Making electronic documents legally valid – When it comes to the legal admissibility of electronic documents, it’s all a question of evidential weight.

After several years of struggling to comply with a slew of regulatory and legal mandates, most companies now recognise the importance of securing the confidentiality, integrity and availability of their electronic documents as part of a corporate-wide records-management strategy – even if they don’t yet practice it with the stringency required of them.

Few, however, are confident that those documents would be accepted as evidence if the company landed up in court, thanks to a disgruntled customer, a former employee with a grudge or a regulatory authority seeking to impose penalties for non-compliance.
These companies are right to be nervous, says Sanjay Bhandari, a lawyer with international law firm Baker & McKenzie. “Rejection of a company’s electronic documents by a court can have a crippling effect on its case,” he says.

This is an increasingly pressing concern as more and more important business information is stored electronically in e-mails, human resources or customer management systems, scanned-in faxes and application forms.

In determining the legal admissibility of an electronic document or file, he explains, expert legal opinion tends to rely on the ‘best-practice rule’, meaning that a court will give most credence to the best evidence available, such as original documents or oral testimony.

Evidence that is not original – for example, a printout of an electronic document or a scanned-in version of a paper original — is considered more remote and thereby classified as ‘hearsay’.

There are a number of reasons for that. Unlike traditional paper copies, surreptitiously altering electronic documents is relatively simple. And, moreover, malicious intent is not necessary to damage data – files are frequently damaged or lost forever by accident or computer malfunction.
However, electronic evidence is increasingly presented in court as evidence – and the law has adapted to accommodate that. The Civil Evidence Act of 1995, for example, changed the common law rule that hearsay evidence is not admissible in proving the truth of an argument. Section 1 of the Act provides that “evidence shall not be excluded on the ground that it is hearsay”, provided that reasonable notice of a party’s intention to rely on the hearsay evidence is given. That, explains Bhandari, involves a company’s legal representatives filing a Civil Evidence Act Notice prior to the court date.
Hearsay evidence, Bhandari points out, can still be a powerful weapon – especially in civil suits. “Generally speaking, in civil cases, lawyers are not dealing with issues of liberty, so the burden of proof is lower when it comes to hearsay evidence,” he says.

However, in criminal cases (and particularly fraud cases), says Simon Halberstam, partner and head of e-commerce law at Sprecher Grier & Halberstam LLP, hearsay evidence is likely to be treated to far closer scrutiny and, for that reason, companies need to think hard about keeping at least some of their documents in the original paper format. “Destruction of original documents will prevent the use of forensic techniques such as analysis of impressions, creases, ink, source or age of paper and so on. Generally, this is not relevant; however, if there is a suspicion of forgery in relation to a particular matter, there should be a procedure for marking the file for retention in hard copy form,” he says.

Evidential weightThe issue of hearsay evidence highlights an important distinction between the legal admissibility of electronic documents and their evidential weight, says Lars Davies, a senior research fellow in computer law at Queen Mary and Westfield College at the University of London.
The evidential weight of a document, he explains, is the value a court will place on the information presented to it, alongside surrounding corroborative evidence that can convince the court that a document is what it purports to be. “In most jurisdictions, virtually any electronic data can be submitted before a court of law. The real question is that of evidential weight. Evidential weight is the extent to which the court can rely upon the electronic information,” he says.

With that in mind, companies need to ensure that electronic records are captured, stored and managed in such a way as to maximise their evidential weight. That has created a great opportunity for suppliers of electronic-document and records-management systems, because these systems fulfil two of the most important criteria underpinning the concept of evidential weight: First, that it is possible for systems to ‘freeze’ a record at a specific moment in time; and second, that a documented audit trail is maintained for documents, detailing when (and by whom) they were created, altered, accessed and stored.

Companies that can demonstrate that their document-management systems provide these functions can generally expect the authenticity and reliability of their electronic records to be considered credible in court.

Enterprise-content-management (ECM) systems from companies such as IBM, EMC Documentum and FileNet address the ‘freezing’ of information for evidential purposes in their records management functions. By definition, a record is static (or ‘frozen’) evidence of a business action, transaction or decision.

Records-management software not only recognises the necessity of capturing static information in an unalterable format for legal purposes, but also defines how long records are kept and what happens to a record at the end of the retention period, including the regulated archiving and subsequent destruction of documents. In the UK, the National Archives provides certification to records-management software that complies with its own standards.
In addition, ECM systems provide an audit trail for documents, contents and records that can provide supporting information about them. That, says George Parapadakis, a solutions architect with ECM company FileNet, can enable electronic evidence to be viewed within its wider context. “There are certain types of information retained in ECM systems that may complement or contradict the legality of electronic documents,” he says.

These might include additional information stored in metadata; information about contextual relationships between documents; information associating documents with particular business processes where these documents have participated in the decision-making process; and finally, the overall association of documents with people and the roles and responsibilities they are given. “In other words, how the document has been used may be just as much a part of the evidence as the words contained in the document itself,” says Parapadakis.

That could prove vital in a court of law, says Bhandari of Baker & McKenzie. “A court may reject anything presented as evidence if the associated audit trail information is either incomplete or contradicts the information itself. If they don’t reject it outright, they may only accept it with a greatly reduced weight, equivalent to a greatly increased doubt,” he says.

In particular, metadata should include: author’s name; the date the record was stored; the names of anyone who has accessed or made changes to the document; details of the changes made to the record and version control; details of movement of the record from medium to medium and format to format; the authentication measures used when the file is moved; and evidence of the controlled operation of the system in which the record is stored.

Further guidanceHowever, different ECM systems have different ways of addressing these issues, and prospective customers should quiz their vendors thoroughly. It is also important to ensure that these systems are approved by the employees that will be using them as part of their day-to-day activities, says Robert Markham, an analyst with IT market research company Forrester Research. “The number one reason that records-management implementations fail is that the records-management system is overly burdensome to end users like the corporate legal department. This results in end users circumventing records declaration or, worse, randomly selecting a records classification just to get by the declaration screen,” he says.
As a result, getting the right systems in place to support the legal admissibility of electronic documents can be a complex task. Fortunately, there is plenty of guidance surrounding it. The British Standards Institute (BSI), for example, has issued a code of practice on the legal admissibility of electronic records,

BIP 0008. Previously known as PD008, the code underwent significant review in 2004, to assist in the understanding of compliance requirements such as the UK’s Freedom of Information and Data Protection Acts and so that it might include case study material from recent implementations. In particular, the rewritten code takes into account improvements and enhancements to electronic-document-management systems.

While compliance with BIP 0008 does not guarantee legal admissibility, it does define the best practices that are most likely to influence a court in the defendant’s favour. For that reason it will likely prove “good enough” in most cases, says Davies of Queen Mary and Westfield College. “It’s my experience that the side that can demonstrate the most certainty as to the source of its information will win a case, because the judge will direct more questions their way. They will certainly be held to be more reliable, so even if their case is found wanting, that may go some way to mitigating losses,” he says.

Legal admissibility pitfallsElectronic documents can easily be scuppered in court where so-called ‘compliance points’ are found to be missing in systems from which a company sources evidence, according to experts at the British Standards Institute. These include:

■No information policy document;

■No retention schedule;

■Inappropriate security controls;

■Lack of procedural documentation;

■Insufficient control on document input procedures;

■Insufficient information about the technology from the system supplier;

■Use of inappropriate facilities, such as image clean-up;

■No thought of future migration requirements;

■A lack of documentation on audit trails and access procedures.

Signed, sealed and deliveredA recognisable signature can play a vital role in securing the legal admissibility and evidential weight of documents, both paper and electronic. The signature has been used for centuries to authorise documents, contracts or payments and is seen, says Francois Roux, managing director of digital signature specialists Simplicity UK, as the one way of unequivocally stating that a document has been read or approved by the signatory. “And of course, people take a great deal of care before signing because they know that they can be held to account for it,” he says.
But the situation, he says, is complicated when it comes to electronic documents. “It is perfectly possible and now commonplace to send a document across the world in an instant, but what if that document needs to be verified and signed by several people?” Until recently, he says, the options available significantly slowed that process down: the document might be sent in the post, delivered to signatories by a courier or a meeting may be organised at which all signatories are present, incurring significant travel expenses.

“We now have an online signing facility to complement online contract negotiation and finalisation,” says Michèle Rennie, head of intellectual property and internet law at legal specialists Computalaw. “Prior to this, even though every other stage of our client’s contract drafting, amendment and finalisation would be carried out online, the actual signing, by comparison, involved all signing parties meeting, or signing the relevant pages and faxing them to each other. The signed originals would then usually be couriered to the other party or back to one of them for consolidation into a single signed version. The process was not only prone to delay and uncertainty (if the signed original did not turn up), but could also be the most costly part of the contract preparation if all parties had to meet for signing,” she says.

Data detectives“In today’s business environment, more and more computer related crime is ending up in the courtroom,” says Adrian Reed, managing director of computer forensics company, DataSec. DataSec employees spend much of their time plundering computer files looking for evidence to defend legal claims and often act as expert witnesses in trials.

DataSec employees experienced forensic analysts, criminal investigators, technical and security experts, legal professionals and crime pattern analysts. The company is registered with the National Crime Faculty and the Law Society as providers of computer forensic expertise and works closely with corporate clients, the police and the judicial system to present the most accurate electronic evidence in legal cases.
In the course of their work, DataSec’s analysts have uncovered numerous scams by which electronic evidence, and especially e-mails, can be tampered with.

“An e-mail creates a digital audit trail of information, including where it came from, where it’s been to and where it’s supposed to be going. To the everyday e-mail user, this information is invisible, but to the person who understands the process, it can be easily accessible,” he says. Anyone in the know can potentially change, hijack or falsify the digital audit trail. “It is important to remember that an e-mail that has been changed in transit will almost certainly look like a normal e-mail to the everyday user,” he says.

If ‘best evidence’ is to be presented, says Reed, then verification of this digital audit trail is essential to ensure that the electronic process of e-mail has not been altered at any stage nor has the whole trail itself been fabricated. “In a case where allegations are made that an e-mail was never sent or received, a printed copy of an e-mail without the verified audit trail is significantly devalued evidentially,” he says.

http://www.eimagazine.com/xq/asp/sid.0/articleid.1F44B088-72B9-4119-A5ED-C5DEAE6FBF20/qx/display.htm