Electronic Data Risk Management

Electronic data exists in many forms, including the active data (accessible to users, such as e-mail, word processing and spreadsheet files, electronic calendars, databases and electronic images), replicant data (automatic copies of data created by the application itself) or back-up data (copies of data created according to an organization’s policy, used in the case of emergency). Another significant category of computer-generated data is residual data, or information that appears to have been deleted, but actually still exists and is recoverable.

All these forms of computer-generated data are subject to discovery rules in a litigation proceeding; electronic data is also considered evidence and can be used in the courtroom. Thus, failure to properly manage the storage and retention of electronic data can be costly.

Potential discoverability of electronic evidence creates serious new risks for corporations. Trends indicate that there is an increase in use of discovery to obtain electronic information, but even more troubling is the increased use of discovery to obtain litigation-support database information. That information, once considered privileged or work product, may no longer be protected. Thus, corporations and the law firms that represent them must begin focusing on how to limit the risks.

Litigators are becoming more aggressive in their efforts to obtain electronic information in discovery. They are beginning to recognize that people will transmit messages by e-mail they would never put in a formal, written memorandum.

For some reason, many people have a false sense that their e-mail communications are secret or private (and thus delete really means delete) when, in fact, it must be produced in response to properly framed discovery requests and could end up before a judge or jury.

Litigators have learned that the internal e-mails of their adversaries can provide a treasure trove of damaging information and admissions. Litigation systems and databases have been a fertile avenue for electronic discovery.

There are a number of steps that corporations can take in order to improve the management of its electronic information.

  1. Assess how the electronic data is being stored and secured. Investigate how similar corporations handle their electronic data. Obviously, the information systems personnel will be critical to this process, but don’t forget to meet with the users themselves. There is often a gap between policy and everyday practice, so it is important to understand your current electronic environment in order to effectively limit the risk.

  2. Design and implement electronic data policy. If your corporation already has one, it is probably time for a re-evaluation, given the climate of electronic discovery. Be sure to take into account the legal requirements for electronic data and document retention, the needs of your organization relative to accessing the electronic data and the privacy rights of your employees.

  3. Communicate and train. Communication is critical to the success in electronic data risk-management programs. Simply distributing a hard-copy binder containing all of your company’s policies may not be the best answer. Tailor the method of communication according to your corporation’s culture and train your staff on how to adhere to the policy.

    Communication and training are the keys to success — and may not be successful if not done once a year. Consider using a variety of methods to show your employees that electronic data risk-management is an important part of a company’s business strategy. Also consider using a variety of ways to communicate, such as your company’s Intranet site, a mass e-mailing, a written memo and an easy to read summary brochure.

  4. Monitor compliance with the policy. Consider whether ramifications for failure to comply would be useful or possible. Without strict enforcement, any policy is moot.

Be sure to create an infrastructure to support your electronic data risk-management policy. That means identifying adequate resources to manage the program, setting up monitoring procedures, performing and documenting the monitoring, and evaluating trends, your company’s use of electronic data, as well as the business and legal climate. It is important to modify the policy in response to changing legal and business environments, in order to limit the risk while providing access to the data.

Being highly selective in determining what information to include in a database is another avenue to protect against disclosure. This selection process should be conducted by an attorney or under an attorney’s specific direction. Furthermore, any summaries or abstracts included in the database should be written by an attorney or someone under the attorney’s direct supervision.

Following these guidelines can dramatically improve a company’s management of its electronic data. Moreover, the implementation of an electronic data policy, and a careful approach to creating litigation databases and systems can save a company from potentially costly disclosures of sensitive information and work product.


Provided as an educational service by John Raymond Dunham, III, Esq..

This publication is intended to serve you. If you would like certain topics covered, or have any questions or comments, you are invited to contact Mr. Dunham at: 941.951.1800, Ext. 250, Facsimile: 941.366.1603, E-Mail: jrd@jrdlaw.com, Web site: www.jrdlaw.com or write him at LUTZ, BOBO, TELFAIR, DUNHAM & GABEL, Two North Tamiami Trail, SARASOTA, FLORIDA 34236.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered and report on issues and developments in the law. It is not intended as legal advice, and should not be relied upon without consulting an attorney.