Supposedly, the standard for data retention and disclosure is always "reasonableness," but Rule 34 (b) can lead to difficulties when the format for delivery is considered. Unless otherwise specified, data is supposed to be delivered in its native form. However, there are issues. For instance, if the data is in an Excel spreadsheet, it can easily be altered. But if you deliver the Excel spreadsheet as a PDF document, it won't capture the formulas.

Typically, the acceptable format should be the way the data was managed in the normal course of business -- but suppose you're using SAP software for invoicing. Your company might wish to deliver an invoice or an e-mail in the form of a PDF, while your adversary may demand to see your entire database. "If the metadata for an e-mail is important," PSS's Paknad says, "you may have to produce the e-mail in native format."

Paknad also recommends keeping relevant files in a location that's provably secure from tampering, as whichever party wants to see the data will also want to be assured it was not, and could not have been, altered.

5. Rule 37 (f): Safe harbor

If you can prove that missing data has been deleted during "routine" data expunging, you are probably safe from legal sanctions. However, you must be able to prove that the deletion was indeed part of a routine process and not "event-driven." Here we come back to good-faith effort, where producing an audit trail and monitoring are key.