As I prepared for a meeting that involved a two-hour drive each way, I went to throw my iPod in the car--but it wasn't in its usual spot. This time, it was truly elusive--it wasn't in my computer bag, on the bedside table, in my office, my car or anywhere in the house. So after an hour of searching, I finally recalled I last had it in the car my son normally drives. Sure enough, it was on the back seat, hidden away under his coat.
It hit me as I began writing this article--that's what a lot of companies experience with their data identification and collection in today's swiftly evolving Web 2.0 and mobile world, especially when considering changes impacting data retention. It's easy to hit the obvious spots first--the e-mail servers, file shares and even local drives. But it doesn't end there, oh no. Those are simply the places with relatively easy access by IT. As a frustrated IT professional recently shared with me, the many collection tools and appliances available are only useful if you happen to know where to point them. What about all those places where data is present, but your IT or collections guru doesn't know about them, at least not in context with a particular custodian or matter? Then there are thumb drives, external USB hard drives, iPods, smartphones, CDs and DVDs, personal computers, personal e-mail accounts, instant message programs, Twitter accounts--and let's not forget good old-fashioned paper copies. It's also easy to have data hidden in plain sight, such as on SharePoint communities.
Depending on your culture and IT controls, employees are pretty adept at driving data underground, especially when motivated to do so. As I listed above, they certainly have enough modern tools to store and forward that information indefinitely. For instance, many companies are struggling with what to do with e-mail retention. To deal with it, they set up a cross-functional team or committee, which typically includes legal, IT, HR, compliance, records management and sometimes representatives from affected business units. More often than not, legal tends to recommend fairly short non-record e-mail retention periods, usually ranging from 30, 60 or 90 days to 6 months, in the desire to reduce the volume of ESI needing collection, processing, review and production. The department reasons this volume reduction will reduce both costs and risk.
However, many employees are working on projects and tasks for which they feel the need to retain their e-mail for much longer. Some find the e-mails consistently useful for business, while others keep the information around just in case--and still others, like data pack rats, keep everything. In particular, "cover your assets" e-mails can come back to haunt the organization from unlikely sources, and it's not unusual for them to contain warnings, recommendations or other comments for or against a particular practice or situation that later becomes the subject of a lawsuit or investigation. It's also not uncommon for employees to forward or bcc those very same e-mails to personal e-mail accounts or simply print them for safekeeping. Sooner or later, the e-mails tend to turn up in a legal matter--after the company's discovery efforts missed them.
So when faced with an official policy and/or technological constraints designed to limit their rights to data, what will employees do? Keep in mind that they often feel that the data they create and work with is "theirs"--their e-mail, their calendar, etc., regardless of company policies to the contrary. Some workers will undoubtedly find ways to drive the data underground or at the very least, store it in approved systems, but will miscategorize it to achieve the maximum retention option available. It's simply human nature, and it's important to recognize this psychology at work.
While a shorter retention policy sounds great on paper, it necessarily assumes that it will be followed by all or substantially all. In reality, this is rarely the case. There are plenty of examples in current case law where non-approved methods of employee data storage were later discovered and had a negative impact on the matter.
So what can organizations do?
An important element is creating effective places where employees feel comfortable storing "their" data, again recognizing the psychology involved. Setting a very short retention period on e-mail sounds like it will reduce costs associated with volume and reduce risk by disposing of undesirable content at an earlier date. However, consider the additional time, costs, labor and surprise involved in tracking down and collecting data on rogue sources and silos after custodians disclose them. Also consider the potential impact on the matter through spoliation issues and sanctions when it's been mishandled and perhaps just as often, misreported. Too many eDiscovery case decisions often involve certifications to the effect that all responsive data had been identified and produced to the other side, only to have more responsive data pop up later, and the vicious cycle repeat itself several more times in the case. Each instance erodes credibility with the judge, who by now has lost patience with the responding party and its counsel. Sanctions typically follow.
Many organizations are implementing or exploring e-mail archiving but tend to get stuck on the retention details. Obviously, actual business records need to be retained according to the applicable retention period. But consider how many e-mails are truly business records in their own right as opposed to being convenience copies? Most e-mails tend to be non-records, so companies struggle with how long to retain them. In-house counsel typically dispose of them eagerly as soon as possible so they'll be gone before litigation crops up, while employees generally want to retain them longer to help them perform their duties.
Thus some balance is needed to generate a higher comfort level and buy-in from business units and individual employees alike to manage their data in approved and centralized data repositories, such as an e-mail archive. If they feel they have a "place for their stuff" that won't prematurely disappear or require an inordinate amount of MacGyvering to retain and access, they're more likely to use it than drive "their" data underground.
In turn, the cross-functional information management team receives less pushback from the business units, and is finally able to move forward. The organization benefits by having a better handle on what data exists and just as importantly, knows where it is located. The ESI is also more easily and cheaply accessed, searched and processed following a more consistent and defensible process. Clearly, the potential downside is that in providing this balanced retention approach, some undesirable e-mails and related data may be kept longer than, say, 30 days. The benefit is that the organization now has the ability to find and learn about the e-mails' existence at less cost much earlier in the process and can deal with them appropriately. Consider the flip side of the coin when short retention periods motivate employees to drive data underground: E-mails and other damaging ESI tend to be like bad pennies--they usually turn up when least expected and cause much more damage.
About the Author:
Mr. Beard is also the former head of Legal IT with Caterpillar Inc., a Fortune 50 corporation, and is a Six Sigma Green Belt. He has extensive experience with law department operations and supporting technologies, including matter management, electronic invoicing, and document and enterprise content management. He served on the ABA TECHSHOW Executive Board and is a frequent national author and presenter. His popular blog, LawTech Guru (www.lawtechguru.com), regularly covers new developments in eDiscovery. This article was authored in his individual capacity, and all views expressed are his own.