Friday, February 03, 2006

Computer Business Records Without Foundation?

A recent decision out of the 9th Circuit (sitting as the U.S. Bankruptcy Appellate Panel) should be of interest to Cyberspace lawyers.

While all of us are familiar with the usual litany of how to get business records admitted under the relevant exception to the hearsay rule, many of us have long wondered if there was too much of a leap of faith in the process where the records were computerized. Well, the naysayers finally have a case to lean on.

In In re Vinhnee, (2005 WL 3609376) the district court had refused to admit evidence proffered by a credit card company regarding the debtor's credit card transactions. The refusal was on the ground of defective evidentiary foundation. The trial court suggested that determining the authenticity of proffered electronic records "necessitated, in addition to the basic foundation for a business record, an additional authentication foundation regarding the computer and software utilized in order to assure the continuing accuracy of the records." Even after the proponent was given a second bite at the apple (by being allowed to file a post-trial declaration to lay sufficient foundation), the court found the witness statements to be overly conclusory and the witnesses themselves to be of unproven qualifications. On that basis, the evidence was not admitted, the proponent lost its case because of the evidence issue, and the appeal ensued.

The appeal affirmed the decision (notably on an abuse of discretion standard, which the court said might allow for a "trial court that is finicky about settled authentication requirements [to be] sustained..."). The court noted some scholarship on point, equating computer evidence to be a form of scientific evidence, and suggested that the problem is more complex than it seems. "The 'built-in safeguards to ensure accuracy and identify errors' ... subsume details regarding computer policy and system control procedures, including control of access to the database, control of access to the program, recording and logging of changes, backup practices, and audit procedures to assure the continuing integrity of the records." In this instance, the best the proponent of the evidence could come up with (even after being allowed to go home and do its homework!) was to list off the brand of computers and software the business used, and restate a conclusory opinion that the system was reliable. The trial court determined that this did not meet its requirements for foundation, and the evidence was tossed.

Astute readers will begin to notice a common element to the above discussion with topics that our members are already frequently touching -- Data Security after GLBA, HIPPA and their ilk, and Internal Controls after SarbOx. We also see these same issues popping up in our discussion of what constitutes "control" of an electronic record in the context of a negotiable instrument under UCC § 9-015. All of these matters begin to turn on the creation, documentation and compliance with business procedures. This continues to point out the problem with relying on canned programs that operate without intelligent oversight -- Be it for credit card records, electronic chattel paper, corporate books or medical records.

Which leads to the question of lawyering. One can only wonder how a written declaration was issued in the above matter which made no attempt to discuss policies and procedures regarding the safeguarding of the data -- But I can suggest that had a well-versed cyberspace lawyer been on the task, the proponent might have had a better chance at crafting a document that would have won the day. Is this yet another reason that our practices should be getting more in the faces of others and pointing out our value?

(The sideline to the case: The trial court turned away the credit card company even though the defendant (debtor) did not even show up or enter any argument, having the company suffer "the ignominy of losing even though its opponent did not show up." The judge himself, Hon. Samuel L. Bufford, raised the issue during a routine hearing, and pointed the company to scholarly materials that dealt with the issues -- And the lawyers still did not comply with his requests. Has any of our membership met Judge Bufford? We should look into how he came to be interested in these topics and where he might be taking these things!)

1 comment:

John Gregory said...

The trial court just wanted *something* to show the integrity of the creditor's (Amex's) records from the time they were made (in compliance with the business records rule) to the time they were produced at trial. It would not have taken much, in my view - the evidence of a records manager about the systems the company used, even evidence that the company routinely relied on the systems they used (the judge notes expressly that no such evidence was led.)

Some have suggested that Amex didn't want to spend a lot of money bringing evidence in a case worth $20,000. Others have said that it didn't want to expose its proprietary information handling systems in a public forum, thus risking their security. I'm not persuaded by these arguments, myself.

I think the courts - trial and appeal - would have been satisfied with less than a demonstration of "control" to support negotiability. Just someone saying that access to the system was closed and that it was tested occasionally for integrity, and that the company relied on the results, probably would have sufficed. But: something rather than nothing, and what was offered was essentially worth nothing, particularly when the witness could not answer basic questions about what the software in place actually did.