WHY SHOULD BANKING PROFESSIONALS AND LAWYERS BE INTERESTED IN BACKUP TAPES?
Tony Dearsley, Head of Computer Forensics and Orion Wisness, Disclosure Services Consultant at Kroll Ontrack
Email has become the corporate memory
Why should legal or other professionals involved in the financial world worry about backup tapes? Surely backup tapes are to do with data storage and something for the IT department to worry about – and haven’t they gone out of fashion anyway now that the cloud has taken off?
This seems like a reasonable response, until an investigation or litigation is on the horizon. Then suddenly historic data becomes potential evidence and where and how it is stored, and how accessible it is, becomes mission critical.
As the court noted in Earles v Barclays Bank Plc, ‘‘It’s not realistic to expect human beings to remember with any reliability what they said three years ago about run of the mill business transactions.’’ For most companies email has become their ‘‘corporate memory’’ and it is usually permanent and retrievable. Email is often targeted in civil litigation because it provides immediate insight into the events that gave rise to a dispute and key documents are usually attached to emails. Email is always targeted in regulatory investigations such as the highly publicised investigations into alleged manipulation by banks of LIBOR and FOREX rates. It is also indispensable where there are allegations of wrong doing such as insider trading, bribery and corruption, misappropriation of client assets, data theft, fraud, and serious cartel activities). Since investigations and litigation often examine events in the past and due to limits in the size of mail boxes, relevant data has often been archived to tape. Backup tapes are therefore a source of evidence and always need to be considered when searching for electronic evidence
If tapes hold potentially valuable evidence and litigation is on the horizon then the legal obligation to preserve evidence needs to be considered as well. If evidence is missing you run the risk of losing a case and / or facing fines or other penalties from the court for not complying with your obligations to produce relevant evidence.
To have and to hold or face the wrath of the court
The question of preservation is very pertinent to companies facing ediscovery or litigation. All organisations need to evaluate systems and processes before the EU commission arrives on their doorsteps or a disclosure obligation in litigation arises. The reality of modern business is that everyday information is lost and this conflicts with litigation hold and preservation duties.
In Earles v Barclay Bank Plc,[ii] the central issue in dispute was factual—whether the Bank was instructed to make certain transfers either orally or by email. The Bank did not take steps to preserve phone and email records after litigation was anticipated. Telephone records and other documents recording instructions were not produced during pre-trial disclosure, which was described as a “gross omission.” An email account for a Bank employee was also not disclosed. The court noted that it was a “lame excuse” to say that he had retired, since steps should have been taken to retrieve electronic information from other back-up sources. The judge was critical of the way in which the Bank conducted its disclosure of documents, and stated that evidence should have been retained. As a direct consequence of its failure to efficiently disclose electronic documents that would have otherwise negated the need for trial procedures, the judge ordered a reduction of fifty per cent in the costs recoverable by the Bank.
The preservation process is, however, very challenging for companies. Serious problems have arisen as companies have tried to adhere to the preservation standard set out in the Zubulake v.UBS Warburg LLC litigation.[iii] According to Zubulake, if the duty to preserve is in any way bypassed, through accident or otherwise, that constitutes negligence per se and mandates sanctions. In more recent US cases such as Chin v. Port Authority of New York & New Jersey[iv] this trend has been reversed by applying a case-by-case approach, in which failure to preserve documents is one of multiple factors in the determination of whether to issue sanctions. Some of the changes currently being proposed to the federal rules of court in the U.S. are designed to address the challenges modern companies coping with big data face when addressing preservation. Under a proposed amendment to the preservation rules, in all but very exceptional cases in which a failure to preserve information “irreparably deprived a party of any meaningful opportunity to present or defend against the claims in the litigation” sanctions could only be employed if the court finds that the failure to preserve was wilful or in bad faith and that it caused substantial prejudice in the litigation. Accordingly, a negligence standard for sanctions relating to the destruction of evidence is explicitly rejected.
Even though the UK has not seen many preservation rulings, the issues experienced in the US are likely to become more prominent. Challenges around preservation are already arising in relation to some of the litigation surrounding the LIBOR investigation and other financial investigations. Banks and financial services companies in the UK do need to be prepared to put litigation hold policies in place and to have thought through the practicalities of preserving evidence stored on tapes when legal action is contemplated. This does not necessarily mean stopping the recycling of backup tapes if that would be impractical and disproportionately expensive but it does mean taking steps to agree with other parties on reasonable preservation parameters and steps to prevent the destruction of potentially relevant data
The tapes have not all disappeared into the cloud
Generally speaking, tape seems to be favoured by companies for long time archiving solutions and storage on disk and in the cloud for routine backups. An archive is created for long term storage of corporate communications and documents, often for a period of five to seven years or even longer depending on legal requirements, whereas a backup is created so that data, and therefore a business, may be restored in the event of a critical systems failure.
Structured archiving is not a mature discipline and is often based upon an ad hoc solution, for example, it may consist of retaining a copy of every routine month-end backup, kept at a specialist storage provider or in-house. Alternatively, it may comprise a targeted backup of specific information conducted every week, month, quarter, year (or even all of these options). Whichever approach is taken you will end up with a lot of tapes in storage.
Challenges retrieving data from tapes
There is a risk that a bank of financial institution will not be able to access the data on their tapes as quickly as they would like to when they need to, for example, when a regulator is asking for information.
Over the last seven years tape technology has continued to change and there are at least 20 physical formats of tape still in use, all of which require the appropriate hardware. Given the frequency of technology refreshes, it is highly unlikely that tapes from seven years ago can be read in your current solution. To add to this complication there are probably 20 software solutions used to write to the tapes, each with its own format. So you may be looking at choosing between 400 combinations of hardware and software to access the data. Having the correct equipment and knowledge of the software used is essential (and the latter is often missing due to a fragmented or incomplete approach to retention).
Of course, once you have the tapes and before selecting a recovery option, you need to identify which tapes go together as spanned sets. Very often tapes are not labelled or catalogued in any way or the catalogues and other tape lists, encryption keys and passwords used to secure data have been mislaid. Because it is not always necessary to restore all tapes in a collection it is can be extremely cost effective to work with external forensic specialists to catalogue the tapes and select only those required for restoration.
The expertise needed to respond to legal requests
Requests in litigation cases and from regulatory bodies and other investigators can be demanding and have stringent deadlines. So when the request arrives and you have 15 years of tapes to consider, what are you going to do? Hopefully the request will relate to a specific time period, but if you cannot identify the relevant tapes you may have to investigate all of them, causing delay in the response to the regulator and even the impression of non-cooperation.
Let us take a request for email for six data custodians in say 2007 and 2008 for a specific project. There are 24 monthly backups comprising five tapes each month; a potential restore and extraction of 120 tapes. In the case of Exchange server backups you need to know which server each individual was on and what the retention period was for deleted email at that time.
Many organisations do not implement email retention policies so the need for mailbox management by the individual is limited, thus there can be a very large amount of duplication of email across the time periods. It may be possible to examine one month’s tapes and from there determine a strategy for restoring others. Certainly when faced with these issues we have in some instances been able to mitigate the restores to three-monthly periods, which is 15 tapes instead of 120.
The starting point for handling any data that is on tapes is therefore to look at a company’s document retention policy and actual habits. Typically there is a need for an investigation into the tapes themselves and negotiation about the scope of the discovery request before any data is restored. This is essential if costs are to be contained and proportionate when weighed up against what is at stake.
Technology to cut through the data
The latest LTO6 tapes can contain a massive 6.25 terabytes of data and the prospect of trawling through enormous volumes of data looking for evidence is daunting. In the era of big data, there are fortunately sophisticated technologies that help companies target the data they need in legal proceedings. Data filtering technologies have been around for some time and rely on key word searching and other criteria to help reduce the huge universe of data to a manageable and relevant subset for review and production. Significant advances have also been made in document review technology. Companies and their lawyers can now leverage technology assisted review (TAR) to separate relevant data from irrelevant data more quickly and efficiently than review teams that consist only of humans, saving significant time and costs.
You can always bank on a good plan
Tapes are often a key part of any banking investigation or litigation. How to handle them should be considered not only in a bank’s risk management and information retention policy but also in a bank’s litigation response plan and in any subsequent case strategy. It also makes sense to keep a finger on the pulse of the latest technologies available and to consider whether these should be brought in-house or whether discovery needs should be out-sourced to experts.
-  EWHC 2500 (Mercantile).
-  EWHC 2500 (Mercantile).
- There were five Zubulake cases. See Zubulake v.UBS Warburg, 217 F.R.D. 309 (S.D.N.Y. May 13, 2003) (Zubulake I); Zubulake v.UBS Warburg, 2003 WL 21087136 (S.D.N.Y. May 13, 2003) (Zubulake II) (addressing issues unrelated to e-discovery); Zubulake v.UBS Warburg, 216 F.R.D. 280 (S.D.N.Y. July 24, 2003) (Zubulake III);Zubulake v UBS Warburg, 220 F.R.D. 212 (S.D.N.Y. Oct. 22, 2003) (Zubulake IV); Zubulake v.UBS Warburg, 2004 WL 1620866 (S.D.N.Y. July 20, 2004) (Zubulake V).
- Chin v. Port Auth. of New York & New Jersey, 2012 WL 2760776 (2d Cir. July 10, 2012