One thing in his response (and a conversation w/ one of my friends known to shoot holes in my theories) that gives me pause is the whole idea around user deletion.

If i decided to delete a file or email that is part of a litigation hold, how does anyone know I’ve deleted it?

Curtis Preston talked about “true CDP” in a session a few years back at Storage Decisions and what true CDP meant both to the user and to the requirements for storage, policy etc, and I’ve mused about multi-terabyte hard drives, and why on earth would someone need one. I think I’ve just found the need.

This is a logical game of Twister I’ve been playing in my head and the great comments here has prompted me to schedule time w/ our legal, risk management and security teams again.

In answer to your first question, No, the “Safe Harbour” clause does not protect an organization if an end-user is allowed to delete a relevant email after a litigation hold is put in place (even if a policy was in place and was well-communicated to the employee). The deletion of that email (whether intentional or accidental) can be considered spoliation of evidence (which carries serious penalties). So, you are absolutely correct that “simply having and following a policy is not enough” – the policy must be enforced to meet the FRCP requirements.

And to your second question, yes, the technology exists to address the concerns you raise. An email archive with litigation readiness features (litigation hold, no end-user deletion, automatic policy enforcement and e-discovery search capabilities) is a cost-effective way to meet FRCP requirements for a litigation hold, while making the e-discovery process much faster and easier. Many archives (Fortiva included) also offer additional benefits for IT, including reducing the burden on the Exchange store and providing real-time, browser-based search of the archive for legal (so IT doesn’t have to spend days and weeks retrieving and searching through data).

I wrote a more in-depth response to your post on the Fortiva blog, http://blog.fortiva.com. Thanks again for raising some very valid concerns that are causing a great deal of confusion for a lot of people.

The other thing is I don’t want us to lose sight of the issue I have w/ this whole thing: The cost of storage! I’m still on the hook to pay for all this stuff (including the Records Mgr position), and out of this conversation I am seriously questioning whether the cost surrounding “legal hold storage” belongs on the budget as an IT storage line item or an IT security line item.

*Legal hat again*
Precedent, something lawyers live and die by in the court room. How much precedent has there been surrounding FRCP, and has anyone really tested the Safe Harbor clause yet?

Thanks again for your comments guys, it really did help clarify some of these issues in my mind.

The current FRCP was out for public comment originally in 2005, and there were many opportunities for people to weigh in on the proposed changes. In fact the proposed changes were amended a few times prior to being finalized (in April 2006) and they eventually went into effect in December of 2006. So, here we are 14 months later, and people are still complaining about what is a severely simplified manner of producing ESI in the event of a discovery action.

As the author correctly mentions, there is a Safe Harbor provision. Not only does this provision limit the volume of data subject to combing through in the event of a legal action, it is based on sound business practices. It has been proven for decades that organizations which have a Records Management policy, supported by a well-crafted, industry and location specific records retention schedule are able to minimize costs and improve operating efficiencies. And yes, if you don’t have one, it takes time to develop one, but it’s money well spent.

Business Process Analysis and Management is a cornerstone to efficient and effective operations, and at the heart of this is establishing policies and procedures for the generation and management of information assets. This is the forte of Professional Records and Information Managers (RIMs), many of whom are members of ARMA, the Association of Records Managers and Administrators (www.arma.org). ARMA has been at the heart of this critical function for over 50 years, offering training and education to its members, ensuring that there will always be RIM Professionals trained and ready to provide the services necessary to improve on information management business practices.

Of great concern to those of us in the Profession is the frequent publication of misinformation when it comes to the complexity and extreme measures required to achieve compliance with legislation such as Sarbanes Oxley, HIPAA, and the FRCP. Even more disconcerting are statements like those in this article, indicating that the only way to comply is to keep everything forever. Nothing could be farther from the truth. A well crafted records retention schedule establishes the minimum legal required retention period for information to comply with regulations, statues, and laws impacting an organization. Additionally, it takes into account the potential business need for information that may exceed those periods, and after a careful evaluation of the potential risk extended retention may place an organization at, determines how long information should be retained. It also takes into account any known or potential legal actions an organization may be involved in and ensures legal holds are placed on the destruction of any information that may be impacted by those actions.

By doing this, an organization can minimize the volume of information that it retains, reducing costs for management of unnecessary information by ONLY managing what meets the organization’s definition of a “record”, and only retaining it for the required time. Other information that is defined as non-record, or has met it’s assigned retention can be destroyed of in the course of normal business.

In the long run, the information that truly is an asset to an organization will be readily available to support decisions, use for research or reference, and defend an organizations position in the event of a legal action… THAT is what Records and Information Management is all about.

Larry Medina
Danville, CA
RIM Professional since 1972

Take a deeeeeeep breath. Let it out. Feel better? Your panic is real, but unrealistic.

First of all, the FRCP apply only to litigation that ends up in Federal court. Some states are adopting these rules, or variations on them, because they make the rules of engagement between opposing attorneys a bit more even. They aren’t perfect by any means.

Secondly, there is nothing in there that says, “keep everything” or “get rid of everything”, implied or otherwise. I would suggest that many IT folks are having similar panic attacks to what you are experiencing.

Third, get your legal staff to put together a retention policy for your organization. That means either hiring a records manager or engaging a records management consultant. Records managers have been setting retention policies for years and we have a pretty good sense of what works for an organization.

To make you feel a little better, think about snail mail. Remember postal letters? Do you retain every piece of mail that you get? Of course not. You toss out the junk mail and keep the few pieces that you need. Email and electronic records work the same way. Toss the junk and keep the items that have value to the company. While I think we would all like some magic software that would make that decision and retain the records of the organization, most of us are stuck relying on the end user to do the right thing. You provide guidance within a policy structure and verify that they are doing what they are supposed to do. At the end of the day, it is going to be the end user who has to account for his or her decisions.

All that said, you will still get sued and someone will still want you to hold electronic records — and that will be costly. And it will be problematic when subsequent litigation hits some of the same data and you have to figure out what needs to continue on hold and what can be tossed. So I would focus my attention on building a good approach to e-discovery collection and preservation, particularly focusing on finding out all the places that people squirrel away data. You’ll also want to create a data map of your organization so that your attorneys will be able to explain where and how electronic records are being maintained. You’ll also need to educate your legal staff about what makes good sense and what doesn’t. They are in as much of a panic as many IT people. Some of them don’t “get” IT stuff and some think they do and have no clue (witness the lawyer who wanted my staff to create 170 forensic images of HDDs — by the next morning). You’ll need to think about what makes sense and ask the lawyers questions when they require you to do something that seems stupid. Get to know people who do e-discovery and forensics. Get some vendors under contract. You may find it more cost-effective for your company to retain an outside firm to manage records needed for e-discovery, as well as having them collect it. There is an analysis for you to do there. If you have enough litigation, hiring someone in house may be cheaper, although the big issue tends to be finding a place to store what is required.

Get your legal staff to roll out a retention policy and enforce it, but don’t let trying to be perfect stand in the way of being good.

I can’t provide the author here a complete course in how to establish records retention schedules for electronic records. However, if such retention schedules were in place… the frantic, costly and difficult effort to establish legal holds, and to produce electronic records required in e-discovery could be dealt with effectively.

For those IT professionals who read these comments, I recommend that they – or their peers – learn more about the field of Records Management (yes, it fully encompases records generated, managed and stored in electronic form). One of the best ways in which to do that is to join ARMA International, or to learn more through the Association’s education and training sessions. The web site for ARMA International is: http://www.arma.org

Douglas P. Allen, CRM, CDIA+