Use modern technology to minimise risks rather than create additional ones, urges Tim Rutherford

Email is increasingly becoming the standard form of business communication. It is estimated that on any average working day, 36bn person-to-person e-mails are exchanged. It is also estimated that 90% of all business documents are now created, viewed and stored electronically. Statistics vary, but it is thought that around 70% of these electronic documents never appear on paper.

The use of technology has also led to an increasing variety of different methods of communication and electronic storage. We now have PDAs, instant messaging, e-mail on the go, mobile phones that are more sophisticated than the computers we used five years ago, the ability to make phone calls over the internet, voicemail, the ability to send and receive faxes from a computer, wireless access to the internet in coffee shops, video messaging, and more.

It is accepted that all these new technologies change, and in many cases improve, the way we work, but how many organisations are thinking about the risks involved? The following are some of the potential risks that should be considered.

- Employees are increasingly being provided with a variety of portable devices that hold data. What steps do you take to make sure that the data is backed up onto your company's databases?
- In the past most conversations took place face-to-face or by phone. Nowadays many regard the use of email as equivalent to a 'written conversation' and do not take the same care that they would take in writing a formal letter. Many assume that once deleted an email can be forgotten, but this is not correct.
- Electronic documents are much easier to duplicate than paper documents and copies may easily end up in the wrong hands.
- Little thought is given to the order in which electronic documents are stored. As a result, potentially valuable data is being lost amongst a mass of irrelevant and valueless data.
- While it is not necessary to retain copies of every single document, it is important to understand what documents are being irretrievably deleted.
- Each electronic document (whether it is an e-mail or a word processor document) will contain extensive hidden information called, in technical circles, metadata. This information can range from the mundane (such as the word count of the particular document) through to much more interesting facts, such as details of when a particular document was opened, amended and printed and by whom. Interrogating the metadata can answer many questions which, in the past, would have gone unanswered. In extreme cases it is possible to restore the total history of a document to see how it developed, for example during contract negotiations.
- Delete does not mean delete. Once a document has been created it may be around forever unless proper steps are taken to permanently eradicate it.

As a result, organisations may be creating and retaining vast quantities of potentially damaging information without understanding the risks, while at the same time deleting important documents that should be retained. It is no longer the case that organisations can take the view that information stored on their computer systems is for their eyes only, and electronic information is increasingly having a role to play in litigation.

It is worth remembering that, because of the length of time that it usually takes for a dispute to develop and finally get to court, it may take two or three years for the matter to be dealt with. Therefore, the cases coming to court today are based on documents and information created several years ago using the technology of yesterday. Three years ago it was not common to have a mobile phone that could send e-mails. Today this is much more common. It may be the case that in three years time you will be involved in a piece of litigation that will turn on the evidence of an e-mail you sent from your mobile phone earlier today. Would you be able to locate that crucial piece of evidence and provide it to your solicitor?

The rules have changed

Until recently in the UK it would have been fairly easy in the majority of cases to simply dismiss the role to be played by electronic evidence. However, the beginning of October 2005 saw some fairly dramatic changes to the court rules, which mean parties now have to give serious thoughts to the role of electronic documents in the disclosure process.

During any litigation parties have an obligation to disclose the documents on which they intend to rely and also those documents which adversely affect their own case. In deciding what documents to disclose, a party must carry out a proper search, taking into account the number of documents involved, the nature and complexity of the proceedings, the ease and expenses of retrieval of any particular document, and the significance of any document which is likely to be located during the search.

The search must now extend to cover electronic documents and e-mails that are held on computer systems, servers, back-up systems and other electronic devices, including portable and hand held devices. It will no longer be enough simply to review printouts of a few relevant documents. Searches will have to be made of the computers and devices held by all of the relevant individuals involved with the subject matter of the dispute.

In addition, the courts have now given guidance on what is meant by a 'document'. While accepting that the current definition in the rules is a broad definition, they have gone on to make it clear that it covers: 'electronic documents, including e-mail and other electronic communications, word-processed documents and databases.' In addition to documents that are readily accessible from computer systems and other electronic devices and media, the definition covers documents that are stored on servers and back-up systems and electronic documents that have been 'deleted'. It also extends to additional information stored and associated with electronic documents (metadata).

Practical considerations

If you have not given any thought to how your organisation's information and records are managed, you may face a situation where you have thousands and thousands of pages of documents to review if they are all printed out. A small, low-value contractual dispute may involve considering documents produced by your legal department, your sales department, your finance department and your managing director. That could easily involve four individuals if not more. Assume each individual has a computer and a mobile phone. That makes eight items that have to be searched for documents. If you have not put in place any retention policy, the relevant documents may only be accessible on back up media, and will have to be restored at vast expense. Increasingly the courts will expect parties to reinstall back up media to find relevant documents.

If you have no idea where the documents may be located, you could face the unenviable task of having to spend weeks printing and reviewing documentation.

The overriding point is that the routine warning, given to any clients at the start of litigation to preserve all the paper documents that have been created relating to the matter in dispute, will now have to extend to cover electronic documents too, due to the increasing focus being placed on these documents by sophisticated litigants and the courts. In the next four to five years you may well find it increasingly common that you will be ordered to provide documents in their native format and that you will lose out if you are not able to do this.

In order to be prepared to tackle this problem it is important that all organisations start thinking now about implementing appropriate document management and retention policies. The difficulty is that there is no 'one size fits all' solution.

The starting point in drawing up such a policy is to consider why your organisation needs to keep documents. The traditional view is that documents and information need to be managed and retained for the following reasons:

- statutory and regulatory requirements
- internal organisational requirements (for example the need to keep copies of ongoing contact with customers/clients/other organisations, the need to keep documents for accounting and tax purposes)
- they are of some value to the organisation (for example documents relating to the organisation's past history or performance)
- they are relevant to actual or reasonably foreseeable litigation.

Given the prohibitive storage costs associated with large quantities of paper records, it has always been accepted that an organisation cannot keep absolutely everything, and decisions have to be made as to what documents should be kept.

However, given the rapidly falling costs and sizes of electronic storage, it could be argued that an organisation should keep all of its electronic documents and never delete anything. It is easy to see a direct comparison between the costs of maintaining a significant number of lever arch files as compared to the cost of a DVD. But while direct costs may have fallen dramatically, the indirect costs are increasing, particularly because of degradation in the performance of the software as it tries to cope with the ever-increasing amount of information, and the fact that masses of irrelevant material obscure critical material.

It is important therefore to have a document management and retention policy that addresses the following areas:

- making it easier and quicker to access the relevant information
- controlling the rate at which new information is created
- reducing the operational and storage costs
- improving the organisation's efficiency and productivity
- making use of new technologies
- meeting statutory and regulatory requirements
- meeting any retention obligations imposed by actual or anticipated litigation
- ensuring the integrity and availability of business-critical information is maintained
- improving the decision-making process through better use of information
- enabling the preservation of corporate history.

The policy must be realistic, practical and tailored to the circumstances. It must reflect the actual use of information and not the view of how the legal department would like to see things or how the IT department say you have to see things.

The most important issue to consider is when to destroy documents. For each category of document you will need to consider its life-cycle. How long does the document hold value? Once the value starts to deplete how much longer do you need to retain it?

From a legal perspective, you also need to consider the privacy rights of individuals. Balanced against the desire to ensure that you have all the relevant documents, is the fact that personal data must not be kept longer than is necessary.

It is also important to be prepared for litigation or regulatory investigations. You need to be aware of:

- how you will identify the relevant documents
- who is going to carry out the identification
- where the documents are going to be stored
- what is to be done about the metadata
- how you are going to preserve a snap-shot in time of the documents as they existed when the dispute arose
- whether you need outside help to manage the process.

This area is developing, and there is no right or wrong policy to adopt. The difficulty is that if you do not lay the groundwork now, you may find in two or three years time that you have left your organisation exposed if you are not able to manage and retrieve appropriate documentation. It is not just a question of ensuring that you do not create incriminating documents, it is more about understanding how modern technologies can, if used properly, assist you to minimise risk, provided that their use is carefully planned from the outset.

- Tim Rutherford, IBB solicitors, Tel: 01895 207 828,