documents and the punishment for failing to do so. In some circumstances the outcome of a case has depended entirely upon compliance or lack of compliance with discovery requests.
This paper suggests some positive steps that an organization can take to minimize the likelihood of court-imposed sanctions for noncompliance with discovery requests for electronic documents. The best means of accomplishing this goal is by the creation of an Information Management Team headed by an Information Management Director. This is a position separate and distinct from the Information Technology Director. The Information Management Team should also include a computer forensics expert. Following the creation of the Information Management Team, an electronic document retention and deletion policy must be developed based on a careful determination of what documents should be retained and when they should be destroyed. Any such policy must retain the flexibility to implement litigation holds by suspending routine document deletion.
1. The reality of data retention and production
Litigants and the judicial system must deal with evidence that is created, stored and communicated electronically. The volume of discoverable electronic documents continues to increase as more employees adopt numerous methods of electronic document storage. Keeping up with technological
advances in electronic communications is one of the most critical problems facing organizations today. At the present time, most of the data in the world are created by computers. Storage of data has become easier and more economical, but few organizations have retention and deletion policies for electronic documents and even fewer have a litigation hold policy to suspend document deletion when litigation has commenced or is likely. The failure to have a plan or policy can be extremely costly to an organization because it can lead to spoliation and the court sanctions that inevitably follow.
Navigating the plethora of rules and regulations for record retention can be overwhelming. In addition, the increased use of paperless records and electronic communications has made it more difficult for businesses to monitor records retention policies. These deficiencies can present serious problems for companies if they fail to comply with record retention regulations or become involved in litigation. It is critical for companies to understand both the legal and the business implications of poor record retention policies. If their policies are not up to par, corporations can face both civil and criminal sanctions, as well as costly document recovery efforts.
There is often uncertainty as to who should be responsible for the records retention and deletion policy, who develops the policy, who monitors the policy, and who is in authority. Most companies assign sole responsibility for electronic records retention policies to their IT departments with little or no training on the legal requirements of electronic document retention and deletion. Often, due to a lack of understanding on the part of employees, they do not provide all requested documents. Employees often misunderstand requested documents as only those that are prepared for business purposes and do not include emails to co-workers, blogs, PDAs, or their private meeting notes.
If all electronic information retained by all employees is not produced in response to discovery requests and it is later found somewhere during the discovery process, the corporation is at risk for court-imposed sanctions. Even if an employee does try to turn over all electronic documents, he or she might not be able to access some of the information. With the extraordinary amount of electronic documents created and retained by business organizations, if a company is not prepared for future litigation it can be nearly impossible to retrieve the required information. The lack of a comprehensive policy is a recipe for disaster. Once litigation has commenced in the United States, litigants serve the opposing party with discovery requests in the form of requests for the production of documents, interrogatories, requests for admissions, and depositions. The discovery process is the legal procedure used by parties to a lawsuit to obtain information from the opponent and other witnesses before the trial. The purpose of the discovery is to help a litigant find the other litigant’s version of the facts, what witnesses know, and other evidence that may exist. During the discovery process litigants normally have the right to receive copies of or inspect electronic documents. Further, courts often will grant temporary restraining orders and injunctive relief that prohibits parties from deleting electronic information. Sometimes the court will allow a computer forensic expert to create mirror images of all relevant storage devices. Organizations that do not have a policy concerning retention, deletion and maintenance of electronic documents can encounter expensive
litigation problems when discovery is requested. The general custom in litigation in the United States is that the party producing responses to discovery requests bears the costs of producing the information. Certainly, exceptions to the general rule exist, but the prospect of receiving onerous requests in response to one party’s requests generally operates to keep requests reasonable. The courts consistently impose a variety of sanctions on litigants who do not provide requested electronic documents. The bottom line is that an organization must retain all relevant documents. Generally, courts maintain the position that although a party might be confused about retention or deletion and exactly what information needs to be retained to comply with various laws and regulations, the court is clear that any relevant information must be provided to the other side upon request. This confusion is understandable given the multifaceted and active nature of current laws and regulations, but business organizations must develop a policy and a team to ensure they are in compliance. Judges and legislatures are learning the nuances of electronic data and technology as computer forensics experts and expert witnesses educate the court, but company record retention policies are lagging behind. Yet, the courts and legislatures are clear: failure to understand the law and its nuances does not relieve one of the consequences. United States Federal Procedural Rule 26, which applies to all litigation in United States federal courts, defines the scope of discovery to be any information “relevant to the claim or defense of any party; … Relevant information need not be admissible at the trial if the discovery appears reasonably calculated to lead to the discovery of admissible evidence.” In short, almost any information requested by a party to litigation is allowed to be discovered.
Even if the specific information requested may not be relevant or admissible in court proceedings, if it is likely to lead to the discovery of other information that may be relevant or otherwise admissible in court proceedings, it is a permissible discovery request. Therefore, a party must provide the information requested to the other party unless it is specifically protected by the court. In recent United States court decisions, the failure of an organization not only to retain documents but also the failure to be able to locate the information when needed can cost the organization millions of dollars and tarnish the company’s reputation. In addition, courts have consistently sanctioned litigants who have failed to implement a litigation hold of electronic data once a lawsuit has either been commenced or reasonably anticipated. The courts are finding spoliation more frequently than ever before. Spoliation is defined as the intentional alteration, destruction, or concealment of information that is relevant to pending or threatened litigation when a party knows or should know that the information is or may be relevant. In many cases, the American courts have found that mere negligence is enough to warrant sanctions. It simply does not matter to the court that a party intended to keep records, meant to comply with requests, or does not have data in a retrievable fashion. If the opposing litigant can prove that information is missing – often by using a computer forensic expert – the court will give negative inference instructions to the jury. A negative inference instruction to the jury means that the court
instructs the jury that missing information is either deemed to be in favor of the opposing party or that the information was deliberately destroyed. With negative inference instructions, a jury will likely project that negative inference to any information that appears questionable that the litigant presents in its case. As such, it is a powerful message that may largely determine the outcome of the litigation. Courts have responded to missing discovery information by dismissing the case, granting summary judgment without trial, awarding attorney fees and costs, awarding monetary damages, requiring the party to pay for forensic reconstruction of data as well as a negative inference instruction. Indeed, the prospect of such dire consequences for the unprepared in litigation requires an innovative solution to this most serious of management challenges.
2. The solution
2.1. An Information Management Team
The best method for organizations to ensure compliance with all the civil and legal requirements concerning document retention and deletion is for every organization to create the position of Information Management Director and establish an Electronic Document Information Management Team. The team should include an attorney either from within the organization or from outside the organization, an auditor or accounting professional, a computer forensic expert, as well as the IT experts who are responsible for document storage and who have the ability to physically halt document deletion. The team should be headed by a management professional such as a Director of Information Management who has access to and the support of top management. Typically, this individual should report to the Chief Information Officer of the organization. The inclusion of a computer forensic expert into this team and in the planning process is crucial. A variety of issues must be considered in devising a plan that is well beyond the technical skills of most executives and even many IT experts. This executive and the department must be fully supported by senior management.
The Information Management Team has four critically important responsibilities: implementation, education, enforcement, and compliance with company requirements, laws and regulations. Without the backing and support of top management in each of these areas, it will be difficult to ensure compliance, the key to avoiding problems in court. For these reasons, the Information Management Director must report to upper level management, namely, the Chief Information Officer of the organization. The Information Management Director must be a separate and distinct position from the Information Systems Director or Information Technology Director so he or she can concentrate on the complicated and critical area of document management.
The Information Management Director must have definitive responsibility across departments to ensure that a policy is in place and that it is being followed. This individual must have a close working relationship with the IT department, the legal department, and a computer and network forensic expert. He or she must be empowered to implement,
educate, and work with a liaison in every department to be responsible for overseeing the retention policy at the lowest levels of the organization to ensure compliance. The Information Management Director must be able to implement the document retention policies, educate all members of the organization, and enforce the policies in order to maintain compliance. All new employees should be trained at the time of hiring and all employees should have their knowledge refreshed regularly on information management issues and be kept well aware of such policies. A key part of the enforcement and compliance responsibilities of the Information Management Director is a regular information management audit. The audit function should be a collaborative effort of the Information Management department, the Legal department, and Information Technology/Information Systems department. This approach brings together all information professionals – the Legal department brings current legal knowledge and advice, the Information Management/Information Systems department has physical control over most of the subject information, and the Information Management department brings expertise in information management, compliance and enforcement. Another advantage of conducting an audit is that once a plan has been devised and implemented, an audit may highlight the weaknesses and the problems in the system that can be corrected long before litigation occurs.
2.2. Role of the computer forensic expert
The computer forensic expert fulfills a key role in the Information Management Team. The computer forensics expert can provide key support before litigation commences, during the litigation process, and in court giving testimony as an expert witness. Prior to litigation, the computer forensic expert can assist in establishing the company’s electronic document retention and deletion policy including the litigation hold policy, as well as offer advice on document storage and retrieval technology. During litigation the value of the computer forensic expert on the Information Management Team becomes even more apparent. The computer forensic expert is instrumental in recovering deleted files or files otherwise not readily accessible. These skills can be applied to both the organization’s electronic storage devices and those of the adverse party during discovery. Further, the insights of the computer forensic expert can be very useful in formulating procedures governing the forensic inspection of computers and asking the right questions in the discovery process. The computer forensic expert can be invaluable in developing a persuasive argument in regard to shifting the costs of discovery to the adverse party in litigation. Another important benefit of having a computer forensic expert involved during litigation is educating the courts during the litigation process.
2.3. Determining what to retain
One of the first challenges that organizations must confront is to determine what documents must be retained and for how long. Companies must determine which laws and regulations affect their company with the help of their internal auditors and legal
counsel. Electronic documents that are related to litigation or regulatory investigation that they know or should have known about must be retained. The electronic documents that must be included are not limited to email and business reports and memoranda, but also include voicemail, desktop applications, databases, corporate intranet/extranet, PDAs, cell phones, websites that archive other websites and meta data, and documents that may exist on employees’ personal electronic data sources. Perhaps this last source is most problematic because it is the most difficult for any organization to control. One of the first steps the team must take is to determine all sources of electronic data being used by the organization’s employees. Some questions to answer are the following. These same questions could be asked to the opposing side in litigation.
1. Identify all employees and all electronic sources where they may store information.
2. What email system is presently in use or has been in use at any time during the last 10 years?
3. Identify the specific hardware used with all the computers that served as terminals for emails that may be relevant to this lawsuit.
4. Is the email encrypted? If so, what encryption system is used?
5. List names and job titles of all employees who have used the email system at the place of employers and who has a list of the employees’ email passwords.
6. Do you back up, save or track instant messages?
7. What is your company policy on employee instant messaging?
8. Identify and describe each and every computer that is in use at the present time or in the last 10 years by type, brand and model number and current location.
9. Identify each and every computer for the last five years that is or has been in use at this company that has had its operating systems reinstalled, hard drives reformatted or overwritten. Specify the date and the reasons for each such reinstallation or reformatting.
10. List each and every brand and version of software that is or has been in use on each computer, including the version(s) for the past 10 years.
11. Identify the method of communication and connectivity for each computer, including the terminal-to-mainframe emulation, data download and upload capability, and computer-to-computer connections and any direct connections.
12. Identify the brand and version of the network operating system used at any time in the past 10 years.
13. Describe in detail the quantity and configuration of all network servers and workstations.
14. Identify the names and job descriptions of each and every person responsible for operating, maintaining, updating and repairing the computer network during any time relevant to this lawsuit.
15. Identify by brand name and version number all software installed on the server or individual computers, by computer serial number, at any time in the past 10 years.
16. Are computers able to install their own software? If not, identify person(s) who have authorization to install software.
17. Describe in detail all ways in which data are shared between the computers of employees at this company.
18. Describe in detail all methods these data can be transferred and the types of data that can be transferred.
19. Name the person(s) responsible for shared data systems at this company and identify their job title(s).
20. If an outside company has responsibility or access to this shared data system, give the names, telephone numbers and addresses of these individuals and entities.
21. Name the individual(s) and job titles of all individuals responsible for the data backup at this company.
22. Describe in detail the procedures used to back up all software and data and the type(s) of data storage used, including active online storage, near-line data, off-line storage/backup tapes.
23. How often are each and every kind of data backed up, and how long is each type of data stored, and what type of backup software is used, including the name and version number and its capacity?
24. Is this backup storage maintained off the premises, and if so, where? Describe the method of archiving and retrieving off-site and on-site data.
25. Describe a current list of all backup materials, their locations, custodians, dates of backup, and content.
26. Are additional quarterly or yearly backups done on any data used for any servers? If so, identify the location of the backup data and list the material.
27. Identify any server, computer or workstation in which the hard drive has been reformatted, erased, or wiped clean.
28. What data have been deleted or destroyed or damaged in the past 10-year period?
29. What is the company policy concerning notification of suspension of the normal destruction of data when litigation is suspected and who is responsible for making that notification?
30. What happens to computers used by former employees? Is their information saved in a format no longer used by the company, and if so, where is it stored?
31. What is the policy overriding the standard protocols regarding data handling during litigation or threatened litigation?
32. What major conversions of hardware or software have occurred in the last 10 years?

Next, the organization must adopt a document retention policy and then educate its employees. It must further continue to update and periodically remind employees of the policy and its provisions. Employees must understand what the consequences of failing to retain, failing to destroy, or failing to reveal electronic documents can mean to the company. Employees need to be prepared for the possibility of electronic discovery requests, or to comply with a litigation hold at a moment’s notice. Employees must be taught how to retain and to back up information in an accessible format and to eliminate data when required. Employees need to be taught to think about the electronic trail they are leaving and to learn to make responsible decisions about creating the electronic information. The problem is that most people perceive emails casually and do not consider that they will ever be part of a lawsuit. Another problem with emails and other electronic
data is that they might be stored on several different electronic resources. Additionally, the deletion key and the recycle bin give people a false sense of security. The team must decide upon the appropriate method of data storage that will make information attainable, identifiable, retrievable, and determine what electronic data are being created by employees. Part of the employee education process must include the fact that keeping too much information can be as bad as retaining too little information. It is too easy to store information indefinitely because of the relatively low cost of archival electronic data storage and the relatively small volume of physical space needed. From an IT operational point of view, very often it is more efficient and less costly to simply archive everything without taking the time to filter out some data that should be deleted. However, disposing of needless electronic information can reduce operational inefficiency and can possibly limit exposure for legal consequences. It is a balancing act. Destroying data that may be needed later to comply with regulations or discovery in legal proceedings can be disastrous. Any destruction of documents should be part of a documented and systematic retention plan and not done on an extemporized basis. Companies must determine the formats in which data are retained and also create a cost-efficient retrieval system that allows timely retrieval. All data retained, including email correspondence, should be stored in a way that allows for quick retrieval of specific items, such as might be accomplished with a search engine, rather than the traditional batch backups used for disaster recovery and data backup procedures. Critical data must be protected from damage and be stored in a way that cannot be overwritten.
2.4. Duty to investigate and disclose information
It is important for employees to realize that the duty to preserve documents occurs before a lawsuit is commenced in the United States. The moment the company knows or should have known that a lawsuit is possible the company and its employees have a duty to preserve all relevant documents and to find all sources of relevant data. How does a company know when it should have known a lawsuit is imminent, short of being served a summons and complaint? All employees, but primarily managers at all levels, need to report incidents immediately that they feel might lead to litigation, such as an allegation of sexual harassment, a fired and angry employee, or employment of a competitor’s employee. Then, once the litigation has commenced and discovery requests have been served, the company has a duty to disclose all requested information unless it obtains an order for protection from the court. The team must determine how enforcement, oversight and periodic assessment will be conducted and reported as well as who will be assigned to carry out these functions. In addition, the team must determine how this plan will be communicated and activated.
2.5. Developing an electronic document retention policy
The lessons learned from the numerous cases in which the court found spoliation are that every company must develop a defensible document retention policy. The policy must be reasonable in the context of the facts and circumstances
surrounding the type and potential inevitability of the importance of the information. The policy needs to consider legal requirements, applicable laws and regulations, as well as any applicable statute of limitations. Other considerations should include good business practices and the industry standard. For example, an auditing firm may be required to keep documents under Sarbanes-Oxley for seven years, but it may make sense to keep documents for 10 years to monitor business growth patterns. Then, even if something is inadvertently deleted or irretrievably lost, the party can argue the company made this realistic and well designed effort to comply. The company needs to determine what technology will provide the most retrievability and be the least destructive. All relevant laws, regulations and personal business needs must be considered in determining how long to retain various records. The retention policy should include a provision regarding a communications mechanism so that both legal counsel and all pertinent employees are informed immediately when a potential litigation threat occurs so that all relevant data are retained.
Electronic information must be placed on litigation hold status as soon as it is known or should be known that litigation is likely or possible. Litigation holds should include notifying the IT department that any automatic delete functions should be stopped immediately. The Document Management Team must oversee evidence management issues in responding to internal and external investigations. As soon as an organization is reasonably aware of pending litigation, it must have a policy in place that puts a litigation hold on the destruction of all electronic documents that are relevant to the proceedings or might lead to relevant information involved in the litigation. The problematical issues are not only putting the litigation hold in effect but also determining what information might be relevant or might lead to relevant information.
Organizations must not only educate employees about the litigation hold but must also have a policy not allowing software such as evidence eliminator on their computers. This kind of software may eliminate all information on the computer, but a forensic computer expert can tell that erasures were made. The fact of missing documents may be more damaging than the information contained in those documents would have ever been. Courts will often instruct the jury that the missing documents can be presumed to be against the interests of the party who fails to provide the information even if, in reality, had the data been retrieved it would have been innocuous. In general, the courts have found that managers and corporate leaders are responsible for electronic document retention and deletion policies and for the failure to maintain the policy in an accessible format. Companies must have a comprehensive system in place to monitor compliance with their records’ retention policies and they must educate their employees regarding records’ retention requirements. There should be clear responsibilities under the plan and a clear message of the importance of compliance with the plan must be communicated throughout the organization. Because of the decentralized nature of e-documentation in today’s businesses, ensuring compliance with any plan will be a significant challenge. Compliance can be improved to some extent by
ensuring that employees understand the policies. Employees should be required to sign a compliance agreement on the company’s retention policies for which they are partly or wholly responsible. This would serve both to improve compliance with the policy and to provide evidence of compliance with the regulations. However, this will not go far enough. The monitoring function will need to have a team in place to regularly ensure that email correspondence and other documents required to be retained are saved and backed up on a regular basis in the required formats and that the unneeded files are deleted. Using automatic delete functions, such as those designed to erase all email messages more than a set number of days old, is easy to implement but can be dangerous if items required to be retained are not regularly extracted and saved elsewhere before being deleted from the email system. Companies must ensure that they have adequate storage space, hardware and software to ensure safe storage of necessary information for the requisite time periods and be able to retrieve those documents. Companies cannot wait until litigation happens to attempt to retrieve information or to create a plan. That is a plan for disaster. It would be like first deciding how to evacuate passengers once you hit the iceberg. A safe plan involves preplanning and preparation.
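As an added illustration (not from the paper), an automatic-delete job of the kind described above can be made to consult the litigation holds before it deletes anything and to return a record of every decision. The retention periods, record fields, matter names and sample records are all constructed assumptions.

```python
"""Retention sweep that checks litigation holds before any deletion."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical schedule (category -> days to keep). Real periods come from
# counsel and auditors, not from this example.
SCHEDULE = {"email": 90, "audit_workpaper": 7 * 365}


@dataclass(frozen=True)
class Record:
    record_id: str
    custodian: str
    category: str
    created: date
    text: str = ""


@dataclass
class LitigationHold:
    matter: str
    custodians: set = field(default_factory=set)
    keywords: set = field(default_factory=set)
    released: bool = False

    def covers(self, rec: Record) -> bool:
        """A hold with no scope suspends all deletion; otherwise a record is
        held if its custodian is named OR its text matches a keyword."""
        if self.released:
            return False
        if not self.custodians and not self.keywords:
            return True
        if rec.custodian in self.custodians:
            return True
        body = rec.text.lower()
        return any(k.lower() in body for k in self.keywords)


def sweep(records, holds, today, schedule=SCHEDULE):
    """Return one (record_id, action, reason) decision per record."""
    decisions = []
    for rec in records:
        matters = [h.matter for h in holds if h.covers(rec)]
        days = schedule.get(rec.category)
        if matters:
            decisions.append((rec.record_id, "HOLD", "matters: " + ", ".join(matters)))
        elif days is None:
            # Fail safe: a category nobody scheduled is never auto-deleted.
            decisions.append((rec.record_id, "RETAIN", "no schedule for category"))
        elif today - rec.created > timedelta(days=days):
            decisions.append((rec.record_id, "DELETE", f"older than {days} days"))
        else:
            decisions.append((rec.record_id, "RETAIN", "within retention period"))
    return decisions


def purge(store, holds, today, schedule=SCHEDULE):
    """Delete expired records from `store` (dict id -> Record) and return the
    full decision list, which doubles as the documented audit trail."""
    audit = sweep(list(store.values()), holds, today, schedule)
    for record_id, action, _reason in audit:
        if action == "DELETE":
            del store[record_id]
    return audit


TODAY = date(2006, 1, 23)  # constructed "run date" for the sample


def sample_store():
    """Constructed sample records, not real data."""
    recs = [
        Record("r1", "alice", "email", date(2005, 6, 1), "lunch on friday?"),
        Record("r2", "bob", "email", date(2005, 6, 1), "quarterly numbers"),
        Record("r3", "carol", "email", date(2005, 6, 1), "notes on Project Falcon pricing"),
        Record("r4", "alice", "email", date(2006, 1, 10), "meeting agenda"),
        Record("r5", "dave", "voicemail", date(2004, 1, 1), "transcribed message"),
    ]
    return {r.record_id: r for r in recs}


if __name__ == "__main__":
    store = sample_store()
    hold = LitigationHold("matter-001", custodians={"bob"}, keywords={"project falcon"})
    for decision in purge(store, [hold], TODAY):
        print(decision)
```

Only the expired, unheld message is removed; releasing the hold lets the normal schedule resume on the next run.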
3. Conclusion
In conclusion, the issues of electronic discovery and the closely related matter of electronic document retention pose significant management challenges. Not having a plan can
be financially devastating to a company during litigation. This paper has suggested some positive steps that an organization can take to minimize the likelihood of court-imposed sanctions for noncompliance with discovery requests for electronic documents. The best means of accomplishing this goal is the creation of an Information Management Team headed by an Information Management Director. The Information Management Team should also include a computer forensics expert. Following the creation of the Information Management Team, an electronic document retention and deletion policy must be developed based on a careful determination of what documents should be retained and when they should be destroyed. Any such policy must retain the flexibility to implement litigation holds by suspending routine document deletion. With an Information Management Team in place to develop an effective electronic document retention policy that is flexible enough to implement a litigation hold policy, an organization will be well prepared in the event of litigation and in the challenges of electronic discovery.

Vicki Luoma holds a Juris Doctor degree in Law and is a candidate for a Ph.D. in Business. She has practiced law and worked as a business consultant in the United States for over 25 years. She is currently an Assistant Professor in the College of Business at Minnesota State University, and she was formerly the Vice President of a private business university in St. Paul, Minnesota. She is licensed to practice law before the Supreme Court of the State of Minnesota; the U.S. District Court, District of Minnesota; the U.S. Eighth Circuit Court of Appeals; and the U.S. Tax Court. She is a member of the Computer Security Institute and has been a featured or keynote speaker at many conferences and companies.