Effective Legal Holds Policy Requires IT-Legal Interaction

The explosive growth in electronic communications has resulted in a corollary growth of e-mail as a primary source of legal discovery when organizations are faced with litigation. As recent high profile cases demonstrate, traditional litigation hold processes are being successfully challenged as inadequate in the context of electronic communications. The lesson, therefore, is that if a company uses technology to run its daily business operations, it will be expected to utilize similar technologies to search, collect and produce requested or subpoenaed business records. Symantec Corporation, a developer of security and availability software tools, is leveraging its own products and the expertise of both its legal and IT departments to develop and implement a litigation hold program designed to significantly reduce the time and money spent to collect and preserve e-mail records. This article summarizes some of the 'lessons learned' by Symantec as we worked with our own technology to develop our legal hold program.

Document Deletion Policies: Proceed At Your Own Risk

Until recently, companies were reasonably safe following policies that called for the deletion of all e-mail records after a short time period, typically 30-90 days. The motivation for doing so was to hold down records storage and management costs, which continue to grow year over year. According to market research firm IDC, this explosion of corporate e-mail represents not only an increase in the number of messages sent and received, but also an increase in the size of e-mail attachments. IDC reports that in 2004, the size of business e-mail volumes sent annually worldwide increased by 47% from 2003, and more than doubled from 2002 levels. See, 'Worldwide E-mail Usage 2004-2008 Forecast: Spam Today, Other Content Tomorrow,' Mark Levitt and Robert P. Mahowald, August 2004.

This growth in the number and size of e-mails places an enormous strain on a company's IT resources, hence the reasoning behind regularly deleting records. However, several court rulings, most notably the 2004 decision in Zubulake v. UBS Warburg (Zubulake V), have called into question this approach to records management because it often fails to take into consideration litigation process demands.

In Zubulake, the court ruled that a party must take affirmative steps to preserve documents, including: 1) issuing a litigation hold at the outset of the litigation or whenever litigation is reasonably anticipated such that all sources of discoverable information are identified and retained; 2) communicating the litigation hold directly to key employees who may be implicated by the claims and defenses; 3) repeating the litigation hold instructions; 4) monitoring compliance with the litigation hold; and 5) instructing employees/custodians to produce potentially relevant documents within their control.

Given these detailed preservation obligations, which are triggered whenever litigation is 'reasonably anticipated,' it is easy to understand how a routine deletion policy can result in the deletion of records that may be relevant to the litigation. Unless an organization is confident that it knows how to find and retain all records that may be relevant to a lawsuit or investigation at the outset of the matter, a routine deletion policy can lead to the destruction of that, which in hindsight, should have been retained.

Backup Is for Recovery, Not Discovery

In response to Zubulake and other relevant rulings, legal departments across all industries sounded the alarm that e-mails and other forms of electronic communications should be preserved and not destroyed. As a result, the pendulum swung from routine deletion policies to a 'keep it all' approach in which legal departments required that the IT department save all e-mails, unaware of the enormous consequences that directive presented to IT ' both from a budgetary and resources standpoint.

Typically, companies save e-mail to backup tapes at regular intervals, such as the end of every business day, week or month. As a result, thousands, even millions, of e-mails and attachments are being kept on volumes of un-indexed tapes, usually stored off-site. But backup systems are not designed for information discovery, where responding to a request means finding specific e-mail and attachments based upon the context (eg, date, sender, recipient) and content (eg, keywords, subject line, attachments) of the information requested. Also, to keep storage and management costs in line, these tapes are usually recycled every few weeks or months. If these tapes become the 'repository' of a company's e-mail, however, then tapes that may have responsive records must be suspended from recycling in response to a litigation hold.

Another source of unstructured e-mail is employee laptops. These local e-mail caches, known as .PST files in the Microsoft Outlook/Exchange world, pose a tremendous challenge during the legal discovery process. These files are highly susceptible to corruption and/or accidental loss (eg, if the laptop is stolen) or destruction (eg, if the laptop crashes). Retrieving these .PST files means laboriously copying all business records off each laptop and then searching through them to find specific documents. Often, this information is on the laptops of highly paid business executives, causing inconvenience and lost productivity of key company employees as laptops are taken away and imaged.

Once the data is restored, it must then be extracted for presentation in court. Depending on the size and scope of the discovery request, this entire process can take days, weeks or even months, especially because some attachments come in formats that cannot be searched electronically (eg, .tiff) and must be converted into text-searchable files or manually reviewed.

The costs of recovering e-mail messages and attachments from volumes of un-indexed backup tapes and individual employees' laptops and desktops are enormous.

Using Technology to Manage Technology

Just as recent advances in electronic communications technology created the need to re-think traditional document retention policies, technology advances are also are the key to tackling this challenge. Retaining only 'Record E-mail,' pursuant to a state-of-the-art retention policy that works in conjunction with a software-based e-mail archiving solution, both minimizes storage costs while ensuring the preservation of records required for regulatory compliance and/or legal hold reasons.

An effective e-mail archiving system immediately and automatically indexes all messages passing through the e-mail system (eg, Microsoft Exchange, Lotus Domino/Notes), stores them in their original form (e-mails and attachments) to a centralized repository with specified retention periods, and ensures the e-mails are not altered or deleted.

The system should allow authorized reviewers to quickly pinpoint specific e-mail required as part of litigation support. This would significantly reduce the time spent recovering requested e-mails, and save some of the exorbitant costs associated with meeting the e-discovery request. The support of global marking schemes eliminates unnecessary duplication of a review effort when discovery requests overlap, as they frequently do.

By reducing the size of data stores in applications such as Microsoft SharePoint Portal Server or Microsoft Exchange, organizations improve both the performance of primary applications and the speed with which they can protect the underlying data.

Finally, the archive acts as an online repository for older items that are moved from primary application storage (eg, Microsoft Exchange Server) according to customer defined polices. Archiving technologies that apply single instance storage and compression technologies to files further reduce the footprint of data. By controlling the size of the message store, the applications and servers hosting them remain focused on real-time transactions. The online archive also enables customers to rationalize their storage resources and dedicate primary storage to dynamic and transactional data. Older, less-frequently accessed content can be moved to a secondary or tertiary storage device, saving money for more strategic purposes.

Technology Alone Isn't Enough

However, software tools aren't enough ' an effective program also requires an organization's legal and IT departments work together more closely. In this regard, an effective litigation hold program will anticipate, rather than simply react to, potential litigation. In developing our program, we focused on three main phases of a litigation hold: 1) initial post-trigger activities; 2) ongoing 'hold' activities; and 3) 'hold' concluded activities. A description of what we identified as key steps to be taken in implementing a litigation hold program follows ' take note how closely a company's IT and legal personnel must work together to ensure success.

Response to a Trigger Event

The first step is determining that litigation is reasonably anticipated or has commenced, or that another hold-triggering event has occurred (eg, receipt of a document subpoena). Once that determination has been made, the company identifies key employees who would be likely custodians of potentially relevant and responsive data (eg, e-mails, documents, spreadsheets), identify enterprise level data sources (eg, databases, shared files, networks), and identify potential third parties under the company's control that likely have responsive and relevant data.

A Document and Data Preservation Memo is then sent to the relevant custodians, IT and Human Resources (HR). Legal and IT must determine whether a custodian's computer (and other hardware and storage media) should be collected or imaged, and if so, designate whether an IT person, paralegal, or outside vendor will perform that work. Legal also works with IT to identify and preserve likely IT and enterprise level data sources relevant to the specific matter (eg, server logs, shared networks, community files). Legal also may send a preservation request to certain third parties that are in possession of documents and data under the company's control, and that are requested to acknowledge that they have received the litigation hold request and agree to comply.

Ongoing Hold Activities

As discussed earlier, an e-mail archiving software tool is a critical piece of this entire process. An effective e-mail archiving tool will include a journaling function that automatically captures all e-mail messages and attachments sent and received through the e-mail system (eg, Microsoft Exchange). It will also allow for the creation of automatic deletion policies for records after retention requirements have expired.

At this point in the process, IT activates the journaling function for the selected custodians. E-mail expiry is disabled and quotas expanded for the custodians. IT creates a 'discovery case' for each custodian, then searches the e-mail repository for that custodian's messages and places them in the discovery case. Selecting an e-mail archiving and discovery software that enables the automation of this tedious process will ensure all relevant records are preserved while simultaneously saving time and money.

Additionally, IT can use the archiving software to migrate the custodians' existing .PST files (discussed earlier) to facilitate recoverability and searchability of those records as well.

It's not uncommon for an e-discovery request to include records for employees who have left the company or who leave during the pendency of the litigation hold. Thus, the HR department should be apprised of the selected custodians as early as possible so that HR can inform the IT and legal departments of any departing custodians. This will allow IT and legal to evaluate what data, if any, should be preserved and/or collected, even if the employee/custodian who created those records is no longer with the company.

Closure

After determining that a matter is closed, and it is no longer reasonable to expect that specific records will be relevant to future litigation, a notice is sent to the custodians and IT lifting the litigation hold. A 'conclusion date' for that matter is recorded, which removes the 'litigation hold' and en-ables the company's document retention policy to resume as to those documents.

Retaining What Must Be Kept Without Keeping Everything

The requirement to retain business records pertaining to ongoing or 'reasonably foreseeable' litigation does not mean companies have to absorb these costs and preserve all records indefinitely. As the Sedona Working Group concluded in its Best Practice Guidelines and Commentary for Managing Information and Records in the Electronic Age, 'an organization need not retain all electronic information ever generated or received.' Rather, the test should be whether there is any continuing value or need to retain it. Companies are obligated to maintain only those records that:

• Document a specific business-related event or activity;
• Demonstrate a specific business transaction;
• Identify individuals who participated in a business activity;
• Support facts of a particular business-related event, activity or transaction; and
• Are needed for other specific legal, accounting or business compliance reasons.

At a minimum, therefore, the substantial number of e-mails that are personal or spam may be excluded from these onerous retention requirements. IDC's research finds that in 2004, spam represented 50%-95% of all inbound e-mail; somewhat higher than 2003 levels, and triple 2002 levels of 15%-30%. Preserving personal e-mails and spam is unnecessary and a waste of money and storage resources. Moreover, transient electronic information without long-term value should be removed promptly from the system, once it is determined not to be subject to a legal hold.

The key to an effective and efficient records-retention and deletion pro-cess, therefore, is the ability to automatically delete those e-mails that do not need to be retained. Once the retention period applicable to those e-mails not covered by a legal hold has expired, a company should have the infrastructure in place to enable it to safely and reliably expire and delete such e-mails. Best practices require a company to preserve 'Record E-mails' in accordance with their overall records retention schedules, and retain 'Non-Record E-mails' for only a short period. Regularly disposing 'Non-Record E-mails' after a short period of time reduces a company's document management and storage burdens and minimizes litigation risks.

Any effective litigation hold policy should accomplish three objectives: 1) ensure the automatic preservation of business records pertaining to ongoing or 'reasonably foreseeable' litigation; 2) enable authorized legal and IT personnel to quickly search for and recover specific records; and 3) reduce the time and money spent performing all these tasks. Technology, such as a software-based e-mail archiving and discovery system, plays an important role, as courts now expect that a company leveraging software and hardware tools to run its daily business operations to also utilize similar technologies to produce subpoenaed records.

But even for a technology vendor such as Symantec, the tools alone are not adequate. A company's legal and IT departments must work closely together before, during, and after the matter is concluded. For many organizations, that may mean legal and IT personnel are meeting for the first time. In addition, managing the funding for implementing an effective records-management system should come from both groups' budgets. IT's budget is strictly tied to storage and other technology issues, while legal's budget is more fluid to enable response to litigation when the subpoena arrives. Managing the costs of proactively archiving and placing legal holds on specific records is easier if both sides work together and contribute budget dollars.

The explosive growth in electronic communications has resulted in a corollary growth of e-mail as a primary source of legal discovery when organizations are faced with litigation. As recent high profile cases demonstrate, traditional litigation hold processes are being successfully challenged as inadequate in the context of electronic communications. The lesson, therefore, is that if a company uses technology to run its daily business operations, it will be expected to utilize similar technologies to search, collect and produce requested or subpoenaed business records. Symantec Corporation, a developer of security and availability software tools, is leveraging its own products and the expertise of both its legal and IT departments to develop and implement a litigation hold program designed to significantly reduce the time and money spent to collect and preserve e-mail records. This article summarizes some of the 'lessons learned' by Symantec as we worked with our own technology to develop our legal hold program.

Document Deletion Policies: Proceed At Your Own Risk

Until recently, companies were reasonably safe following policies that called for the deletion of all e-mail records after a short time period, typically 30-90 days. The motivation for doing so was to hold down records storage and management costs, which continue to grow year over year. According to market research firm IDC, this explosion of corporate e-mail represents not only an increase in the number of messages sent and received, but also an increase in the size of e-mail attachments. IDC reports that in 2004, the size of business e-mail volumes sent annually worldwide increased by 47% from 2003, and more than doubled from 2002 levels. See, 'Worldwide E-mail Usage 2004-2008 Forecast: Spam Today, Other Content Tomorrow,' Mark Levitt and Robert P. Mahowald, August 2004.

This growth in the number and size of e-mails places an enormous strain on a company's IT resources, hence the reasoning behind regularly deleting records. However, several court rulings, most notably the 2004 decision in Zubulake v. UBS Warburg (Zubulake V), have called into question this approach to records management because it often fails to take into consideration litigation process demands.

In Zubulake, the court ruled that a party must take affirmative steps to preserve documents, including: 1) issuing a litigation hold at the outset of the litigation or whenever litigation is reasonably anticipated such that all sources of discoverable information are identified and retained; 2) communicating the litigation hold directly to key employees who may be implicated by the claims and defenses; 3) repeating the litigation hold instructions; 4) monitoring compliance with the litigation hold; and 5) instructing employees/custodians to produce potentially relevant documents within their control.

Given these detailed preservation obligations, which are triggered whenever litigation is 'reasonably anticipated,' it is easy to understand how a routine deletion policy can result in the deletion of records that may be relevant to the litigation. Unless an organization is confident that it knows how to find and retain all records that may be relevant to a lawsuit or investigation at the outset of the matter, a routine deletion policy can lead to the destruction of that, which in hindsight, should have been retained.

Backup Is for Recovery, Not Discovery

In response to Zubulake and other relevant rulings, legal departments across all industries sounded the alarm that e-mails and other forms of electronic communications should be preserved and not destroyed. As a result, the pendulum swung from routine deletion policies to a 'keep it all' approach in which legal departments required that the IT department save all e-mails, unaware of the enormous consequences that directive presented to IT ' both from a budgetary and resources standpoint.

Typically, companies save e-mail to backup tapes at regular intervals, such as the end of every business day, week or month. As a result, thousands, even millions, of e-mails and attachments are being kept on volumes of un-indexed tapes, usually stored off-site. But backup systems are not designed for information discovery, where responding to a request means finding specific e-mail and attachments based upon the context (eg, date, sender, recipient) and content (eg, keywords, subject line, attachments) of the information requested. Also, to keep storage and management costs in line, these tapes are usually recycled every few weeks or months. If these tapes become the 'repository' of a company's e-mail, however, then tapes that may have responsive records must be suspended from recycling in response to a litigation hold.

Another source of unstructured e-mail is employee laptops. These local e-mail caches, known as .PST files in the Microsoft Outlook/Exchange world, pose a tremendous challenge during the legal discovery process. These files are highly susceptible to corruption and/or accidental loss (eg, if the laptop is stolen) or destruction (eg, if the laptop crashes). Retrieving these .PST files means laboriously copying all business records off each laptop and then searching through them to find specific documents. Often, this information is on the laptops of highly paid business executives, causing inconvenience and lost productivity of key company employees as laptops are taken away and imaged.

Once the data is restored, it must then be extracted for presentation in court. Depending on the size and scope of the discovery request, this entire process can take days, weeks or even months, especially because some attachments come in formats that cannot be searched electronically (eg, .tiff) and must be converted into text-searchable files or manually reviewed.

The costs of recovering e-mail messages and attachments from volumes of un-indexed backup tapes and individual employees' laptops and desktops are enormous.

Using Technology to Manage Technology

Just as recent advances in electronic communications technology created the need to re-think traditional document retention policies, technology advances are also are the key to tackling this challenge. Retaining only 'Record E-mail,' pursuant to a state-of-the-art retention policy that works in conjunction with a software-based e-mail archiving solution, both minimizes storage costs while ensuring the preservation of records required for regulatory compliance and/or legal hold reasons.

An effective e-mail archiving system immediately and automatically indexes all messages passing through the e-mail system (eg, Microsoft Exchange, Lotus Domino/Notes), stores them in their original form (e-mails and attachments) to a centralized repository with specified retention periods, and ensures the e-mails are not altered or deleted.

The system should allow authorized reviewers to quickly pinpoint specific e-mail required as part of litigation support. This would significantly reduce the time spent recovering requested e-mails, and save some of the exorbitant costs associated with meeting the e-discovery request. The support of global marking schemes eliminates unnecessary duplication of a review effort when discovery requests overlap, as they frequently do.

By reducing the size of data stores in applications such as Microsoft SharePoint Portal Server or Microsoft Exchange, organizations improve both the performance of primary applications and the speed with which they can protect the underlying data.

Finally, the archive acts as an online repository for older items that are moved from primary application storage (eg, Microsoft Exchange Server) according to customer defined polices. Archiving technologies that apply single instance storage and compression technologies to files further reduce the footprint of data. By controlling the size of the message store, the applications and servers hosting them remain focused on real-time transactions. The online archive also enables customers to rationalize their storage resources and dedicate primary storage to dynamic and transactional data. Older, less-frequently accessed content can be moved to a secondary or tertiary storage device, saving money for more strategic purposes.

Technology Alone Isn't Enough

However, software tools aren't enough ' an effective program also requires an organization's legal and IT departments work together more closely. In this regard, an effective litigation hold program will anticipate, rather than simply react to, potential litigation. In developing our program, we focused on three main phases of a litigation hold: 1) initial post-trigger activities; 2) ongoing 'hold' activities; and 3) 'hold' concluded activities. A description of what we identified as key steps to be taken in implementing a litigation hold program follows ' take note how closely a company's IT and legal personnel must work together to ensure success.

Response to a Trigger Event

The first step is determining that litigation is reasonably anticipated or has commenced, or that another hold-triggering event has occurred (eg, receipt of a document subpoena). Once that determination has been made, the company identifies key employees who would be likely custodians of potentially relevant and responsive data (eg, e-mails, documents, spreadsheets), identify enterprise level data sources (eg, databases, shared files, networks), and identify potential third parties under the company's control that likely have responsive and relevant data.

A Document and Data Preservation Memo is then sent to the relevant custodians, IT and Human Resources (HR). Legal and IT must determine whether a custodian's computer (and other hardware and storage media) should be collected or imaged, and if so, designate whether an IT person, paralegal, or outside vendor will perform that work. Legal also works with IT to identify and preserve likely IT and enterprise level data sources relevant to the specific matter (eg, server logs, shared networks, community files). Legal also may send a preservation request to certain third parties that are in possession of documents and data under the company's control, and that are requested to acknowledge that they have received the litigation hold request and agree to comply.

Ongoing Hold Activities

As discussed earlier, an e-mail archiving software tool is a critical piece of this entire process. An effective e-mail archiving tool will include a journaling function that automatically captures all e-mail messages and attachments sent and received through the e-mail system (eg, Microsoft Exchange). It will also allow for the creation of automatic deletion policies for records after retention requirements have expired.

At this point in the process, IT activates the journaling function for the selected custodians. E-mail expiry is disabled and quotas expanded for the custodians. IT creates a 'discovery case' for each custodian, then searches the e-mail repository for that custodian's messages and places them in the discovery case. Selecting an e-mail archiving and discovery software that enables the automation of this tedious process will ensure all relevant records are preserved while simultaneously saving time and money.

Additionally, IT can use the archiving software to migrate the custodians' existing .PST files (discussed earlier) to facilitate recoverability and searchability of those records as well.

It's not uncommon for an e-discovery request to include records for employees who have left the company or who leave during the pendency of the litigation hold. Thus, the HR department should be apprised of the selected custodians as early as possible so that HR can inform the IT and legal departments of any departing custodians. This will allow IT and legal to evaluate what data, if any, should be preserved and/or collected, even if the employee/custodian who created those records is no longer with the company.

Closure

After determining that a matter is closed, and it is no longer reasonable to expect that specific records will be relevant to future litigation, a notice is sent to the custodians and IT lifting the litigation hold. A 'conclusion date' for that matter is recorded, which removes the 'litigation hold' and en-ables the company's document retention policy to resume as to those documents.

Retaining What Must Be Kept Without Keeping Everything

The requirement to retain business records pertaining to ongoing or 'reasonably foreseeable' litigation does not mean companies have to absorb these costs and preserve all records indefinitely. As the Sedona Working Group concluded in its Best Practice Guidelines and Commentary for Managing Information and Records in the Electronic Age, 'an organization need not retain all electronic information ever generated or received.' Rather, the test should be whether there is any continuing value or need to retain it. Companies are obligated to maintain only those records that:

• Document a specific business-related event or activity;
• Demonstrate a specific business transaction;
• Identify individuals who participated in a business activity;
• Support facts of a particular business-related event, activity or transaction; and
• Are needed for other specific legal, accounting or business compliance reasons.

At a minimum, therefore, the substantial number of e-mails that are personal or spam may be excluded from these onerous retention requirements. IDC's research finds that in 2004, spam represented 50%-95% of all inbound e-mail; somewhat higher than 2003 levels, and triple 2002 levels of 15%-30%. Preserving personal e-mails and spam is unnecessary and a waste of money and storage resources. Moreover, transient electronic information without long-term value should be removed promptly from the system, once it is determined not to be subject to a legal hold.

The key to an effective and efficient records-retention and deletion pro-cess, therefore, is the ability to automatically delete those e-mails that do not need to be retained. Once the retention period applicable to those e-mails not covered by a legal hold has expired, a company should have the infrastructure in place to enable it to safely and reliably expire and delete such e-mails. Best practices require a company to preserve 'Record E-mails' in accordance with their overall records retention schedules, and retain 'Non-Record E-mails' for only a short period. Regularly disposing 'Non-Record E-mails' after a short period of time reduces a company's document management and storage burdens and minimizes litigation risks.

Any effective litigation hold policy should accomplish three objectives: 1) ensure the automatic preservation of business records pertaining to ongoing or 'reasonably foreseeable' litigation; 2) enable authorized legal and IT personnel to quickly search for and recover specific records; and 3) reduce the time and money spent performing all these tasks. Technology, such as a software-based e-mail archiving and discovery system, plays an important role, as courts now expect that a company leveraging software and hardware tools to run its daily business operations to also utilize similar technologies to produce subpoenaed records.

But even for a technology vendor such as Symantec, the tools alone are not adequate. A company's legal and IT departments must work closely together before, during, and after the matter is concluded. For many organizations, that may mean legal and IT personnel are meeting for the first time. In addition, managing the funding for implementing an effective records-management system should come from both groups' budgets. IT's budget is strictly tied to storage and other technology issues, while legal's budget is more fluid to enable response to litigation when the subpoena arrives. Managing the costs of proactively archiving and placing legal holds on specific records is easier if both sides work together and contribute budget dollars.