The Rule 37(e) Safe Harbor: The Touchstone Of Effective Information Management

Tuesday, January 17, 2012 - 16:03

Nothing surprises us anymore in the world of information retention and electronic discovery. Organizations routinely complain about the exponential growth of information and the associated costs. Those costs have been acutely felt in litigation as courts have heightened their expectations for how organizations should store, manage and discover their information.

The 2006 amendments to the Federal Rules of Civil Procedure were designed to address these issues. After all, the rules were amended to streamline the discovery process, thereby allowing parties to focus on substantive issues while making discovery costs more reasonable. Instead, it seems the rules have spawned more collateral discovery disputes than ever before about preservation and production issues. Is it any wonder that there is a growing clamor for further changes to the discovery provisions of the rules?

One of the principal changes ushered into the rules in 2006 was Rule 37(e), the so-called “safe harbor” provision. Designed to protect organizations from sanctions when their computer systems automatically delete electronic data, Rule 37(e) has disappointed some in the legal community for supposedly not meeting that promise. Despite efforts to amend Rule 37(e), the prospect for change remains uncertain given the overall lack of consensus on the draft amendments. In any event, any agreed upon changes would still be many years away from implementation.

As a result, organizations and their counsel need to better understand the current iteration of Rule 37(e). As it stands, Rule 37(e) offers organizations the opportunity to reduce both the costs and the risks associated with litigation if they adopt an information management plan supported by the right technology.

The Rule 37(e) Safe Harbor Provision

Organizations can find refuge from sanctions under Rule 37(e) when electronically stored information has been destroyed pursuant to the routine, good faith operation of an electronic information system. Described in layman's terms, litigants may avoid court punishment even though their computer systems deleted email and other electronic data.

Nevertheless, the safe harbor does not prevent sanctions when information is manually deleted. It is only available when data is destroyed due to the ordinary functions of a computer system. For example, Rule 37(e) affords no protection to organizations that rely on their employees to individually archive and delete email or other electronic materials.

The safe harbor also requires the routine operation to be carried out in good faith. This typically entails modifying or suspending certain aspects of a retention policy when a preservation duty attaches.

The Rule 37(e) Safe Harbor Requires Organizations To Develop An Information Management Plan

With this backdrop in mind, Rule 37(e) can be the touchstone of an effective data management plan.  Organizations that have followed best practices for information management have successfully invoked the safe harbor and avoided court sanctions. At the same time, those groups have reduced data storage costs since they have confidently deleted data having little or no business value.

Despite the availability of the safe harbor, few litigants have actually invoked its protections. This is primarily because many organizations fail to implement an effective information management strategy. For example, many organizations still do not have document retention policies. Others do not have a litigation response plan. In many instances, the key players responsible for information governance – lawyers and IT professionals – do not collaborate. Without a plan, companies unwittingly delegate to their rank-and-file employees the duty to manage, archive and discard data.  Allowing employees to arbitrarily manage company information is often disastrous.

Contrast that approach with an effective information management strategy. Such a plan will intelligently preserve data from the top down. It will retain information that is significant or that otherwise must be kept for business, legal or regulatory purposes – and nothing else. While the specifics of such a plan will vary from one organization to the next, effective data management typically has the following elements.

Cooperation between the Legal and IT Departments

Savvy organizations ensure that their data management principals – legal and IT – are cooperating with each other. This means they are actually talking to one another. In addition, these departments should work jointly with records managers and business units to decide what data must be kept and for what length of time. These other stakeholders in data management must be involved if the company is to create effective information governance procedures.

This is especially important for email. Email (and its destruction) generates more discovery motions than any other source of information. But the answer to this problem is not to keep every email. That would cause an organization to needlessly increase operating expenses while stockpiling useless information. Instead, legal and IT should set a period for retaining email that is reasonable in relation to the enterprise’s business, industry and litigation profile.

In like manner, legal should work with IT to develop a process for how the organization will address document preservation and production during litigation. This will likely involve the designation of company officials who are responsible for issuing a litigation hold. It should also incorporate technology that can modify aspects of retention policies and expedite the collection, analysis and production of relevant data. This will ultimately help an organization avoid the mistakes that often plague document management during litigation.

Establishing and Following Information Governance Procedures

Cooperation between legal and IT naturally leads the organization to establish information governance procedures. These procedures typically include the creation of records retention policies that carry out the key players’ decisions on data preservation. Such policies should address the particular needs of an organization while balancing them against litigation requirements. Not only will that permit a company to reduce its costs by decreasing data proliferation, it will also minimize litigation risks by limiting the amount of potentially relevant information available for future litigation.

These governance goals are not overly idealistic. In Viramontes v. U.S. Bancorp, No. 10 C 761 (N.D. Ill. Jan. 27, 2011), the defendant bank defeated a sanctions motion due to its effective governance procedures. The bank implemented a retention policy that kept emails for 90 days, after which the emails were overwritten and destroyed. The bank also promulgated a course of action whereby the retention policy would be promptly suspended on the occurrence of litigation or other triggering event.  Because the bank followed those procedures in good faith, it reduced a stockpile of email and was protected from sanctions under Rule 37(e).

As the Viramontes case shows, a company can get information governance right. By faithfully observing a reasonable retention policy and then modifying that policy when required, an organization can confidently delete superfluous data in a manner provided by law.

Using Technology to Strengthen Governance Procedures

Technology is often an overlooked opportunity to strengthen governance procedures. Having the right tools – both hardware and software – can lower litigation risks, decrease data volume and bolster eDiscovery processes. Object-based storage platforms teamed with archiving software are examples of such technology. These solutions strengthen an organization’s retention and discovery processes by enabling file movement from primary to archive storage.

More specifically, object-based storage and archiving applications provide “metadata aware” technology.  Metadata – the embedded characteristics of electronic files – are the lynchpin for effective data storage and management. By intelligently storing electronic files and their metadata in the same architectural environment, object-based storage enables organizations to expand the search capability of and access to their information. Such capabilities are further enhanced by data classification. Data classification intelligently analyzes and tags data content as it is processed into the software archive pursuant to company retention protocols. By so doing, organizations can search for and retrieve data with greater efficiency. Together, these tools will jointly reduce expenses downstream when data must be searched, analyzed and produced in response to legal demands.

Object-based storage and archiving software will also reduce costs and risks through efficient data storage. This is accomplished in multiple ways. The archive’s automated processes can expire data in accordance with retention policies, thereby decreasing storage costs. Single instance storage also reduces unnecessary data growth by preserving only a master copy of each document in the archive.  While duplicates are eliminated, their metadata is retained. This provides a chain of custody and allows the duplicates to be restored and produced in litigation, if necessary.

To achieve these objectives, the archive must be powered with the right storage platform. Using object-based storage will provide organizations with increased capability to manage unstructured data. This, in turn, will lead to increased data integrity and a more reliable compliance and audit process for the organization.

Deploying these technologies can additionally diminish litigation risks since they remove data management from the exclusive control of operations-level employees. This is significant since those employees often lack the depth of corporate knowledge necessary to determine what documents must be retained for business, legal or regulatory purposes. Moreover, employees may be tempted to conceal their errors.

Not surprisingly, courts frequently fault companies for delegating primary responsibility to their employees for data preservation and production. In one such case from this year, Northington v. H&M International, No. 08-cv-6297 (N.D. Ill. Jan. 12, 2011), a company had no formal policy regarding the retention of company data. Into this vacuum stepped operations-level employees – including some accused by the plaintiff of harassment – who were left with the task of managing, identifying and collecting their emails. Predictably, key documents went missing, and the court had little choice but to promise to inform the jury that the company destroyed evidence.

Rule 37(e) afforded no protection to that defendant. It only shields organizations whose servers have deleted data pursuant to their routine operation. There is typically no safe harbor for organizations that leave information governance to their rank-and-file employees. As set forth, object-based storage and archiving software can obviate this problem and lessen a company’s litigation risks.

In summary, putting an effective information management strategy in place will help an organization invoke the protections of the safe harbor. Just like the defendant in Viramontes, an enterprise that has established information governance procedures will likely maintain pertinent information – and nothing else. Such an approach will help companies better understand and control their data, moderate litigation risks and decrease storage costs.

Philip Favro is a discovery attorney with Symantec Corp. in Mountain View, California. During his eleven-year litigation practice, he advised technology companies and other clients regarding complex discovery issues. He now works with Symantec customers and company stakeholders on information management and discovery matters.

Tish Looper is a Sr. Data Management Specialist at Dell concentrating on Efficient Data Management Solutions leveraging the Dell DX Platform, which enables long-term preservation while ensuring data remains safe and accessible over time. Tish has over 20 years of industry experience focused on Technology Solutions in Data Management (unstructured and structured). For more information please go to: http://www.dell.com/us/enterprise/p/powervault-dx6000/pd.

Please email the authors at philip_favro@symantec.com or tish_looper@Dell.com with questions about this article.