NY Appellate Court Explains Burdens on Corporations to Search Their Computers
A recent New York court opinion has highlighted the potential for unanticipated expenses that even bystanders to ongoing litigation can face. Until now, generally businesses and other organizations could be satisfied with a record retention policy that met their internal requirements. Record retention policies were of limited concern outside the context of direct litigation in which such entity was a named party. Now, however, it appears that courts will impose significant obligations upon non-parties to a litigation (even where the connection is extremely tenuous), and as a result, an entity’s record retention policy can have implications well beyond its involvement in direct litigation.
These obligations require not only adoption of, and compliance with a company’s record retention policy, but also a thorough understanding of how such policies interact with the technical capabilities of the company’s systems and operations. The issue in the case, Tener v. Cramer, arose in the context of Electronic Discovery. ESI (Electronically Stored Information), as it is generally known, now plays a significant and sometimes costly role in civil lawsuits. While lawyers have long been accustomed to dealing with discovery in civil cases, the responsibilities that arise in matters where ESI is involved are often far different than those that develop in terms of traditional discovery techniques.
In Tener, the Appellate Division, First Department, focused on “the obligation of a nonparty to produce electronically stored information…deleted through normal business operations. Tener isa defamation lawsuit filed in Manhattan, and the plaintiff served a subpoena on New York University seeking the names of all persons who accessed the Internet on the day that the defamatory statement was posted on a website. A “preservation letter” was sent along with the subpoena. This letter directed that NYU should take steps to protect against any normal practices that would result in the destruction of information relating to the posting of the defamatory statement.
NYU did not produce responsive information and the plaintiff asked for a court order finding that it was in contempt. NYU responded by arguing that “[c]omputers that simply access the web through NYU's portal appear as a text file listing that is automatically written over every 30 days. NYU does not possess the technological capability or software, if such exists, to retrieve a text file created more than a year ago and written over "at least 12 times.” The plaintiff offered a different view from an expert, asserting that the information could still be recovered if the appropriate software was used.
Although the trial court agreed with NYU and denied the motion for contempt concluding that the plaintiff failed to dispute the former’s expert, the appellate court took a different view. It pointed out that “NYU offered no evidence that it made any effort at all to access the data, apparently because it believed that it could not, as a nonparty, be required to install forensic software on its system.” The appellate court noted that NYU had relied upon case law for its position from the early 1990s.
Quite, simply, the court found that NYU’s argument did not keep up with the times: “In this day and age the discovery of ESI is commonplace.” The court pointed out that state and federal courts have been generating rules for dealing with ESI and focused particularly on those which had been developed by the Commercial Division for the Supreme Court in Nassau County. The court wrote that the rules in Nassau County “are appropriate in cases, such as this, where a nonparty’s data is at issue.” Most specifically, the Nassau rules acknowledged that “deleted” ESI may not truly be deleted and that litigants should be prepared to address retrieving such information on a cost-benefit analysis.
In this case, the appellate court sent the case back to the trial court to determine,
- “Whether the identifying information was written over, as NYU maintains, or whether it is somewhere else, such as in unallocated space as a text file;
- Whether the retrieval software plaintiff suggested can actually obtain the data;
- Whether the data will identify actual persons who used the Internet on the specified date;
- Which of those persons accessed the website;
- A budget for the cost of the data retrieval, including line item(s) correlating the cost to NYU for the disruption.” (Footnote omitted.)
While there are a number of important lessons from this case, perhaps most important is the court was not deterred from imposing discovery obligations upon NYU either by its status as a non-party, nor by a claim of hardship. Armed with the knowledge that NYU might have the information in some form, the court was willing to impose the requirement that the lower court explore compelling NYU to make available what it could.
The implication of the above for anyone operating a business or organization is that retaining records in any form when there is no legal or business requirement to do so could create unnecessary exposure, subjecting your organization to unanticipated expense and the need to divert resources to time consuming data retrieval. This is of growing concern in an environment where business is largely done by computer, online and via mobile devices and with communications and access to systems growing exponentially through channels such as cloud computing and social networking.
A well-drafted document retention policy adheres to all legal and practical business considerations of your business and at the same time regularly and routinely destroys records which no longer have utility when such destruction is not barred by those requirements that might be applicable to regulated industries or professions. To be effective, a well-drafted document retention policy also needs to be capable of compliance in the ordinary course of business and must reflect the realities of your operations across all methods and categories of data retention whether paper or electronic.
In light of this decision and the overall trends in ESI, corporations need to carefully review their document and ESI retention policies, their system capabilities to understand how information is stored, including what is archived and what is “deleted”, work with any outside vendors that supply information technology services concerning ESI retention, and take appropriate steps to prepare for the day when a legal request for production of ESI will implicate these issues.