United States: Record and Data Management Alert

One of the most crucial challenges faced by companies today is the rising risk associated with burgeoning data management responsibilities. How well company leaders identify and act on corporate information issues—before they become legal problems—is an increasingly vital indicator of corporate health.

The potential costs are high for those found to have violated record retention, privacy, security and other corporate information standards. Companies that fail to update record retention policies and practices may not be able to meet increasingly stringent rules regarding electronic discovery, as well as heightened expectations of regulators conducting administrative inquiries. Businesses also must grapple with a growing morass of concerns involving privacy, computer systems security, identity theft, outsourcing, electronic signatures, and many other matters.

Across industry lines, every company today must sift through layers of regulation, and weigh competing business priorities, to develop and implement a compliant, effective, and defensible data management program. These efforts envelop considerable corporate resources—requiring input and coordination from many corners of the company and involving senior staff that includes in-house counsel, and corporate officers charged with privacy, security, compliance, technology and information.

Understanding the diverse needs of our clients, Reed Smith has created a firmwide Record and Data Management Team. This multidisciplinary group includes attorneys versed in regulatory compliance, securities, environmental law, employment, tax, financial services, privacy and especially white collar criminal defense. The goals of our team are to help clients anticipate corporate information concerns, develop strategic solutions, and assist in responding to matters as they arise. Our team advises clients concerning:

• Creation and implementation of company data retention policies and programs
• Compliance with industry-specific standards, such as financial record-keeping and reporting requirements
• Global cross-border data transfer issues
• Privacy mandates created by HIPAA, Sarbanes-Oxley, the EU privacy directive and other laws
• Management of electronic discovery requests
• Responses to subpoenas, search warrants and books and records requests issued by courts, regulators and law enforcement officials

Reed Smith attorneys are knowledgeable of the record-keeping and compliance requirements affecting many industry sectors. We have represented clients in matters that include responding to requests from the Commodity Futures Trading Commission, the Environmental Protection Agency, U.S. Securities and Exchange Commission—in short, a host of federal and state regulatory authorities, law enforcement investigative agencies and prosecutorial offices, as well as management of massive litigation dockets involving millions of pages of company records.

Companies that do not make rigorous efforts in the area of data management risk the addition of substantial burdens and penalties in litigation and government investigations. A few examples are described below:

A company that fails to effectively manage its records to allow for prompt identification and production in response to a government investigation may be subject to severe penalties. In a recent SEC enforcement action, for example, a major securities dealer agreed to a settlement that included a censure and a $10 million civil penalty for violations of the record-keeping and access requirements of securities laws.¹

The enforcement action and settlement resulted from alleged violations of the record-keeping and access requirements under the Exchange Act, which generally require broker-dealers to preserve for a period of not less than three years, originals and copies of all communications sent and received by the broker-dealer (including inter-office memoranda and communications) relating to his or her business, and to promptly furnish such records to the Commission as requested.

During the SEC investigation, the securities company repeatedly failed to promptly furnish in a timely manner (i) electronic mail, including a particular e-mail exchange relating to matters that company officials knew were under investigation, (ii) compliance reviews after the staff had requested them, and (iii) compliance and supervision records concerning the personal trading activities of a former senior employee of the firm.

A federal court held as early as 1997 that a company’s good intentions are not relevant in the event the company fails to protect electronic evidence. The court found that a willful effort to thwart discovery was not required to support the imposition of sanctions. In the case at issue, neither the company nor its employees had engaged in intentional spoliation of evidence. But the court imposed a $1 million fine because the company had failed to create and distribute to all employees a comprehensive plan for the preservation of electronic documents, after the imposition of a preservation order.²

Today federal courts frequently impose an obligation to preserve documents as soon as a party is aware that its electronic information is relevant to foreseeable claims. In one case the court held that spoliation encompasses the failure to preserve evidence "in pending or reasonably foreseeable litigation."³ In another case, a federal district court found that the duty to preserve arose when the "relevant people at [the company] anticipated litigation"—10 months prior to suit being filed and three months prior to the filing of an EEOC complaint.⁴

Recently, the SEC announced its intention to request and review e-mails of registered investment advisers in connection with routine books’ and records’ examinations of the adviser. One senior member of the staff of the Office of Compliance, Inspections and Enforcement has opined that a document-retention policy that provides for no more than the routine deletion of e-mails after a certain period of time should be considered a prima facie books-and-records violation since the adviser could in no way demonstrate that required records were not part of the deleted e-mails.

Increasingly burdensome preservation orders are being imposed in the earliest stages of litigation. In addition to imposing large fines, courts have ordered companies to take specific steps, as outlined by the court, to implement a preservation plan. Such steps may include an order to mail each company employee a copy of the court’s preservation order, and to establish a certification process by which field managers would confirm compliance with the document preservation policy.

In a more dramatic example, a court ordered production and preservation of defendants' documents, including data existing in electronic form, and specified the format in which each type of electronic document was to be produced.⁵ Generally, each responsive electronic document, as well as each file and database, had to be produced in electronic form with its associated meta-data. The defendants were required to maintain back-up and archival copies of all responsive documents, and take specific steps to prevent any alteration to those documents. The defendants also were directed to produce a catalog of back-up and archival data for all media, which then was used to determine the extent to which back-up and archival tapes would have to be restored by defendants.

The order required defendants to back up all network storage devices; suspend all routine deletion, including e-mail; secure the hard drives of all computers; and retain for the remainder of the litigation any electronic data already backed-up or archived. Full back-up tapes and other storage media had to be retained for 20 months, at which time the court would entertain proposals for the continued treatment of such items. Preservation orders of this scope can add millions to the cost of litigation.

Reed Smith’s Record and Data Management Team is mindful of these and many other chilling examples of the challenges and expenses confronting companies today. Call us to help you develop practical and responsible solutions for the issues at your company.

Footnotes

This article is presented for informational purposes only and is not intended to constitute legal advice.