Everyone knows that our world is digital. We are so dependent on technology to perform our job responsibilities that we have a computer at the office, multiple computers at home, and handheld devices so we can be reached via e-mail, text and voice mail wherever we go. And if we are smart, we have backup copies of our digital materials stored on external hard drives, CDs or DVDs in case our original files are destroyed or become inaccessible. We communicate via multiple e-mail accounts (I have 7), instant messaging and chat. We generate numerous memos, documents, spreadsheets and presentations. On top of this, our digital materials can be found on corporate servers and backup tapes.
Knowing how widely disseminated our data has become is frightening enough, but add to that the data that computers create in the background during normal use, and it becomes apparent that controlling access to our data has become nearly impossible. The vast amount of data we generate has created a dilemma for many organizations. Those with security and privacy concerns want to delete as much data as possible to prevent inadvertent security breaches and loss of proprietary information. Those with an eye toward litigation and investigations want to keep everything, because digital data can help support or defend specific claims and provide an accurate view of employee activity. Striking a balance between what to keep and what to destroy (and when) has proven a difficult task for many organizations.
Every organization must retain materials for a variety of reasons. There are state and federal laws, as well as regulatory requirements, that dictate how long an organization must retain specific records. There are also business requirements that affect how long records should be kept. As an example, colleges and universities must permanently retain student transcripts. Although I have been out of college for nearly 30 years, I still must provide a college transcript every time I apply for a teaching position. Medical organizations must keep medical records in perpetuity.
But the retention of digital data is now under scrutiny because, on December 1, 2006, the Federal Rules of Civil Procedure were amended to require that attorneys address electronically stored information (ESI) as part of the discovery process. The Federal Rules of Civil Procedure govern civil litigation in U.S. federal courts. The rules governing civil litigation in state courts generally parallel the Federal Rules.
Understanding the Legalities
While no one expects security professionals to understand all the legal aspects of the Federal Rules of Civil Procedure, it is important to understand the legal requirement to preserve materials relevant to current litigation. When an organization is served notice of litigation, it has a duty to preserve all materials — both in paper and digital format — that may contain information relevant to the lawsuit. This process is called a “litigation hold” or “preservation hold” and is a critical part of the litigation process.
The penalties for not putting a preservation hold in place can be severe. An organization can even be sanctioned by the court for having an inadequate preservation hold in place. The reason is that all relevant materials need to be preserved so that an informed decision can be reached during litigation. If relevant materials are not properly preserved, it becomes difficult, if not impossible, to understand the underlying facts of the litigation, and a fair trial is no longer a possibility.
The destruction of data during civil litigation is called “spoliation” and can result in significant sanctions and a lost lawsuit. While inadvertent destruction of data can result in severe sanctions, the courts really frown on deliberate data destruction. If it can be determined that data destruction tools like Eraser, BCWipe or Evidence Eliminator were used after the initiation of litigation, the penalties will be severe.
Many organizations have implemented document retention policies that include guidelines for the routine destruction of specific materials. While a company cannot be sanctioned for the destruction of data during the “normal course of business” under Rule 37 of the Federal Rules, the “Safe Harbor Provision,” it can be sanctioned for not suspending the destruction process for the duration of litigation.
Implementing a data destruction policy upon notice of litigation does not constitute the “normal course of business.” The question asked is whether or not a party acted in “good faith” and made a reasonable effort to preserve relevant materials. If the answer is “yes,” then no sanctions will be leveled.