
Computer Law & Security Report Vol. 18 no. 5 2002 ISSN 0267 3649/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved


Data Retention Policies After Enron

“…an unparalleled initiative was undertaken to shred physical documentation and delete computer files….. A systematic effort was also undertaken and carried out to purge the computer hard-drives and email system of Enron-related files”.[1] This was the claim made by the Department of Justice against Arthur Andersen, LLP, auditor of the bankrupt energy company Enron. Andersen hotly contested this and the other allegations made against it, claiming that the indictment was “wholly unsupported by the facts”.[2] The jury disagreed and on 15 June 2002 found it guilty of obstructing the course of justice. This article explores the impact of the case on data retention policies under UK law.

DATA RETENTION POLICIES AFTER ENRON
DAMNED IF YOU DO, DAMNED IF YOU DON’T? A LOOK AT DATA RETENTION POLICIES IN THE AFTERMATH OF ENRON
Rowan Middleton, Herbert Smith, London

1. INTRODUCTION

A key factor in the jury’s decision centred upon the contents of an internal email from Nancy Temple, in-house counsel for Andersen, to David Duncan, a former Andersen partner. The email concerned suggested changes to an internal file memo regarding the differences between Andersen’s and Enron’s treatment of Enron’s third quarter earnings release and includes a recommendation that Mr. Duncan delete “..some language that might suggest we have concluded the release is misleading”.[3] Somewhat paradoxically, Mr. Duncan – who was allegedly one of the main figures behind orders to destroy evidence within the company – kept the original memo, the revised draft and the incriminating email and handed everything over to the prosecutors. It is expected that Andersen will appeal the verdict.

Another recent high profile case involving document destruction was that of McCabe v BAT.[4] The trial judge, Justice Eames, ruled against BAT stating that the company’s document destruction policy made a fair trial impossible. The case is an interesting one, particularly due to the judicial criticism of the role that BAT’s Australian solicitors had to play in the fiasco.

It was not document destruction but document retention that played a key role in the verdict against Microsoft in its anti-trust case. During the trial, a number of extremely embarrassing and incriminating emails came to light, including one sent by Bill Gates on 8 August 1997 to Paul Maritz and other Microsoft executives, asking “Do we have a clear plan on what we want Apple to do to undermine Sun?”[5]

Yes, it’s fair to say that the issue of data retention has been thrust very much into the public eye recently. So what is a company to do? Should everything be deleted as soon as possible?

No – this is not permissible or practical due to legal and business obligations, which mean you have to keep certain types of data for a minimum length of time. Also, retained data can often be used to defend the position of the company, or even to establish its innocence.

On the flip side of the coin, retaining everything on the “just in case it might be needed later” mentality is also to be avoided for a number of reasons: it is not efficient and it can lead to too much data being stored, which is expensive (in terms of storage and back-up arrangements).

More importantly, once a civil action has been initiated, the court will typically issue an order for what is termed “standard disclosure” pursuant to the English Civil Procedure Rules (which are applicable to all proceedings in the county courts, the High Court and the Civil Division of the Court of Appeal). This means that all documents upon which either party to the proceedings will rely in order to defend its own position, all documents which adversely affect that party’s own case, which adversely affect another party’s case, or which support another party’s case, and those documents which the party is required to disclose by a relevant practice direction must be disclosed to the other party or parties in the litigation.[6] “Disclosure” is defined as making the other party aware of a record’s existence, and the party to whom a document is disclosed is generally entitled to inspect that document. “Document” is defined under the rules to mean “anything in which information of any description is recorded”,[7] in other words it will include all paper records but also data stored on any other media – from emails to voicemail messages. Accidental retention of “smoking gun” type evidence, which could resurface years later and cause damage to the company, is therefore something you very much want to avoid for your company.


However, if a company is worried about potentially prejudicial documents, their destruction may actually worsen its position in a litigious situation. In order to give standard disclosure, each party must make a reasonable search for these categories of documents[8] which are or have been in that party’s possession or control.[9] So, a disclosable document may still need to be listed even if it has been destroyed, and one must also then explain what has happened to those documents which are listed but no longer in the party’s possession or control.[10] The disclosure list also contains a disclosure statement which sets out the extent of the search made, certifies that the signatory understands the duty to disclose documents and certifies that, to the best of the signatory’s knowledge, that duty has been carried out.[11] To sign such a statement without an honest belief in its truth could be considered to be contempt of court.

A position between the two extremes of “destroy everything as soon as possible” versus “keep everything just in case” is what is required, and this involves a complicated balancing act. Your document retention policy should seek to do just that: balance the different factors and minimize the potential risks to your company.

2. WHAT IS A DATA RETENTION POLICY?

There are three main types of data which are valuable to businesses:
• Corporate data – this category includes information relating to the services or products you currently produce, research and development information etc;
• Customer & supplier data; and
• Employee data.

A data retention policy is one which deals with the issue of maintaining these different categories of information which are in a company’s possession for a pre-determined length of time, how to destroy data once it has been retained for that length of time and procedures for handling all types of data in the case of litigation.

Different types of data must be retained for different periods. This may be due to regulatory requirements, business requirements (contractual or business continuity reasons) or liability requirements – archived data can be used as evidence to establish guilt or innocence. This article does not deal with industry specific data retention regulations and legal requirements. Nor does it deal with data retention obligations in relation to tax or auditing. Instead it focuses on the main statutory controls which apply to all industries and which are highly relevant when constructing a data retention policy.

3. LIMITATION ACT 1980

The Limitation Act 1980 provides for general periods within which an action must be brought, but there are exceptions to this when the period may be substantially longer. The Act does not require documents to be retained, but in order to successfully bring, defend or commence an action during this period, it will be necessary to have available all relevant documents. The periods set out in the Act are therefore a highly relevant consideration in deciding upon document retention policies. Some of the limitation periods which are likely to be relevant to most companies include:

• Actions in tort, e.g. negligence. The general limitation period is six years from the time the cause of action accrued, i.e. the time at which the damage was suffered.[12]

However, section 14A provides a special time limit for negligence actions where facts relevant to the cause of action are not known at the date of accrual. It prevents the bringing of such actions after six years from the date on which the cause of action arose or three years from the date on which the claimant knew or ought to have known of the facts, whichever is later. Section 14B provides an overriding time limit of 15 years from the defendant’s breach of duty.

• Actions in contract. An action on a simple contract (which includes debt) should be brought within six years of the date on which the cause of action accrued, i.e. the breach of contract.[13] An action on documents executed as a deed should be brought within twelve years of the date on which the cause of action accrued.[14]

• Money recoverable under statute – the limitation period is six years unless the statute deems the action to be an action on a deed, in which case it will be twelve years.[15]

As stated, the limitation periods set out under this Act, and indeed under other statutes, only serve to provide a guide and, frequently, the Articles of Association of a company will set reduced periods for which cancelled share certificates, notifications of changes of addresses etc. and instruments of transfer should be kept. When these periods have expired, the document in question may be destroyed if the company has no notice of a claim concerning the subject of the document.

4. COMPANIES ACT 1985

Section 222 Companies Act 1985 (as amended) provides that accounting records of the Company[16] (including the records of the assets and liabilities of the Company, its stocks, sales and purchases, and its day to day expenditure) must be kept for six years from the date on which they were made in the case of a public company or for three years in the case of a private company. Section 352(6) of the Companies Act states that a member’s record can be removed from the register 20 years after membership ceases.

Section 450 of the Companies Act states that an officer of a company who destroys documents relating to the company’s affairs is guilty of an offence and liable to imprisonment or a fine or both.

5. THE DATA PROTECTION ACT 1998 (DPA)

Customer, supplier and employee data will consist almost entirely of personal data, as defined in the DPA. Corporate data may also contain personal data and so issues of data privacy are therefore highly relevant. The DPA is the principal piece of privacy legislation in the UK. It has a very wide-ranging scope and provides data subjects with certain protections and rights with respect to their personal data.

Data controllers are generally obliged to comply with eight data protection principles which are set out in Schedule 1 of the DPA. All of the principles are relevant for data retention purposes (since merely holding data constitutes “processing”, as defined in the DPA, and the principles apply to all personal data that is processed). However some of the principles are more relevant than others:

• Data preservation is a key part of the data retention policy and the business continuity plan, but it is also necessary in order to comply with the seventh data protection principle, which provides “appropriate technical and organizational measures must be taken at all times against unauthorized and unlawful processing and against accidental loss, destruction or damage of personal data”.

• Paper documents kept in manual storage systems tend to be filtered and edited so that only those which are essential are kept – one of the main reasons this is done is due to the constraints of physical storage space and the associated costs. In contrast, electronic storage media continues to increase in capacity. It is therefore all too easy to instinctively click “save” to store electronic records, with the mindset that it should be saved “just in case it’s needed later”. The third data protection principle will be breached if personal data stored is irrelevant and excessive as compared to the purpose or purposes for which it was originally collected and processed.

• Data must not be kept longer than is necessary. To do so would be in breach of the fifth principle (data must not be kept longer than is necessary), the first principle (it would not be fair and lawful in the circumstances) and possibly the fourth principle (data must be accurate and where appropriate kept up to date – obviously the longer data is kept, the less likely it is to be accurate). This obligation will obviously be of prime importance when considering data retention policies and data storage facilities. What term is appropriate to retain the data will depend on the type of data, the purposes for which it was originally obtained and for which it continues to be held. For example, certain regulatory requirements apply to the type of data held by financial institutions. Under Financial Services Authority Rules, accounting records and financial reports, together with details of internal control procedures, should be kept for six years. Generally, transactions involving client money, bank reconciliations and details of custody of documents of title in possession or control of the financial institution should be retained for three years. Different data retention periods will be appropriate for other types of data.

Although breach of a data protection principle is not of itself a criminal offence, it may lead to enforcement proceedings being taken by the Office of the Information Commissioner (OIC) which polices and enforces the DPA in the UK. Details of enforcement notices are published on the OIC’s website[17] as well as in the Annual Report, which will result in negative publicity for offenders. Failure to comply with the terms of an enforcement notice will constitute an offence and may result in the initiation of criminal proceedings.

A director, manager, company secretary or other similar corporate officer may also be liable for criminal prosecution for the same offence as the company if the offence was committed either due to their negligence or connivance.

6. ANTI-TERRORISM, CRIME & SECURITY ACT 2001 (ATCSA)

Introduced as a result of the events of September 11 last year, the ATCSA provides increased powers to law enforcement agencies. Part 11 of the ATCSA contains provisions enabling the Secretary of State to issue a code of practice in relation to the retention of communications data by communications service providers, such as telephone and internet companies. Communications data is data relating to telephone, Internet and postal communications which does not include the substance of the communications itself. The code of practice was due for release this month but has been postponed due to controversy. The government’s intention is to use the new code to increase the period of data retention by communications service providers. This will provide a greater pool of data to the UK’s crime and security forces in order to help tackle terrorist funding.

7. THE INTERNATIONAL INFLUENCE ON DATA RETENTION: PRIVACY DIRECTIVE & THE CYBERCRIME TREATY

The draft Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (the Privacy Directive) was approved by the European Parliament on 30 May 2002. It is likely this version of the text will be adopted by the Member States in the next couple of months (although it has to receive formal approval from the Council, it is unlikely that the text will change substantially, if at all). The latest version of the text provides that the Privacy Directive will have to be implemented into national law within 15 months of its adoption.

Article 15(1) enables Member States to adopt national legislation which permits traffic, location and other communications data to be retained for periods longer than is strictly necessary for the provision of the service where this is a “necessary measure to safeguard national security (i.e. State security) defence, public security or the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communications system”, although such additional retention periods “must be in accordance with the general principles of Community Law”. The Council of Europe’s Cybercrime Treaty, which was opened to signature on 23 November 2001,[18] contains similar provisions in its Articles 20 and 21.

The writer’s view is that this is all illustrative of what is to come – more data retention and legislative controls are certain (with increasing obligations being imposed most notably on communications service providers and financial institutions). Drafting a data retention policy will therefore not be enough – the company will have to monitor new legislative developments and ensure that any additional obligations imposed by law or regulation as regards data retention are accurately and effectively incorporated into the corporate policy.

8. INFORMATION TECHNOLOGY – CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT: ISO 17799

It is also worth briefly mentioning certain codes of practice which will be a useful reference point to companies considering the issue of data retention and data storage. Initially produced by the British Standards Institute,[19] this code of practice has been adopted by the International Organization for Standardization. It sets out suggested rules on the keeping of documents electronically, and although these are not legally binding, the guidelines are widely recognized as being the industry standard as regards best practices in information security. They provide, for example, that the task of storing documents on computer (whether by scanning documents or otherwise) should be allocated to various individuals, each fully responsible for his/her assigned tasks.

The British Standards Institute has also published a code of practice which provides guidance on the operation of electronic document management systems.[20] The main purpose of this code is to ensure that documents stored electronically are admissible in the English courts and that due weight can be attributed to their authenticity and integrity. Again, these are not legal guidelines but they do set out a sensible and practical regime which companies would be well advised to consider when drafting their document retention policies and considering storage facilities and procedures.

9. SCOPE OF THE DATA RETENTION POLICY - WHAT SHOULD IT COVER?

A data retention policy should cover all records, regardless of where they are located, i.e. whether copies exist on a company asset (PC, laptop etc) or on a personally-owned electronic device (hand-held personal organizer, home computer etc).

In addition, the same policy should apply to all formats and media; otherwise you run the risk of confusing your staff as to which policy is applicable. For example Joe Bloggs, a database administrator, has the task of dealing with legacy records. He has been given various data retention policies - one for electronic documents which states they must be kept for two years, one for manual documents which states that they must be kept for three years and one which deals with records depending on their subject matter (“standard administrative records” are to be kept for one year and legal records are to be kept for six years). He comes across a bulky manual record which is 65 pages long and deals primarily with administrative matters. Right at the end of the document is a short sentence asking one of the line managers something about health and safety in connection with the packaging which the furniture is wrapped in. Which policy applies? What should he do?

This example highlights the dangers of having a policy which is not totally clear and easily understood by staff. In all cases, it should be obvious what the correct procedure is. So what information should the policy contain? The following list contains the suggested basics:
• the purpose of the policy;
• who is affected;
• the type of data and media;
• the systems covered;
• make sure that key legal and technical terminology is defined;
• outline requirements from both the legal and business perspective;
• describe records that must be retained (give examples where there could be difficulties);
• clearly set out the different record retention periods;
• explain exceptions to retention periods and how to extend/when they should be extended. In this section, highlight the litigation exception. Litigation overrides the usual document retention periods. All records which may be relevant for litigation must be retained regardless of the fact that under the applicable part of the retention policy they should ordinarily be destroyed;
• detail the procedures that must be followed in order to ensure records are properly retained;
• detail the procedures that must be followed in order to ensure records are properly destroyed; and
• explain whom staff should contact to get additional information if they are unsure as to whether records should be retained or destroyed.

Certain documents should never be destroyed if they are in original format, such as Board Minutes, documents under Seal, stamped documents, documents of title, documents which require registration with any government or quasi-governmental authority and documents relating to legal proceedings.

If litigation is likely (but not yet pending), then documents should still be retained, as deliberately destroying relevant documents would result in adverse inferences subsequently being drawn by a court and (potentially) committing the offence of obstructing or perverting the course of justice.

If an action is already in progress then all relevant documents should be retained until the proceedings are finally disposed of (including by way of appeal) - destruction of any such documents could be contempt of court and/or lead to the claim/defence being struck out.

10. STAFF TRAINING

The data retention policy will, of course, be redundant if staff are not aware of it – it should be included on the corporate intranet, be provided to all new joiners, and staff should be regularly reminded of its existence and that they are expected to comply with its terms as part of their job description. Staff should also be trained to understand what the provisions of the policy will mean in practice to them.

11. CONCLUSION

It is clear that in order to comply with regulatory and legal obligations imposed on companies, and in order that a business may defend its position in all respects (help establish ownership of intellectual property rights, store information which may help to provide a competitive advantage over its competitors, help defend claims raised against it, help substantiate claims which it is instigating etc.), a data retention policy is necessary. Getting the content of the policy right is a balancing act, and one that should be undertaken in co-ordination with the key departments in the business, not just the legal department alone.

An effective policy will help to protect the company’s position not only from a legal perspective, but it could also help to save it money by maximizing the benefit of its existing records storage space.

Rowan Middleton, Solicitor, Information Technology/E-commerce Group, Herbert Smith
email: <[email protected]>
© Herbert Smith 2002


FOOTNOTES

[1] United States of America v Arthur Andersen, LLP, indictment by the Grand Jury of the United States Southern District Court of Texas, 14 March 2002. A copy of the full indictment is available at: <http://news.findlaw.com/hdocs/docs/enron/usandersen030702ind.html>.
[2] “Updated analysis on the Justice indictment of Andersen: the government’s factual and legal errors”, a background paper from Andersen’s legal team dated March 15 2002 (copy available at: <http://www.andersen.com/Website.nsf/Content/MediaCenterBackgroundDocument!OpenDocument&highlight=2,justice,indictment,of,ersen>).
[3] Email memo from Nancy Temple to David Duncan dated 16 October 2001, available from: <http://news.findlaw.com/wp/docs/enron/tmpl2dunc101601eml.pdf>.
[4] Rolah Ann McCabe v British American Tobacco Australia Services Limited, 22 March 2002, Supreme Court of Victoria. The order of the court can be found at: <http://tobacco.neu.edu/Extra/hotdocs/McCabe.pdf>. Further information can also be found at: <http://www.ash.org.uk/html/conduct/pdfs/mccabesumlong.pdf>.
[5] Government Exhibit 265 – quoted in deposition of Bill Gates, the text of which is available at: <http://www.usdoj.gov/atr/cases/f2000/2051.htm>.
[6] See Rule 31.6.
[7] Rule 31.4.
[8] See <http://www.lcd.gov.uk/civil/procrules_fin/word/practice_directions/pd_part31.doc> for the Practice Direction regarding CPR 31.
[9] Rule 31.8.
[10] Rule 31.10(4)(b)(ii).
[11] Rule 31.10(5) & (6).
[12] See section 2.
[13] See section 5.
[14] See section 8.
[15] See sections 8 and 9.
[16] Defined in section 221.
[17] <http://www.dataprotection.gov.uk>.
[18] <http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185>. The UK signed on the 23 November 2001, but no country has yet ratified the Treaty.
[19] BS ISO/IEC 17799:2000, BS 7799-1:2000, as amended. For further information see: <http://www.iso17799-web.com/>.
[20] “Code of practice for legal admissibility of information stored on electronic document management systems”, BSI/DISC PD0008.

BOOK REVIEW

The Advanced Encryption Standard
The Design of Rijndael-AES – the Advanced Encryption Standard by Joan Daemen and Vincent Rijmen, 2002, hard-cover, Springer, 239 pp. EUR 39.95; GBP 28.00; US $44.95, ISBN 3 540 42580 2.

Rijndael was a surprise winner of the contest for the new Advanced Encryption Standard (AES) for the United States. This contest was organized and run by the National Institute of Standards and Technology (NIST) commencing in January 1997. Rijndael was announced as the winner in October 2000. It was regarded as the “surprise winner” because many observers had expressed skepticism that the US Government would adopt as an encryption standard any algorithm that was not designed by US citizens. This book is the story of the design of Rijndael as told by the designers themselves. It outlines the foundations of Rijndael in relation to the previous ciphers that the authors have designed. It explains the mathematics needed to understand the operation of Rijndael and provides reference code and test analysis for the cipher. It also provides justification for the belief that Rijndael is secure against all known attacks. The book introduces the “wide trail” strategy for cipher design and explains how Rijndael derives its strength from applying this strategy.

Available from Springer-Verlag, Haberstraße 7, D-69126, Heidelberg, Germany. Tel: +49 (0) 6221 345 0. Fax: +49 (0) 6221 345 229. Email: orders@springer.de.
