When Arthur Andersen partner David Duncan met with his colleagues in their Houston office last fall, just before the onset of their now infamous computer file delete-fest, they did not couch their planned mission as a purposeful endeavor to destroy evidence relevant to an impending Securities and Exchange Commission (SEC) investigation.
Instead, according to reports, Duncan termed the endeavor as merely an effort to ensure that the Houston office was in compliance with Arthur Andersen's stated electronic records retention and management policies.
Records retention and management policies (RRMPs) are all the rage amongst corporate counsel these days, and it largely falls upon IT administrators to help formulate, implement and enforce these policies. However, as the Arthur Andersen/Enron debacle and many other recent cases demonstrate, RRMPs are hardly the panaceas and silver bullets that some corporate counsel appear to think they are. In addition to the possible death penalty currently facing Arthur Andersen, courts and juries in the United States have recently imposed severe penalties in the form of litigation sanctions and adverse judgments as a result of spoliation of computer evidence and the improper execution of RRMPs.
The impact of this form of "cyberliability" - the wrongful destruction of computer evidence, has certainly taken many legal experts by surprise, particularly in light of the number of actual reported cases where the issue proved to determine the ultimate outcome. In contrast, over-hyped cyberliability issues such as the Y2K bug and so-called "downstream liability" have hardly materialized into the massive wave of lawsuits and general upheaval predicted by many pundits. Downstream liability is a theory that companies who negligently fail to secure their networks or design-flawed software from security vulnerabilities could be held liable by third-party victims who are injured economically as a result of their negligence.
While fallout from the Y2K bug and downstream liability never materialized, the improper deletion of computer data has already proven to be an actual and significant form of liability for many companies. In many of these reported cases, including the Arthur Anderson/Enron scandal, the improper execution of record retention policies has been a main culprit.
RRMPs can be very effective and beneficial to an organization when implemented and properly applied. When executed evenly and routinely in the normal course of business, and without notice of actual or impending litigation, computer files can be properly deleted and discarded in most cases. A properly employed records retention policy can also be employed as an effective tool to organize and facilitate information retrieval, thereby reducing costs and the expenditure of resources during the discovery process, when examination of those records is needed. Abuse of RRMPs occur when they are employed while ignoring superceding obligations for retention, such as in the case of law firms, auditors, and other businesses that have professional, statutory, or legal obligations to maintain information for a specified period of time.
Arthur Anderson and Enron are not the only companies to have recently made the often fatal mistake of executing RRMPs while under notice of actual or anticipated litigation. The case of Trigon Insurance Company vs. United States, 204 F.R.D. 277 (E.D.Va. 2001), is a prime example. In Trigon, the court ordered the appointment of independent computer forensics experts to recover emails and computer files, after it determined the files were improperly deleted by a litigation support firm retained by the civil defendant in that case. The Court rebuffed the offending firm's attempt to use its ongoing RRMP as justification for the deletion and ruled that it would instruct the jury regarding the adverse consequences of the destruction of the computer files and emails. Such jury instructions regarding the destruction of computer evidence or failure to produce such evidence have proven to be difference-making rulings in many cases.
Many other companies have faced liability of one form or the other as a result of improper destruction of computer evidence during the course of litigation. In RKI Inc. vs. Grimes, 177 F.Supp.2d 859 (N.D. Ill 2001) the court's finding that an employee of the defendant corporation had improperly deleted presumably relevant computer files on his laptop proved to be a devastating ruling that essentially decided the litigation. A similar result occurred in Long Island Diagnostic Imaging vs. Stony Brook Diagnostic Associates, 286 A.D.2d 320 (2001 NY), where the court dismissed an entire cross-complaint due to Stony Brook's improper deletion of computer evidence on its servers.
Having an entire lawsuit turn against a company based upon improper deletion of electronic documents may cost a company tens of millions of dollars in an adverse judgment or a lost claim. In light of these cases and the lessons of Arthur Anderson, the destruction of computer evidence is one form of cyberliability that cannot be dismissed as a passing fad.
John M. Patzakis is president and general counsel to Guidance Software, Inc. (www.encase.com), the developer of the computer forensic software tool, EnCase. He can be reached at email@example.com