Jim Shook, Director in EMC’s eDiscovery and Compliance Field Practice, has published an article on the Kazeon blog called Activating Your Information Management Shield whose central part considers two cases where legal hold sanctions were threatened; both cases involved the deletion of data which ought to have been retained. One case turned, effectively, on the fact that the party had systems in place to preserve data even if they had not been effective in this case, and no bad faith was shown; the other is as yet undecided, but includes the complicating element that the legal hold in question was not the only reason why the data should have been preserved – there were professional and ethical reasons why it should have been kept anyway.
The main takeaway from Jim Shook’s article, for me anyway, comes at the end, and applies even outside the rigourous (is that a nice neutral word for it?) context of US litigation. Jim puts it this way:
We all know that litigation holds are difficult to implement and are almost never perfect. Sometimes something bad actually does occur – a custodian is inadvertently omitted, a handful of emails are lost. But more often, nothing bad happens at all. Still, even in those cases it can be difficult (and time-consuming and expensive) to fight off the other side’s claim that something “must have been lost.” A good information management policy, with tools and education to enable it, can go a long way towards showing good faith and protecting your organization from harm.
The risk management exercise, in other words, involves more than just the prospect of actually being punished for eDiscovery defects, whether that involves US-style sanctions or an indemnity costs order as one might get in the UK. What does it cost to resist the imputation, and what wider implications might ensue?
The metrics get difficult once one moves away from the simple (simplistic, indeed) aggregate of penalty plus legal costs. Sure, one can look back at an exercise which went badly and say that the penalty was X and the lawyers’ fees were Y, but that barely touches the total cost of management time and other resources, to say nothing of the corporate and personal downside which comes when the board or the shareholders wants to know how it happened.
The wider reputational consequences may seem unimportant – does anyone outside really care? One can answer that with examples even from the relatively benign UK experience:
- the criticism of the defendant in Earles v Barclays Bank which extended beyond the conduct of the litigation and back into their information governance.
- the mockery which greeted OFSTED’s failure to find documents in folders marked “Haringey Inquiry” in the Baby P litigation about…the Haringey Inquiry.
- the attacks on the British Army as a result of the Al Sweady case which went beyond their conduct of the case and the state of their information management and (unfairly in my view, whatever view one takes of the case) into wholesale criticism of the army itself.
- the very public criticism of the Murdoch media empire on a range of fronts, whose depths we have yet to plumb.
In each of these cases, the bare cost in cash terms, however large, is trivial compared with the wider consequences of management time and public perception. Keen though I am on metrics (in this context, the balance between last year’s cost of paying the price case by case and the cost of investing to reduce the risk of it happening next year) some elements do not have a measurable price tag.
As Jim Shook says, companies must have a “good information management policy, with tools and education to enable it”. In considering what is worth doing and what is worth spending, you need to think beyond the mere risk and quantum of possible court sanctions and beyond even the total outlay of cash and resources under other headings. What is the true business cost of facing the imputation that data has been lost?
One might go beyond even that and ask what positive benefits ensue from being in control of the company’s stocks of information?