A Foundation for Responding to Litigation

Ronald J. Hedges

The relationship between an organization’s

information-handling practices and the impact

those practices have on its ability to respond

to electronic discovery is recognized in the

Electronic Discovery Reference Model (EDRM).

But the EDRM falls short of describing

standards or best practices that can be applied

to the complex issues surrounding the creation,

management, and governance of electronic

information. ARMA International’s Generally

Accepted Recordkeeping Principles® and its

information Governance Maturity Model are

designed specifically to provide a scalable, broadly

applicable framework to address these issues.

Note: Subsequent to this paper’s first publication, the EDRM developed the InformationGovernance Reference Model (IGRM), which depicts a framework for unified informationgovernance and complements the metrics defined by ARMA International’s InformationGovernance Maturity Model. Learn more at www.edrm.net/projects/igrm.

he Information Governance Ma-turity Model (the Model) offers anapproach to records managementthat may be of assistance to anyorganization, private or public, inprotecting itself in the use of in-formation assets, complying withapplicable legislative and regula-

tory mandates, and designing and imple-menting effective records managementprograms. It focuses on the internal needs oforganizations, including their obligation torespond to government investigations and toengage (or be engaged) in litigation. Thiswhite paper looks to the Model in the con-text of both investigations and litigation.

An Overview of Government Investigations

For many organizations, government in-vestigations are a fact of life. The statutoryand regulatory net is wide and, depending onthe nature of an organization, there may bemultiple investigations at one time.

The reader should think of a spectrumin the context of investigations. Organiza-tions in heavily regulated industries (such asenergy and pharmaceutical) are routinelysubject to government oversight and inquiry.At the other end of the spectrum may be or-

ganizations that do not routinely draw the at-tention of elected officials, regulators, or lawenforcement. Even at this end, however, in-quiries into workplace safety or employmentpractices should not be unexpected.

What investigations have in common aretheir potential broad sweep and the lack of ju-dicial intervention to limit any such sweep.For example, in FTC v. Church & Dwight Co.,2010 WL 4283998 (D.D.C. Oct. 29, 2010), thecourt enforced a subpoena and civil inves-tigative demand that called for the produc-tion of documents and electronically storedinformation (ESI) from a Canadian sub-sidiary of Church & Dwight Co. related to anantitrust investigation of a domestic market.In doing so, the court recognized the broadscope of authority conferred on the FederalTrade Commission and found that the infor-mation sought was of “reasonable relevance”to the investigation. Nothing more wasneeded.

For another example of the broad defer-ence given to government agencies, look to Inre Subpoenas,2010 WL 841258 (W.D. Va. Mar.10, 2010), in which the court found investiga-tive subpoenas into possible federal violationsarising out of the marketing of a drug and forrelated health fraud to be “reasonable” underthe Fourth Amendment as the information

sought was relevant to the investigation.Government investigations can require

the production of large volumes of informa-tion – in the form of paper or ESI – andcourts are unlikely to intervene in favor of anorganization under investigation. The Modelprovides a process that may help an organi-zation organize its information assets and re-spond to investigatory demands.

An Overview of LitigationAn organization must foresee participa-

tion in litigation, be it as a plaintiff, a defen-dant, or a nonparty subject to a subpoena.Litigation, so defined, may be rare or fre-quent. Nevertheless, we live in a litigious so-ciety. The Model, once again, provides ameans by which an organization can respondto the imperatives of litigation, be it pendingor reasonably anticipated.

To understand those imperatives, thinkagain of a spectrum, illustrated for the pur-poses of this white paper by the ElectronicDiscovery Reference Model (EDRM) shownbelow.

The EDRM recognizes the spectrum ofinformation management in the context oflitigation. Before litigation, an organizationmaintains information to comply with lawsor regulations and to meet its business needs.

T

Source: EDRM (edrm.net)

2

3

We can define these as “records.” This is whererecords management begins in the classicsense. An organization can – and should –create, implement, and evaluate records re-tention policies pursuant to which records arekept and, when appropriate, destroyed.

When litigation begins or is reasonablyforeseeable, a duty arises to preserve “relevantinformation,” which goes beyond what theorganization treats as “records” to encompassall media on which relevant information maybe recorded, from the most formal report tothe board of directors to the most informaland transitory text message. If the informa-tion is relevant to the subject matter of thedispute, broadly defined, it becomes subjectto a litigation hold. This hold is imposed bylaw and requires an organization to preserveinformation that it might otherwise routinelydestroy.

Again, what is “relevant” is generallybroadly defined, at least before adversary par-ties agree on narrowing the scope of whatmust be preserved or a party seeks judicial in-tervention to narrow scope. As we will see,failure to comply with a litigation hold can,under certain circumstances, have severe con-sequences. Simply put, the loss of informa-tion subject to a hold is called spoliation.

After information is preserved, it mustbe reviewed, the information may be subjectto disclosure and discovery by other parties,and, at some point, the information mayneed to be admitted into evidence. TheERDM recognizes the spectrum, as does the“Flow of Litigation” chart on page 4.

Note, again, the theme of a spectrum:The litigation hold may be “triggered” at dif-ferent times for different parties, but the holdruns throughout the course of a given litiga-tion and across various events that may occurbefore litigation is commenced and even afterlitigation is concluded.

Any response to actual or threatened lit-igation begins with a records retention pol-icy, assuming it exists. Once there is a trigger,an organization imposes a preliminary hold,begins to preserve, and identifies sources (orrepositories) of information that must bepreserved. Note that there are two constantsthat run through litigation:1. Preservation of information subject tothe hold

2. An ongoing review and refinement of thehold, as well as the periodic reissuance oflitigation hold noticesNothing is necessarily static with regard

to the scope of preservation but, instead, par-ties should confer with regard to scope and, ifnecessary, seek judicial assistance.

Preservation,of course, is not to be seenin isolation. Once information is preserved,the information must be reviewed todetermine if it is in fact relevant and, if so,whether the information may be withheldfrom disclosure to other parties by reason of,for example, confidentiality or privilege.

After this review, and perhaps subject toa protective order under Rule 26(c) of theFederal Rules of Civil Procedure (FRCP) ora nonwaiver agreement or order under Rule502(d) or (e) of the Federal Rules of Evi-dence, the information should be disclosedin discovery and, perhaps, introduced intoevidence.

The “Flow of Litigation” chart offers aconcise overview of the various stages of acivil action in U.S. courts. Remember, this isjust an overview and that events – and costs –may vary on an action-by-action basis.

Note also that there should come a pointwhen the duty to preserve ceases and an or-ganization’s records retention policies againcontrol the destruction of information.

What can go wrong when an organiza-tion finds itself in litigation? One leading ju-dicial decision that offers a variety of errorsthat can occur at the earliest stage, that ofthe establishment and implementation of alegal hold, is Pension Committee of the Uni-versity of Montreal Pension Plan v. Banc ofAmerica v Securities LLC, 685 F. Supp. 2d 456(S.D.N.Y. 2010). This lengthy decision, au-thored by United States District Judge ShiraA. Scheindlin, gives numerous examples ofactions by a number of plaintiffs that led tothe loss of relevant information, including:• The failure to issue a written litigationhold

• The failure to stop the routine deletionof information after a hold was issued• The failure to secure information from“key players” (employees having infor-mation subject to the duty to preserve)• The failure of management to supervisewhen delegating search efforts to others.

Scheindlin analyzed each failure within aframework of whether the failure was the re-sult of gross negligence, negligence, or willfulmisconduct and imposed appropriate sanc-tions, including spoliation sanctions, whichalter the ordinary burden of proof in litiga-tion and allow juries to presume missing factsor make adverse inferences.

Decisions that cite to and follow PensionCommittee include Crown Castle USA Inc. v.Fred A. Nunn Corp., 2010 WL 4027780(W.D.N.Y. Oct. 14, 2010), in which a duty topreserve had been triggered when employeesdiscussed possible insurance claims and anin-house attorney labeled communicationsas being subject to attorney-client privilegeor work product protection.

For a decision that questions the needfor a written hold notice in every instance(suggested by Pension Committee to be agrossly negligent act), see Orbit One Com-munications, Inc. v. Numerex Corp., 2010 WL4615547 (S.D.N.Y. Oct. 26, 2010). The pointhere is that reading Pension Committee andother judicial decisions can lead to the devel-opment of best practices that benefit, ratherthan harm, organizations.

The reader should be aware that thestandards for spoliation vary in different ju-risdictions (federal and state) across the na-tion. For examples of these variations, seeVictor Stanley, Inc. v. Creative Pipe Inc., 2010U.S. Dist. LEXIS (D. Md. Sept. 9, 2010), af-firmed and rejected in part, Civil Action No.MJG-06-2662 (D. Md. Nov. 1, 2010) andRimkus Consulting Grp. v. Cammarata, 688 F.Supp. 2d 598 (S.D. Tex. 2010).

The reader should also think of sanc-tions for spoliation in the context of a trilogy

When litigation begins or is reasonably foreseeable,a duty arises to preserve “relevant information,”which goes beyond what the organization treats as“records” to encompass all media on which relevantinformation may be recorded ...

4

of the scienter (or state of mind) of the spo-liator, relevance of the information destroyedor lost, and prejudice to the party that was de-prived of the information.

Mere negligence, without a demonstra-tion that the missing information was rele-vant or harmed the ability of the requestingparty to conduct the litigation, will seldomresult in more than a slap on the wrist.

The more egregious the conduct, how-ever, the more likely the court will allow a juryto presume that the missing evidence was rel-evant and that its loss prejudiced the request-ing party.

But in most circumstances, all three ele-ments – a culpable state of mind, relevance of

the missing information, and prejudice to therequesting party – must be proven for a se-vere sanction, such as default judgment ordismissal of the action, to be imposed.

The duty to preserve can also have a widesweep. For example, a party may be deemedto have “possession, custody, or control”under Rule 34(a) of the FRCP over informa-tion held by another entity by reason of con-tract. Thus, the party may be required to takesteps to preserve and produce that informa-tion.1 See, for example, Goodman v. PraxairServ., 632 F. Supp. 2d 494 (D. Md. 2009) andInnis Arden Golf Club v. Pitney Bowes, Inc., 629F. Supp. 2d 175 (D. Colo. 2009), two judicialdecisions that reached different conclusions

over a party’s “control” of a consultant underthe facts presented.

As Pension Committee and numerousother decisions illustrate, preservation has itspitfalls. This white paper now returns to theModel and suggests how those pitfalls may beavoided or, at the least, minimized in an or-ganization’s management of whatever“records” may be defined to be.

Applying the Model toLitigation and Investigations

The Model speaks of Generally Ac-cepted Recordkeeping Principles® and, ineach, establishes levels that an organizationmay aspire to and reach.2 (See page 7 for a full

1 Organizations that use web-based services to create or store information (e-mail, for example) must consider the legal risks this presentsin terms of their ability to locate, segregate, maintain integrity of, and access that information. For guidance, see Guideline for Outsourc-ing Records Storage to the Cloud. Overland Park, Kansas: ARMA International, 2010.

Source: Ronald J. Hedges. Used with Permission.

and there is no apparent or well-defined ac-countability for compliance.” Moreover, al-though the organization has some “holdprocess,” that process is “not well-integratedwith the organization’s information man-agement and discovery processes.”

As with level 1, level 2 is not a place for

an organization to be when faced with aninvestigation or litigation. The organizationhas tried, but it is not yet in compliance withlegal or business requirements. Likewise, al-though the organization recognizes the dutyto preserve, the organization’s preservationprocess is not thorough. Although every or-ganization must be at level 2 at some pointin its corporate existence, the organizationappears ripe for a finding of, at the least,negligence, should it lose information.

Level 3 – EssentialLevel 3 finds the organization on safer

grounds. Here, again among other things,the organization has “identified all relevantcompliance laws and regulations.” The or-ganization has “systematically carried out”its creation and “capture” of records. The or-ganization has a “strong code of businessconduct” and has integrated its litigationhold process into “information manage-ment and discovery processes for the ‘mostcritical’ systems.”

At level 3, an organization is likely tomeet its preservation obligations and, just asimportantly, be able to demonstrate to a reg-ulator or court what it did to preserve, whatit did or did not preserve before a hold wentinto effect, and what it can or cannot pro-duce.

Perhaps more importantly from a riskmanagement viewpoint, an organizationthat has attained level 3 has a strong argu-ment that it is entitled to the protection ofFRCP 37(e) (and its equivalent in manystates), which would shield it from a sanc-tion imposed under the rules for the unin-tentional loss of relevant ESI due to theroutine operation of its electronic informa-

5

description of the principles.) The princi-ples are:• Accountability• Transparency• Integrity• Protection• Compliance• Availability• Retention• DispositionWithin each principle are the levels.

These are:• Level 1 (Sub-Standard)• Level 2 (In Development)• Level 3 (Essential)• Level 4 (Proactive)• Level 5 (Transformational)This white paper will use, as an exam-

ple, the first principle and “fit” the possiblelevels of that principle into the investiga-tions and litigation frameworks describedabove.

The Principle of Compliance The Principle of Compliance states that,

“[t]he recordkeeping program shall be con-structed to comply with applicable laws andother binding authorities, as well as the or-ganization’s policies.”

Level 1 – Sub-StandardLevel 1 is where, among other things,

there is “no clear definition of the recordsthe organization is obligated to keep” and“no central oversight and no consistentlydefensible position.” Plainly, this level is arecipe for disaster for any organization thatmust respond to an investigation or litiga-tion.

The organization at level 1 does notknow what its records are, must respond toinquiries and demands on an ad hoc basis,and cannot demonstrate any rational meansto respond. Under the teaching of PensionCommittee, this organization would likely befound to be grossly negligent should it failto preserve (or produce) information.

Level 2 – In DevelopmentAt level 2, the organization has “identi-

fied the rules and regulations that govern itsbusiness and introduced some compliancepolicies … but “[p]olicies are not complete

tion system, such as the loss of data attrib-utable to an auto-delete function or the re-cycling of backup media.

Level 4 – ProactiveLevel 4 should bring an organization

even more comfort. Among other things,

systems have been implemented to “captureand protect records.” Metadata is availableto “demonstrate and measure compliance.”There are regular audits and training of em-ployees. Lack of compliance is “remediedthrough implementation of defined correc-tive actions.”

All these features are available to an or-ganization when it must demonstrate to acourt and regulator what it can and cannotdo, and militate in favor of the court or reg-ulator finding that the organization acted ingood faith and complied with its obligationsin a reasonable and demonstrable manner.

Level 5 – TransformationalAt level 5, “[t]he importance of com-

pliance and the role of records and infor-mation…are clearly recognized at the seniormanagement and board levels.” Moreover,among other things, “[t]he roles andprocesses for information management anddiscovery are integrated.” This featureplainly describes why an organization mightelect to reach level 5: “The organization suf-fers few or no adverse consequences basedon information governance and compliancefailures.”

The reader should look at each of theother principles and fit each level into theframeworks of government investigationsand litigation, as did this white paper withthe Principle of Compliance.

The Principle of DispositionThis white paper has applied the Model

to litigation and investigations and, for il-lustrative purposes, focused on the Princi-ple of Compliance. The white paper is notintended to minimize the importance of any

… why an organization might elect to reach level 5:“The organization suffers few or no adverseconsequences based on information governanceand compliance failures.”

6

other principle to a successful recordsmanagement program. However, andagain for illustrative purposes only, thereshould be some reference to the Principleof Disposition.

This principle states: “An organizationshall provide secure and appropriate dis-

position for records that are no longer re-quired to be maintained by applicable lawsand the organization’s policies.”

At level 4, “[d]isposition proceduresare understood by all and are consistentlyapplied,” and, vital for the purposes of thiswhite paper, “[t]he process for suspendingdisposition due to legal holds is defined,understood, and used consistently acrossthe organization.”

The maturity reflected in level 4should be of great benefit to any organi-zation that finds itself entangled in a gov-ernment investigation or litigation, eitheras a party or a third-person respondent toa subpoena. The organization has in placesystems to capture and protect informa-tion, has a well-managed litigation holdprocess in place, and understands the needto make any litigation hold effective.

Moreover, the organization recog-nizes that disposition of records is subjectto the duty to preserve and that, once theduty no longer exists, disposition becomesappropriate subject to any records man-agement policies. The protection affordedby Rule 37(e) of the FRCP (see above)should also be available to an organizationat level 4.

Why is disposition important?3 First,although information can be an asset, itcan also be a burden; records managementimposes costs, both in personnel andother resources. Those costs can be man-aged through the creation and enforce-ment of records retention policies.

Second, the failure to dispose ofrecords simply increases the volume of in-formation that an organization possesses,along with the possible need to identifyand process information (with backupmedia being the perfect example) for fu-ture investigations or litigation. There ap-

pears to be no good reason to keepinformation that an organization does notneed to keep.

ConclusionWhen the reader looks at each principle

and level under the Model, its application tolitigation and investigations should spring tomind. Sub-standard levels of performance in-voke the specter of findings of gross negli-gence or negligence in litigation. Likewise,failures to adequately respond to governmentinvestigations can have nothing other thanbad consequences.

Accordingly, this white paper suggests thatas organizations engage in cost-benefit analy-ses to decide which level is appropriate undereach principle, only levels 3 and 4 are sufficientto manage both compliance and businessneeds. Level 5, the transformational level, is, ofcourse, an ideal to aspire to. Nevertheless, thiswhite paper acknowledges the costs inherentin reaching level 5 and acknowledges how dif-ficult it is to reach that ideal.

Indeed, as the reader looks at the Modeland considers Pension Committee and otherdecisions, several conclusions can be drawn:• As these decisions make clear, however aparticular organization chooses whichlevel and principle to meet, the cost-ben-efit analysis must consider, among otherthings, the degree to which the organiza-tion expects to become involved in litiga-tion or investigations and the expense ofestablishing or implementing a legal holdprogram.

• Any cost-benefit analysis must involvecounsel, whether in-house or retained, toinform management of the contours oflitigation and investigations and what or-ganizations can expect.This white paper has explored the inter-

play between records management andlitigation or investigations. It advocates ap-plication of the Information GovernanceMaturity Model from a merged perspective:one that recognizes that the best recordsmanagement policies anticipate the demandsof litigation and investigations.

Levels 1 and 2 are not where organiza-tions want to be. Levels 3 and 4 are adequatefor the tasks of preservation and production.Plainly, level 5 is where every organizationwould like to be, depending on the resourcesand leadership available.

About the AuthorRonald J. Hedges served as a United StatesMagistrate Judge in the District of New Jerseyfrom 1986 to 2007. He is a member of theadvisory board of The Sedona Conference® andseveral of its working groups, including thoseaddressing e-discovery and records manage-ment. Hedges is also a member of the advisoryboards of the Corporate Counsel and AdvancedE-Discovery Institutes of Georgetown Univer-sity Law Center, where he serves on the adjunctfaculty and teaches e-discovery and evidence.Since 2010, he also has been a visiting researchcollaborator at the Center for InformationTechnology Policy at Princeton University. He isthe author of numerous publications, includingDiscovery of Electronically Stored Informa-tion: Surveying the Legal Landscape. Hedgesconsults on varied topics, including e-discoveryand records management. He may be contactedat r_hedges@live.com.

AcknowledgementsThe author and ARMA International alsowish to acknowledge Kenneth J. Withers, Di-rector, udicial Education and Content, TheSedona Conference®, www.thesedonacon-ference.org, for his valuable contributionsto this paper.

3 For a discussion of how an organization might implement disposition, see Contracted Destruction for Records and InformationMedia. Overland Park, Kansas: ARMA International, 2009.

The maturity reflected in level 4 should be of greatbenefit to any organization that finds itself entangledin a government investigation or litigation, either as aparty or a third-person respondent to a subpoena.

7

Records and recordkeeping are inextricably linked with any organized activity.As a key resource in the operation of any organization, records must be created,organized, secured, maintained, and used in a way that effectively supports the

activity of that organization, including:

• Facilitating and sustaining day-to-day operations• Supporting predictive activities such as budgeting and planning• Assisting in answering questions about past decisions and activities• Demonstrating and documenting compliance with applicable laws, regulations, and standards

These needs can be fulfilled only if recordkeeping is an objective activity, insulated from individual and or-ganizational influence or bias, and measured against universally applicable principles. To achieve this trans-parency, organizations must adhere to objective records and information management standards andprinciples, regardless of the type of organization, type of activity, or the type, format, or media of the recordsthemselves. Without adherence to these standards and principles, organizations will have poorly run opera-tions, legal compliance failures, and – potentially – a mask for improper or illegal activities.

Principle of AccountabilityAn organization shall assign a senior executive who will oversee a recordkeeping program and delegateprogram responsibility to appropriate individuals, adopt policies and procedures to guide personnel, andensure program auditability.

Principle of Integrity A recordkeeping program shall be constructed so the records and information generated or managed by or forthe organization have a reasonable and suitable guarantee of authenticity and reliability.

Principle of Protection A recordkeeping program shall be constructed to ensure a reasonable level of protection to records andinformation that are private, confidential, privileged, secret, or essential to business continuity.

Principle of Compliance A recordkeeping program shall be constructed to comply with applicable laws and other binding authorities,as well as the organization’s policies.

Principle of Availability An organization shall maintain records in a manner that ensures timely, efficient,and accurate retrieval of needednformation.

Principle of Retention An organization shall maintain its records and information for an appropriate time, taking into account legal,regulatory, fiscal, operational, and historical requirements.

Principle of Disposition An organization shall provide secure and appropriate disposition for records that are no longer required to bemaintained by applicable laws and the organization’s policies.

Principle of Transparency The processes and activities of an organization’s recordkeeping program shall be documented in an under-standable manner and be available to all personnel and appropriate interested parties.

ARMA International (www.arma.org) is a not-for-profit professional association and the authority on managing records and in-

formation. Formed in 1955, ARMA International is the oldest and largest association for the records and information management

profession and is known worldwide for setting records and information management (RIM) standards and best practices, and for

providing comprehensive education, publications, and information on the efficient maintenance, retrieval, and preservation of in-

formation created in public and private organizations in all sectors of the economy.

11880 College Blvd., Overland Park, KS 66210913.341.3808 • 800.422.2762 • fax: 913.341.3742

headquarters@arma.org • www.arma.org

©2011 ARMA International, reprinted with minor revision 2012; www.arma.org