Organizations are woefully unprepared to comply with amendments to the U.S. court system's Federal Rules of Civil Procedure that call for businesses to retain and be able to produce electronic records, recent studies show.
The new rules, which were approved by the U.S. Supreme Court in April and will take effect on Friday, require any business that could be involved in litigation in federal court to retain electronic records -- such as e-mails, instant messages and text documents -- and be able to retrieve them if economically feasible. The rules also require company attorneys and IT managers to be able to show how electronic records are stored, what mechanisms are in place to retrieve them, and when and how they are deleted.
Virtually all businesses are affected by the new rules, analysts say. Companies involved in litigation related to lawsuits that cross state lines, Internal Revenue Service actions, and Health Insurance Portability and Accountability Act or Sarbanes-Oxley violations, for example, are expected to comply. According to industry analysts, events requiring electronic discovery are becoming more common: A survey by Enterprise Strategy Group (ESG) shows that 91 percent of organizations with more than 20,000 employees have experienced an electronic discovery involving e-mail in the past 12 months.
Many businesses are not aware of the new amendments, however. Of 75 company attorneys surveyed by LexisNexis Applied Discovery, more than half weren't aware of the Friday compliance deadline. Just 7 percent said their companies would be able to comply with the new rules.
Similarly, a Cohasset Associates survey shows that nearly 50 percent of organizations have no e-mail retention policy in place. Although not all organizations' e-mail retention policies will be the same, there are three elements that are essential to make such policies litigation ready: a clearly written records and information management policy; a legal hold-and-lift process to secure all information that will be relevant to an action; and an e-mail archiving process that includes services and software.
Vivian Tero, senior research analyst for IDC, says that businesses should "consider putting in place a corporate records-retention program as part of [their] litigation readiness." Organizations also should involve IT, compliance officers, records managers, and in-house and external legal counsel in discovery teams, she says.
Responding to electronic discovery requirements can be difficult for organizations that aren't prepared. According to the ESG survey, 56 percent of enterprises found that retrieving data from such offline media as tape was a significant challenge, and half of the respondents said that a lack of effective software tools to search for and retrieve information was a challenge. Many organizations misunderstood the electronic discovery requirements and thought they applied to only the financial services industry.
Not all enterprises have been caught off guard by the new amendments, however. Some suggest they are simply a formalization of existing requirements. "I am by no means expert in the rules of discovery, but it appeared at first glance to be simply a clarification of already-existing obligations to codify recent case-law decisions into formal rules," says Timothy Hogan from the Office of Business Conduct at Beth Israel Deaconess Medical Center in Boston. "The new language generally emphasizes the importance of policies and standard procedures covering the routine, good-faith operation of an electronic information system," he says.
At Beth Israel Deaconess, CIO John Halamka, is putting in Symantec's Enterprise Vault early next year to archive e-mail.
Such preparedness can pay off. Although the new rules don't stipulate fines for noncompliance, District Court judges have been known to fine companies for not responding to a discovery request fast enough. Last year, the Alabama Circuit Court of Appeals fined General Motors US$700,000 for delaying a discovery process by 98 days.