Data Preservation In Investigations
1. Legal and Regulatory Basis for Data Preservation
(a) Federal Rules and U.S. Laws
Federal Rules of Civil Procedure (FRCP) – Rule 37(e)
Obligates parties to preserve electronically stored information (ESI) when litigation is reasonably anticipated.
Sanctions may be imposed for failure to preserve relevant data, especially if data is intentionally destroyed.
Securities and Exchange Commission (SEC) Guidelines
Public companies must retain financial, audit, and communications records relevant to investigations of fraud, insider trading, or disclosure violations.
Sarbanes-Oxley Act (SOX), Section 802
Requires retention of audit and accounting records for at least 7 years.
Health Insurance Portability and Accountability Act (HIPAA)
Requires retention of patient health records, particularly if subject to compliance investigations.
Banking and Financial Regulations
Agencies like the Federal Reserve, OCC, and FINRA require records retention for internal and regulatory investigations.
(b) State Laws
Many states have data retention mandates tied to consumer, employment, and financial records.
Example: California Consumer Privacy Act (CCPA/CPRA) allows consumers to request deletion but does not override legal hold obligations.
2. Core Principles of Data Preservation
Legal Hold – Upon notification of litigation or investigation, an organization must issue a legal hold instructing employees to retain relevant data.
Scope Definition – Identify all potentially relevant data sources, including emails, documents, chat logs, cloud storage, backups, and mobile devices.
Data Integrity – Preserve data in its original form to prevent spoliation and maintain admissibility.
Documentation and Auditability – Maintain records of preservation steps and access controls.
Access Controls – Limit access to retained data to prevent unauthorized alteration or deletion.
Timely Implementation – Preservation should begin as soon as litigation or investigation is reasonably anticipated.
3. Data Preservation Processes
(a) Identify Relevant Data
Conduct a data mapping exercise to locate data across:
Enterprise systems (ERP, CRM)
File servers and databases
Email systems and collaboration tools
Backup tapes and cloud storage
(b) Issue Legal Hold Notices
Notify employees, IT staff, and relevant stakeholders to suspend automatic deletion or overwriting.
(c) Monitor Compliance
Track acknowledgments of legal holds and confirm that data retention measures are enforced.
(d) Data Collection for Investigations
Use forensic imaging and controlled collection methods to maintain integrity.
Ensure chain of custody for admissibility in court.
(e) Post-Investigation Review
Once investigations conclude, data may be archived, returned, or deleted according to corporate retention policies and regulatory requirements.
4. Consequences of Failing to Preserve Data
Spoliation Sanctions – Adverse inference, monetary fines, or dismissal of claims.
Regulatory Penalties – Fines from agencies like SEC, FTC, or DOJ.
Civil Liability – Increased risk in lawsuits for negligence or breach of duty.
Reputational Damage – Loss of trust with regulators, investors, and clients.
5. Case Laws Illustrating Data Preservation Obligations
1. Zubulake v. UBS Warburg LLC
Landmark case on spoliation of electronic evidence.
Court held that failure to preserve emails relevant to litigation resulted in adverse inference instructions.
Emphasized importance of issuing timely legal holds.
2. Pension Committee of the University of Montreal Pension Plan v. Banc of America Securities LLC
Court sanctioned parties for failing to preserve relevant ESI.
Established that corporate procedures must ensure proactive retention of data once litigation is foreseeable.
3. Victor Stanley, Inc. v. Creative Pipe, Inc.
Highlighted obligations to preserve forensic evidence and maintain chain of custody.
Court imposed sanctions for deletion of relevant emails.
4. Apple Inc. v. Samsung Electronics Co., Ltd.
Data preservation issues arose regarding production of emails, design files, and prototypes.
Courts stressed timely identification of relevant data and preservation across global offices.
5. In re: Bank of New York Mellon Corp. Forex Litigation
Addressed corporate obligations to retain financial records during complex regulatory and civil investigations.
Failure to preserve documents and communication led to judicial scrutiny and procedural sanctions.
6. SEC v. Tesla, Inc.
SEC emphasized that corporate records, emails, and communications must be retained for investigation purposes.
Demonstrates that regulators actively scrutinize data preservation practices during enforcement actions.
6. Best Practices for Corporate Data Preservation
Establish Legal Hold Procedures – Standardized processes for initiating holds when litigation or investigations are anticipated.
Map and Classify Data – Identify all potentially relevant data sources and categories.
Automate Preservation – Implement tools to suspend deletions, backups, or overwriting of relevant ESI.
Audit and Document – Maintain logs of preservation actions and legal hold compliance.
Train Employees – Ensure staff understand their obligations under legal holds and preservation policies.
Coordinate Across Departments – Legal, IT, compliance, and business units should collaborate on preservation.
Integrate with Governance Frameworks – Embed preservation obligations within overall data governance and cybersecurity programs.
✅ Conclusion
Data preservation is a critical obligation for corporations facing litigation, regulatory investigations, or internal audits. Judicial precedents from Zubulake, Victor Stanley, Apple v. Samsung, Banc of America, Bank of New York Mellon, and SEC v. Tesla illustrate that failure to preserve relevant data can lead to adverse inferences, sanctions, and regulatory scrutiny. Implementing formal legal hold processes, data mapping, monitoring, and audit mechanisms ensures compliance while safeguarding corporate interests during investigations.
RELATED Blog
comments