Archive for May, 2009

Adams v. Dell Questions Custodian-Based Retention and Litigation Hold Practices in Electronic Discovery

Thursday, May 28th, 2009

I was at the Sedona Conference Working Group’s Mid Year meeting last week where 80 or so electronic discovery practitioners and judges met to discuss hot topics in bucolic Denver, Colorado.  Without getting into the particulars of any discussion, several themes continue to stay on the front burner, including the progress of the cooperation proclamation and the relatively newer issue of proportionality (as highlighted recently by The American College of Trial Lawyers Task Force on Discovery).

Aside from those overarching themes, I was struck by how polarizing the discussion was around one recent case in particular. While many notable commentators have already made this one of the most talked about cases of the year, Phillip M. Adams & Assoc., LLC v. Dell, Inc., 2009 WL 910801 (D. Utah Mar. 30, 2009) continues to stimulate discussion. Adams v. Dell is a patent infringement case where the plaintiff alleged that one of the defendants (ASUS) destroyed critical pieces of evidence and should be sanctioned accordingly.

The underlying facts and timelines are fairly complex, but in summary the dispute centered around the alleged infringement of several patents developed to resolve defects in floppy disks in the late ’80s. What makes this decision so vexing is that it starts out as a preservation case, but quickly confuses that concept with data retention and information management practices/policies.

So, starting with the preservation angle… Both sides fortunately agreed about the definition for the duty to preserve evidence, which in the 10th Circuit begins when a party “knows or should know [it] is relevant to imminent or ongoing litigation.” The triggering of the preservation duty was, not surprisingly, much more complicated, and ASUS (the responding party) claimed that its duty to preserve wasn’t triggered until early 2005, when it received a letter warning it of potential litigation because of the alleged patent infringement. But the Magistrate held that “counsel’s letter is not the inviolable benchmark” and the duty to preserve was triggered much earlier (in the 1999-2000 time frame) because similar litigation was rampant in the industry, highlighted by a late 1999 suit where Toshiba paid billions of dollars in a class action settlement related to similar floppy disk issues.

Leaving the murky preservation issue by the wayside for a bit, the Magistrate then moved into ASUS’ claims that FRCP 37(e) provided a safe harbor for its alleged destruction.

“ASUS claims it can find a safe harbor against sanctions because of the recently adopted rule that sanctions may not be generally imposed for ‘failing to provide electronically stored information lost’ if a party can show the loss was ‘a result of the routine, good-faith operation of an electronic information system.’”

Nice try, but strike two for ASUS…

“ASUS provided an extensive declaration from an experienced consultant in e-discovery. While he stated the reasons for and history of ASUS’ ‘distributed information architecture,’ he did not state any opinion as to the reasonableness or good-faith in the system’s operation. And while he says ‘ASUSTeK’s data architecture relies predominantly on storage on individual user’s workstations,’ his 31-page declaration does not show he is familiar with the precise practices pointed out in the declarations of employees. Those employees’ declarations describe the practice of ASUS’ email system to overwrite old data regardless of its significance; ASUS’ reliance on employees for all email and data archiving; and the process of replacement of computers, which also relies on employees to transfer data from their old to their new computers. Neither the expert nor ASUS speak of archiving ‘policies;’ they speak of archiving ‘practices.’”

The court’s distinction between “policies” and “practices” seems like a convenient (perhaps “Deus ex machina”) way to discount ASUS’ data retention activities and prevent the use of the FRCP 37(e) safe harbor. In most instances, “bona fide, consistent and reasonable” document retention “policies” have been found to be presumptively valid by everyone ranging from Sedona (Guideline 3) to Carlucci v. Piper Aircraft Corp. and Arthur Andersen LLP v. United States, 125 S.Ct. 2129 (2005). It’s not clear how he draws the important “practices” distinction and why said practices are exponentially different from presumptively valid “policies.”

It’s precisely this line of thinking that confuses the alleged failure of the duty to preserve (discussed at the outset of the opinion) with the duty to retain information.  The court seems to think it’s an “unreasonable” practice to have custodians responsible for compliance with data retention and this deficiency made the safe harbor unavailable.

“ASUS has explained that it has no centralized storage of electronic documents, email or otherwise, and relies on individual employees to archive email (which will be deleted if left on the server) and electronic documents (which reside only on individual workstations).”

Not only is this custodian-based retention practice, in and of itself, reasonable; it’s probably the most common form of data retention practice seen at corporations today. While a number of vendors have promised intelligent retention systems that work without any significant human intervention, for the most part those solutions are still in their infancy. Additionally, there are significant technical challenges in having an application manage *all* ESI (Electronically Stored Information) that exists for a given custodian (including desktop files, instant messaging, text messaging, social media, etc.). As such, most companies must inherently rely upon their custodians to both retain and preserve data pursuant to company policies. The court not only seems to miss this point, but also attempts to impose an obligation that corporations must prevent the “loss of data” above and beyond specific preservation obligations.

“ASUS’ practices invite the abuse of rights of others, because the practices tend toward loss of data. The practices place operations-level employees in the position of deciding what information is relevant to the enterprise and its data retention needs. ASUS alone bears responsibility for the absence of evidence it would be expected to possess. While Adams has not shown ASUS mounted a destructive effort aimed at evidence affecting Adams or at evidence of ASUS’ wrongful use of intellectual property, it is clear that ASUS’ lack of a retention policy and irresponsible data retention practices are responsible for the loss of significant data.”

Although the exact rationale was unclear, the court held that ASUS violated its duty to preserve and that the loss of evidence could not be excused as a “routine, good faith operation of electronic information systems.” While the court ruled that sanctions were appropriate, it reserved final sanctions pending the close of discovery. Depending on what those ultimate sanctions look like, it seems pretty likely that this decision will be subject to appellate review. Until then, it’s probably too soon to treat this questionable holding as gospel. Wary corporations, however, should continue to bolster the “reasonableness” of their information management/retention/destruction policies and practices so that in hindsight a court won’t be able to take away the FRCP 37(e) electronic discovery safe harbor by casting those “practices” as being unreasonable.

Foreign Corrupt Practices Act (FCPA) Drives Increased Electronic Discovery Overseas

Tuesday, May 5th, 2009

Ask a European about e-discovery, or e-disclosure as it is called in the UK, and you will often be met with a look of distaste. Much like SUVs or obesity, electronic discovery is viewed as an unpleasant, uniquely American phenomenon. But, in reality, there are fat people in Paris, Range Rovers all over London, and a lot of electronic discovery happening all across Continental Europe – whether people like to admit it or not.

One reason for that is the Foreign Corrupt Practices Act (FCPA). This US law, which has inspired similar legislation in other countries, prohibits companies from engaging in corruption, such as bribing government officials to win large contracts. That sounds simple enough, but it’s not always easy to do. For example, an American friend of mine runs a travel website in China. To advertise, he hired people to hand out flyers at all the major train stations. But after a few weeks, his employees began to get hassled by station officials who said they needed an official “permit”. So he did what anyone would do and paid the “permit fees” even though no paperwork for this “permit” was ever produced. When his US auditors looked at that, they immediately cried foul. He was then compelled to end the practice and bring in a law firm to conduct a full FCPA investigation. The result: lots of legal bills, no more advertising in train stations, and a more powerful Chinese-run competitor who has no such qualms about paying “permit fees”.

In speaking to Daniel Dorsky, Tyco’s Compliance Counsel and an expert in FCPA issues, I discovered that my friend’s experience is no longer the exception. From what Daniel described, enforcement of the FCPA has been stepped up dramatically in the past couple of years. Apparently, 2007 was the watershed. Prior to that, no one really worried about the FCPA too much. But two years ago, the Department of Justice (DoJ), under Mark Mendelsohn, began to take a different approach. First, the fines became much stiffer as, for example, Baker Hughes got hit with a $44 million penalty, by far the largest ever at the time. Second, the DoJ started to prosecute executives personally, bringing 15 criminal cases against individuals. Nothing focuses the mind like the threat of jail time, and FCPA compliance suddenly took on greater urgency.

The number of FCPA enforcement actions continued to increase in 2008, most notably with the infamous Siemens case. By the time the dust settled, the CEO of Siemens had been fired and the company was reeling from a $1.4 billion fine. Nor do things look like they are slowing down in 2009. In the first few months of this year, ABB took an $800 million accounting reserve for FCPA issues, Halliburton got fined $177 million, KBR $502 million, and the KBR CEO, Albert Stanley, got 7 years in jail to go along with his $11 million personal fine. These companies are also now vulnerable to civil suits. While there’s no private right of action under the FCPA, that does not stop securities fraud class actions or shareholder lawsuits, which charge that defendants either understated the risks or overstated the controls in their disclosures.

There are a number of reasons why FCPA enforcement actions will likely increase further in the coming months and years. The FBI recently created an FCPA taskforce of 8-12 agents, bringing all the standard law enforcement tools to FCPA compliance (e.g., wire-taps, subpoenas, informants, warrants). Many other countries are starting to enforce similar laws, with much encouragement from the US, which does not want to see American businesses disadvantaged by doing the right thing. And international law enforcement agencies are cooperating more than ever before. For example, last summer in Paris, international agencies held their first FCPA conference to share information.

All of this is driving a boom in e-discovery as General Counsels and Compliance Officers regularly conduct investigations of their overseas subsidiaries to ensure FCPA compliance. These investigations often center on “red flag” countries like China, Brazil, or Russia, where compliance is most difficult. They almost always involve outside counsel, and require the processing, analysis and review of large volumes of electronic information. This applies to European companies as much as it does to American ones. Non-US nationals can be prosecuted if either communications or money goes via the US, and many European countries are following the DoJ’s lead (e.g., $600 million of Siemens’ $1.4 billion fine came from German authorities).

So no matter how Europeans feel about e-discovery, or e-disclosure, they will be doing more of it in the coming years, much like their American counterparts. It’s fair to say that, in this domain, as perhaps in others, Europeans and Americans have much more in common than they might think.