Imagine the following: You wake up one morning to a flurry of activity in France, where regulators have raided your main sales office seeking documents and information regarding alleged kickbacks to a key customer. You are asked to turn over hard drives, backup tapes and access to your servers. A reporter from Le Monde picks up the story, and by the time the U.S. opens for business there is a story on WSJ.com. Your stock price falls throughout the day; by the end of the week a leading class action law firm has announced the filing of a securities fraud case. The Securities and Exchange Commission (SEC) asks for information about your global sales practices and accounting policies.
Suddenly, you are faced with a swirl of information demands and document preservation obligations. French regulators want to cart your computers away-but the SEC wants the information they contain. American plaintiffs' lawyers will want it as well, and there's no telling whether additional regulators or litigants will become involved.
In today's business, all information is electronic. Paper may have been heavy, hard to store, and time-consuming to review-but it was a tangible thing, easy to inventory, and it tended to be limited in volume, even in the largest cases. More importantly, identifying relevant documents for preservation or production was relatively easy: Either a document was in your possession or custody, or it wasn't, and if it wasn't, either you controlled the people who had it, or you didn't. Electronic communication has led to exponential increases in the amount of data that companies store, and the locations where the information is stored: desktops, laptops, servers, PDAs, BlackBerries™, smart phones, optical drives, thumb drives, iPods™ and more.
Unless you spend a great deal of time talking shop with your IT managers, you probably don't know how many e-mail or file servers your company uses. You probably don't know exactly where your electronic documents are stored, what happens to your e-mails after you delete them, or how frequently your company's servers are backed up to tape. Are you prepared for information discovery across borders? Do you understand how to preserve, collect and analyze data in a way that will meet the requirements of foreign as well as U.S. courts and regulatory bodies? Are you sure?
If you operate internationally, you must be cognizant not only of a patchwork of laws and regulations-many of which could conflict-but also of cultural differences that affect your response to requests for electronic information.
The initial stage in any litigation or regulatory effort is to ensure preservation of relevant materials. But an international scope makes this far more complicated than just issuing a directive to employees to stop deleting e-mails or drafted documents. You need to know where information is located, how it is stored, when it is backed up, and whether backups are rotated or destroyed. Automatic deletion or rotation policies mean that if you do nothing, you may lose files that are subject to a regulatory or litigation request.
Data collection also is far more complicated in an international context than in a purely domestic one. Local laws may prohibit an employer from searching employee e-mail files. As a cultural matter, most Americans are accustomed to the idea that an employee's computer and e-mail account belong to the employer. Outside of the U.S., the cultural understanding is frequently just the opposite: An employee's computer and e-mail account are considered private, and it may be a criminal offense to invade that privacy. Collection of data outside the U.S. may be seen as coercion by an employer, and it may lead to labor union grievances or complaints.
Once the information is collected, getting it reviewed and produced to a U.S. regulator or litigant is also no simple matter. Data privacy and blocking statutes in Europe, Asia and South America may forbid the transfer of personal data outside of their borders to an "unprotected" jurisdiction like the United States-and personal data include names, e-mail addresses and office phone numbers. Indeed, special procedures may be required before individuals outside a company-including the company's outside counsel-may review the data. And local laws may dictate that only data specifically responsive to a request may be exported, requiring counsel to review materials locally rather than shipping them to the U.S. to one centralized location, as is normally done in U.S. litigation.
Do not expect, however, any sympathy from U.S. regulators or plaintiffs' lawyers. U.S. regulators are skeptical of data protection laws and may take the view that international companies hide behind them to avoid cooperating with the regulators' investigations. U.S. courts may not be more understanding. The Supreme Court has held that U.S. discovery rules presumptively apply in civil litigation involving an international company, even if producing data in response to a discovery request would be unlawful in the international company's host jurisdiction.