Document Mismanagement: When the Customer Miscommunicates a Court Order to the Document Managing Outsourcer

October 9, 2009 by

Summary.

For corporations that have outsourced any process of document storage or management, electronic discovery procedures in litigation can be a nightmare.  The lessons of multiple mistakes by both the enterprise customer and the service provider leads us to suggest some “best practices” in relation to litigation management and document management for inclusion in the policies and procedure manuals that accompany sophisticated outsourcing transactions.   Ambiguity and confusion will reign as the “supreme law of the land” if there is no clarity in relation to processing special requests by the enterprise customer for special preservation or management of electronically stored documents.

Background.

UnumProvident Corp. hired IBM to manage certain electronic records. In a subsequent lawsuit by an employee of UnumProvident, a New York court ordered UnumProvident that it and its “agents” “shall not alter, destroy, or permit the destruction of, or in any fashion change any ‘document’ in the actual or constructive care, custody or control of such person, wherever such document is physically located.”   The order provided for the preservation of  a variety of documents, including claims files, policy and procedure manuals, medical files and e-mails for a six-day period.

Miscommunication by Client to Outsourcer.

In reviewing whether UnumProvident had complied with the protective order, a New York trial court determined that UnumProvident had failed to give clear instructions to IBM to preserve the necessary documents.  The court identified a number of problems:

  • The UnumProvident litigator had discussed with the Court the extension of the expiration of the parameters for the backup tapes, but “UnumProvident did not explore that option with IBM in any meaningful way.”   UnumProvident failed to identify technological means of transferring documents from backup tapes having specified expiration dates to backup tapes (or a hard drive or other electronic media) without any expiration date.
  • Both the enterprise customer and the outsourcing service provider were criticized for not having the necessary understanding of the technical steps necessary to preserve the protected documents.  “Neither [the customer’s enterprise security architect” nor the service provider’s Delivery Project Executive] had sufficient expertise to discuss the [document] preservation project in a meaningful way.  Neither of them took the steps that they needed to take to get sufficiently informed advice on the issues involved.”
  • UnumProvident failed to supervise the efforts of its enterprise security architect who had been delegated the task of preserving the electronic documents.  The UnumProvident enterprise security architect “was allowed to make critical decisions about how much and what email should be preserved pursuant to UnumProvident’s legal obligations.   In the end, [he] made his decision based on inaccurate information.  As a result, [one particular day’s] data was not preserved except to the extent that it still remained in an employee’s computer mailbox or had only been deleted within 14 days of the date of the snapshot.”

Outsourcer’s Errors in Compliance. IBM made only one mistake.  Once it realized the mistake, IBM quickly avoided further damage by excellent responsiveness.  The mistake was unintentional:

In creating the December snapshot [to preserve the records as requested by UnumProvident], IBM had unwittingly taken steps that caused the back-up tapes to re-enter the [rotating tape back-up] system prematurely, and as a result many [documents] already had been overwritten [when IBM did the first recovery test].

In this mistake, IBM “inadvertently reset the [rotating tape] settings so that the [rotating tape] retention protocols for the back-up tapes in off-site storage tapes so that the tapes expired before their scheduled time.”  As a result, the backup tapes were either recalled, reused and overwritten before they should have been, with a loss of data.   Neither UnumProvident nor IBM realized this had occurred, nor did they expect it.

After the failed restoration test, “IBM realized for the first time what had happened.  IBM immediately identified all server back-up tapes and preserved them.  It had already extended the [backup plan] expiration date protocol to 365 days as a result of its discussions” with the enterprise customer.

Thus, while IBM made a mistake, it appears that the loss was minimal, or, at least impossible to assess as of the time when the court rendered its decision.

Losses.

As of the court’s decision in September 2003, it was not clear whether the plaintiff had been injured by reason of the loss of protected data.  Other backups were located.  Other methods of proof might have been available to prove the same information.  Accordingly, the case is instructive for what happened, not for the legal consequences.

Best Practices in Document Management.

This case highlights some simple truths about document management in outsourcing.

Tape Rotation Period.
It is a false savings for a company to have a short period for the rotation of its backup tapes.  For any enterprise that is the subject of litigation, a short rotation period will increase the risk of inadvertent loss of data due to expiration or overwriting of data under normal data preservation and destruction policies and procedures.

Trap for the Unwary: Why every contract (or related policy and procedure manual) should address data management.
When the loss of data violates a court order, the loss becomes willful and subjects the enterprise customer to unpredictable losses that might arise from being foreclosed to present evidence that might have been supported (or rebutted) by the lost data.

Service Providers Should Warn Customers about Litigation Issues.
In this situation, both the service provider’s delivery executive and the customer’s executive failed to understand the requirements of the court order protecting documents. This confusion could have been avoided by establishing a “role and responsibility” matrix on third party demands for access to documentation.

Customer’s Duty to Warn the Service Provider.
Ultimately, as a litigant, the customer enterprise is subject to the severe penalties under court rules that may arise out of a willful noncompliance with procedural rules on pre-trial discovery and disclosure of evidence to the opposing party.  The customer has the burden of insisting on clear procedures.   The customer should take the initiative to warn the service provider of the need to make due investigation and implement appropriate protections of the documents and data covered by a protective court order.

Litigator’s Duty to Identify Potential Compliance Risk.
If an attorney’s client becomes subject to a protective order, the attorney should probably investigate promptly who is the custodian of the protected information and find a solution for compliance.  In this situation, the attorney seems to have passed the task off to an in-house attorney, who passed it off to a systems administrator, and no one verified the immediate compliance.  IMMEDIATE COMPLIANCE is what is required by the court order, so all attorneys involved in such situations should take an interest in not merely asking for compliance, but verifying it.   Of course, this notion would convert the trial lawyer to a project manager, but that should be not too difficult in view of the availability of e-mails and scheduling technology, as well as disaster recovery procedures, to implement a mini-disaster recovery plan.

Service Provider’s Sales Pitch.
Outsourcing will no longer serve as a reliable and safe business for the customer if the service provider makes mistakes in anticipating and responding to specific protective orders.   In this case, the service provider was unaware of the problem of overwriting of backup tapes until protected data had already been lost.

Relationship of the Enterprise Customer’s Adversary with the Enterprise Customer’s Service Provider.
In this case, the protective court order was addressed to the defendants and their respective “officers, agents, servants, employees and attorneys.”   One may question whether the attorneys for the enterprise customer’s adversary failed to obtain identification of who was custodian of the protected data.   There had been plenty of time to do so, since the process of getting to agreement on what documents would be protected (and not just a fishing expedition for any documents whatsoever) had taken time and was supervised by the court.  One may ask whether the plaintiffs’ outside legal counsel was not negligent in failing to try to identify such custodians so that the custodians could be notified, or even subject to court order, before protected documents had been overwritten.

Reference:
Keir v. UnumProvident Corp., __ F.3d __, NYLJ Sept. 4, 2003, p. 23, cols. 4-6, p. 24, cols. 1-5 (S.D.N.Y. 2003), Judge Cote.