perilous future of decision making in information management, The

We live in an increasingly complicated world. The legal

environment that constitutes such an important part of our world

is also becoming increasingly complex. This is true in our lives

in general, and is equally or perhaps more true in our

professional lives. New doctrines and ever more complex versions

of existing doctrines govern our professional existence in areas

as varied as civil rights, environmental issues, and information

management. The proliferation of laws, cases, doctrines, and

experts sometimes appears to create an impossible and hopelessly

confusing situation for an ii manager, but this is not

the case. This article examines the increasingly complex an-ay

of duties surrounding the professional information management

environment and some methods for responding to them.

There are a number of issues whose complexity has grown over time, and will continue to grow in the future. Each requires ongoing attention from today's information manager. Survival - in several senses - may well depend upon it.

Records and information management as a discipline began life as a relatively straightforward process. A business developed and maintained a basic set of business and operational records - accounting, personnel, inventory, operating records, and the like. Many of these were not governed by much law, and the rest were governed by straightforward legal provisions setting forth very basic requirements as to content and retention period. All such information was initially captured on paper, and most was maintained in this format for its entire period of retention. Any information not retained on paper was transferred to microfilm or microfiche, again in a straight-forward process with well-- understood ground rules.

Over time, this simple process underwent what is - when viewed in its entirety - a staggering increase in complexity. The basic set of business records has been transformed into a vastly increased data set including information on environmental monitoring and compliance, civil rights compliance, anti-terrorist regulation, and a host of other information collection requirements that were unheard of a half-century ago. Further, the once-simple media environment has also become vastly complicated, with electronic information now the norm, and huge numbers of data types, data formats, media types, and hardware platforms complicating the picture.

The reasons for this change are varied. Perhaps foremost among the driving forces is a drastic change in the legal environment surrounding commercial information.

Prior to the 1960s, the legal system's attitude toward commercial information was essentially one of laissez faire. While information capture and retention were required for certain basic purposes such as tax collection, those purposes were few. Beginning in the 1960s, however, commercial information collection took on a vastly increased role in society as first the federal government and then state governments began to use it as an instrument of social and governmental policies considerably outside the then-normal scope of the government-business relationship. Consider, for example, employment records. Prior to the 1960s, the only data required to be kept was basic payroll information, to ensure that taxes were paid and that employees were properly compensated.

In the interim, substantial new burdens have arisen, driven by dramatic changes in the social climate of the country. Many employers now find that extensive information must be maintained to comply with requirements under civil rights laws, gender and age discrimination laws, the Americans with Disabilities Act, the Family Medical Leave Act, many environmental laws, and other legislation. Similar complexities have arisen in many other areas of commercial information collection.

The changing nature of the legal arena is not the only source of additional information collection impetus. Dramatic advances in information technology have been similarly responsible. For example, air pollution monitoring is performed by automated recording devices that continuously monitor pollution emissions. Although the law requires this monitoring, it is nonetheless only possible to impose such requirements because of technological advances that permit the imposition of such a requirement. Technology, therefore, drives the legal requirements in this case. In a similar manner, we now capture and retain vast amounts of unregulated information primarily because we now have the capacity to do so, and only later do we develop data mining techniques that allow us to utilize it.

Changing Legal Duties

Our legal duties with respect to organizational information in our possession have significantly changed over time as well. For many years, our basic duty was to create and maintain a basic set of records and to produce them for regulators should we be audited. There was no duty to maintain records on behalf of an opponent in a lawsuit, provided only that we did not improperly dispose of the records after commencement of the lawsuit. The precise nature of our record keeping and information management practices was not an issue. If we complied with minimum regulatory requirements and someone didn't like it when we didn't have what they wanted, that was too bad.

The legal landscape has changed drastically in this regard. In addition to the capture of vastly more and more complex information, as discussed earlier, we now have a host of duties that were previously unheard of. If anyone - auditor, litigant, or other party - seeks information from us and is dissatisfied with our response, we are likely to find our information management practices under intense scrutiny, and a court or jury deciding upon the legal adequacy of our efforts. This reality is no small matter since there are few existing standards used by the courts to determine the adequacy of a records retention program or an organization's good will in implementing it. Thus, an organization will often find itself alleged (and those allegations ultimately judged upon) to have violated a duty that has never been previously articulated.

The process involved is not one of rational extension of existing doctrine and duty. Rather, any mistakes or omissions that can be proven or strongly implied by the opponent are characterized as the most nefarious of misdeeds. The correctness of the characterization is left in the hands of parties with little knowledge of the realities and complexities of modem information management, or the many potential pitfalls that await even the most diligent and law-abiding of parties. Thus, the duty arises ex post facto from the failure, rather than a failure arising from a pre-existing duty.

Evolving and Increasingly Complex Legal Doctrines

Most legal principles begin as relatively straightforward concepts. Over time, however, many become increasingly convoluted and full of exceptions. This is natural to some extent: as new factual situations come before courts, they sometimes find that a doctrine that previously applied equitably in all cases does not apply equitably in a new situation. Rather than force an unfair outcome, the court will sometimes carve out an exception to a doctrine. Over time, these exceptions may be fairly numerous.

Other factors are also in play. Litigants and attorneys, faced with the necessity of obtaining information from their opponents, often construct ingenious and convoluted arguments for the purpose of persuading a court or jury that a heretofore unknown duty exists and that the opponent breached that duty. The greater the departure from existing doctrine and duties, the more convoluted and ingenious the argument. Should the argument be accepted in whole or even in part by a court or jury, the result may well be a new doctrine that is a considerable departure from prior practice. Even when not urged on by litigants, courts may of their own volition create similar departures from past practice.

This progressive complication of the rules leads to unpredictable and often counterintuitive results. Consider the situation of a police decision to look through the closed curtains of a house in order to attempt to catch a suspected drug dealer red-handed. Such police activity is governed by the U.S. Constitution (Amendment IV, Clause 1), which provides that citizens shall be free of unreasonable searches and seizures. One might suppose that the police either may (because such behavior is reasonable) or may not (because it is unreasonable) look through the curtains. Yet this is not the case.

The extent to which the behavior of the police is reasonable or unreasonable depends upon who they see, or expected to see, when they looked (and thereby "searched"). If the person behind the curtains is the owner of the dwelling, there is an expectation of privacy, which makes the act of looking through the curtain an unreasonable search. If the person seen is not the owner (or a permanent resident), the question of whether the act was reasonable remains unanswered. If the person seen is a guest, the search might be unreasonable if the guest were an overnight guest but would be reasonable if the guest was there for a period that did not include an overnight stay, or if the guest were there for business rather than personal purposes.

Questions obviously arise: how can they know in advance who they will see and how do they know how long they intended to visit? What if they expect to see a visitor but see the owner instead? What if they see the owner and a visitor, both of whom are committing an illegal act? Is the search illegal with regard to one but not the other? What if the person is the owner, but the owner does not live there and is only visiting? The answer to all these questions is that what matters is not what the policeman did, but who was caught and who is seeking to have the search declared unreasonable. If the right person (for example a resident owner) was caught and seeks to have the search ruled illegal, he may win. The visitor will likely lose on exactly the same facts.

This state of affairs may seem ridiculous, but it is the law of the United States (Minnesota v. Carter, 97 U.S. 1147 [1998]). Writing a police department procedure manual based upon case holdings of this sort is, to say the least, a formidable challenge.

Case holdings in information management cases can be equally muddy. Consider Willard v. Caterpillar Corp. (40 Cal. App. 4th 892 [1995]). A plaintiff sued and won over an injury allegedly caused by a bulldozer manufactured by the defendant. Central to the plaintiff's case was the alleged improper destruction of engineering documents by the defendant. Rather than sue over the defendant's alleged negligence (the plaintiff's case in this regard was very weak), the plaintiff sued over the destruction of the documents themselves.

The documents in question were all more than 30 years old and had been destroyed at least 10 years prior to the injury and filing of suit. An appellate court threw the case out but did not say that a lawsuit over document destruction could not be prosecuted in that state. Instead, the court said only that these particular facts did not justify such a case. What facts might successfully overcome this objection the court did not say. Once again making the formulation of a policy that adequately addresses this state of affairs challenging.

In another case, a defendant was required to absorb an estimated $70,000 in costs related to locating and producing for its opponent a large number of documents from a corporate e-mail system (In re Brand Name Prescription Drugs Anti-Trust Legislation, 1995 U.S. Dist., LEXIS 8218 [N.D. Ill. June 13,1995]). The court concluded that production of documents from an e-mail system for an opponent was a foreseeable need and therefore the organization should have developed or purchased an e-mail system capable of meeting that foreseeable need. Thus, an organization must now ensure that its e-mail system is capable of organizing and retrieving information, not based upon its own needs, but upon the needs and wishes of as-yet-unknown opposing litigants.

In yet another example, two courts have ruled that e-mail created on a federal government computer system is a federal record, and that e-mail and the metadata surrounding e-mail must be preserved in original (electronic) format (Armstrong v. Executive Office of the President, 1 F.3d 127 11993]; Public Citizen v. Carlin, U.S. Dist. Ct. for Dist. Of Columbia, 96 CV 02840). Unfortunately, the courts declined to define "metadata" and articulated only the most general of statements as to the nature and extent of this newly found duty. The additional question of whether these duties will now or ever apply to state or private entities remains unanswered.

This scenario repeats itself in many other areas. New but vaguely formed and articulated duties and doctrines are created by legislatures and courts, leaving the bound parties in a serious quandary as to exactly what their response should be. This in turn invites litigants to formulate still more new duties in an attempt to gain an advantage in a lawsuit, which in turn results in more vague case law and more opportunities for litigants to take advantage of the vagueness. The result is an ever rising spiral of new duties, exceptions, and loopholes. The end result is often a legal doctrine imposing duties so convoluted and full of exceptions that the regulated party can have little confidence in the legality or resistance to challenge of any course of action.

New Technological Developments

Our increasing dependence upon new technologies also imposes upon us the hovering specter of new, unknown legal duties. For example, e-mail has become a favorite target for litigants seeking damaging evidence for lawsuits. As yet, however, an organization's duty with respect to managing and preserving its e-mail is not governed by any recognized legal standard. An organization using e-mail is left to develop its policies in the absence of such a standard (perhaps using as guidelines industry standards -- where they exist). The organization further risks the possibility that its policy will be alleged to have violated some duty or standard that in reality it could not have taken into account because, again, the standard was nowhere in place prior to the allegations in this case.

Similar conundrums exist in other areas. Does an organization have a duty to encrypt electronic communications? What about alleged misleading information on its Web site? The legal authorities have just begun to consider these issues and for now the answer is "no" (see Bibliography). However, current authority is in the abstract - expressions of general notions of duty. For example, nothing prevents a party from filing suit should an electronic communication be compromised due to lack of encryption, and alleging a duty to have done so. This in turn raises the question of what level of encryption satisfies that duty: 40 bit, 56 bit, 256 bit, public key, private key? These issues will all be decided by a judge or jury with virtually no understanding of the technical issues involved. Similar muddy waters await in areas such as intellectual property law, where the Internet and related technologies have raised issues never before contemplated.

Another example is the so-called "Y2K problem." Predictions on possible outcomes range from the cataclysmic ("There is a possibility we will lose all electrical power forever...") to a complete dismissal of the problem (de Jager 1998). The reality -- and legal liability - probably lies somewhere in the middle, but where no one is sure.

The Challenge

The future is a veritable thicket of unforeseen and unforeseeable issues. Furthermore, the complexity of that array of issues grows exponentially. This will increasingly be the case as time passes. The challenge facing records and information managers in the future is to somehow move forward in the face of situations for which there are no answers and often no inkling of any to come. This is not impossible. The legal maze can be managed by remembering a few general principles:

1. Legal duties rarely, if ever, go away. This is due to the simple fact that, once created, any duty inevitably produces a group of parties with a vested interest in the continuation of that duty. Those parties will vigorously oppose any dilution of the duty. This includes not only duties arising out of court decisions, but those arising out of statutes and regulations as well. Notwithstanding much ballyhooed efforts such as the Paperwork Reduction Act and the Presidential Downsizing of Government initiative, the Code of Federal Regulations has gotten larger, not smaller.

2. Legal duties spread to more and more obligated parties. As the benefits of a duty to some class of parties (e.g., government) becomes obvious, the motivation naturally arises to seek that benefit from as many parties as possible by placing the duty on as many parties as possible.

3. Legal duties become more complex and convoluted. Since a duty will not go away, the only way for an individual to escape it is to think of an exception. This eventually results in more complicated and convoluted duties.

4. New technologies give rise to new duties. There would be no duty to preserve e-mail metadata if there were no e-mail. And every new technology is an opportunity for a litigant to gain an advantage by discovering a new duty.

5. Many duties are discovered after the fact. Remember the McDonald's case where the woman was burned by a cup of coffee? A juror told the press "the coffee's too hot out there." There was no preexisting law or legal standard of any kind on coffee temperature, and the verdict provoked general amazement (1994). But that is how you learn the coffee is too hot - you get burned in court. Never mind the fact the plaintiff knew the coffee was hot, never mind that she was in a car with that cup of coffee held between her legs.

6. Duties are discovered by judges and juries, not experts or practitioners. Just as we are a nation of laws and not men, so are we a nation of citizens and not experts. The people sitting on a jury will surely be citizens and not experts - experts are kept off juries at all costs. Judges are lawyers - rarely have they done anything else.

The Response

The practical reality is that taking this hodgepodge of laws and court decisions and formulating policies and actions which successfully account for all of them is impossible. That is not to say, however, that a response is impossible. Although no such response will be foolproof, a skillful navigator can avoid most of the pitfalls. Again, there are principles to keep in mind:

1. Never read into a statute, regulation or court decision the interpretation most favorable to you. Look for the most unfavorable interpretation. That most favorable interpretation is very likely wishful thinking. The most unfavorable one is the one your opponents will use against you in court. Make sure you know how to address it - then you are ready for the worst.

2. Never explain anything in a way that requires an expert to understand. That expert will not be on the bench or on the jury. Those folks will be laymen so your explanation must make sense to them. This includes such things as policies and procedures.

3. If it would not sound good when read out loud in court, it needs to be reconsidered and rewritten. If this is not self-evident, read it again, slowly.

4. Never assume that a duty which could conceivably apply to you does not apply to you. Your opponents see it differently, and they may win.

5. Keep it simple whenever possible. More complexity means more mistakes and more opportunities for others to find inconsistency, vagueness, and other problems. For example, 500-page contracts get litigated a whole lot more than two-page contracts.

6. Don't overestimate the risk. The cases that make the headlines are the disasters. That's why we use them - they get our attention. The risks, the duties, and the burden are still there, but judges and juries, by and large, try to respond to the issues in front of them as reasonably as possible, and lots of allegations get nowhere in court. Chances are, if you act reasonably, you will not get seriously burned. The real risk is a steady ratcheting up of the total management burden, the cost of document production for litigation, and smaller sanctions such as fines. This translates into lots of stress and lots of money, but only in extreme cases does the company really go under.

So how do we respond? In some instances, worst-case planning is justified. That is, after all, what disaster recovery and vital records programs are all about. But even in those cases the amount of resources allocated to dealing with the worst case scenario must be carefully thought through and justified. On the other hand, all of those terrible statutes and regulations and court decisions are out there, and they really do apply to you. You can't ignore them because if you do you might be the next disaster mentioned in an article like this.

Think Ahead

By and large the answer is to take a reasonable middle course and reasonably document that course using plain, simple language. Having done that, do not expect an end of it. The number of pettifogging regulations will continue to increase as will the number of convoluted court decisions. Staying that middle course will necessitate continual readjustments in order to take these changes into account.

The prudent manager also will plan for some annoyance, inconvenience, cost, and ultimately losses. The course to be charted is not a straight one. It is like navigating a very crooked hallway blindfolded. Bumping the head on a wall every once in a while is to be expected. As long as the mistake in navigation is not so grave as to leave the navigator unconscious on the floor, the prospects for success are not significantly impaired by the bumps. And that is the real answer. If you are a large corporation, you will never win all of your lawsuits no matter what you do, and you will never totally escape fines and other penalties from regulators. This is a fact of life and must be planned for. What can be avoided are the egregious violations and the catastrophes and the major mistakes. Recognizing that typically the legal consequences are in proportion to the size of the violation, that minor infractions tend to produce minor penalties, the prudent manager will make the best possible effort and simply plan for the inevitability of those minor violations.

BIBLIOGRAPHY

Alaska Bar Ass'n Opin. 98-2, Colorado Bar Ass'n Formal Opin. 90 (1993), Illinois Bar Ass'n Comm. on Prof. Ethics Opin. 96-10, Iowa Formal Opin. 97-1, Kentucky Bar Ass'n Ethics Comm. E-403, North Dakota State Bar Ass'n Ethic Comm. Opin. 97-09, Vermont Bar Ass'n Comm. on Prof. Responsibility Opin. 97-5, South Carolina Bar Ethic Advisory Comm. Opin. 97-08, all deal with attorney responsibilities in the area of encryption of electronic communications.

de Jager, Peter. "Y2K: So Many Bugs...So Little Time." Scientific American Magazine. December 1998.

The Atlanta Journal-Constitution. September 13, 1994

ABOUT THE AUTHOR: John C. Montana, J.D., is Chief Records Brain at BrainCore, a records management consulting group headquartered in New Castle, Del. He assumed this position after nine years with Information Requirements Clearinghouse, a Denver, Colo. consulting firm, where he was associate editor and staff attorney. He has been actively involved in the development of Legal Requirements for Business Records and has provided consulting service in records and information management. He is also an active attorney in Colorado courts. Montana is a contributing editor for "Legal Issues," a regular department in The Information Management Journal. He holds a bachelor's degree in geology from Metropolitan State College of Denver, and a law degree from the University of Denver. He is a member of the Denver, Colorado, and American Bar Associations. The author may be reached at montana@csd.net.

Copyright Association of Records Managers and Administrators Inc. Apr 1999
Provided by ProQuest Information and Learning Company. All rights Reserved