Please enjoy this co-authored blog post from Liz Bonelli, IT Analyst, Bayer U.S. LLC and Carolyn Robinson, eDiscovery Associate for the Americas - Office of the Regional General Counsel, Robert Bosch, LLC (RBNA) Legal Department.
To ensure your IT department acts responsibly while managing your company’s data, everyone who makes data-driven decisions needs a baseline understanding of 1. What a legal hold is 2. Why legal holds matter, and 3. What IT professionals should do when legal holds are in place in their company.
- What is a legal hold? The term “Legal Hold” refers to a process that an organization uses to satisfies an obligation to preserve potentially relevant information in connection with a certain legal matter. This obligation to preserve typically arises with pending or reasonably anticipated litigation, third party subpoenas, government investigations/audits or other matters. In essence, a company is under a duty to preserve all forms of relevant information when litigation is reasonably anticipated. For example, a Legal Hold could be in the form of an official document sent to users informing them of their obligation to preserve data related to a case or lawsuit identified or surrounding a product within the company. This process could have the potential for a user to respond positively or negatively about whether they manage data relevant to that case. It’s important to explain how legal holds work for your organization specifically, and the Legal department’s expectation for users who receive a legal hold notice.
- Why do legal holds matter? The bottom line is that mismanagement of data designated as “on hold” for any given matter could potentially cost your organization millions of dollars in sanctions if it appears relevant data/evidence is deliberately or inadvertently altered or destroyed in an active case. There is a risk that significant fines can be imposed, a complaint or specific means of defence can be dismissed or that a combination of these sanctions can be applied. As a result, not only will the outcome of the litigation be affected by an unfavorable defence position in litigation (reversal of the burden of proof to your company’s disadvantage), but your company’s reputation could be in jeopardy. An unwitting IT mistake can easily be misconstrued as destruction of evidence, and ignorance is no excuse. To help those outside of the Legal ecosystem understand, draw a comparison to the late night evidence destruction committed during the famous 2001 Enron Scandal (an extreme example most professionals should already be aware of) - your IT deletions may not be so global, but if you delete evidence relevant to an active legal matter, you could face negative press and reputational harm.
- What IT pros should do when legal holds are in place (Most importantly, who can appropriately delete data and when) Just because legal holds are in place in your company does not mean every piece of data should be retained indefinitely. Legal should lay out a defensible data deletion concept process for how they expect data to be managed, which could vary based on the size of your organization. A defined retention schedule can help define how long documents should be kept, if there are no legal holds in place. Well-defined backup schedules and automated deletion policies are also an important piece of this puzzle. In working with data owners, Legal should be able to collect data and pause automated deletions when they deem necessary, but otherwise data should be deleted according to the organization’s defined document retention policies / When you have a plan, and you stick to that plan, you lend credence to the argument that data was not deleted with malicious intent.
The most effective way to get your IT organization up to speed is to request that representatives throughout IT, if not all IT professionals, attend a presentation of these basics. This should be given by someone with both legal and technical knowledge, including an understanding of the IT organization, and the ability to weigh the practical with theoretical. Finally, ample time should be left for Q&A - there will certainly be questions.
It’s important to balance the healthy fear of what the organization could face if a mistake is made, with the confidence that comes with consistent and defensible deletion practices. When IT professionals know the right triggers and the right questions to ask, they can act as partners to ensure data is retained and deleted properly.