Reports this month that the Securities and Exchange Commission is threatening to fine Morgan Stanley more than $10 million for failing to keep certain email highlights the perils that exist for companies that fail to manage electronic communications properly.
The risks that organizations face when it comes to email retention—or failing to have and follow established policies—is “increasing and substantial,” says B. Jay Yelton III, a partner in the Kalamazoo, Mich. office of Miller Canfield. But the liability risk varies by organization and industry. “To the extent that a company is more regulated, or is more subject to litigation, the greater the risk,” adds Yelton.
Securities brokers and investment advisers, for example, are subject to stricter SEC rules concerning retention of email and documents than other public issuers. However, all companies have to comply with a complex and evolving set of rules at the federal and state level for retaining documents.
Although email falls under the rules that govern most other corporate documents, it is a particularly desirable target for regulators and plaintiffs’ lawyers. “Whenever there is any litigation or investigation, people are looking [to email] for the smoking gun,” says Jin J. Lee, a consultant with PriceWaterhouseCoopers’ Advisory Services group in Chicago.
The liability risk with respect to email retention practices is difficult to gauge, according to Ethan A. Berghoff, a lawyer with Baker & McKenzie in Chicago. “A lot depends on how casually companies treat these issues or how dramatically they ignore them when they arise,” he says.
Berghoff notes that some of the cases in which companies have been punished for treatment of email started before many of the electronic discovery rulings came about. “Companies may not have been fully aware of the risks at the time they were taking some of the actions,” he says. But Berghoff adds that companies have also made fatal mistakes. “Regardless of the number of lawyers or the quality of the representation they had, people who should have been on top of the situation were not.”
Record Retention vs. Electronic Discovery
The threatened SEC fine against Morgan Stanley is not the first time that the company has found itself in hot water over email. Earlier this year, a Florida judge found that Morgan Stanley deliberately failed to turn over emails sought by financier Ronald Perelman in a fraud suit. As a result, the judge shifted the burden of proof in the case and Perelman was awarded $1.45 billion in damages.
Both the Perelman suit and the SEC inquiry focus on Morgan Stanley’s treatment of email in the context of “electronic discovery.”
“There is a distinction between record retention, which looks at whether or not you have an obligation to preserve a document, and electronic discovery, which looks at, if document exists, whether you have an obligation to produce the document,” notes Berghoff.
General record retention refers to how long companies have to retain a particular record, notes Michael S. Mesnick, a partner with Baker & McKenzie. “That is an extremely difficult exercise for any enterprise to undertake,” he says. “Depending on what the particular document is, there may be a legal requirement to retain it for some period or time, or there may not be.” As a result, companies need to define policies to manage the different types of records. “You have to come up with a policy that identifies the various categories of documents in some logical fashion and specifies the amount of time that the particular category of time that it needs to be retained, and in some cases in what form,” says Mesnick.
Mesnick adds that companies are “not well advised” to keep all documents forever, nor are they well advised to destroy all documents immediately. The key question, of course, is now long should documents be retained? “Most well advised companies in this day and age are investing significant resources in attempting to answer that question,” says Mesnick. “Companies don’t answer the questions in the same way—some companies make a decision to retain records for 10 years because [they] believe that 10 years ought to satisfy all potentially applicable record retention [laws]; other companies make the investment to analyze the various bodies of law to see to see what the law itself has to say about record retention.” As a result, companies can ultimately have fairly detailed record retention policies.
The biggest challenge, according to Mensik, is to devise a policy that actually gets implemented and followed. “Some of these policies have 200-300 categories, each with their own record-retention period,” he says. “Expecting employees to understand [such] rules and follow them with any precision is perhaps expecting too much.”
Yelton at Miller Canfield notes that there is “good news” in the form of recently developed software programs that will make the management of electronic records more practical. “As organizations begin utilizing those programs over the next few years, it will be easier and less expensive for organizations to manage and retain information, including emails,” he says.
Unfortunately, Yelton adds, many companies find themselves in the “middle stage,” where data outweigh solutions. “There’s so much more information but, unfortunately, the processes and procedures haven’t caught up to manage that information.”
Once a company is aware of potential litigation or regulatory enforcement, the focus shifts from general email retention to potential obligations to produce documents for litigants and regulators.
“The typical business document is located in 11-19 different places,” notes Miller Canfield’s Yelton. “The trouble hits when the organization gets served with a lawsuit or becomes the subject of a regulatory investigation, and the broad discovery requests follow soon thereafter—when that occurs, an organization will have to spend considerable lawyer time and internal resources to locate and review all the records that were saved.”
The challenge, he notes, is getting organizations “to make records management a high priority before it’s too late.” And, although organizations are increasingly aware of the risk, Yelton believes that many companies believe the risk applies to other companies, not theirs. “There’s still a lot of denial,” he says. “I’d be surprised to find too many large organizations that are unaware [of the risk], but many if not most still feel that it’s not a risk that’s real great for [them]—at least not yet.”
Managing email effectively requires a company-wide effort, says Mary Mack, technology counsel for Fios, Inc., an electronic discovery services provider in Portland, Ore.
“In the absence of litigation or regulation, compliance people, the records management people, the IT people—they need to get together and do a training for compliance and records management purposes,” she says. “It’s not easy at all but it is doable.”
Mack also recommends that companies make sure someone with knowledge of electronic discovery processes is coordinating efforts and getting answers to critical questions. “What are the issues of the case and what segments of the business is it likely to affect?” she asks. “Get a verbal picture of what you’re looking for. … get a sense of the magnitude of the case and then apply that to the IT infrastructure.” She adds that senior executives should be involved where appropriate. “The people at the top are probably not the people who can answer the questions, but they should know who to talk to and ask the right questions.”
Companies that want to deal with the issue of email effectively, “have to put their mind to it, they have to budget for it and they have to have process, procedure and training for it,” Mack says. “Are we there yet? No way, no how. But I think we’ll get there,” she adds. “Storage is dirt cheap [and] advances in search technology are coming out monthly. So we will get there. But it takes a super-human effort to respond to this stuff.”