Litigation isn’t something any of us want to think about, but having to put a plan together when the time comes isn’t an option. Here’s a short primer on handling electronic records, like email, so we can be prepared …
Johnny Lee is a Managing Director at Grant Thornton, forensic investigator, and licensed attorney. He shares his expertise with us to help small businesses gain a better understanding of what eDiscovery and records retention is, and why — from a legal perspective — it’s important for us to have a basic plan in place to protect our businesses.
In this 20-minute episode Johnny Lee and I discuss:
- What is eDiscovery
- If I’m an SMB, why should I care
- Understanding your risk profile
- How does email put my business at risk in litigation
- How does eDiscovery impact a company who is vendor to a company being sued
- What happens if I find out I’m being sued and start deleting email I don’t want discovered
- How do I put some protection in place
- How can I use automation to make managing my records easier
- Johnny’s two pieces of advice for any SMB
The Show Notes
- Johnny Lee on LinkedIn
- Grant Thornton
- Johnny Lee on Twitter (@forensicupdate)
- Google Security & Compliance Whitepaper
Protecting Your Digital Business: A Primer on Small Business and The Law
Voiceover: This is Rainmaker.FM, the digital marketing podcast network. It’s built on the Rainmaker Platform, which empowers you to build your own digital marketing and sales platform. Start your free 14-day trial at RainmakerPlatform.com.
Scott Ellis: Welcome to Technology Translated, episode two. I’m your host, Scott Ellis.
Today’s guest is Johnny Lee. Johnny is a managing director for Grant Thornton, forensic investigator, and licensed attorney. Johnny and I used to work together once upon a time, and he has agreed to join us today to teach us a thing or two about eDiscovery and records retention.
What should we do in the event we get sued with our electronic records and documents which may be relevant to that lawsuit?
How do we protect ourselves?
What are the things we need to think about?
This isn’t a topic that a lot of SMBs have probably spent a lot of time thinking through or planning for, but it is definitely one with big implications for business. Let’s go ahead and get into it and hear what Johnny has to say.
Johnny, welcome to Technology Translated, and thank you for carving out a little time to chat with us today.
Johnny Lee: Thanks for having me.
Scott Ellis: Today, we’re going to talk about eDiscovery and records retention, which is a topic that a lot of SMBs don’t know much, if anything, about and probably don’t know why they should even care. Why don’t you dig in and give us a little bit of a background on what eDiscovery is and why this is, or is not, relevant to SMBs.
What Is eDiscovery?
Johnny Lee: Sure. eDiscovery is really just an elaboration on an older established thing, the discovery process in litigation, the mechanism by which parties exchange information of a trial. The eDiscovery component is really just a modern aspect of that, where electronic information, or electronically stored information, which is the terms that are bandied about quite a lot in the literature, brings with it a host of attendant concerns and nuances and complexities and is, of logical necessity, deserving of a little bit more explanation, case law, and clarification.
eDiscovery, technically speaking, is not new. It’s been codified Federal Rule of Civil Procedure for almost 40 years now, actually, over 40 years. What’s really changed in the last 10 years in particular is the courts struggling to keep up with all of those nuances around the day-to-day handling of data and how those things need to be preserved, culled, and produced when there is a litigation event.
Scott Ellis: This sounds like something that, on a day-to-day basis, most SMBs aren’t going to need to be overly concerned with. However, litigation is an unfortunate reality of business. It’s all too common. There are things that SMBs can, and probably should, be doing to at least protect and prepare themselves moving forward. Is that fair?
Why You Should Care, If You Are an SMB
Johnny Lee: Yeah, I think that’s well said. What I would tell you is that I’ve given talks all over the country on the notion that records retention and eDiscovery are flip sides of the same coin. Your record retention practices are driven on business necessities, on the practicalities of keeping your doors open, keeping your customers happy, and selling a product or delivering a service — or both.
Nobody goes into business thinking about how they’re going to keep regulators happy or compliance obligations met. Those things are usually secondary to the operation of a business. Records management is certainly in that camp. No one’s suggesting that you should invert that business model and focus on eDiscovery, especially if your risk profile doesn’t necessarily warrant that kind of shift in focus.
Understanding Your Risk Profile
Johnny Lee: To your point, if you’re a small or medium business and you’re not a serial litigant, your eDiscovery readiness can and, of logical necessity, will be quite different than if you were a heavily regulated entity with a lot of statutory compulsions around the way you keep data and you’re frequently dragged into court. That’s going to be a very different profile.
Those practices are going to vary quite a bit based on your industry, your size, and your frequency of appearance in front of a judge.
Scott Ellis: If I am an SMB with a low-risk profile, is this even something that I need to be concerned about, or is it something that I just deal with when it comes up?
Johnny Lee: I think it’s dangerous to just be strictly reactive. I’ll say it this way. There needs to be enough awareness of what the demands would be if you were subject to an eDiscovery request, but those, in many ways, are not different than if you were subject to any other discovery request or regulatory inquiry. That is, things that are kept in the regular course of business that are, in fact, business records need to be maintained in a way that allow you to meet your statutory requirements and to meet your business needs.
There’s nothing revolutionary in that sentiment. It’s very often a distant afterthought for companies who think all of their key records are in email and email alone, so they don’t really take as much attention as they might in their shared folders, or their archives, or their off-site physical storage –because all of those things may be implicated in an eDiscovery exercise.
Scott Ellis: Okay, so you touched on email. I’m glad you went there because that’s a particularly interesting and, in some cases, sensitive topic. Email is pervasive in business use, but it also can lead to people getting themselves in a fair amount of trouble because so much stuff is kept in email. As a business, what are the things I should be thinking about with respect to email to protecting myself, retaining the records I need, getting rid of the things that I don’t? If I am getting rid of things, is there an additional risk associated with that from a legal standpoint?
How Email Puts Your Business at Risk in Litigation
Johnny Lee: It’s a good question, and I’ll go back to part of the answer that I gave earlier. I would tell you if you were a broker dealer in a financial company you would have a very different way you would have to answer that than if you were the franchise owner of six stores in the state of Texas alone in a non-heavily regulated industry. Studies indicate that as much of 75% of an organization’s intellectual property is resident email and email alone.
It is different in many regards than most records, in that email is a mechanism for exchanging content. It is not in and of itself a record. What’s important is for you to have some measure of attention. Again, if you’re heavily regulated and a serial litigant, this attention needs to be in the form of memorialized policies and procedures that are tested with some frequency and audited on occasion. If you’re on the other end of that bookshelf and you’re a small or medium business, and not dragged into court, and not subject to a lot of regulation, that’s something that maybe you’ve thought through from a design perspective, and you archive your email in a regular way.
It really will vary. Just to go back to the bookshelf metaphor, the SEC regulates broker dealers in a very prescriptive way relative to email. It not only explains and enumerates the kinds of things that you must keep, it actually goes so far as design and define the specific technology you must use to keep it in a ‘write once, ready many’ format.
Nobody’s suggesting that your normal mom and pop shop has the same standard of diligence because they’d be out of business trying to comply with that. At the same time, you don’t want to be in a strictly reactive footing if you do get a discovery request.
How eDiscovery Impacts a Company Who Is a Vendor to a Company Being Sued
Johnny Lee: Very often, the small and medium businesses are brought in under Rule 45 Discovery, which is, basically, they’re not even a core party to the lawsuit, but they may have documents responsive to the underlying matter. So they have a discovery obligation. If they can’t produce records, that may or may not put one of their trusted suppliers or good vendors in a bad way.
Scott Ellis: Okay, so if I understood that correctly, it sounds like even if my company has a low-risk profile and I am doing work with another company which is being sued, or is in litigation, my communications with them are potentially a part of that discovery process. Is that correct?
Johnny Lee: Yeah, broadly stated, that’s fair. There are a number of exceptions there. One of the things that’s important is that email in particular, once written, is imminently discoverable. Not only do you want to be professional and diligent about what you commit to paper, but you may be creating an obligation to preserve those things if, in fact, that’s the only memorialization of, say, an approval that is required under the contract — a written approval for change orders, or changes in scopes, or changes in delivery states or contract prices, or what have you.
You may have such a relationship with your vendor or you may be such a vendor where email is acceptable in that medium, but in that place, that becomes a pretty crucial record for disputes that may arise from that kind of discussion later on.
Scott Ellis: I know one of the questions that people are going to have going through their minds right now is, “If I find myself in a position where I think I’m going to be sued, or involved in litigation, or I am given notice that I’m going to be sued, can’t I just go into my email and delete any emails that I don’t want to be discovered that might implicate me in some way, that I don’t want to have out there?”
What Happens If You Find Out You’re Being Sued and Start Deleting Email You Don’t Want Discovered
Johnny Lee: There’s two principle dangers in that. One is assuming that whatever you delete is truly gone. Remember, there are the recipients and the senders, so you’d have to literally obliterate every touchpoint it had along its path. That assumes that it’s not resident in any backup or recovery regimen as well. That’s a very dangerous assumption just as a matter of logical reality.
Even more so, there is a notion in the law called ‘spoliation,’ the spoiling of evidence. Here’s where the important part of records management comes in. There is a regular and routine practice of records destruction that is not only conducive to good business, it’s necessary. Otherwise, we’d be swimming in even more data than we’re swimming in now. The point of a record retention policy isn’t that it helps you keep stuff. Most companies don’t struggle at all with retention. What they struggle with is destruction.
To your point, if you have a communication, a contract, a writing, even a somewhat sarcastic instant message record, and you have been served with papers or there is some trigger that requires you to now preserve data related to an underlying matter, to delete it is to run afoul of that spoliation concept and to risk sanctions in the court proceeding. There is a real and material danger to trying to cure the record, especially if there’s already a triggering event that causes you to preserve those data.
Scott Ellis: The lesson is, if you do get served, don’t go into your email and just start deleting things at will because you could probably get yourself into some serious trouble.
How to Put Some Protection in Place
Johnny Lee: Consider the source. You’re talking to someone who does forensic technology for a living, but the best advice is to be careful what you commit to writing. The next best advice is to have a policy. It doesn’t take that long to establish a good practice here. A policy need not be 40 pages, but have some policy for your executives and your employees that talk about the fact that email is a professional communication mechanism and try not to be committing things to writing that could be misinterpreted down the road, however innocent they may be at the time. If you’re going to rely on email as a key business repository of records, those policy stances, and the enforcement of them, become that much more important — for all the reasons we’ve talked about to date.
Scott Ellis: I was hoping we would get to the policy question because, as a matter of business process, in particular, as an example, we use Google Apps for business, and as a business customer, we have the ability to set policies in place — so they are documented — which are automated. We’ll go through and delete email after a certain period of time or based on some other criteria.
Does a situation like that — where I have a policy, and I follow it — help me out or put me in a better position in the event that I am sued and have to produce records?
How to Use Automation to Make Managing Your Records Easier
Johnny Lee: Yeah. If the case law tells us nothing else, it’s that policies that are works of fiction generally tend to frustrate the judiciary. They tend to take it out on the parties that don’t follow their own policies. In many ways, as a practical matter, it’s better to have no policy and to be able to demonstrate a consistent process than it is to have a very well-written policy that is a fantasy that nobody follows or understands.
Scott Ellis: Which I’m sure is rather common.
Johnny Lee: Which is rather common. And, again, if you’re a small or medium-sized business, there’s no mandate that you have to have a bulletproof policy. The standard here is not perfection against some weird objective criteria. It’s reasonableness. What is reasonable relative to data preservation for your organization based on what you’re doing in the market, based on how you’re regulated, and based on what your litigation profile is.
Here, to your point about using an enterprise platform to automate some of those things, the only cautionary I’d throw out there is that automating something that’s broken only means that it will break faster and in less visible ways. Provided that you have the practice, over time, of deleting things on, say, a 90-day rolling cycle — and here’s a kicker — and you are able to suspend such deletions when needed, when you have an affirmative data preservation obligation, then that automation can be a tremendous benefit to the business and should be pursued. It’s incredibly cost-effective, and it addresses all of those operational concerns, which ought to be the focus in the first place.
All the courts ask is that you be able to stop deleting things in an automated fashion when the requirement arises to do so.
Scott Ellis: Okay, that is sound advice. Let’s go out on this. If you could give any two pieces of advice to SMBs with respect to our topic today of eDiscovery and litigation support, what would those things be? What would you suggest they do that is reasonable and helpful, but not too much of an encumbrance?
Johnny’s Two Pieces of Advice for Any SMB
Johnny Lee: One on the recommendations that would be at the foremost of that is identifying what your current practices are today. The time to learn how inconsistent your practices are is not when your key employees are being deposed. That is way too late and much too problematic for you, so I would start there.
This doesn’t have to be $100,000 effort to get your arms around what your practices are, some understanding of how routine operations work, what that means. That adjective ‘routine’ has a big weight in the case law and under the Federal Rules of Civil Procedure, which serves as the model for many state courts as well. So understanding what your practices are, simply put, is definitely the place to start.
Then, the second would be try to identify what level or rigor you need to apply to that routine operation so that you don’t deviate over time from that routine. That may require memorializing a policy. It may require ongoing monitoring. It may require a third party coming in to do an audit every year or other year, or what have you. That’s going to vary on your risk profile. That’s much more of a judgement call.
But if you could establish the assessment side of things by understanding what your current practices are, and then you could establish what controls are ‘appropriate.’ I use that word deliberately. What controls are cost-effective? Which controls are relevant to your industry? Which controls are required under the laws and statutes governing your business model?
Those two things are going to keep you in good stead. Probably 90 percent of the problems that we see relative to sanctions and eDiscovery are hemmed and hedged by those two things. If those are in place, you’re going to not run afoul of a lot of the problems we see in those sanction cases.
Scott Ellis: All right, again, solid advice. Johnny, thank you so much for joining us today.
Johnny Lee: My pleasure, Scott. Thanks for reaching out.
Scott Ellis: For anybody that wants to learn a little bit more about the topic, I will definitely be linking some things up in the show notes, including some things, some references that were not necessarily mentioned on the show. Be sure to check that out if you want to educate yourself a little bit more.
We didn’t really get into the forensic side of things. There’s a whole other show on that that maybe we’ll come back to in the not too distant future. We’ll pull Johnny back onto the show to talk to us about that. Again, Johnny, thank you for joining us. We appreciate your time, and we’ll talk to everybody next week.
Johnny Lee: Take care.
Scott Ellis: Technology Translated is brought to you by the Rainmaker Platform, the complete website solution for content marketers and online entrepreneurs. Find out more and take a free 14-day test drive at Rainmaker.FM/Platform.