Litigation Support and Risk Management for Pretrial Discovery of Electronically Stored Information

By John Ruhnka and John W. Bagby

E-mail Story
Print Story
MAY 2007 - Most organizations are eventually involved in litigation, and the increasing frequency of litigation often requires litigation support and careful records management. Familiarity with electronic data discovery (EDD) is necessary to conduct internal investigations, as well as to identify and disclose electronically stored information (ESI) to litigation opponents, regulators, or prosecutors. Many potential parties to a lawsuit are not knowledgeable about electronic records management (ERM) practices or their legal obligations when served with a discovery request. Accountants often serve important roles in litigation support and as expert witnesses. Indeed, Deloitte and KPMG are among the top 10 EDD service providers (see the 2006 Socha-Gelbmann Electronic Discovery Survey,

Electronic discovery is steadily increasing in importance. Several landmark cases have dramatically illustrated the need for clearer, balanced standards of EDD, and the federal judiciary recently revised the Federal Rules of Civil Procedure (FRCP) to recognize the special problems of electronic discovery. These rule revisions are likely to reduce pretrial motion delays, require advance EDD planning, clarify the forms of electronic records that are discoverable, and balance the burdens among litigants. The following is an overview of the variety of discoverable electronic records, the legal responsibilities accompanying a litigation hold, and the strategies and costs of EDD in litigation support and litigation risk management.

Discovery of Electronically Stored Information

EDD is the modern version of document production traditionally required of all litigants during the pretrial discovery phase. Often, litigating parties and government agencies do not possess enough evidence to prove their cases. Civil litigants traditionally have the right to request “documents” and “data compilations” from opposing parties if relevant to the issues or their defense. Subpoenas are used to access such materials in regulatory investigations and criminal prosecutions.

Federal courts can order opponents to produce potentially incriminating internal files and communications. Most states also have parallel discovery rules. The recent growth of EDD reflects how much modern business and government activity is conducted electronically. Under various estimates, 92% to 99% of all records and data are created and/or stored electronically [see Stephen D. Whetstone and Michael S. Simon, National Law Journal, July 17, 2006, at p. S1 (99%); Peter Lyman and Hal R. Varian, “How Much Information,” Technical Report, School of Information Management, University of California–Berkeley, 2000, reprinted in Wirtschafts Politische Blatter, 48, Jahrgang 2001 (over 90%)].

Typically, requesters first query about various repositories of ESI and print documents by serving “interrogatories,” questions that opposing parties must answer. Interrogatories can compel important facts about ESI, such as its existence, its custodians’ identity, its form, and its various locations. It is difficult to exhaustively inventory portable storage devices like personal data assistants (PDA), laptop computers, cellphones, iPods, and flash memory devices. The new FRCP removes any question that all such ESI is discoverable and subpoenable, just like other business records. ESI includes both the content and metadata of word-processed documents, spreadsheets, e-mail, e-mail attachments, instant messages, voice-over-Internet protocol (VOIP), information on PDAs and BlackBerries, reports, correspondence, memos, text files, PowerPoint presentations, digital photos, graphs, and any other data that are created or stored on a computer or computer network or other electronic storage media.

Any ESI, documents, files, or records are discoverable if they are plausibly relevant to issues in upcoming litigation or the subject of a governmental investigation. A primary target of electronic data discovery is often e-mail on the organization’s servers, because of its central role in organizational communications. Also potentially discoverable are employees’ personal e-mail residing with third-party Internet service providers (ISP), cellphone data, PC/laptop storage (hard drives, optical disks), and other personal storage media such as digital camera memory sticks. Voicemail messages and other call records are also discoverable. Even archives of websites and webpages that have been taken down are often still available from web archives such as the Wayback Machine. Litigators often “do a Wayback” to discover potential trademark infringement from the Wayback’s archives of more than 40 billion webpages.

E-mails include electronic records of the message content, file attachment content and metadata. Metadata can reveal the participants’ identity, can note the timing and routing of communications that show interactions between parties, and can be used to infer motive and intent. For example, insider-trading tips can be inferred from phone or e-mail communications made just prior to the tip-recipient’s trades that are then proved from brokerage records. Phone logs are retained by telephone companies, inside cellphones, and in wireline systems, and are archived automatically. For example, Martha Stewart’s erasure of an electronic office diary of a phone call was the subject of her federal obstruction-of-justice conviction. Although Stewart allegedly had an immediate change of heart and reentered the data herself, metadata revealed the attempt, and this was sufficient to constitute tampering with evidence. Of course, there are limitations on accessing phone records outside of the litigation context—as by “pretexting,” the impersonation of phone customers in order to access their personal calling records.

Electronic information other than e-mail can include current and prior website content or access card logs showing employee site egress (e.g., timing, duration, location). Such records are then correlated with camera surveillance tapes or digital video archives. The New York State Thruway annually responds to over 250 subpoenas for EZ Pass records, many from matrimonial lawyers documenting the movements of errant spouses. When surfing the Internet, a user’s IP address is posted to the servers queried via an ISP’s server. Some ISPs have initially resisted production of such IP addresses when subpoenaed, but they must eventually reveal them. Archived electronic information enables litigants and investigators to retroactively eavesdrop on formerly private communications and activities.

There is generally no right to confidentiality of ESI that is arguably relevant to an investigation or litigation. There are some limited exceptions for privileged communications, such as the privileges for attorney-client work product and certain communications such as spousal, doctor-patient, and priest-penitent. There is a more limited scope for accountant-client and self-evaluation privileges. Care is needed in responding to EDD requests because the revised FRCP rules require a faster pace of discovery, increasing the risk that privileged information might be inadvertently produced. Mistakes in disclosing privileged information do not, however, imply a waiver of privilege under new clawback provisions that enable the target to retrieve privileged information that was inadvertently disclosed. While clawback does not apply to inadvertently produced trade secrets, they can still be addressed by agreement among litigants.

Electronic Data Discovery Process

There are several steps in the EDD process, from creation, archiving, management, and review, to production and presentation.

First, there is electronic records management (ERM), in which document retention programs are formalized. These are internal policies governing the preservation of needed and destruction of unneeded business records. Eliminating unnecessary corporate records is legitimate, so long as it does not interfere with legal duties to preserve or disclose information. As the Supreme Court noted in Arthur Andersen v. United States [544 U.S. 696 (2005)]:

Document retention policies, which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business … It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.

The second step is identification, which refers to finding the location of the particular EDD records requested. There is a legal duty to find and review all relevant documents for possible production.

Third, there is preservation and collection. The discovery target must preserve and collect all potentially relevant information after a legal duty arises to preserve. Potentially relevant files may exist in many locations. Data are regularly backed up on various media (e.g., tapes, optical discs, flashdrives) and may be periodically overwritten for disposal or reuse. At the collection phase, potentially relevant records must be maintained in their native file formats with all content and metadata unaltered. This is critical to establishing a “chain of custody” required to ensure admissibility as evidence and to avoid sanctions for tampering. Consider how merely opening a Word document changes the metadata by showing the time of last access.

The fourth step combines processing, review, and analysis. Potentially relevant data must be processed and converted into a readable and reviewable format. Review should be performed by a discovery management team consisting of domain experts and litigation managers who can identify relevant documents for production but withhold privileged and irrelevant documents. Analysis assesses each document’s strategic importance because planning is required for the response needed if the opposition uses the document effectively.

The fifth step is production of relevant and responsive data, converted to formats negotiated upon by the parties early in the discovery process.

The parties must meet quickly following the filing of a suit to negotiate the scope of EDD—within 120 days after service of the complaint—and agree upon a protocol covering the scope of EDD. The practical effect is that litigators must quickly understand the IT environment of their client and the opposing party to negotiate the protocol design. This is best achieved if competent ERM and litigation support can quickly swing into action. Over time, protocol uniformity or de facto EDD standards should emerge that diminish delaying tactics, which too often manifest as motions to compel and countermotions to resist production of EDD—as evident in the Zubulake litigation [Zubulake v. UBS Warburg, 220 F.R.D. 212, 218 (S.D.N.Y. 2003)] and Rambus [Samsung Elecs. Co., Ltd. v. Rambus, Inc., 439 F.Supp.2d 524 (E.D. Va. July 18, 2006)]. This compressed schedule leaves limited time for the selection of EDD and litigation support service providers and the establishment of service-level commitments and metrics for those who will manage EDD: the requests, collection, review, and production of ESI.

Litigation Holds

The legal duty to preserve discoverable data, data potentially relevant to an investigation or litigation, arises as soon as litigation or a governmental investigation is reasonably anticipated. Zubulake v. UBS Warburg, a gender discrimination suit, was influential in defining litigation hold duties. It held that: “Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.” The new rules require safeguarding and preserving “inaccessible” ESI, but such data need not be produced unless ordered by the court. The FRCP encourages voluntary and timely disclosure even before receiving a discovery request. A litigation hold is triggered by a preservation demand sent to an opponent requesting preservation of all backup tapes and files that are potentially relevant ESI. Targets may dispute the overly broad scope or relevance of requests at discovery hearings held before trial, possibly triggering a court to issue a preservation order.

Best practice suggests that a litigation hold team be composed of experienced personnel in relevant functions such as IT, legal, human resources, and records management. These professionals should be ready to instantly deploy litigation holds when imposed. First, IT should immediately cease all document destruction on potentially relevant records, particularly e-mail. Backup tapes and individual PC hard drive overwriting should be suspended. A written preservation plan should be prepared identifying specific data and e-mails for preservation, and then distributed to all employees in control or possession of relevant data. Compliance with the plan requires active monitoring to avoid destruction of relevant files. Such efforts might have prevented the Arthur Andersen obstruction-of-justice conviction.

Zubulake is instructive: Snapshot or mirror-image records are needed of network servers and employee hard drives following a litigation hold to preserve the data’s original, unmodified state. Increasingly, experienced third-party forensic experts are needed to authenticate files and preserve chain of custody, and thereby avoid file corruption, using technical procedures to help prevent claims that records have been altered or destroyed. Existing backup tapes, covering the individuals or subjects relevant to the litigation, should be preserved to avoid tampering charges. Document destruction following a litigation hold exposes the party to sanctions for spoliation or obstruction. A new, but limited, safe harbor now protects an entity for lost, overwritten, or otherwise unrecoverable ESI if done as part of regular business practice of document destruction before a litigation hold attaches. The safe harbor enhances opportunities for litigation support and EDD service providers to improve document destruction planning and retention practices.

Allocating Discovery Costs

Discovery targets often ask courts to limit the scope of EDD if it is overbroad, would violate privilege, or would be unduly burdensome, expensive, or oppressive. Consider five ESI categories in order of increasing difficulty and expense in production: First, active online files and, second, near-line data (on removable media: optical/floppy disks, tapes, flashdrives) are most easily produced, so the target usually pays production costs. Third, offline, archived data reside on backups that are more costly to restore, justifying shared production costs. Fourth, backup tapes are generally used for disaster recovery, and involve massive and costly re-image restoration and are not organized for convenient retrieval. Finally, deleted, fragmented data files are only recoverable using expensive assistance from forensic experts.

Recent cases have imposed more cost sharing of ESI. In some cases a sample of potentially relevant backup tapes has been ordered restored to predict whether relevant evidence will be produced or whether the request is a mere “fishing expedition.” Some forms of ESI can actually impose greater search costs and hide potentially relevant metadata. The revised FRCP may make the form of production less contentious because the requesting party may choose the format for review and may request native file formats, including metadata. For example, Word documents including track-changes metadata may reveal individuals authoring revisions, revision dates, eventually deleted concessions, compromises, or faux pas.

The Zubulake case illustrates the complexity and cost of restoring backup tapes. UBS objected to Zubulake’s e-mail discovery request, arguing that potentially relevant e-mails might reside on 94 different backup tapes. Restoration and search costs were not immediately charged to the plaintiff; instead, UBS was ordered to sample five tapes to estimate the time and cost for restoration of other backups. Enough relevant e-mails were discovered in the sample that UBS was ordered to pay 75% of restoration and search costs for all remaining backups and 100% of its own attorney fees. The costs were nearly $300,000—not unusually high for large companies.

Critics argue that the threat of high discovery costs forces settlements on litigation opponents, so EDD cost-balancing provides some relief. For example, in a discrimination suit alleging sexual harassment retaliation, a federal magistrate oversaw pretrial discovery [McPeek v. Ashcroft, 202 F.R.D. 31, 34 (2001)]. The Justice Department was not ordered to restore server backup tapes; the decision cited the fishing-expedition and settlement-incentive rationales:

If the likelihood of finding something was the only criterion, there is a risk someone will have to spend hundreds of thousands of dollars to produce a single e-mail. This is an awfully expensive needle to justify searching a haystack. … Ordering the producing party to restore backup tapes upon a (unproven) likelihood that they will contain relevant information in every case gives the plaintiff a gigantic club with which to beat his opponent into settlement. No corporate president in her right mind would fail to settle a lawsuit for $100,000 if the restoration of backup tapes would cost $300,000.

New FRCP rules make ESI discovery two-tiered: accessible and inaccessible. Targets must shoulder the costs of providing accessible ESI. Production costs for ESI that is not readily accessible are borne by the requester. For example, server backup tapes intended only for restoration following a system crash might be compressed and organized chronologically such that they are difficult to search. They might be designated inaccessible. Requesters may challenge this designation. A claim of inaccessibility permits the requester to file a motion to compel production, and in such event the target must then provide detailed proof that ESI production would impose an undue burden. Targets can legitimately resist production and claim inaccessibility only when fully informed with an accurate ESI inventory, often requiring third-party services: ERM, litigation support, and EDD. Targets must still preserve inaccessible ESI until a litigation hold is finally released.

Avoiding Spoliation

Spoliation is the civil charge of tampering with or destruction of evidence, whereas obstruction is the analogous criminal offense. Spoliation sanctions are levied if the party controlling the evidence breached a duty to preserve it by destroying evidence with a “culpable state of mind.” Judges have broad discretion to impose spoliation sanctions based upon the degree of fault weighed against the prejudice to the injured party. Sanctions can include monetary fines, payment of attorney fees and costs, additional discovery, an “adverse inference” jury instruction, and even a default judgment imposing liability against the defendant or dismissing the plaintiff’s lawsuit. An adverse inference instruction permits the jury to infer that missing or destroyed evidence would have been favorable to the requesting party.

Spoliation sanctions can overwhelm the underlying issues of a case. For example, the plaintiff in Zubulake showed that potentially incriminating e-mails were inexplicably missing and relevant backup tapes were overwritten. The judge agreed, finding misbehavior, and instructed the jury to make an adverse inference that the missing e-mails would have been unfavorable to UBS. The Zubulake jury returned a $29.1 million verdict against UBS Warburg. In 2005, a $1.58 billion judgment against Morgan Stanley was based in part on the failure to disclose an additional 1,423 network server backup tapes, after Morgan Stanley falsely certified that all relevant e-mails were produced, prompting the judge to give an adverse inference instruction [Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., 2005 WL 679071 (Fla. Cir. Ct., Mar. 1, 2005)].

What ESI Should Be Preserved?

Regulations from many government agencies require the creation, maintenance, and preservation of specified business records. Regulated record retention applies to written and electronic documents. For example, SEC Exchange Act Rule 17a-4(f) requires exchange members, brokers, and dealers to preserve many records and correspondence with customers, including e-mails, for three years. Arguably, section 802 of the Sarbanes-Oxley Act (SOX) can be interpreted to require publicly traded companies to preserve e-mails if such documents are potentially relevant to a federal investigation or matter (litigation) that may not yet exist, with penalties if that company’s intent was to “impede, obstruct, or influence” such future matter by destruction of such records. SOX contains no explicit e-mail preservation requirement, so SEC clarification will be necessary.

Preserving ESI

Some organizations have aggressive e-mail destruction policies requiring systematic deletion after 30 or 60 days, reasoning that short-interval ERM policies prevent damaging revelations. This may not be an effective strategy, however. First, e-mails are regularly preserved at multiple locations (sender, recipient, intermediate servers, forwarded parties) and in repositories not under one entity’s control. Second, erasing or overwriting server backup tapes does not erase copies stored at various other locations, such as external recipients’ hard drives or outside servers. Laptops, PDAs, cellphones, ISPs, and thumb drives are also sources of potential “smoking-gun” e-mails. Third, even deleted files on magnetic storage media are potentially restorable with expensive forensic recovery technologies. Fourth, aggressive document or e-mail destruction increases the risk of eliminating useful information. Finally, destruction when a party “should have reasonably known” that an investigation or lawsuit was imminent risks sanctions for spoliation or obstruction. SOX requires adequate internal controls, and aggressive destruction is inconsistent with that duty.

Some software programs can wipe out metadata automatically generated by word processors or e-mail client software. Wiping metadata after a litigation hold is imposed would likely constitute spoliation or obstruction. There may be no legal obligation to provide metadata in some instances, such as the exchange of documents during contract negotiations or when no litigation hold is imposed. Indeed, lawyers may be subject to ethical violations if word-processing documents have the track-changes function enabled that shows a detailed previous history of sensitive changes such as bids, tradeoffs, or the identity of coauthors.

Successful EDD Strategies

Requests for discovery of electronic information in litigation and regulatory investigations do not show signs of abating in the near future. Aggressive e-mail destruction risks spoliation or obstruction penalties while it hobbles the monitoring of unethical or illegal activities and the maintenance of strong internal controls. Best practices suggest central archiving of all e-mails separately from disaster recovery backup tapes, thereby reducing the costs of search and production. Centrally archiving e-mails can reduce settlement pressures, due to the lowered cost of searching and producing e-mails.

Archiving technologies are offered by third-party vendors such as Fios, LexisNexis Applied Discovery, and Kroll Ontrack. Useful features include “de-duping” (the elimination of duplicate copies), full-text searches on e-mails and attachments, case folders, and privilege marking. Concept-based searching and linguistic
pattern recognition features are also emerging, an improvement over traditional key-word searching. Application service provider (ASP) services are also becoming increasingly available. ERM and EDD vendors can convert all electronic records into more-usable formats and provide storage at secure Internet-based repositories accessible only to authorized personnel to facilitate EDD request responses.

Aggressive EDD has embarrassed many litigants. Electronically stored information must be better managed. There will be a demand for information from litigators, and well-managed information lowers costs and reduces legal risk.

John Ruhnka, JD, LLM, is the Bard Family Term Professor of Entrepreneurship at the business school of the University of Colorado at Denver and Health Sciences Center, Denver, Colo. John W. Bagby, JD, is a professor and codirector of the Institute for Information Policy in the college of information sciences and technology at the Pennsylvania State University, University Park, Pa.




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices