Legal hold. What does it mean to you? Ask one person and you will be told that it means the preservation of data for the custodians within an eDiscovery process. Ask another and the answer is the notification process (with optional acknowledgment) to all involved custodians. So, which is the right definition? Actually, they both are and that’s where the confusion lies. Legal hold means different things to different people and unless there is full clarity on the subject, assumptions are made. If these assumptions result in non-compliance, severe penalties can be handed down.
In today’s litigious world, legal hold is becoming more and more important. Though technology offers the ability to automate many tasks and processes, the human factor is still vital to fulfilling legal hold requirements. Despite the best laid plans for the security of electronic data, a single individual still has the ability to affect a company’s legal destiny. To help ensure it has taken all of the necessary precautions, a company can create a legal hold strategy that mitigates human error.
First, let’s define the three components that comprise legal hold:
1. Data preservation – This process secures the data either in-place or within another segregated location, preventing the custodians (users) from altering information.
2. Custodian notification – This process informs the custodians of being placed on legal hold.
3. Custodian acknowledgement – This process requires the custodians to acknowledge the legal hold for audit trail purposes.
The best litigation hold procedures include a fourth component – auditing. For maximum compliance, the first three steps should be tested consistently to make sure they are meeting the process goals.
Once litigation or regulatory inquiry is reasonably anticipated, an organization has the duty to preserve electronically stored data relevant to the case or run the risk of spoliation sanctions that can include adverse judgement. This means relevant data cannot be destroyed, deleted or modified.
Preservation is typically done in one of two ways – in-place, where the software and systems prevent the deletion of data where it resides within the application itself, or in a segregated repository where all relevant data is copied to a secure, independent data store outside the host applications. Both methods have pros, cons and caveats.
For in-place data, new data (e.g. email) will be constantly added to the data that is being secured without reference to a specific matter. The preservation rules must constantly be updated. For copied data in a secure repository, the data is static and no new data is introduced. If new parameters or custodians are introduced to the case, data must be gathered again and processed. Both methods need constant maintenance, but which is better depends on your circumstances, available software and the merits of the case. A general rule of thumb is that in-place holds work well for constantly changing, up-to-the-minute cases where new data is considered relevant. Segregated repositories work well for cases where the legal team wants a snapshot of the data from a specific moment in time.
Data preservation is challenging. There is a mind-numbing variety of available data types and business processes, some of which need to be suspended or enabled to perform a proper preservation process. Deletion processes must be defensible and data storage procedures must be accounted for. For example, you can journal all inbound/outbound messages that are sent to/from your company and take backups every night of all production data. However, not all data is centralized and under the control of your organization. Data is distributed and probably more so now than ever in the history of mankind. And let’s not forget, not all data is stored electronically or in easily accessible systems. Because of this, proactive planning is necessary to employ reasonable measures to ensure preservation compliance for targeted data stores and to avoid spoliation challenges down the road.
Another difficulty is that many organizations cannot fully automate data preservation. Some software can be configured to prevent users from editing and/or deleting data. Data comes in and leaves the system and it is essential that new data and static data that will be relevant to a case are all accounted for in data preservation.
Forethought is required to determine which method works best for your organization. The tools to manage data preservation should be in place well before any litigation or regulatory concerns are a reality. This also means that the scope of preservation is well defined in the initial stages of litigation to prevent over- or under-preservation and the risks and costs associated therein. Most importantly, it is essential to test preservation processes to maintain defensibility of the data preservation procedures.
Custodian notification is exactly what you would expect. Custodians (users) are informed they have been placed on legal hold and are given explicit instructions of the actions (if any) they need to take. Though the process is simplistic, what is included within it is not. Just telling the custodian they are included in pending litigation is not enough to satisfy notification requirements. Due diligence is needed by the Legal team to determine the verbiage and instructions to be included within the notification.
Specificity is Legal’s best friend during this process. No assumptions should have to be made by custodians. It should all be spelled out explicitly as to what the custodian can and cannot do to data during the legal hold process. But it does not end there. Legal may not be aware of what kind of data is in the custodian’s possession, where it is stored or other useful details. Often, a questionnaire is included within the notification process which asks specific questions that help the Legal team understand and pinpoint the scope of the custodian’s involvement and data harvesting requirements. Custodians may even have relevant information stored on the oldest of technologies…paper!
Users still print a lot of data (emails, etc.) and printed data, where it exists, can be just as essential as electronic data within the context of litigation. In fact, it is a wild card in eDiscovery. Electronic data can be searched efficiently, but printed data must either be manually read or OCR’d (and then read electronically). By including a question about relevant printed material as part of a notification questionnaire, the Legal team can avoid a potential pitfall.
The questionnaire process is very important for legal to help set the scope of the case. It helps identify data stores, data types and other matters that may pertain to the case. Most companies will also want to send out reminders to the custodians on a periodic basis, keeping them informed of the continuing legal hold. Lastly, notifying the custodians when the legal hold has been completed is also a typical part of the process.
Once a custodian receives the notification (typically via email) regarding the legal hold, they must acknowledge that they have read and understand the limitations of what they can do to their data, both electronic and printed. The most common method of acknowledgement is for the custodian to click a link within the notification. When the link is clicked, both the custodian name and the date/time of the acknowledgement are recorded for audit trail purposes. A custodian would complete any included questionnaire during the acknowledgement process. Additionally, custodians might even need to acknowledge the periodic legal hold notifications that are sent on a specific schedule.
These three components of legal hold are not completely intertwined and the merits of the case or internal policy may dictate that you do not perform all the steps. Sometimes data preservation needs to be performed covertly, where affected custodians are not informed that legal hold has been implemented. Conversely, you could notify the custodians without performing any automated data preservation. This method, often referred to as self-preservation, puts the onus on the user to comply with the data preservation. Both processes are valid based upon the company’s requirements, although self-preservation can be fraught with difficulties.
Each company, and possibly each case, might be handled differently. You need to ensure that you can adapt quickly to whatever components of the legal hold process Legal wants to implement per case. Also, keep in mind that a specific custodian could easily be included in multiple simultaneous legal hold processes, so be sure to make plans for that as well.
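A small model of the acknowledgement audit trail and of a custodian on several simultaneous holds, as described above. This is an added example, not code from the original post or any product; the `HoldRegistry` class, the HMAC-signed link token, the rule that data stays preserved until every matter naming the custodian is released, and all sample names are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

class HoldRegistry:
    """Hypothetical tracker for hold notices, acknowledgements and releases."""

    def __init__(self, secret=b"constructed-demo-key"):
        self.secret = secret   # assumption: server-side key, never sent out
        self.active = {}       # matter -> custodians currently on hold
        self.acked = set()     # (matter, custodian) pairs that acknowledged
        self.audit = []        # append-only (utc_time, event, matter, custodian)

    def _log(self, event, matter, custodian):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, event, matter, custodian))

    def token(self, matter, custodian):
        # Value carried in the acknowledgement link, bound to one matter
        # and one custodian so it cannot be replayed for another hold.
        msg = f"{matter}\x00{custodian}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def notify(self, matter, custodian):
        self.active.setdefault(matter, set()).add(custodian)
        self._log("notified", matter, custodian)
        return self.token(matter, custodian)

    def acknowledge(self, matter, custodian, token):
        expected = self.token(matter, custodian)
        valid = hmac.compare_digest(token.encode(), expected.encode())
        if not valid or custodian not in self.active.get(matter, set()):
            self._log("ack_rejected", matter, custodian)
            return False
        self.acked.add((matter, custodian))
        self._log("acknowledged", matter, custodian)
        return True

    def outstanding(self, matter):
        # Custodians who still need a reminder for this matter.
        members = self.active.get(matter, set())
        return sorted(c for c in members if (matter, c) not in self.acked)

    def release(self, matter):
        for custodian in sorted(self.active.pop(matter, set())):
            self._log("released", matter, custodian)

    def must_preserve(self, custodian):
        # Releasing one matter does not free a custodian named in another.
        return any(custodian in m for m in self.active.values())
```

Rejected acknowledgements are logged as well as accepted ones, so the audit step can see failed or mismatched link clicks rather than only successes.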
In the end, my final advice is to be prepared. Create a plan, but also be aware that change is inevitable in everything. As I like to say “Fail to plan, plan to fail.” Don’t allow yourself to be added to this infamous group.