Data Retention and the Cloud

Businesses maintain books and records so an accounting of business activities may be performed. Whether for an audited financial report, a compilation, a review, a tax return, or a specific management report, businesses must gather, summarize, and analyze facts and figures to support reports, tax returns, and conclusions. After the report is issued and/or the tax return is filed, supporting documentation must be maintained for a prescribed period of time depending on the particular circumstances of the organization. Organizations moving to a cloud computing solution must carefully plan the service level offerings to ensure that they still meet all data retention requirements applicable to their organization; hosting data in a cloud-based product does not change these requirements. Additionally, organizations need to ensure their cloud solution includes capability to process a litigation hold should they become embroiled in litigation.

Likely the most far-reaching requirement for retention is Treasury Regulation 1.6001, which requires taxpayers to retain information to support their tax return information:

Except as provided in paragraph (b) of this section, any person subject to tax under subtitle A of the Code (including a qualified State individual income tax which is treated pursuant to section 6361(a) as if it were imposed by chapter 1 of subtitle A), or any person required to file a return of information with respect to income, shall keep such permanent books of account or records, including inventories, as are sufficient to establish the amount of gross income, deductions, credits, or other matters required to be shown by such person in any return of such tax or information.¹

Not very many years ago, record retention requirements were satisfied by retaining boxes of paper documents, folders, and file cabinets, and moving older items to an offsite storage archive. Onsite storage of paper documents was cumbersome and time consuming to manage. The costs of office floor space were significant. Offsite storage costs, including third-party management of offsite storage, were quite expensive as well. Today, many pertinent business records are retained in source computer files, and paper records are scanned for electronic storage. Cloud vendors abound that can host document archives remotely, provide search and retrieval capabilities, all for costs typically below the costs incurred to store paper documents. This has created an entirely new concern for organizations: Technology has advanced to the point that it is now possible to store “everything” on a long-term basis. The decreased cost of computer storage means that it is often perceived to be cheaper to acquire additional digital storage archive space than it would be to manually determine what should be archived and what should be deleted.

An IBM whitepaper highlighted a concern with sprawling data archives in 2006:²

E-mail has proved to be one of the first sources of this corporate pain. Once seen as nothing more than a quick and flexible communications tool, e-mail is now estimated to be the platform for as much as 75% of company intellectual property. E-mail documents figure in some 75% of all cases of corporate litigation. Sheer weight of usage means that the medium has in many organizations become the primary record repository, a fact recognized by legislation requiring the long-term retention of messages.

Companies are now learning the hard way about the need to take e-mail storage seriously. Five US banks were recently fined US$1.25 million each when they failed to retrieve e-mails that were demanded of them. One Fortune 500 company had to spend US$750,000 to dig e-mails out of an archive in response to a legal subpoena. A pharmaceuticals company was forced to devote time and people to searching through 30 million messages for a court case.

Regulatory insistence on data retention looks set to continue unabated in the future. Along with factors like the introduction of megabitrated mobile communications services for consumers, citywide wireless Internet access, and ultra-broadband wireless networking inside homes and offices, this regulatory insistence will add still more momentum to today’s roaring inflation in the demand for data.

Companies and other organizations face an increasingly urgent choice about how to respond to this enterprise-threatening challenge. They can carry on dumping, creating ever bigger and more incoherent “data pits” and paying a soaring price when they need to retrieve items of value. Or they can face up to the problem and find out what it takes to actively manage information from cradle to grave, weeding out the mass of ephemera early on and keeping only what is likely to be of long-term value.³

Cloud computing archival solutions could add to the problem of growing data volumes if not properly managed. Cloud-based archives are based on storage volumes, and the provider will send a summary of the total amount of storage used, year over year. Some solutions may not offer robust file management tools that would allow a manual review and purge of data that no longer needs to be retained. Without such tools an organization can lose visibility into how much data they actually have under their control.

System backup procedures are responsible to ensure that lost or damaged data can be restored when needed, preventing the business costs of corrupt or destroyed data. Although these are not the same as document retention policies, the two go hand in hand. The retention policies must consider the existence of the catalog of backup data, and the time it must be retained. Backup procedures, likewise, create an archive that can support the objectives of the retention policies, but may not address all the data that needs to be archived within the organization. Careful coordination of the system backup procedures and document retention policies is required.

Electronic documents are easier and cheaper to copy, distribute, and store than paper documents. Exact duplicates of electronic documents can be created at the touch of a button, without regard to the length of the document or the cost of creating the printed copy. These copies may be stored in a different location than the original, on a different device or different platform. Attempting to catalog and control these cascading volumes of information can be difficult.

Organizations should develop and maintain a robust document retention policy, and this policy should be extended to the cloud-based storage solution when the organization migrates to the cloud. This policy should clearly define the retention period for classes of documents, both paper-based and electronic, as well as procedures to ensure documents are destroyed when their retention periods have expired. These policies should address all types of information, including documents, e-mail content, and other data as well as all storage locations within the organization, including paper archives, server storage space, cloud-based storage space, personal computer drives, removable media (such as flash drives and optical disks), and smart devices. The document retention policy should be driven by the regulatory requirements that drive the need to retain documents for a specified period. Additionally, the policy should consider the special retention needs for documents related to litigation events.

The retention policy should be supported by a record retention solution to help the organization implement and manage compliance with the retention policy. A single point of retention is ideal, but may not be practical for all organizations. The solution will likely involve a combination of technical infrastructure as well as operational procedures for how to archive and how to purge records who have reached the end of their retention periods. Additionally, procedures must define procedures to retain all records subject to litigation requirements (i.e., litigation hold procedures). These procedures must ensure that normal retention procedures are suspended for records irrespective of the platform or media upon which they are stored.

Management must also implement procedures to monitor compliance with the document retention policies, including consideration of new data sources and storage platforms. Monitoring procedures should help the organization ensure that data continues to be retained according to requirements as the organization’s technology and business process continue to grow and change. Simply having a retention policy is not good enough; an organization must be able to demonstrate that it is implemented and followed by all members of the organization.

Document retention is not an IT responsibility; it is management’s responsibility to ensure an adequate retention policy is developed and executed, and an organization-wide responsibility to ensure the approved procedures are followed consistently. IT is frequently charged with providing the archival solutions to support the procedures, but they cannot be successful without organizational support.

The low cost of cloud solutions can also create entirely new storage areas; these should be included in the document policies to ensure that documents records in that storage is appropriately managed. For example, if a company moves to corporate Gmail as their e-mail solution, users will be provided with storage space in Google Drive, which is an online data storage area within the user account. Microsoft 365, Microsoft’s hosted e-mail application, similarly provides online space in the form of a hosted SharePoint database. Policies should clearly define the appropriate use of this storage and include any data stored in these archives under the overall retention policy. The policies must be resilient enough to consider the appropriate handling of information stored in new data repositories, or outright specify allowable storage locations and forbid the use of ad hoc storage.

Courts have responded harshly to companies that fail to preserve data relevant to litigation matters. In the case of Laura Zubulake v. UBS Warburg LLC & UBS AG, United States District Court Judge Shira A. Scheindlin ruled:⁴

Defendants also argue that none of the correspondence between counsel on discovery matters is relevant to plaintiff’s claims or the adverse inference instruction and seek to preclude plaintiff from introducing this evidence. In Zubulake v. UBS Warburg LLC, No. 02 Civ. 1243, 2004 WL 1620866, at *5 (S.D.N.Y. July 20, 2004) (“Zubulake V ”), I found that “UBS personnel unquestionably deleted relevant e-mails from their computers after August 2001, even though they had received at least two directions from counsel not to.” I also found that “UBS acted willfully in destroying potentially relevant information, which resulted either in the absence of such information or its tardy production. . . .” Id. at *12. I therefore concluded that the appropriate remedy was an adverse inference instruction with respect to e-mails deleted after August 2001. See id. at *13. The text of the adverse inference instruction I intend to give the jury in this case is set forth at the end of Zubulake V. It states, in pertinent part, as follows: “You may also consider whether you are satisfied that UBS’s failure to produce this information was reasonable.”

In light of the above, plaintiff may introduce correspondence between counsel on discovery matters if defendants open the door by introducing evidence as to whether their failure to produce was reasonable. If defendants decide not to offer proof that their failure to produce certain e-mails (or late production of other e-mails) was justified, plaintiff will not be permitted to introduce any of the correspondence between counsel in her case in chief.

2. Back-Up Tapes

Defendants seek to preclude any evidence concerning the failure by UBS to preserve several monthly back-up tapes. In Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, (S.D.N.Y.2003) (“Zubulake IV”), I stated the following:

Whether a company’s duty to preserve extends to backup tapes has been a grey area. As a result, it is not terribly surprising that a company would think that it did not have a duty to preserve all of its backup tapes, even when it reasonably anticipated the onset of litigation. Thus, UBS’s failure to preserve all potentially relevant backup tapes was merely negligent, as opposed to grossly negligent or reckless. Id. at 220.⁵

Developing procedures to manage document retention practices can be time-consuming and detailed; however, given the high cost of production during litigation and the potential costs of non-conformance, they are an essential management tool.

Considerations for Litigation

Rule 34. Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes

(a) In General. A party may serve on any other party a request within the scope of Rule 26(b):

1. to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control:
   1. any designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form; or
   2. any designated tangible things; or
2. to permit entry onto designated land or other property possessed or controlled by the responding party, so that the requesting party may inspect, measure, survey, photograph, test, or sample the property or any designated object or operation on it.⁶

In litigation, sweeping requests for production of documents can cause an organization to identify, locate, and catalog large categories of records. In today’s electronic world, records may be considered in a variety of sources, platforms, and media types forming a matrix of items that might be responsive to the request. The list below is merely a sample of the types of data that might be available within an organization.

Source

• Electronic office documents, such as Microsoft Word and Microsoft Excel
• Business applications, including enterprise resource planning (ERP) and financial systems
• E-mail records
• Paper documents, and paper documents scanned into digital archives
• Relational databases, such as customer relationship management (CRM) applications, timekeeping records, security access records
• Automotive infotainment systems

Storage Platform

• Internal server repositories
• Cloud-based repositories
• Local computer drives (e.g., laptop or desktop computers)
• Mobile devices (iOS, Android, Blackberry, Windows)

Media Type

• Removable media, including hard drives and flash drives
• Optical storage disks
• Magnetic tapes

Without proper planning, efforts to gather records responsive to the request and simultaneously limit the production to only those records responsive to the request can become a fairly large project. In practicality, many organizations formulate well-intentioned document retention procedures. However, the vast number of sources of data and storage locations for data often can outgrow the capabilities of the organization to handle all data according to those procedures. The document retention procedures of an organization, and the extent to which they are thoroughly executed, are key to identifying data that might be available to parties in a litigation setting; discovery needs and requests will naturally vary with the nature of litigation and the parties involved.

Discovery should include understanding the document retention procedures in place within the organization. This is most easily accomplished by requesting the organization’s document retention policies. All organizations are faced with retention requirements, if only those imposed by the taxing authorities. As organizations grow and become more complex, other retention requirements may come into play. The Securities and Exchange Commission (SEC) has a number of retention requirements placed on the issuers of financial statements; these were enhanced and clarified by the Sarbanes–Oxley Act. Other regulatory agencies, including the Occupational Safety and Health Administration (OSHA) and the Food and Drug Administration (FDA), also mandate retention standards for other organizations. Understanding the specific requirements that are mandated for an organization can provide adverse parties to litigation insight into data types that should be available for discovery and the periods for which such data should be available. Procedures should also define the method of retention, including the technical systems used to perform archival of data. Where cloud computing solutions are utilized for document retention, it will be important to understand the party that controls the relationship with the vendor, as that party would be considered in control of the data. Discovery requests should include the working storage location for the data, for example, a shared network drive, as well as the archival solution used for document retention.

Discovery should also include understanding, to the extent practicable, the systems that generate and store data that might be relevant to a case. If e-mail correspondence is relevant to a case, for example, requests should be made to identify the type of mail server employed by the organization (e.g., Microsoft Exchange), whether it is internally hosted or cloud based; if cloud based, the identity of the host; and whether a client program is used to locally access e-mail content (e.g., Microsoft Outlook). Understanding the technical implementation of systems can help clarify production requests, and provide a benchmark for data that would be expected to be available in response to those production requests.

Production requests should be written to include as many storage platforms and media types as are believed to be used by the organization. It is often possible that data has been removed from one storage platform, either intentionally or accidentally, but may still be available on a different platform or medium. For example, a critical document might have been stored on the network server, but is not available for production at the time a request is issued. A key employee, however, loaded the document on a flash drive to work on the document while on vacation, and returned from vacation and placed the drive in his or her desk. Likewise, relevant data may be available in system backup files and archive volumes. By considering all available data sources, the litigation team increases the chances that key information is produced.

A thorough understanding of the organization’s system backup procedures and document retention policies can enhance the discovery process for litigants and help ensure that all data relevant to the litigation is produced. Often, the use of specialists can help interpret the technological aspects of the document storage, as well as to help manage the volumes of data that may be produced. Robust document requests can be a double-edged sword: they can cause the opposing party to produce a large volume of data, however, that data will eventually need to be read or analyzed to provide value to the litigation team.