With the increasing proliferation of electronically-stored information (“ESI”), it is more important than ever to have a well-rounded document retention policy (“DRP”) for your business. The purpose of a DRP is to provide clear guidelines for the review, retention, preservation, and destruction of your documents. A DRP should not only cover documents and ESI created or stored on company equipment or premises, but also regulate the use of the following, as it relates to company business: personal devices, including smartphones and tablets, cloud storage, personal email accounts and websites, and social media.
An effective DRP can become invaluable for a business facing potential or ongoing litigation or a government investigation. In such circumstances, businesses are obligated to preserve and often produce documents that are relevant to the issues raised in the litigation or government investigation. A well-rounded DRP can help a business (and its counsel) efficiently sift through its often-voluminous records and locate, identify, and review potentially-relevant documents. This process can help reduce the internal and external costs associated with discovery compliance, which often represents a significant portion of litigation costs.
An effective DRP can also help companies avoid the penalties associated with spoliation of evidence. Under the recently-revised Federal Rule of Civil Procedure 37(e), parties in litigation can be penalized if they have failed to take reasonable steps to preserve ESI that cannot be restored or replaced through additional discovery. If such spoliation has occurred, parties may face an instruction at trial that the missing information would have favorable to the opposing party, or even a dismissal of the action and a default judgment. A DRP should contain instructions on when and how preservation should occur once a company’s discovery obligations kick in. If document destruction does occur, the existence of a DRP may also help to persuade the court that the inadvertent destruction relevant to a pending litigation was reasonable rather than the result of any malfeasance.
In evaluating your need to develop or update your DRP, here are some additional factors to consider:
- Ongoing Updates are Critical – even if you already have a DRP, it may be outdated given legal updates (including revised Rule 37(e)), the proliferation of ESI and social media, and the increasing amount of work performed outside the office premises. Therefore, a company should re-evaluate its DRP at a minimum on an annual basis to ensure its effectiveness.
- Identify Those Responsible for Compliance – a DRP is only as effective as those responsible for its implementation and compliance. Therefore, it is important to identify an individual or group responsible for making sure that employees are complying with the protocols outlined in the DRP. In the event of litigation, government investigation, or data breach, the company therefore can turn to those individuals to make sure that the DRP is implemented properly.
- Set Strict Guidelines for Destruction – Data destruction is usually a normal part of business, but it becomes more complicated when a litigation or government investigation enters the picture. An effective DRP must contain strict guidelines for how and when data is destroyed during the normal course of business, and how destruction is suspended when a litigation or investigation is pending or underway.
- Vendor Oversight – If you currently use a vendor or anticipate using a vendor for your data storage needs, your preservation and discovery obligations do not end when the data is stored elsewhere. Your DRP therefore must also cover data stored with a third-party vendor. Also, because vendor quality varies widely, it is your responsibility to ensure that your vendor is sufficiently sophisticated and responsive enough so that your DRP can be effective.