
Feature

posted 26 Apr 2005 in Volume 7 Issue 10

Risk e-business: Minimising the perils of an electronic world

The legal market has changed dramatically in recent years, with technology enabling greater speed, volume and efficiency across all business processes. But with such advances come a range of dangers, the worst of which could seriously unhinge a law firm that does not even realise the peril until it is too late. Guy Hodgson, a partner at Mills & Reeve, assesses the changing market and the steps firms must take now to reduce the risks.

As we all know, life is inherently risky. Put simply, it is impossible to avoid risk, but we can behave in ways that reduce the inherent risks of our activities. The first step to managing risks is to identify them. Some of the risks that we face through electronic communication are:

  • Non-delivery: e-mails blocked by the recipient organisation without reference to the sender or the intended recipient;
  • Misdirection: sending e-mails to the wrong person by choosing the wrong address when using predictive e-mail, for example, addressing Stephen Thompson rather than Steven Thompson;
  • Delayed receipt: either due to an absent recipient having no ‘out of office’ reply or a system failure;
  • Breach of confidence: through misdirection or by delivery of the document with metadata attached, including information about the document or file such as the dates of creation and modification, the authorship history and details of the route the e-mail has followed;
  • Interception: e-mail is not secure;
  • Lack of integrity: the possibility of editable documents being tampered with;
  • Loss of data: through a system failure without adequate back-up;
  • Undisciplined use: committing indiscreet comments to e-mail;
  • Breach of regulation: for example, the Data Protection Act;
  • Spoliation (see below).

Why is this important?

There are a number of reasons. At the forefront of these are money and reputation. By way of example, consider the impact on the companies concerned of the following events:

CIBA-Geigy (1995)
This pharmaceutical multinational was ordered to produce e-mail documentation during a 1995 case against it. The company contested the order on the basis that it was “untimely, overly broad and overly burdensome”. It was eventually made to comply with the order, being forced to search through 30 million e-mail messages at a cost of some £60,000.

Norwich Union (1997)
In a well publicised case, Norwich Union was forced into an out-of-court settlement for alleged defamation by e-mail against a competitor, Western Provident. The objectionable e-mail falsely claimed that Western Provident was insolvent. By the time a writ was issued, the relevant e-mails had been deleted within Norwich Union, which was subjected to an order to search its back-up systems to retrieve the data. To settle, Norwich Union made a public apology, and paid £450,000 and costs.

Merrill Lynch (2002)
While talking up the prospects of the high-tech companies they were hoping to float, Merrill Lynch’s highly rated investment analyst Henry Blodget and some of his colleagues were advising private-investment clients to steer clear of many of the very same companies. Blodget, unfortunately from Merrill Lynch’s point of view, used e-mail to do so. Regulatory investigation followed, during which Blodget’s e-mails were considered. Some of these described Merrill Lynch’s recommendations as poor.

Reportedly, a staggering $100m was paid out in penalties.

Arthur Andersen
It is hard to imagine a more extreme example of a misguided attempt at risk management than that which was central to the demise of this firm. In January 2002, David Duncan, partner in charge of Enron at Arthur Andersen’s Houston office, was dismissed for what was described as “an expedited effort to destroy documents”. While the systematic shredding of documents by Duncan and his team is well known, their sins extended to the deletion of e-mails. As one of the investigators colourfully said to Duncan: “Enron robbed the bank, Arthur Andersen provided the getaway car and they say that you were at the wheel.”

Marsh
More recently, Marsh’s difficulties have been well reported, leading to a reported settlement with Marsh providing a compensation fund of $850m. It is apparent from the complaint brought by Eliot Spitzer, the New York attorney general, that e-mail provided much of the evidence on which the complaint was based. By way of example, an internal e-mail between ACE employees states: “Original quote $990,000… We were more competitive than AIG in price and terms. MMGB [Marsh] requested we increase premium to $1.1m to be less competitive, so AIG does not loose [sic] the business…”

Another e-mail, from a European company with which Marsh had a trading relationship, discloses ethical concerns: “This idea of ‘throwing the quote’ by quoting artificially high numbers in some predetermined arrangement for us to lose is repugnant to me, not so much because I hate to lose, but because it is basically dishonest…”

Iraq dossier
The above examples relate to e-mail use or policies for retaining and backing-up data. As other well publicised stories reveal, however, the risks are broader.

The so-called ‘dodgy dossier’, prepared in support of the Iraq war, was posted on the internet as a Word document. Analysis of hidden information in the document showed, among other things, the names of the four civil servants who worked on it.

As a result, Alastair Campbell, then head of the Downing Street press office, had to explain who these people were to the House of Commons Foreign Affairs Select Committee, which was investigating the genesis of the plagiarised document.

It is perhaps no coincidence that the UK government has now largely abandoned Microsoft Word for documents that become public and has turned to documents converted to Portable Document Format (PDF).

Internet banks
One of a number of recent internet-banking stories illustrates the impact of errors in client-facing technology applications.

Cahoot, an internet-banking facility run by Abbey bank, did not generate the goodwill that it doubtless hoped for when recently upgrading. The website was closed down for ten hours to carry out urgent repairs. This followed the discovery by a Cahoot customer that he could access the website with only a user name.

Tim Sawyer, head of Cahoot bank, said: “I believe that we need to look closely at our processes because this has not been our greatest moment.”

But Cahoot’s pain does not stop with this adverse publicity as it is likely to face an investigation from the Information Commissioner’s Office, the organisation that oversees data protection.

These examples have been in the news because of the nature of the businesses and the seriousness, scale and notoriety of the issues concerned. There are a number of threads that apply to the risk management of professional firms, both in respect of potential professional claims brought by clients or former clients, and in relation to professional-conduct issues or claims brought by employees.

Zubulake v UBS Warburg No 5

What standards are we expected to meet in terms of retention and management of electronic documents? Guidance is provided by an American decision of July 2004, Zubulake v UBS Warburg No 5, which is also being treated as influential on this side of the Atlantic.

In a sex-discrimination, failure-to-promote and ‘retaliation’ claim against her former employer, Laura Zubulake, an equities trader who had been on a salary of $650,000, requested that UBS produce “[a]ll documents concerning any communication by or between UBS employees concerning the plaintiff”. UBS produced 350 pages of documents, including approximately 100 pages of e-mail.

Zubulake knew that additional e-mails existed, which UBS had failed to produce, because she had in her possession approximately 450 pages of e-mail correspondence. She requested that UBS produce the missing e-mails from back-up tapes.

Claiming undue burden and expense, UBS urged the court to shift the cost of production to Zubulake on the basis that this electronic data was relatively inaccessible. The court ordered UBS to produce, at its own expense, all relevant e-mails existing on its optical disks, active servers, and five back-up tapes as selected by Zubulake, stating that only after the contents of the back-up tapes were reviewed and UBS’s costs were quantified would it be appropriate to consider whether Zubulake should bear the costs. This was a significant order as UBS estimated that the recovery costs would be $175,000. This summary accounts for the first three Zubulake decisions.

In Zubulake 4, after the parties discovered that certain back-up tapes were missing and that e-mails had been deleted, the court held that even though Zubulake had not by the relevant time brought a claim, there was an obvious prospect that a claim might be brought. For this reason, the court found that UBS had a duty to preserve the missing evidence, even before the claim was made, since it should have known that the e-mails may be relevant to future litigation. The court also found that UBS failed to comply with its own retention policy, which would have preserved the missing evidence.

There is currently no duty in our jurisdiction on a party to retain documents pending an order for disclosure, although there is, of course, a duty on lawyers to advise clients to retain relevant documents. The Cresswell Report (see below) questions whether parties should be subject to an earlier duty to identify and retain documents.

These skirmishes set the scene for Zubulake 5. As the judge held that UBS had wilfully deleted relevant e-mails, despite contrary court orders, she granted Zubulake’s motion for sanctions. Significantly, because this ‘spoliation’ was wilful, she directed that the lost information should be presumed relevant. She observed that the late disclosure had additionally resulted in a ‘self-executing sanction’.

This was because some UBS staff had already given testimony that was contradicted by the newly discovered evidence. Unsurprisingly, the court refused to alter the burden of the cost of producing the evidence from back-up.

I referred earlier to spoliation as an e-risk. The judge defined this as “the destruction or significant alteration of evidence, or the failure to preserve property for another’s use as evidence in pending or reasonably foreseeable litigation.”

The judge ruled that the defence lawyers were partly to blame for the loss of documents because they had failed to locate, preserve and promptly produce relevant information. She held that affirmative steps must be taken to monitor compliance so that all sources of discoverable information are identified and searched. This is a high standard, apparently applied to in-house and external lawyers. Her further statement that “both counsel and client must take some reasonable steps to see that sources of relevant information are located” sits comfortably with the requirements of proportionality under the Civil Procedure Rules. Reasonable steps were defined as:

  1. Issuing a litigation hold over relevant documents;
  2. Communicating directly with the key players in connection with their duty to preserve evidence, additionally providing periodic reminders;
  3. Instructing all employees to produce electronic copies of their relevant active files and ensure that all relevant back-up media is identified and stored in a safe place.

Ineffective communication with IT personnel was identified as a primary reason for the loss of electronic data.

The Cresswell Report

What is the English position? This has recently been considered by the Cresswell Working Party (Cresswell).

The disclosure duties of a litigant are to disclose documents on which he relies and those that either adversely affect his or another person’s case, or support another party’s case. In relation to electronic documents, most controversy arises over the extent to which a party is expected to carry out a search for them. A reasonable search has to be carried out, which depends on the number of documents involved, the nature and complexity of the proceedings, the ease and expense of retrieval of any particular document and the significance of any document that is likely to be located during the search.

In considering this issue, Cresswell identifies five categories of documents:

  1. Active or online data (for example, documents held on hard drives, filed documents and e-mail inbox and sent items);
  2. Embedded data or data that is not normally visible when a document is printed, although it can be viewed on screen;
  3. Replicant data (otherwise known as temporary files or file clones), which is automatically created by desktop computers, for example, to save a document if there is a program failure;
  4. Back-up data or data held in a storage system. Most organisations use back-up data to preserve information in the case of disaster. This can be in a variety of forms and is usually compressed, making it difficult and costly to retrieve;
  5. Residual data or material deleted from the user’s active data and stored elsewhere on the database, which can usually be retrieved with sufficient expertise and time.

These categories sound as though they are the realm of our IT departments, not lawyers. However, research suggests that in the business world, 90 per cent of documents are created and stored electronically, with a huge proportion of these not being converted into paper copies. Inevitably, therefore, in managing our own risks and advising our clients in the management of their risks, we are plunged into the electronic arena.

Cresswell recognises that it is not just the scale of our reliance on electronic documentation that complicates disclosure, but also:

  • The ease with which electronic documents can be duplicated;
  • The lack of order in their storage;
  • The differing retention policies of organisations;
  • The existence of metadata;
  • The difficulty of disposing of electronic documents;
  • The fact that deletion of e-mails or electronic files does not usually erase the data from the computer’s storage system;
  • The lack of guidance in the Civil Procedure Rules.

Cresswell acknowledges that all of this raises new challenges for businesses, lawyers and their respective IT departments, with significant cost consequences, in that a party to litigation will, in relation to electronic documents, have to:

  • Identify how many of the case-relevant documents have been created by electronic means;
  • Identify whether these electronic documents have been preserved and where they might be stored;
  • Search for, and retrieve, any relevant electronic documents;
  • Conduct a review of the electronic documents;
  • Produce the electronic documents, ideally, in an agreed format.

The report identified that disputes are arising as to:

  • The number of individuals to be included in a search;
  • How many replicated versions of an e-mail should be searched for;
  • What key words should be used for the search;
  • Whether a search should be restricted to e-mail folders, or whether it should extend to word-document systems, accounting and other databases, laptop computers, Blackberrys and mobile phones;
  • The number of business locations and departments that should be searched.

The Cresswell Report identifies that proportionality will provide the basis for resolving these issues. It recommends changes in the Rules to deal specifically with electronic data and documents, both by expressly including the types of electronic documents referred to above, including metadata, and by providing a framework for co-operation between the parties as to disclosure of electronic documents, and identifying factors that may be relevant in deciding the reasonableness of a search for electronic documents.

Managing the risks

Most of the risks identified above arise from human error. Fundamentally, disciplined use of e-mail and adherence to appropriate e-mail policies remove most of the day-to-day risks of communicating in an electronic world. Just as each letter should be written with the care that would be taken if it were to be read in court, so should the same rigour be applied to the drafting and approval of e-mails.

Human error in the operation of e-mail systems is one of the two most obvious candidates for risk-management attention. The other is the IT infrastructure. Some of the obvious solutions are:

  • Security policies, for example, password regimes;
  • Firewalls;
  • Encryption capability;
  • Mail filtering;
  • Metadata stripping;
  • Document-management systems, version control, document comparison, collaboration, etc.
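
An added example (not part of the original article) of the metadata check and stripping step listed above, applied to the .docx (OOXML) format rather than the older binary .doc format. The function names and the names in the sample file are constructed for illustration; the stripped file is re-audited with a real XML parser to confirm nothing identifying remains.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, use defusedxml instead

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy")  # identity-bearing properties
W_AUTHOR = "{%s}author" % NS["w"]  # attribute set on tracked changes and comments

def audit_metadata(docx: bytes) -> dict:
    """Report the personal names a .docx would disclose to its recipient."""
    core, authors = {}, set()
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if name == "docProps/core.xml":
                root = ET.fromstring(z.read(name))
                for field in CORE_FIELDS:
                    node = root.find(field, NS)
                    if node is not None and node.text:
                        core[field] = node.text
            elif name.startswith("word/") and name.endswith(".xml"):
                for el in ET.fromstring(z.read(name)).iter():
                    if W_AUTHOR in el.attrib:
                        authors.add(el.attrib[W_AUTHOR])
    return {"core": core, "revision_authors": sorted(authors)}

def strip_metadata(docx: bytes) -> bytes:
    """Blank identity fields via byte edits (assumes Word's dc:/cp:/w: prefixes)."""
    # Text inside tracked deletions stays: accept or reject changes before sending.
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                data = re.sub(rb"(<(?:dc:creator|cp:lastModifiedBy)>)[^<]*", rb"\1", data)
            elif name.startswith("word/") and name.endswith(".xml"):
                data = re.sub(rb'(\bw:author=")[^"]*', rb"\1Author", data)
            dst.writestr(name, data)
    return out.getvalue()

def build_sample_docx() -> bytes:
    """Constructed sample with made-up names: only the two parts the audit
    reads, not a complete package that Word would open."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>A. Clerk'
            '</dc:creator><cp:lastModifiedBy>B. Partner</cp:lastModifiedBy>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"])
    body = ('<w:document xmlns:w="%s"><w:body><w:p><w:ins w:id="1" '
            'w:author="C. Associate"><w:r><w:t>draft</w:t></w:r></w:ins></w:p>'
            '</w:body></w:document>') % NS["w"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", body)
    return buf.getvalue()
```

Running `audit_metadata` on an outgoing attachment before and after `strip_metadata` gives a record that the check was applied, which also supports the policy-evidence point made later in the article.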

Should we be unfortunate enough to face a claim of the type brought by Laura Zubulake, how can the time and expense associated with our disclosure obligations be minimised? I have three suggestions.

First, and rather obviously, we must place a high value on integrity and the strict adherence to carefully prepared policies for the preparation, approval, dissemination, retention and deletion of documents. This approach will minimise the opportunity for subsequent embarrassment, which might be costly.

Second, firms should use document-management systems to collect in specific electronic files all electronic documents relating to a single matter, whether an internal matter or a client file. The existence of a policy to manage electronic documents in this manner and evidence demonstrating its application will go a long way to satisfying a court that a search of the documents on that file is an appropriate and proportionate search.

My third suggestion is that we need to have a clear understanding of the back-up systems that our firms operate and the ability to change those systems to avoid the risk of a Zubulake situation.

What advice should we give clients? It follows that clients need to be advised, in time, of the need to retain and search for relevant documents. This advice will necessarily be much more complex than the advice historically given to clients in connection with the disclosure of paper files.

Guy Hodgson is a partner at Mills & Reeve. He can be contacted at guy.hodgson@mills-reeve.com

 


 
Copyright ©1994-2008 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.