The Rule 37(e) Safe Harbor Protects Organizations from Sanctions
Did you know that Federal Rule 37(e) can really protect your organization from court sanctions?
The Rule 37(e) “safe harbor” provision shields organizations from sanctions when the ordinary, good faith operation of their automated computer systems causes email, archival data and other electronic information to be overwritten and destroyed. Not without its critics, the safe harbor has empowered numerous litigants to defeat sanctions motions.
Those who have followed best practices for information governance have had the greatest success invoking the safe harbor’s protections. Such practices include establishing and observing document retention policies. The Kermode v. University of Mississippi Medical Center (S.D. Miss. July 1, 2011) decision is instructive on this issue.
In Kermode, the defendant university defeated a sanctions motion due to its effective email retention policy. The university implemented a retention policy that kept emails for 60 days, after which the emails were overwritten and destroyed. Pursuant to that policy, various emails that plaintiff argued were relevant to his wrongful termination claims were deleted. Sanctions, however, were not warranted because the emails in question were overwritten before the duty to preserve was triggered. Because the university followed its retention policy, it reduced a stockpile of email, made relevant documents unavailable for discovery and was still protected from sanctions under Rule 37(e).
The Kermode decision follows on the heels of the Viramontes v. U.S. Bancorp (N.D.Ill. Jan. 27, 2011) case from earlier this year. Just like the university in Kermode, the safe harbor protected the defendant bank in Viramontes from sanctions due to its effective information governance procedures. Please see a post from our blog earlier this year that describes that case and details those procedures.
As both the Kermode and Viramontes cases show, organizations can get information governance right. By faithfully observing a reasonable retention policy and then modifying aspects of that policy when required, an organization can confidently delete superfluous data in a manner provided by law. An organization which follows best practices for information governance will thus retain information that must be kept for business, legal or regulatory purposes – and nothing else.