United States: Fostering a Compliance Culture: The Role of The Sedona Guidelines

Management of electronic information and records must reflect requirements emanating from the litigation process. This has become as much an area of focus in compliance efforts as accurate financial reporting, avoidance of employee misconduct, and antitrust matters. Anecdotal evidence shows a strong upsurge in self-examination by all types of organizations in order to meet the higher expectations.

Against this backdrop, the Sedona Working Group has published The Sedona Guidelines: Best Practice Guidelines and Commentary for Managing Information and Records in the Electronic Age. The guidelines are designed to promote effective approaches to addressing the key issues of electronic records management.

Unlike the recent ANSI/ARMA or ISO standard-setting efforts, The Sedona Guidelines focuses on legal imperatives that are driving the issue. Compliance with these new requirements can best be fostered by adopting the approach underlying the five Sedona guidelines.

This article identifies the new paradigm emphasizing litigation integrity over information management judgment suggests that creating a culture of compliance at all levels is essential outlines five steps from The Sedona Guidelines to help create that culture explains the proposed amendments to the Federal Rules of Civil Procedure

The explosive growth in electronic communications and related e-discovery failures has energized courts to impose their own priorities in the absence of guidance from higher courts or legislatures. These court decisions touch on fundamental aspects of information management previously thought to lie solely in the realm of good business judgment. For example, in Danis v. USN Communications, a court fined a chief executive officer for improperly delegating to others (who were deemed by the court to be unqualified in records management) the responsibility for ensuring that information in hard copy and electronic form was reliably made available for future use. In In re Prudential Ins. Co. of Amer. Sales Practices Litig., a court imposed a records management system after concluding that the "haphazard and uncoordinated" treatment of records in various sales offices threatened the litigation process. Misconduct in regard to information handling has resulted in severe criminal penalties for both entities and individuals under federal law. In a dramatic recent example, Arthur Andersen’s conviction for destroying documents in the face of investigation was affirmed despite the fact that participants thought their own conduct was in compliance with existing records retention policies. Another recent example was a prominent Wall Street trader’s conviction (now on appeal) for endorsing a records retention approach to cleaning up files under inappropriate circumstances.

It is clear that this new emphasis on strict compliance will not go away. It reflects what the court in Rambus v. Infineon Technologies called "the societal need to assure the integrity of the process by which litigation is conducted." Further, Zubulake V cautioned that those that ignore this new paradigm "act at their own peril." Congress has confirmed the shift’s lasting nature by increasing fines and penalties for obstruction of justice as part of The Sarbanes-Oxley Act of 2002.

Effective detection and prevention of law or ethics violations require publicizing the values and imperatives deemed important by an entity’s leadership.Most corporations have promulgated codes of conduct and provide training in the entity’s significant values. Nonetheless, recent corporate governance lapses led many to conclude that more effort must be devoted to involving all entity levels in such training. The U.S. Federal Sentencing Guidelines now explicitly require promoting an "organizational culture" that "encourages ethical conduct and a commitment to compliance with the law." Most corporations also understand that core values must include an effective information and records management program that meets all legal requirements, including those of the litigation process. Senior executives, chief compliance officers, audit committees, and general counsels should therefore reassess and amend existing codes of conduct, training programs, and corporate policies and procedures to reflect the new emphasis. The Sedona Guidelines offers a practical framework for this reappraisal.

The key to the effort is a "reasonable" approach to managing electronic information. Structured information involved in non-desktop applications, such as databases,Web sites, and the like require active management, although their dynamic nature makes this no easy task. An inventory and assessment of each application’s characteristics and uses should be promptly undertaken with an emphasis on identifying the predictable role each plays in business and litigation contexts. However, it is the unstructured or user-managed desktop applications – those involved in creation and management of e-mail, documents, shared spaces, and similar data types – that demand special attention. Practical solutions that balance competing considerations can best be achieved by calling on the collective wisdom of ad hoc or standing committees formed with representatives of information technology, business units, records management, and legal, along with tax, audit, finance, human resources, and other functional groups operating within the financial constraints imposed by the entity’s nature and mission. The legal department should provide leadership and guidance in this effort with strong management support. One suggestion is for the top executive to issue a specific charge providing specific deadlines and designating authority to undertake necessary steps to all affected units.

Traditionally, records schedules identified information life cycles without regard to litigation process demands. It was assumed that the only relevant legal obligations were those arising from static recordkeeping requirements imposed by tax codes, environmental laws, or regulations. This is no longer true (if it ever was). While these pronouncements and ongoing business needs are certainly key factors, all such considerations must yield to information’s role in litigation processes. Thus, in Stevenson v. Union Pacific, the United States Court of Appeals for the Eighth Circuit questioned the practice of adhering to an established retention approach without considering the impact of future litigation that might arise from the incidents involved. In a parallel development, section 802 of the Sarbanes-Oxley Act imposes criminal sanctions on those who act to destroy information "in contemplation" of any investigation, regardless of records schedule requirements for that item.

This concern can be met by adopting a robust "legal hold" process as discussed in guideline five. New approaches to records scheduling involving assessment of both litigation and business needs may also be helpful. One such approach could be to reduce drastically the number of categories involved in schedules, especially if pre-classification of electronic information is involved, and to energize the annual or other periodic review process to integrate legal concerns, practical issues, and the existing legal holds process. For example, a functional rather than departmental approach could be used for schedule development with broader categories of similar records series rather than narrower groupings. In addition, careful attention should be paid to clarifying the actual purposes of business continuation or disaster recovery plans so as to avoid giving users or courts the impression that such systems are intended to serve as an ad hoc storage for active data. Without such clarification, it may be necessary to routinely make these collections of information available for production.

Sedona’s guideline three states, "An organization need not retain all electronic information ever generated or received," thereby emphasizing that, under appropriate circumstances, it is perfectly acceptable to destroy electronic information. The test should be whether there is any continuing value or need to retain it. Transient electronic information without long-term value should be removed promptly while business-critical information should be retained – all within a framework of compliance with existing litigation imperatives. There are constraints, of course. In Rambus, the court criticized adoption of a records management program intended to prevent information from being available to people the entity planned to sue. However, in Arthur Andersen, the court of appeals noted that information destruction necessarily includes denying its future use in unknown litigation but that there is "nothing improper about following a document retention policy when there is no threat of an official investigation." Excessive storage costs, increased review costs, and possible interference with efforts to locate information that is needed for regulators or the courts could reasonably prompt such an approach.

For example, programs that routinely delete information as part of a management approach are lawful. Due consideration must be given to providing practical alternatives for storing information that does not meet the deletion criteria, such as information that relates to work in progress or is otherwise deemed to have continuing value. Automatic and routine deletion of e-mail may well be accompanied by opportunities to move e-mail to other storage media. A company with a unified message system that converts voice messages into digital formats may mandate retention of only one of the formats. There is no need, absent an express requirement imposed by law, regulation, or a specific court order in pending litigation, to preserve metadata when information is migrated from one form to another. (Whether metadata must be routinely produced in litigation is an open question, although most parties seeking and using e-mail have no need for the literally dozens of metadata fields provided. The proposed amendment to Federal Rule of Civil Procedure 34 would require, as a default, production of electronic information in either an electronically searchable mode or as maintained. This would have implications for the method selected to archive e-mail for long-term record purposes.)

Just as technology has helped to create the new requirements, it may also assist in their solution. Sedona’s guideline four describes procedures that can help address practical issues surrounding identification, retention, retrieval, and disposition of electronic information and records. Currently, most entities appear to rely upon a "print and file" approach requiring users to select electronic communications that should be preserved as records. Compliance with this approach is apparently spotty, at best. For example, in United States v. Philip Morris, a court exhibited frustration that the existing print and file document retention policy – which would have preserved a copy of missing information - had not been followed and levied a fine of $2.7 million for deletion of e-mail by executives despite notice of the need to preserve.

Archiving solutions are now widely available for electronic information, in large part due to regulations by the Securities and Exchange Commission and others that necessitated the development of creative retention methods. These can include fully automated tools or user-managed pre-classification or "drag and drop" opportunities. Some entities are using a "prioritization" archiving approach whereby a limited percentage of users are entitled (or required) to place their e-mail in a digital archive. Any solution adopted should provide quick, accurate, and effective search and retrieval capabilities. Individuals should still weed out transient, duplicative, personal, and other non-business-critical information and, of course, there must be adequate procedural and technical safeguards to preserve information subject to legal holds. Choosing appropriate e-mail archiving and automated processes will necessarily be at the heart of the interdisciplinary working group or oversight committee charged with assessing policy choices.

Most organizations now understand the need to implement an adequate legal hold process. Generally speaking, a legal hold consists of practices and procedures, usually managed by the legal or tax department, which suspend deletion or destruction of electronic and other forms of information. Legal holds also lay the groundwork for identification and collection of such information. Zubulake V includes the need for counsel to assess the effectiveness of current legal hold processes. Sedona guideline five provides a detailed outline of considerations, not only for litigation purposes, but in anticipation of such "businessrelated scenarios" as mergers or acquisitions, technology reviews, and bankruptcy where information sources for future use can be crucial.

The need to review existing practices is particularly important with regard to legal holds. Courts have never accepted "willful blindness" in advance of litigation, as evidenced in Wiginton v. C.B. Richard Ellis. Moreover, it is now abun- dantly clear that some courts and juries are unwilling to accept such blindness no matter why it occurs. The need to extend the culture of compliance to include all individuals, regardless of their level, may require compliance training with increased emphasis on records management and preservation, annual certifications of understanding relating to preservation requirements, and, in some cases, use of automatic preservation options.

The review of existing practices should focus on legal hold process elements. It should start with developing an integrated litigation response plan identifying a subset of functions and personnel responsible for playing roles in implementation. The legal department cannot do it alone.

Any process adopted should include a reasonable assessment of all possible sources of discoverable information and should prescribe a checklist of possible steps to make sure that information is available for future discovery, whether or not it has explicitly been requested. The focus should be on clear communications to the key actors who may control the information. This must include all forms of electronic information. It is unreasonable to require that every conceivable step be taken in every case to preserve all potentially relevant evidence. A more nuanced approach is to tailor the response on a sliding scale that weighs the burden of accessing and preserving the information against the likelihood that its other sources will be captured as part of the legal hold process.

There are clear signs that thought leaders among the judiciary understand this sliding scale approach. For example, in Zubulake IV, in the context of a discussion of backup media, Judge Shira Scheindlin explained her view that preservation of all backup tapes not used as archives was unnecessary unless key actor e-mail captured on the tapes was not otherwise available. Indeed, the Federal Rules Advisory Committee’s recent proposals regarding production of inaccessible information, including a limited and highly restrictive "safe harbor" from sanctions under some circumstances, can be seen as an endorsement of such an approach.

Many issues that form the underlying basis for the current requirements are under review. Since 1999, the Federal Rules Advisory Committee, the body that the Supreme Court’s Judicial Conference charges with rule-making oversight, has monitored electronic discovery in the federal courts with an eye toward assess ing the need for distinctive amendments on the topic. After a series of national hearings and consideration of practitioners’ comments, the Standing Committee of the Judicial Conference published for comment a report making 10 specific proposals. The proposals cover a wide variety of issues involved in discovery of electronic information and are based on the assumptions that viable information and records retention policies, including robust legal holds, have been or will be widely adopted.Hearings were held in January and February of 2005 at locations across the United States, and written comments were accepted through February 15.

One key proposal with implications for records retention acknowledges that inaccessible electronic information is burdensome to preserve and produce and would require a prior showing of "good cause" before production could be required. The committee cites as examples backup media not actually used for archival purposes, deleted information whose remnants may still exist on hard drives, legacy data not easily accessible due to storage or hardware issues, and the like. This distinction would help simplify planning for compliance because, by and large, inaccessible information would not be required to be preserved without a court order or special circumstances.

A related committee proposal would limit a court’s power to issue sanctions for failure to preserve or produce information lost due to routine operation of business systems.As originally proposed, the safe harbor was intended to provide a "bright line" test based on the business systems’ nature and satisfaction of a good faith requirement. However, even in its more limited current form as proposed, it would provide significant assistance by signaling the types of considerations involved in assessing compliance with preservation obligations. On balance, the proposals could help bring stability to the process of incorporating litigation concerns into information and records management.

Allman,Thomas Y.Ruling Offers Lesson for Counsel on Electronic Discovery Abuse.Washington Legal Foundation (October 15, 2004).Available at www.wlf.org/upload/ 101504LBAllman.pdf (accessed 6 January 2005).

_____. The Case for a Preservation Safe Harbor in Requests for E-Discovery, 70 Def. Couns. J. 417 (2003).

Blair, Barclay. "An Enterprise Content Management Primer." The Information Management Journal 38,No. 5 (September/October 2004).

Danis v. USN Communications,No. 98 C 7482, 2000 WL 1694325 (N.D. Ill. Oct. 23, 2000).

Federal Sentencing Guidelines,U.S.S.G. § 8B2.1 (Revised as of Nov. 1, 2004). In re Prudential Ins. Co. of Amer. Sales Practices Litig., 962 F.Supp. 450, 497 (D. N.J. 1997).

Rambus Inc v. Infineon Technologies, 220 F.R.D. 264, 282 (E.D.Va. 2004). Sarbanes-Oxley Act, Pub. L. 107-2004, 116 Stat. 745 (2002).

Sedona Conference. Sedona Guidelines, The: Best Practice Guidelines & Commentary for Managing Information & Records in the Electronic Age. Sedona, AZ: The Sedona Conference, 2004. Available at www.thesedonaconference.org (accessed 6 January 2005).

Stevenson v. Union Pacific, 354 F.3d 739 (8th Cir. 2004).

U.S. v. Arthur Andersen, LLP, 374 F.3d 281 (5th Cir. 2004).

United States v. Philip Morris, 327 F.Supp.2d 21, 25 (D.D.C. 2004).

United States v. Quattrone, Case No. 03 CR 00582 (S.D. N.Y.May 3, 2004) (Jury verdict as to Frank Quattrone).

Wiginton v. C.B. Richard Ellis,No. 02 C 6832, 2003 WL 22439865, *7 (N.D. Ill. Oct. 27, 2003).

Zubulake v. UBS Warburg, LLC, 220 F.R.D. 212, 217 (S.D. N.Y. 2003) ("Zubulake IV").

Zubulake v. UBS Warburg,LLC,No. 02 Civ. 1243 (SAS), 2004 WL 1620866, *12 (S.D.N.Y. July 20, 2004) ("Zubulake V").

Information and Documentation – Records Management Processes – Metadata for Records – Part I: Principles ISO/TS 23081-1 – 2004. Available from www.ansi.org.

Report of the Civil Rules Advisory Committee. Available at www.uscourts.gov/rules/comment2005/CVAug04.pdf (accessed 6 January 2005).

Requirements for Managing Electronic Messages as Records (ANSI/ARMA 9-2004). Lenexa, KS: ARMA International, 2004.

The U.S. Federal Sentencing Guidelines. Available at www.ussc.gov/GUIDELIN.THTM (accessed 6 January 2005)

Copyright © 2007, Mayer, Brown, Rowe & Maw LLP. and/or Mayer Brown International LLP. This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Mayer Brown is a combination of two limited liability partnerships: one named Mayer Brown LLP, established in Illinois, USA; and one named Mayer Brown International LLP, incorporated in England.