Legal Holds Do Not Preserve Data
Friday, August 12, 2016
Posted by: Jason Krause
United States attorneys may use the terms “legal hold” and “preservation” interchangeably. But there is a big difference between the two activities.
“Legal Hold” is short for “Legal Hold Notice.” The notice is generally in the form of an email or a letter. A Legal Hold only notifies a company or individual that material pertaining to an active or anticipated legal proceeding should not be destroyed.
“Preservation” refers to the affirmative act of keeping or copying data, rather than allowing it to disappear in a records retention sweep, automated IT housekeeping or a fit of spring-cleaning.
Once a matter commences, or is anticipated, the potential claims and defenses govern the scope of the obligation to produce. This is a marked reduction in scope from days prior to the 2015 Amendments to the Federal Rules of Civil Procedure. The Rules at that time allowed discovery “reasonably calculated to lead to the discovery of admissible evidence.” This was sometimes called the “fishing expedition” rule. The new standard is, “proportional to the needs of the case.” For international cases, this is a welcome change from unfettered discovery.
Federal Rules of Civil Procedure 37(e) states that when electronically stored information “that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery”, the court may take certain actions.
Organizations can look at their entire portfolio of legal risk to create reasonable steps to assess how broad legal holds should be in the matters that are most often encountered. Standard templates can be developed and outliers handled by exception.
Legal teams can identify individuals, departments, companies and systems that hold potentially responsive data. Using the templates, they can craft a matter-specific communication to the individuals and the caretakers of systems to notify them that the normal document retention and destruction policy should be suspended.
As the team is identifying individuals and data stores, it is critical to note the country in which the individuals and data stores reside to ensure compliance with international data handling laws. In some countries, asking individuals to save information (preserve) is akin to asking them to “process” data, which brings in Data Protection obligations.
Generally, the legal hold notice will be written and sent from a legal team member. Community standards in the U.S. call for the notice to be tracked, and in many cases acknowledged as well. A phone number is generally provided for questions. Notices are updated as the matter evolves, and a lift notice sent at the end of the matter to allow the normal document retention and destruction policy to resume. (Assuming the individual or data store is not subject to another legal hold in another matter.)
It is important to note that, while a legal hold can be considered a step in the direction of reasonableness, it does nothing but notify parties of their duty. Taking steps to actually save data and engage in preservation is required to fulfill that duty.
Legal Holds often, as a best practice, include instructions for how to hold or preserve data. For example, for custodians of enterprise systems, the instruction may be to make a snapshot copy, or extract a subset from a database, or to suspend the normal protocol to roll up and delete detail records. Human Resources is generally instructed to include questions regarding data for employees who are departing, or changing jobs. Similarly, the IT help desk may have specific instructions for the repair of equipment for custodians or systems under hold, or for reinstalling operating systems, migrating data or helping in other ways.
Individual custodians are given instructions, often including a reminder that deleting information will actually hurt the case and will carry consequences. All individuals should be notified when and if IT suspends normal deletion routines.
The instructions given to individual custodians will vary by organization and by type of matter to include the following potential approaches: self-preservation (in place), self-preservation (aggregate in a specified place), IT preservation or third party preservation.
Self Preservation (in place)
Many organizations depend on employees to sort out what data pertains, and what data does not pertain and to “preserve in place” without making an evidence copy. Sometimes called the “Honor System," this method can be effective and economical for low-profile, low-risk matters. As the risk profile increases, preserving in place may look like “Self Preservation” and introduce the element of self-interest into the decisions on what to hold and what not to hold.
Depending on how systems are routinely cleaned out, or backed up, this may be an appropriate way to discharge preservation obligations. If the retention policy has data on a short time frame, the organization can be held to “know” data will be deleted if the policy is not suspended.
For example, in a recent case, the New York Police Department ran into trouble by allowing the retention policy to destroy emails:
…. the Department knew that officers’ email inboxes would hit their space limits – and that those officers would delete potentially relevant ESI when they did. Although the paucity of relevant emails produced from the inboxes of key decision-makers does not establish that ESI was deleted, it is consistent with such spoliation and with Lieutenant Scott’s acknowledgement that deletion of emails was a foreseeable consequence of the NYPD’s storage policy.
Stinson et. al. v. City of New York et. al., Case No. 10-4228 (S.D. N.Y., Jan. 2, 2016)
Preservation in place allows employees to change the content of documents while working with them in the course of business. The old copy will be gone when the document is edited, unless the organization has a document management application or settings that save each version.
Self Preservation (Aggregate in a Specific Place)
Individuals may be asked to move potentially responsive documents to a special folder. This requires the individual to understand both the content requested and the method of moving the files.
Instructions regarding legal matters can be difficult for individuals to interpret. One person’s interpretation can differ from another person’s. For example, one person may interpret the hold very broadly, potentially over-saving documents, while another may interpret the hold as narrowly as possible, perhaps saving only a handful of documents.
Moving files on the same media only changes the folder and the access time. However, moving files from one hard drive to another, or from a server to a USB will change the folder, access date/time and create date/time. Once date/times on files are changed in this way, it is incumbent upon the attorneys to specify the modify date/time only for data reduction and during scope negotiations during the meet and confer. The modified date/time is the most stable date. This date does not change until the file is opened and saved again. The save command would need to be consciously and purposefully invoked, unless autosave is enabled or macros present that will save the file automatically. The ability of files to “self-save” is something that should give an attorney pause if they are spot checking files while doing “desk-side review” at the custodian’s workstation.
If dates referenced in the scope agreement are not defined with granularity, and instead described generically, i.e. “the date” instead of the “Modified Date”, it is possible that the Create or Access date/time will be deemed included and suddenly, entire stores of data will be in or out of scope.
Some organizations include special instructions, software, or send a USB or hard drive that automatically collects to make sure dates remain stable during self preservation by aggregation to a special place.
Preservation by Collection
When collection for legal purposes becomes more frequent, many IT organizations designate and train internal personnel with a standard operating procedure (SOP) for preservation by collection. With security and network access, an IT person can selectively collect by date, folder, media and in some cases by keyword. In this way, the collection methodology and its documentation become similar to a business record, making it much less likely to be challenged. This reduces the risk of testimony, and the time-consuming creation of affidavits or declarations.
Mistakes happen even with the best SOPs, and exceptions can be documented as well. Documenting that information is not there, or that files are corrupt at the point of collection, should be done well in advance of production deadlines to allow the legal team to seek the data from alternate sources, or to create a record as to why the data no longer exists.
Internal teams, properly trained in evidence preservation methodology, can save their organizations money, and can be deployed immediately with very little hold up for security credentials.
There are times when internal staff is over-scheduled, or the matter is highly sensitive. Third party preservation is appropriate when there are allegations of bad faith implicating IT or the chain of command. High profile government criminal investigations, some IP matters and "bet the company" cases may require forensics preservation or the arm’s length objectivity of a third party. Forensic preservation is the most expensive type of preservation.
Third-party preservation is sometimes used after hours, leaving most employees blissfully unaware. This can be referred to as a “black bag” collection. It is critical for an executive be on call during the black bag collection. If security training has been effective, the sight of unknown persons collecting data at the desk or in a server room will cause employees to challenge or stop the individuals. Executive backing may be necessary for the third party to remove hard drives from the building.
Forensics preservation will preserve not only active files, but also deleted files and artifacts. It will preserve the entire hard drive including the empty space. Forensic preservation will save internet searches, contain remnants of web activity and passwords to other systems.
Forensic preservation is rare. It is most often used in the following circumstances: when there is an indication of data destruction, when an organization has been sanctioned for poor evidence handling, or to enable the organization to assert it has gone to the highest standard of preservation.
Organizations that handle money (banks, retail) may have an internal team with forensic training and tools. However, if forensic testimony is expected, third parties will most often accomplish the work.
When third parties preserve, it is important to receive documentation of who, when and what was collected. It is even more important that contact information for both collectors and those collected be recorded since if testimony is needed, it will not be required until perhaps years later.
For U.S. litigation, it is critical to understand the difference between putting out a hold notice, and actually preserving data. Your case depends on it.