Finding safe harbor in a leakproof vessel: the importance of document and data retention policies and Rule 37(f)
By John J. Coughlin
February 2, 2007
Among the many changes embodied in the recently enacted Federal Rules of Civil Procedure dealing with electronic discovery, perhaps none was passed with more controversy than the "safe harbor provision" contained in Fed.R.Civ.P. 37(f), which protects parties under certain circumstances from sanctions for the loss or alteration of electronically stored information.
Rule 37(f) provides, in pertinent part:
[a]bsent exceptional circumstances, a court may not impose sanctions ... on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.
This safe harbor provision attempts to reconcile the evolution to a paperless society with the historical doctrine of spoliation of evidence. "Spoliation is the destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation." Zubulake v. UBS Warburg LLC, 229 F.R.D. 422, 429 (S.D.N.Y. 2004). Zubulake was one of the first judicial decisions, and certainly the most well known, where the spoliation doctrine was applied to the loss of e-mails that were relevant to the plaintiff's claims. Historically, spoliation usually arose in the context of product liability cases, where the missing evidence took the much larger form of a motor vehicle or a piece of machinery.1
Today's spoliation involves smaller and exponentially more voluminous evidence that is almost always eventually deleted, changed and/or transferred to other media. Such changes may occur at the discretion of the user or IT department, or they may result from automatic operation of the data management system. In order to understand whether the safe harbor exception applies, one must first understand, in its unique environment, how such deletion or alteration may occur, and whether it is possible and feasible to make changes to the process.
In considering the "routine operations" discussed in the safe harbor provision of Rule 37(f), one must first understand the extent to which discretionary controls exist. Many computer applications are not designed to store information for extended periods of time, which makes preservation difficult, if not impossible. For example, databases create and operate within a dynamic "multidimensional" environment in which it may be unrealistic or at least unreasonably burdensome to isolate and save or even print specified data from a certain time or transaction. It is important to note that the new procedural rules and cases do not necessarily impose additional obligations to save that which cannot reasonably be saved without disrupting or crippling business operations. However, one cannot truly evaluate the burdens or benefits without first understanding generally what the system is and how it operates.
Conversely, many systems operate under "settings" of the user's or administrator's choice that govern time periods and volume thresholds at which data are deleted, overwritten or stored to offline media. (Whether such offline or archival media are discoverable is determined by a comprehensive weighing of factors set forth in Rule 26.) It is this discretionary process that ties into the language of Rule 37(f), as such settings are subject to potential hindsight analysis of whether the party allowed deletion to occur in the "good-faith operation of an electronic information system" or whether something is amiss under the circumstances.
The Role of the Document Retention Policy
Now that discovery explicitly includes "electronically stored information," the distinction or lack thereof between "document" and "data" must likewise be addressed in company document retention policies. Some clients may have found such policies unnecessary in the past, but the volumes of data now involved in daily transactions practically demand that data retention practices be addressed and formalized in a written policy.
The difference to a court between "spoliation" and "good-faith operation of an electronic information system" may be borne out by examination of the document/data retention policy that was in effect at the time. Recently, in Samsung Elecs. Co. v . Rambus Inc., 439 F. Supp. 2d 524 (E.D. Va. 2006), the U.S. District Court for the Eastern District of Virginia analyzed this issue closely, guided by a U.S. Supreme Court decision in the prosecution of Arthur Andersen LLP, flowing from the Enron scandal:
As the Supreme Court has noted, "'[d]ocument retention policies,' which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business." Arthur Andersen LLP v. United States 544 U.S. 696, 704, 125 S. Ct. 2129, 161 L. Ed. 2d 1008 (2005). "It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances." Id. "In contrast, however, a document retention policy adopted or utilized to justify the destruction of relevant evidence is not a valid document retention policy," and "[i]t follows that implementing such a policy in advance of reasonably foreseeable litigation would not be proper and could constitute spoliation." Hynix Semiconductor, Inc. v. Rambus, Inc., 2006 U.S. Dist. LEXIS 30690, 2006 WL 565893, *20 (N.D. Cal. 2006) (unpublished).
The above cases illustrate that courts will not turn a blind eye to spoliation simply because a policy allows for the destruction of documents and data. The knowledge or even reasonable basis for knowledge of pending claims may give rise to a duty to preserve evidence. The fact that loss of evidence occurred pursuant to a retention policy does not by itself entitle one to safe harbor from sanctions for spoliation. Rule 37(f) explicitly requires the court to analyze whether the loss or alteration occurred as the result of "routine, good-faith operation" of the system.
It is important for parties to fully understand how each of their systems manages and ultimately deletes data. As the previous Alerts of this series have indicated, this understanding usually occurs only through in-depth exchanges between legal and information technology representatives. Just as most attorneys are unqualified to explore network infrastructure to identify and change all settings without understanding the burdens imposed on the system, most IT personnel who manage the systems must consider legal implications of allowing the deletion of data that could have been easily and/or cost-effectively saved for litigation or other legal reasons.
Once the interests of the IT and legal departments have been vetted and perhaps reconciled, it is time to create or update company policies related to document and data retention. The written policy may comprise anywhere from a few to a few hundred pages, depending on the size and type of business and systems in place. Generally, the policy should accomplish at least four goals: (1) identify subject documents; (2) embody legal objectives; (3) identify specific time periods for retention; and (4) explain processes and lines of responsibility in clear unambiguous terms.
Remember that the policy tells a story that may be subject to the scrutiny of hindsight in the event that information that once existed is unavailable during litigation or other legal proceedings. Prescribing time periods for retention or destruction can be a tightrope walk between the financial and logistical burdens of saving data on the one hand and the legal cost and benefit on the other.
The document retention policy is a double-edged sword in that its proper creation and implementation can protect a party from sanctions; but an ill-advised policy or one not properly followed can, in fact, create the record to support a claim of failure to act "in good faith." In this regard, the most important aspect of the policy, ironically, is the section that provides for suspension of that very policy, known as the "litigation hold."
Finally, the policy must be realistic and enforced. The risk of stating the obvious on this point is nothing compared to the risk of being confronted during litigation with proven failure to follow procedures that, by virtue of enactment, are considered reasonable. The best way to prove the good-faith operation of an electronic information system is by showing that a well-reasoned policy is in place and that all persons relevant to its enforcement are properly trained.