The US case of Columbia Pictures versus Justin Bunnell raises an important issue for organisations that have a presence in the US, namely the extent of the obligation to preserve records that may be relevant to actual or contemplated litigation.

The case concerns the film industryís efforts to fight piracy. Bunnell is the founder of TorrentSpy, which facilitates the downloading of video and audio content. No doubt with an eye to potential litigation, TorrentSpy states that it does not retain a transaction log of who downloads what. This information can allow the rights holders to identify downloaders. The judge ordered TorrentSpy to retain the server log data, overturning TorrentSpyís document retention policy.

This case deals with the obligation that arises when litigation is contemplated or under way, which is to preserve all records that are relevant to the case. In both the US and UK, as soon as litigation is threatened, businesses have to put a stop to all document destruction procedures and must preserve all relevant records.

The key issue for IT managers raised by the Columbia case is the extent to which businesses must start recording transitory information. The US case is being appealed, but in the meantime TorrentSpy has been ordered to record all transaction data held in RAM to a more permanent form of storage.

Does the litigation preservation rule now require firms to log transitory information? If so, what information does this cover? Some information is easy to log, such as web server transactions, and many businesses do so already. The retention of email and instant messaging traffic is already commonplace. However, the Columbia case raises the prospect of firms having to arrange for the permanent storage of other transitory traffic, such as web sites visited.

Not only are the data volumes potentially huge but there are also major issues about the collation, storage and use of that data, particularly in light of various privacy rights and data protection rules. The necessary investment to adequately manage the data would be significant.

I have felt for some time that companies can only cope effectively with the management of data by limiting what users can do and by requiring them to use pre-established procedures where possible. At some point, businesses are going to have to make value judgments about the creation of records.

Companies may yet be forced to move towards a more restrictive regime, where procedures are established and systems only allow certain actions. Users wonít like it, but there may be no other way to limit the risk of litigation.