Avoiding the Perils of Electronic Data

Each time your employees edit a Word document or create an Excel spreadsheet, they unknowingly leave behind vital hidden electronic data. These data can include, for example, text that a manager added or deleted to a performance review, formulas employees used for making spreadsheet calculations, and information regarding which individuals accessed a file, when they accessed it and how they changed it.

These records can be so important in legal proceedings that courts increasingly are requiring employers to maintain and track such hidden data, which do not exist in paper records.

Federal court rulings in employment discrimination suits—all within the past two years—illustrate what can befall organizations that don’t properly manage electronic data. In one case, a judge chastised an employer for not having kept everything on a former employee’s computer hard drive. In another, a judge ruled that an employer had to provide plaintiffs with the hidden data in electronic documents. In a third case, a judge ruled that an employer should have reasonably assumed it was going to be sued and should have retained e-mails it destroyed.

For HR, the unique challenges posed by maintaining and tracking such hidden electronic data require working with IT staff, legal counsel and business units to formulate an effective electronic data retention policy.

The need for such policies has never been greater. While electronic discovery has been a fact of life for more than a decade, the proliferation of computers, networks, cell phones, digital voice recorders, digital cameras, personal digital assistants, flash drives and every other manner of digital storage system has accelerated its complexities.

What’s more, lawyers have never been savvier about using electronic discovery, and computer forensic experts are more skillful at digging out damning details, including data users thought had been deleted or didn’t know existed. And there have never been more electronic documents to mine.

These trends are creating an important role for HR in reducing the risks associated with the mismanagement of e-mail, blogs, word processing files, spreadsheets, graphics presentations, voice mails and other digital files. In so doing, HR can help reduce the risk of stiff sanctions, costly settlements and public embarrassment for businesses.

The Need for Retention Policies

Three years ago, there were about 2,000 federal and state laws and regulations that had some bearing on electronic document retention, says Sharon Nelson, a lawyer and president of Sensei Enterprises Inc., a Fairfax, Va., consulting firm.

Today, that figure has ballooned to more than 14,000—spawned by the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, regulations from the Occupational Safety and Health Administration and the Equal Employment Opportunity Commission (EEOC), and additional industry-specific regulations and state laws. The number of rules and regulations employers must comply with are “enormous,” Nelson says.

And more rules are being added. In December, several amendments to the Federal Rules of Civil Procedure took effect to address electronic discovery. Judges and lawyers hope the amendments, under review for 18 months, will clarify ambiguities they’ve been dealing with for years.

“Because of the new amendments to federal civil procedure, companies need to take a hard look at what they are doing on record retention” for all electronic data, says Amy Longo, a partner and co-chair of electronic discovery and document retention practice at O’Melveny & Myers LLP in Los Angeles. (For more information, see sidebar “Crafting a Document Retention Policy”.)

Most Businesses Lack Policies

While the amendments underscore the growing need for well-crafted electronic document retention policies, many businesses don’t have such policies in place.

In a 2005 survey of 2,054 professionals involved in records management, 87 percent said their organizations had a formal records retention program—but only 65 percent said the program covered electronic records. (This is in a world where 95 percent of documents are in electronic form and only 30 percent are ever committed to paper.) The survey was conducted by Cohasset Associates and co-sponsored by the American Records Management Association and AIIM International.

When it comes to electronic document retention policies, e-mail is the biggest problem for most employers. By now, most companies have policies governing the proper use and content of e-mail—but few have retention policies. In a survey last year of 416 companies by the American Records Management Association, 76 percent had e-mail usage policies and only 34 percent had e-mail retention policies. “E-mail is still the No. 1 target in litigation,” says Nelson. “Most smoking guns are found in e-mail.”

Not all companies are equally prepared—or unprepared—for the challenges of managing hidden digital data.

“In companies with more than $100 million a year in revenues, we usually see some kind of electronic documents retention policy,” says Nelson. But “even among larger companies, at least half do not have specific e-mail retention and management policies.

“Among smaller companies,” she says, “less than 30 percent have a policy. Government agencies and nonprofits are worse.”

Nelson adds that establishing effective policies often requires a team of individuals dedicated to the task. “When companies craft retention policies, they need the right team of legal counsel, HR, business executives, subject-matter specialists and probably an outside document retention consultant,” she says.

Here are some of the key issues such team members should seek to address.

The Dangers of Hard Drives

Hard drives are a pervasive problem. Most IT staffs routinely wipe a drive clean soon after an employee leaves, reformat it and give it to a new worker, destroying potentially important hidden digital data.

That can be a significant issue, as illustrated by the case of Liggett v. Rumsfeld (2005 WL 2099782 (E.D. Va. 2005)). In the case, a former employee, William Liggett, sued the U.S. Department of Defense, alleging racial discrimination when his supervisors suspended him for 10 days for accessing sexually explicit web sites from work. The supervisors argued they didn’t go looking for the evidence; it came to their attention during an unrelated review of the department’s network firewall.

Liggett argued that either someone had stolen his password and used his computer to access the sites, or that a previous legitimate user of the hard drive had visited the sites. Either way, the hard drive would show the tracks—but the department had not kept a copy of it. The court dismissed the case for unrelated reasons, but it issued a strongly worded ruling that the defendant should have preserved the hard drive data. The department was lucky; the court could have fined it for not keeping the electronic documents.

To guard against such problems, experts now encourage companies to keep a mirror image of a hard drive used by any former employee who left under suspicious circumstances, threatened a lawsuit, had access to confidential information, or handled intellectual property or copyrighted material.

“It is not widespread yet, but we’re beginning to see corporations implement drive imaging programs,” says Michele Lange, a staff attorney for legal technologies at Kroll Ontrack Inc., an Eden Prairie, Minn., electronic discovery firm. “Some do it for every worker, some only for high-level or suspect employees.” Her firm offers a hard drive imaging service. “I can’t count the number of employers who came to us and said they wished they had not redeployed the computer so quickly.”

While such efforts are useful for maintaining electronic evidence needed in court, they also have other practical uses. Let’s say the competitor where a former employee now works suddenly appears to have some of your intellectual property. The copy of his hard drive could be used to show if, when and what the former employee may have stolen. (See “Tailor Non-competes to a T” in the September 2006 issue of HR Magazine.)

In general, the problems with hard drives underscore the vast difference between managing electronic documents and paper. Companies are most likely to box up and send paper documents to storage for a specified period, says Tom Mighell, senior counsel and litigation technology support coordinator for Cowles & Thompson PC in Dallas. The same can be done for electronic documents—archive them digitally for specified periods—but the volume is much larger and the information more dispersed.

Simply finding which hard drives hold certain data can be difficult. For example, by the time a supervisor sends around a copy of an employee evaluation to his bosses and the employee, it can wind up on several hard drives, plus a server. “You don’t even know all the places it resides,” says Mighell.

The Hazards of Hidden Data

The hidden data embedded in nearly every electronic document are called “metadata,” and they can be a headache with or without litigation and need to be dealt with in retention policies and procedures.

In Williams v. Sprint/United Management Co. (230 F.R.D. 640 (D. Kan. 2005)), a former employee, Shirley Williams, brought a class action against Sprint and United Management claiming age was a determining factor in the defendants’ decision to lay off workers. In discovery, the plaintiff requested the spreadsheets that were used to analyze layoff scenarios—and requested those documents in the form in which the defendant had maintained them, with the hidden formulas used to analyze the data. The defendant initially provided spreadsheets with the cells locked, so the formulas and other hidden data could not be viewed.

The court ruled that when a party is ordered to produce electronic documents as they are maintained in the course of business, it must produce them that way, hidden data and all. The ruling was issued before publication of the amendments to the federal procedure, but the new guideline says electronic documents must be provided in native format if they are requested that way. (“Native format” is another way of saying hidden data and all.)

Lawyers increasingly ask to see metadata during electronic discovery. While metadata is not inherently good or bad, it can be helpful in determining which documents to seek in discovery.

Mighell says that even though metadata “can put skeletons in the closet, information you did not intend to have there,” it also can be beneficial to an employer.

For example, Nelson has seen metadata used to show an employee tried to backdate a document to prove their innocence. Metadata showed the original time stamp.

The Peril of Purging

In Zubulake v. UBS Warburg (No. 02 Civ. 1243(SAS) (S.D.N.Y. 2004)), Laura Zubulake, a former trader at UBS Warburg, filed an EEOC claim against UBS after she was passed over for a promotion. The court ruled that UBS should have discontinued its e-mail deletion policy several months before Zubulake filed her complaint. The judge said it should have been clear when other employees began talking about her situation that a suit was likely, and that should have triggered a “litigation hold” to preserve the e-mails.

A litigation hold has long been an important concept in discovery. In blunt terms: Once sued, you have to stop shredding documents. A party also has a responsibility to preserve evidence whenever a suit appears likely. The trigger could be the filing of the suit or something that was said or written months earlier, suggesting the possibility of a suit. Litigation holds are a bigger problem for electronic documents than for paper. E-mail and document deletion can be set up automatically, so stopping that process for a litigation hold takes effort.

In Zubulake, after a series of rulings required because of the defendant’s motions, and the fact that many e-mails had been destroyed, the judge took the rare step of ruling “adverse inference”—telling the jury to assume that the defendant had purged the missing evidence because it would have hurt its case. The judge also levied expensive sanctions. UBS Warburg shelled out $29 million in penalties and damages.

Zubulake suggests that companies need to ensure that electronic documents are not destroyed—and the first step in that process is establishing an electronic document retention policy that spells out how and when the company would stop automated deletion or purging of electronic documents. The minute the company faces litigation—or even the possibility of litigation—it should take steps not to purge electronic documents that might be evidence. Judges appear increasingly inclined to mete out stiff sanctions, especially against companies that appear to be using electronic documents to stall or obstruct the process.

“The sanctions are coming fast and furious,” says Nelson. “Judges are angry and think nothing of slapping million-dollar sanctions on some of these big companies.”

When to trigger a litigation hold is among the fuzziest of areas in electronic discovery, Nelson says, and the new federal guidelines don’t entirely clear up the matter. They say: “Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide [electronically stored information] lost as a result of the routine, good-faith operation of an electronic information system.”

Nelson and others point out that “routine, good-faith operation” is open to interpretation; they predict the courts will do a lot more wrangling over this.

“The important thing is to be sure you are litigation-ready,” Nelson says. That means having a plan to stop any electronic document purging the minute a suit seems imminent.

Teaming Up To Take Action

Electronic discovery—and by extension electronic document retention—offers myriad issues and challenges outside employment law, but that is one arena where the issues are most pressing to HR. “A lot of electronic discovery opinions come from the employment arena,” says Longo.

More broadly, electronic discovery impacts everything from shareholder suits to trade secret cases and intellectual property battles. And that means an electronic document retention policy must be designed by a cross-functional team. “The impetus to address these issues is not only coming from legal but, in my experience, IT and HR people want to figure it out as much as anyone,” says Longo.

Large companies have legal counsel that pays close attention to these concerns, but smaller companies don’t always have legal resources. “In smaller companies where there is smaller or no in-house legal, then I see sensibilities assumed by HR people,” says Longo. In the end, though, this is a group problem for every business, one that should be solved by legal, HR, information technologists and even high-level business executives.

Bill Roberts, technology contributing editor for HR Magazine, is a freelance writer based in Los Altos, Calif., who covers business, technology and management issues.