Morgan Stanley & Co., the global investment bank, got on the wrong side of U.S. regulators a while back, and it has been writing large cheques ever since to try to appease them.
This time, it has agreed to pay $15 million to settle Securities and Exchange Commission (SEC) charges, arising from investigations into various aspects of the firm’s market activities over the period from 2000 to 2005, for failing to meet its electronic production obligations. The SEC charged that it failed to turn over "tens of thousands" of e-mails to regulators in a timely and consistent fashion.
As part of the settlement, Morgan Stanley agreed to pull up its socks and get the necessary help to improve its internal controls and policies to ensure that electronic data is preserved in accordance with regulatory and legal requirements. One might rationally expect better things from a blue-chip, lawyer-heavy, multibillion-dollar operation, but there it is.
At the end of 2002, Morgan Stanley and four other Wall Street banks paid regulators a hefty $1.65 million each to settle allegations that they effectively had lousy data retention policies.
Morgan Stanley’s electronic discovery woes got them into hot water on several fronts — not merely with regulators, but also with the trial judge in a lawsuit with Ron Perelman, corporate raider and proprietor of the Revlon cosmetics brand.
In that case, which is still dragging its way up the appeal courts, the trial Judge became quite incensed at the bank’s Monty Python-esque efforts to locate relevant electronic data, especially in the form of backup tapes and/or archived and stored data, and, as a result, she made some horribly prejudicial rulings against it. One minute, the court was told that backup tapes containing relevant electronic data had been destroyed during the tragic events of September 9-11, the next minute, the tapes, plus more that no-one knew existed, were located on shelves in sub-offices, and so it went.
Take it from someone who knows: If you tell a Judge ‘X’, heart in hand, you'd better be right. Crawling back, cap in hand, to fess up — “Well, actually, when I said we had no data relating to that issue, I was not aware that there were 30 boxes of tape under Johnny’s desk" — is your worst litigation nightmare. At that moment, selling counterfeit watches on Yonge Street from a battered suitcase looks like a wise career move.
It doesn’t take a genius to figure out that companies, small and large, are swimming in data, and that most of them have no idea what data they have or where it resides; whether it is on portable drives and USB tokens, or PDAs, laptops, and home office computers.
It may have traveled across the ether by way of instant messaging or peer-to-peer services that may or may not be tracked and/or stored and archived. It may be deleted in one location, and not in another; it may contain meta-data (such as formatting information) that has nuggets of information that your nemesis in litigation considers of the utmost importance.
If data has been encrypted, are you sure you can recover it? Is the vendor still supporting the underlying software? Do you have key management policies and procedures in place to address these issues? Can you be reasonably sure of the integrity of the data you may need to produce in a courtroom? When the regulators come calling, or where litigation is contemplated or threatened, the obligation to produce relevant, and reliable, data works both ways, and you will likely be faced with time constraints to do so.
In addition, if the court, or the regulator, hears evidence about shoddy data management policies, or inadequate security to protect the integrity of data, you may be unable to rely on evidence that supports your case. It may be deemed too unreliable to warrant admission or consideration.
However, retaining too much data can be as damaging as keeping too little.
In the recent European Union (EU) appeal Court antitrust ruling against Microsoft, the regulators, and the Court, placed considerable weight on evidence gleaned from emails from Bill Gates and more lowly MS executives, that tended to throw considerable (negative) light on internal company strategy, and that seemingly contradicted the company’s defensive position.
You need to get input from senior management, legal, IT, and the security and forensics folk, to define a legal and workable strategy. You will save yourself, and your unfortunate lawyers, a wealth of grief if you do so now.
Don’t leave it to the last minute, when your back is to the proverbial wall. Life is hard enough.
