| www.ecommercelawyer.com |
|---|
Head's Up on Backup: Do You Know Where Those Files Are Now?
By: Alan S. Goldberg
One of the most basic rules for keeping a computer network going is regular backing up of documents and other files created by network users. Unfortunately, many businesses -- including law firms -- ignore the risks of too much backing up, and don’t understand the need to be sure that the well-intentioned efforts of information services staffs are tempered by the best interests of the particular organization in protecting itself and those it serves. This is part of a lawyer’s job, but unfortunately in many organizations, the technology folks and those responsible for protecting the organization against information overload do not communicate.
The purpose of this column is to alert the business lawyer to the dangers of not knowing what is being saved and why, and for how long. Whether the concern is protection against exaggerated, off-the-cuff, misleading or other such communications being kept or being inappropriately kept longer than they should be, or responding to the demands of litigation, every business should have an information retention and disposal policy that includes computer-generated documents and other files. Because of their unique nature and the ways in which they differ from information set forth on paper, computer files warrant special treatment and attention but often are ignored when it comes to policies that cover paper documents and retention policies.
There are many reasons to back up files, including general business requirements, maintenance of tax records, ethical requirements and the like, but there are also many reasons why some files either should not be backed up or once backed up should eventually be purged.
The first thing to find out is what procedures are in place to save computer files. This is often harder to do than might be expected, because of the many ways in which, and the many places at which, computer files are created, sent and saved. Start off with an office location and assume that a computer network is maintained. The central computers known as servers, the personal computers connected to the network and laptops loaned to users, and the outside computers used for Internet and other communications beyond the office location, are likely being backed up periodically. The files being backed up might be located on floppy disks, or magnetic tape, or CD-ROMs, or even on a distant computer system that is used for only back-up purposes.
Whatever is being backed up and wherever the backed up files are, the important things to know are what the files are; how long are they are maintained; what happens to them when the back-up period elapses; and how they can be retrieved. Some back-up policies only include final documents and omit e-mail. Other policies include preliminary drafts and not only e-mail but also seemingly deleted files that are thought to be erased but, in reality, lurk on the back-up media. These can sometimes be found using sophisticated electronic search techniques. Many users might not realize what is being backed up and for how long, and they could be in for a rude awakening if the backed up files have to be produced and communications thought to be long gone suddenly reappear in all their stark and unintended glory.
The important features of a proper back-up policy include deciding what is to be backed up and why, and coming up with the appropriate time periods for different communications to be retained and methodologies for backed up files to be purged. One decision that can be challenging is whether to save incoming and outgoing e-mail. The frailty of e-mail is well known to many people who use online computer services or read message boards. The ease of creating and quickly sending e-mail has a tendency to encourage sometimes rude, or offensive, or inaccurate and poorly proofread communications, and sometimes e-mail will contain statements that mistakenly admit or imply culpability or responsibility.
Surprisingly, many e-mail users don’t realize that such statements often are backed up and retained, sometimes for limited periods of time, and sometimes for the indefinite future. At the minimum, everyone should know what the e-mail back-up policy is, and in some situations there should be no e-mail back-up at all or at least a policy that provides for purging of e-mail that has outlived its potential usefulness.
Many users do not realize that any such files, either on an out-of-the-office computer or backed up from an out-of-the-office computer, can remain long after having been created, on this unintended back-up location. And when files are sent over the Internet, they will usually be copied on an Internet service provider’s computer that is regularly backed up, and this creates yet another unintended back-up location. In addition, some computer program vendors, such as financial and accounting program vendors, provide for periodic back-ups of both their own files and files created by users, and those back-up files are retained by the vendor for indefinite periods of time.
In addition to learning about any back-up policy or unintended back-up, consideration should be given to whatever archiving policy exists. Backing up a computer network is usually a day-to-day and week-to-week process that includes an automatic purging of the backed-up files periodically. But archiving can involve indefinitely keeping files either as a back-up source for something that also remains on the network computers or as the only place that the files are saved. So, just knowing the back-up policy is not enough. It may well be that some files are being kept for years even though there is no need to do so and, in fact, a need not to do so exists.
All of this becomes critically important either when preparing for a lawsuit or when a lawsuit begins, because more and more requests for production of documents include both paper documents and computer files. The files that might be sought could be on the computer network, or on home computers, laptops or palmtops, or on an Internet service provider’s computers, or on whatever media is used for back-up or archiving computer files. Even trying to figure out what is where can be an overwhelming task, and a good back-up policy should include a carefully crafted procedure for quickly finding out what is backed up and where.
Internal Revenue Services requirements, professional ethical mandates, court orders and operational procedures for computer networks can require the maintenance and back-up of computer files. While most businesses have document-retention programs, the rapid growth of information technology and the confusing nature of how computer-generated information is created and perpetuated can frustrate even the most well thought-out programs that originally were designed to deal solely with paper. So, in order to help others and to help themselves, business lawyers should bring these circumstances to the attention both of the information services staff and those responsible for loss prevention and risk management. The back-up technology and the retention and purging policy should be complementary and consistent with the best interests of the entire organization.
Having given thought to the issues discussed above, the following steps should be taken:
If you are unable to find and understand your law firm’s or a client organization’s computer file back-up policy and to assure yourself that technological, business, legal and ethical issues are reflected in and are consistent with that policy, you have some serious work to do. Remember, the longer you wait, the more back-up is being created and the harder the job will be.
What are you waiting for?
# # #
Copyright © 1997, Alan S. Goldberg, All Rights Reserved. This is an edited version of an article published in the American Bar Association's Business Law Today magazine.
Last revised: 12/20/97