The expression for prosecutors used to be 'follow the money.' These days, after cases like that of Wachovia Bank, in which senior bank officers readily admitted in e-mails to knowing of a multi-million dollar fraud involving Wachovia accounts, investigators may now have to replace 'follow the money' with 'check the inboxes.' Corporate boards and senior management may have to adopt a new mantra altogether--'update the records retention policy.'
After years of shareholder lawsuits and criminal prosecutions made on the backs of explicit e-mails or executive memoranda, companies appear still to be woefully behind in their awareness and implementation of policies to determine when, how and why records should be retained or destroyed--particularly once you get outside the Fortune 100. "We just completed a survey of in-house counsel at 400 U.S. and U.K. companies," says Michelle Lang, director of legal services at Kroll Ontrack, an IT consultancy specializing in records control. "And I was pretty shocked at the results." She reports that only 25% of corporate counsel offices reported being "up to speed" on Electronically Stored Information (ESI) case law or on how compliant their own companies' policies were. Only half of U.S. companies surveyed had any policy at all for retention or the regular culling and destruction of unneeded records. "That also means," says Lang, "that half the companies in the U.S. probably have no plan for how to handle any ESI litigation that comes their way."
Admittedly, in the case of Wachovia, it would seem that the lack of a corporate governance policy or internal controls to detect such fraudulent activity was the real culprit. But legal experts warn that an entire company can sometimes be held financially accountable for the actions of rogue executives simply because of a few random remarks electronically preserved for all time.
Ed McNicholas, an attorney specializing in information law with the Washington D.C. law firm of Sidley Austin LLC, agrees. "Most of the Fortune 100 companies are very aware of the records retention issue," he says, "but among the top 1000 companies, most are not as prepared as they need to be. Most are thinking that maybe they can wait on this. But particularly given recent federal court decisions regarding records discovery, they could end up facing serious litigation issues."
Significantly, one of the big developments over the past two years has been the willingness of various courts to assert that electronic records are 100% discoverable. Companies can no longer use the argument that they "cannot retrieve" existing electronic records on their systems because it is too difficult or costly. "A lot of this is out-of-sight, out-of-mind," says Lang. "Since most companies haven't yet been sued and haven't had to face discovery of their records, they don't think it's an issue they need to deal with right away. But the bottom line is that it's much better to discuss these issues at the top and develop a records retention policy before you're knee deep in it."
Howard Langer, a plaintiff's attorney in the current class action suit against Wachovia, thrives on such discovery and warns that developing such policies gets complicated. "The SEC requires companies to retain certain records," he notes. "They cannot just get rid of all emails, for instance. And if they get rid of only some records, assumptions will be made about why they did that." He adds, "If you do decide to destroy certain records, you may find it's hard to get every copy, and that can cause problems, too."
Plaintiff attorney McNicholas agrees. "Companies need to be very careful about destruction of records," he warns. "They need to be routine about it, and cannot get involved in trying to conceal things."
Kroll Ontrack's Lang gives one example of why even a records policy that regularly wipes employee emails from the company's server can't protect against later problems. "I save on my company laptop all my email communications going back years," she admits. "Especially ones that are about decisions that I made or that a group I was in made. I'd be a nightmare in a lawsuit! The thing is, you can clean your server of emails after 30 days, but you can't tell people to get rid of everything."
Adding to the complexity of the issue is the reality that the rules can change. For example, once an employee or executive knows that a lawsuit might be filed, at that point it becomes a crime to destroy records relating to that issue, even if no case has been filed yet.
Sam Kamran, senior director for financial advisory and litigation counseling at Chicago-based Aon Corp., points out that over the last year or so, the trend has been towards finding a technological solution to records retention and destruction, with companies like PSS Systems (with its Atlas ERM) and Hewlett-Packard (with its IA series) offering systems that tag documents, preserving those that need to be retained and eliminating those that aren't wanted or needed on some scheduled basis. "The problem," says Kamran, "is that the technology is not what it should be. Search and retrieval systems are not that adequate and because the platforms are proprietary, once you've adopted one, you're stuck."
But alleged problems with tech solutions often track back to an absence of policy and procedure, and Kamran admits that there is an over-dependence upon technology. "With a number of clients, we have seen an emphasis on the technology alone, and not on the procedures and decisions that are driving that technology," he reports.
More important than the technology, however, agrees Lang, is having a policy. "At Kroll, we advise our clients to have a litigation readiness and response plan in place. That means that IT, legal and top executives need to come together and develop a plan for how to respond to any discovery lawsuit. Companies that have handled lawsuits well have done tabletop drills: If this happens how will we respond? If that happens how will we respond?" She adds, "That's a lot cheaper than getting caught unprepared."