For most companies, it is among the worst things that could happen: a lawyer's letter lands on the managing director's desk informing them that a disgruntled customer, a former employee with a grudge or a regulatory authority seeking to enforce labyrinthine mandates, intends to take the company to court.
The pressure is now on to assemble evidence – and quickly. But in many cases, that evidence is not held in paper files, but in a myriad of electronic formats: emails, human resources or customer management systems, scanned-in faxes and application forms.
Most companies recognise the importance of securing the confidentiality, integrity and availability of these communications as part of a corporate-wide records management strategy. But many are confused as to what extent they will be accepted by a court of law as irrefutable evidence that the company was in the right all along.
"Rejection of a company's electronic documents by a court can have a crippling effect on the company's legal case," says Sanjay Bhandari, a lawyer at Baker & McKenzie.
In determining the admissibility of a document, he says, expert legal opinion has relied on the ‘best practice rule', meaning that a court will give most credence to the best evidence available, such as original documents or oral testimony.
Evidence that is not original – for example, a printout of an electronic document or a scanned-in version of a paper original – is considered more remote and is thereby classified as ‘hearsay'.
There are a number of reasons for that. Unlike traditional paper copies, surreptitiously altering electronic documents is relatively simple. Furthermore, malicious intent is not necessary to damage data, which is at the mercy of the programming of that company's computer system.
|
||
That does not mean, however, that electronic documents cannot be used as evidence, says Bhandari. In fact, the Civil Evidence Act of 1995 changed the common law rule that hearsay evidence is not admissible in proving the truth of an argument. Section one of the Act provides that "evidence shall not be excluded on the ground that it is hearsay", provided that reasonable notice of a party's intention to rely on the hearsay is given.
That, explains Bhandari, involves the accused party's lawyers filing Civil Evidence Act Notices prior to the court date – and means that electronic evidence is likely to be taken more seriously by the court. "Generally speaking, in civil cases, lawyers are not dealing with issues of liberty, so the burden of proof is lower when it comes to hearsay evidence," he says.
However, in criminal cases, he adds, hearsay evidence is likely to be scrutinised much more closely. For that reason, companies need to think hard about keeping at least some of their documents in their original paper format.
Evidential weight
If an electronic document is considered admissible, the next question surrounds its evidential weight – the value a court will place on the information presented to it, alongside surrounding corroborative evidence that can convince it that a document is what it purports to be.
With that in mind, companies need to ensure that electronic records are captured, stored and managed in such a way as to maximise their evidential weight.
The principles behind evidential weight are relatively straightforward: That a company is able to demonstrate the authenticity and reliability of electronic records.
There are two main elements to this. First, that it is possible for systems to ‘freeze' a record at a specific moment in time; and second, that a documented audit trail is maintained.
‘Freezing' means that from a specific moment in time, no further changes to the contents of a file are permitted – for example, from the time when a word-processed document is stored. An audit trail, meanwhile, provides supporting information about the records that are being stored.
"A court may reject anything presented as evidence if the associated audit trail information is either incomplete or contradicts the information itself. If they don't reject it outright, they may only accept it with a greatly reduced weight, equivalent to a greatly increased doubt," says Bhandari.
That supporting information should include : author's name; the date the document/record was stored; the names of anyone who has accessed or made changes to the document; details of the changes made to the document and version control; details of movement of the document from medium to medium and from format to format; the authentication measures used when the file is moved; and evidence of the controlled operation of the system in which the document is stored.
That is a complex task but there is plenty of guidance available. In particular, the British Standards Institute (BSI) has issued a code of practice on the legal admissibility of electronic records, called BIP 0008.
Previously known as PD008, the code underwent a significant review in 2004 to assist understanding of compliance requirements such as the Freedom of Information Act and the Data Protection Act. It also now includes case study material from recent implementations.
In addition, the rewritten code takes into account improvements and enhancements to electronic document management (EDM) systems. While compliance with the code does not guarantee legal admissibility, it does define the best practices that are most likely to influence a court in the defendant's favour.
BIP 0008 applies to organisations in both the public and private sectors. But for certain kinds of organisations, there is added pressure. For local authorities to comply with the Freedom of Information Act, for example, the Lord Chancellor's Department (the Depart-ment of Constitutional Affairs has issued a Records Management Code of Practice that states: "Authorities should seek to conform to the provisions of BSI's BIP 0008 – especially for those records likely to be required as evidence."
In the financial services sector, meanwhile, Basel II obliges banks and insurance companies to identify and define operational risks – and admissibility and evidential value of electronic documents falls within its scope.
The issue of managing operational risk is reliant on formulating a set of policies and procedures, best described as operational protocols, designed to curtail any factors that would call the credibility of a company into question.
"In light of that, compliance with BIP 0008 would enable companies to demonstrate the authenticity of their electronic documents and reduce the risks of a challenge by the opposing party in litigation," says Reem Shather, a lawyer at Faegre Benson Hobson Audley.
BIP 0008 may only be a starting point for legal admissibility, but it will likely prove "good enough" in most cases, says Lars Davies, a senior research fellow in computer law at Queen Mary and Westfield College at the University of London and chief executive of Kalypton, a company specialising in electronic documents and compliance technologies.
"It's my experience that the side that can demonstrate the most certainty as to the source of its information will win a case, because the judge will direct more questions their way. They will certainly be held to be more reliable, so even if their case is found wanting, that may go some way to mitigating losses," he says.
But there is no time to waste, he adds: "Waiting for a court battle to arise is insane: Why find out what you should have done when it's too late?" "If a company can demonstrate that they have started to tackle the problem, then the courts will look more benevolently on them," he says.