E-Discovery: When Legal Trouble Hits, the Delete Button Will Not Protect You

Many businesses hardly give a second thought to old e-mails, digital documents, and instant messages. But, if you don't know how long employees are keeping these documents, you may very well have some legal time bombs sitting on your company's network or employee hard drives.

Recent headlines serve as a chilling reminder that the e-discovery process can unearth damaging data that sinks careers and company reputations.

Last week, two Bear Stearns managers were arrested and indicted on securities fraud, wire fraud, and conspiracy charges, amid allegations that they defrauded investors in hedge funds that invested money in subprime mortgages. The funds collapsed when the mortgages they were tied to lost value, leading to the loss of $1.4 billion in for investors.

In a fateful e-mail that federal prosecutors turned up during the e-discovery process, one of the managers recommended that they close the funds due to poor performance of bond securities. The two managers had told investors four days later that they were comfortable with holdings in both funds.

The Bear Stearns debacle shows the value of being ethical in business. It also shows the importance of developing best practices and policies to protect your company in case employees do unethical things.

It used to be that the discovery process, used by attorneys to find relevant information for pre-trial motions and trials, was mostly confined to printed documents. But with advancing technology and new forms of communication, the federal rules of civil procedure were modified in December 2006 to include all electronic and digital documents. Only two years later, it's estimated that 75 percent of discovery orders require companies to produce e-mail, and companies that fail to comply face millions of dollars in sanctions and fines. Under the e-discovery requirements, companies also need to pay attention to how they are managing and purging scanned documents, voicemails, instant messages, text messages, and everything in between.

While it's true that companies only have so much control over employees' actions, having the right best practices and processes in place can help prevent and mitigate problems when it comes to e-discovery, said Antoinette S. Gilbert, an associate labor and employment law attorney with Karen Smith Kienbaum & Associates in Detroit. The key is to develop a policy that provides employees and managers with guidelines on how to properly manage and dispose of electronic and digital data.

Even if an employee demonstrates bad judgment and sidesteps your policy, you can help your company stay out of trouble by establishing “routine good faith policies” that demonstrate a concerted and consistent effort to protect and manage sensitive data.

So how can you avoid e-discovery headaches? Gilbert suggests the following tips:

• Don't destroy documents if you're facing a lawsuit: If your company is facing a lawsuit or it appears that one is imminent, do not destroy any electronic or paper documents or communications. The legal system places companies on a “litigation hold” until the conclusion of a lawsuit. A litigation hold requires a company to suspend any document destruction policies and informal procedures for managing print or electronic documents (e.g. how your company recycles e-mail backup tapes). Destroying documents or communications despite a litigation hold can result in a lot of costly legal trouble.
• Develop a document retention and management policy: A policy should describe how, where, and how long to store print and electronic documents. For example, you might want to specify how long employees should keep e-mail (e.g. 30 days unless it contains important information) and where it should be stored (e.g. e-mail inbox or archive file on the network). The policy also should take into account the different federal retention requirements for various documents. For example, companies can purge job applications after two years if applicants are not hired, but must retain them for three years after the date of an employee's termination.
• Protect sensitive information: A document retention policy also should make it clear that employees are prohibited from removing sensitive information and confidential documents from the workplace. Some employers may make exceptions to that rule, but if employees do take information off site, they need to make sure it's encrypted in the event that the storage device or employee laptop is lost or stolen. Client or customer data that is lost or stolen can create a host of legal problems for companies.
• Know the law: Before developing a document retention policy, it's a good idea to know the legal record retention guidelines. Different documents and records have different retention and destruction requirements under the law. Some documents must be destroyed in a specific way. For example, federal law requires businesses to shred credit reports.
• Provide training: In addition to having your document retention and management policy in writing, it's also a good idea to provide employees and managers with training so that they are clear on how the policy impacts the documents that they use, refer to, and archive. You'll also want to make sure you educate employees and managers about litigation holds and what needs to be done to comply. And when people attend, make sure they write their signature on a sign-in sheet so that there is a record of their attendance.
• Enlist the help of the IT department: Your company’s technical staff can help you develop appropriate archival and purging processes and procedures for electronic documents. IT departments also can investigate who created documents and when, and they also can retrieve deleted information. The IT department also can help you develop a backup tape for your network drives to ensure that information is managed properly. If your company is named in a lawsuit, contact your IT department to help you make sure that people are complying with the litigation hold. If your company doesn't have an IT department, consider hiring a computer forensic specialist or computer-savvy consultant to help your company comply with legal requirements related to e-discovery.
• Penalize violators: Make sure you enforce your document retention and management policy. For example, if you have a policy that requires employees to delete e-mail after 30 days unless the information in them is absolutely necessary, make sure you're enforcing that rule. Under that guideline, if the IT department discovers that an employee has a year's worth of e-mail and none of it is necessary, make sure they receive a verbal or written warning.
• Consult an attorney: If your company is slapped with a lawsuit, contact your attorney to make sure you're taking all the necessary steps to avoid e-discovery headaches and additional legal trouble.

Additional Resources

• “Employer Record Retention Requirements.”
• “E-Discovery Leads to Arrest of Bear Stearns Hedge Funds Managers,” Wall Street & Technology.
• “E-Discovery is Becoming Much More Important,” Network World.
• "Electronic Document Retention Policy," Society for Human Resource Management (SHRM) Web site.
• "HR Technology Hot Topics: Document Retention Articles," SHRM Web site.

Written by Jenny Cromie, certified human resources specialist (CHRS)