As I said in a recent webcast, if you depend on employees to implement whatever your e-discovery and retention policies are, you don’t have a policy; you have a set of suggestions. It looks like Judge David Nuffer of the US Federal District Court for Utah agrees. In the case at hand, the plaintiff, Dr Philip Adams, was suing ASUS for patent infringement. ASUS failed to produce a number of records that Adams alleged should have been produced. Upon investigation, it turned out that ASUS largely left compliance with discovery policies up to individual employees, some of whom didn’t do a very good job of actually following those policies. Individual employees were responsible for deciding what information to keep, then storing it locally on their computers– but they were also responsible for preserving information when they got new computers (which, given that ASUS makes computers, probably happened more often than it does for most of us!) Here’s part of what the judge said:
The culpability in this case appears at this time to be founded in ASUS’ questionable information management practices. A court–and more importantly, a litigant–is not required to simply accept whatever information management practices a party may have. A practice may be unreasonable, given responsibilities to third parties. While a party may design its information management practices to suit its business purposes, one of those business purposes must be accountability to third parties.
In plain English, that means that it’s not OK to assume that your employees will always do the correct thing to safeguard critical business information. This decision is great news for archiving vendors, of course, but it should also be a warning to those who depend solely on employee actions (even when combined with messaging records management) to protect their interests. Two simple takeaways:
- If you don’t have a records management / discovery policy, you’d better get one because letting individuals make up policy on their own is now proven to fail
- If you already have a policy, you’d better have an automated means of implementing and enforcing it.