When it's time to preserve company data and communications relating to pending legal matters, the IT and legal groups have to work together.

Guest Commentary, Guest Commentary

October 1, 2018

4 Min Read

When litigation looms, a corporation has a duty to identify and preserve relevant documents and other data that may be important to the legal matter. The goal is to avoid the intentional or inadvertent destruction of relevant evidence that might be used at trial. This process is called a “legal hold.”

While a legal hold sounds like it falls squarely into the realm of the legal department, lawyers rely heavily on IT to execute many of the activities associated with a legal hold. This puts a burden on IT and can put legal, IT or the organization at risk if legal obligations aren’t met.

What is a legal hold?

Our judicial system is rooted in the belief that parties to litigation should share documents and other information prior to trial. Each party has a duty to identify, locate and preserve potentially relevant information including electronic files (email, social media, collaboration sites, etc.), paper documents and other tangible evidence.

Failure to issue or properly conduct a legal hold can lead to fines or even more serious sanctions like dismissal of claims or defenses.

Due to their critical role in the legal hold process, IT needs to understand the company’s legal obligation to ensure that relevant data is preserved and collected in a matter than can stand up in court.

In implementing a hold, the following key actions must be taken:

  1. Identify key custodians and data stewards. Custodians are employees who manage or control a certain type of document, such as email or Microsoft Office files, who may hold data relevant to the legal issues that led to the legal hold. A data steward is typically an IT or records management person who has control over the data (and can control deletion policies).

  2. Issue a hold notice. Once key people subject to the hold have been identified, the next step is to notify each person and direct him/her to stop deleting documents that relate to the issues in the hold. Make sure you get an acknowledgement from each.

  3. Document the process. Failing to document legal hold efforts is the surest way for a judge to consider sanctions against your organization for failing to take reasonable steps.

What is the role of IT?

It is critical that everyone view themselves as part of a larger team working together to help the company meet its legal obligations. Since IT knows the company’s networks, servers and systems better than anyone in the organization, lawyers lean heavily on IT to execute many of the mechanics of a legal hold correctly.

IT should lead the following activities: 

  1. Identify custodians and data stewards who are subject to the hold and/or may have knowledge or documents relating to the anticipated litigation.

  2. Identify the data sources, systems and data types.

  3. Manage automated IT tasks appropriate to preservation requirements, including ensuring that auto “housekeeping” mechanisms, such as automated deletions, are suspended.

  4. Collect and preserve data from custodians and systems. IT should collaborate with lawyers to develop and execute a reasonable data collection protocol, ensure chain-of-custody for all data that is collected and preserved, execute data collection, and document all actions with reporting and audit trails to show good faith efforts in executing the hold.

What is the role of legal?

Lawyers ultimately are responsible for supervising the legal hold and collection process and to certify that reasonable steps were taken to meet these obligations. In addition to defining the issues involved in the litigation or investigation, they should help translate them into terms IT can understand and apply.

How should IT and legal collaborate better?

Legal and IT professionals can execute a more efficient legal hold process by adhering to the following best practices.

  • Meet to discuss the nature of the litigation in non-legal terms. Make sure everyone understands what is relevant and what needs to be preserved to meet legal obligations.

  • Determine where relevant data may be located--including sources like cell phones, social media, instant messaging and cloud applications.

  • Create a plain-language written hold notice for key custodians and data stewards.

  • Develop a strategy and timetable to collect data managed by IT, custodians and data stewards.

  • Ensure that routine deletion processes are suspended with respect to relevant data.

  • Set a regular monitoring and update schedule so legal can make sure data is being preserved (including new data) and IT knows that the hold is continuing.

  • When litigation has ended, prepare a hold release process with instructions to individual custodians and data stewards on the interplay between released data and other preservation obligations (e.g., SEC or HIPAA).

By understanding legal obligations surrounding a legal hold, the respective responsibilities of legal and IT and by working with counsel to execute a defensible plan, IT will play its part in mitigating risk to the company.

John Tredennick, an attorney who has written several books on legal technology, is the founder and chairman of Catalyst, which designs, builds and runs platforms for complex e-discovery, regulatory investigations and compliance.

About the Author(s)

Guest Commentary

Guest Commentary

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT professionals in a meaningful way. We publish Guest Commentaries from IT practitioners, industry analysts, technology evangelists, and researchers in the field. We are focusing on four main topics: cloud computing; DevOps; data and analytics; and IT leadership and career development. We aim to offer objective, practical advice to our audience on those topics from people who have deep experience in these topics and know the ropes. Guest Commentaries must be vendor neutral. We don't publish articles that promote the writer's company or product.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights