PotreroHill

Legal hold, eDiscovery: device or data

I'm being asked to hold on to laptops of employees after they leave. The rationale is that, in the event of legal issues, the claimant's lawyer might "ask for the laptop". I've suggested we turn over only data; if our internal policies support only turning over data, any claimant's lawyer has no justification for demanding 'the' laptop the employee used. We have policies and procedures in place, we do not back up employees' laptops, and we operate with SaaS infrastructure. All data is supposed to be stored in our cloud service provider.

I work in California; laws here, especially labor laws, tend to be more employee focused than other states, and thus precedent may be different. The company is a start-up in SF with ~150-160 employees.

For those of you in IT, or even law, with experience on IT policies and retaining data, inclusive of format, what is your experience with this and what was the justification for the outcome that drove your policy?

Thanks!
Russ Suter

Your policies and procedures should have this spelled out very clearly. You need to make sure that you have the following items in place:

1. What is the data retention period? It should be finite.
2. What are the mitigating circumstances for extending the retention period?
3. What is the method of securing the stored data?
4. What is the method for data disposal once the retention period has lapsed?
5. What are the audit procedures for verifying all of the above?

If a former employee later has a claim and the lawyer asks for the laptop, it falls within or without the retention period. If it falls outside the retention period and has been disposed of in accordance with company policies AND those policies are consistently maintained and enforced, then that's pretty much the end of it.

Ultimately, the laptop, and ALL data contained thereon are the property of the company. The company is generally under no obligation to retain the data on behalf of any 3rd party unless they are under a contract stating otherwise.

Saving the whole laptop seems a bit excessive and a waste of resources. Backing up the data, imaging the hard drive, or even physically replacing the hard drive are all viable alternatives which will free up the resource (the laptop) for immediate future use.
We generally back up all critical data and email, verify the backup and then format the computer and reinstall Windows.
You should look up the record retention requirements for California. Most of it applies to employee records and employee payroll records. There are additional rules for Sarbanes-Oxley if you fall under its purview. There generally isn't a requirement to keep the employee's entire laptop, just the data they've stored on it.
https://www.management-advantage.com/products/retainrecords.htm
https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

Holding on to the entire laptop is excessive. Worst case is you keep the hard drives and keep one spare laptop model for each generation of laptop type that your disks booted from. I suspect that copying the laptop disk is sufficient to maintain data integrity.
Are they the company's laptops or their personal laptops?
PotreroHill (ASKER)

@Russ I think that's the point, 'laptops' don't fall within data retention policy unless they are explicitly called out, it's about the data, not the asset it lived on. And that's what I'm trying to educate folks here about

For our company, all our data is in the cloud, and users aren't supposed to be keeping 'data' on their laptops; we don't even back them up.
There is a precedent case in NY where the defendant (company) was aware there may be litigation and the court ruled against them, saying they should have had a reasonable idea that this data would have been needed, even before they were served notice of the lawsuit. But holding a laptop aside after a termination presumes you suspect you may have done something wrong... and that speaks for itself.
users aren't supposed to be keeping 'data' on their laptops; we don't even back them up.

You can still take the laptop, back off any data that is there, format it and install Windows again.
ASKER CERTIFIED SOLUTION
Scott Carlson

This solution is only available to members.
One or more of the above answers must have given the author enough information to make a determination. There's lots of good information here. Closing the question without giving anyone credit is not an acceptable resolution.
https:#a41672197; https:#a41672269; https:#a41672527 and http:#a41695235 are all decent answers here.
We are a Mac house, all drives are encrypted, and we use only SaaS services, specifically instructing users to save all important work on Google or Dropbox. All laptops are wiped, without decryption, and re-imaged prior to redistribution.
Recalling a laptop already released into the user pool under such conditions is futile, and our best practices specifically instruct users to save all work files in 'the cloud'. Legal insisted on recalling the laptop from the user it was re-provisioned for, saying they would use it as proof of bad faith that the original owner deleted all files before returning it.
If called to testify, I'll have to say the real issue was allowing an involuntary termination to go back to their desk, access their laptop, and possibly delete its contents. I cannot say definitively if they were malicious and deleted files or attentive and stored everything in 'the cloud' as instructed.

Eventually I was able to compromise with the Exec Team: we decided involuntary term laptops would be held for two weeks before redeployment, and for any position Director or over, I would image the laptop and retain it per our retention policy.