Category: Retention

Outbound E-mail = Inbound Issues

A story on Law.com entitled "Outbound E-Mails Spell Inbound Legal Trouble for Corporations" points to a recent study from Proofpoint.com on how corporations are concerned about the content of their outbound e-mail.

This is Proofpoint’s fifth annual study of outbound e-mail and is designed to examine the level of concern about the content of e-mail and how large organizations are mitigating the risks associated with outbound messaging. This year’s study also expanded to include a look at Web-based e-mail, blogs, social networking sites, etc.

The study received responses from a total of 424 "IT decision makers" including CIOs and IT directors from the US, UK, Germany, France and Australia.

Here are a few highlights that perked up my e-discovery ears:

"In non-compliant e-mail messages leaving your organization, what is the most common form of inappropriate content?"

  • 30% - Adult, obscene or potentially offensive content
  • 26% - Confidential or proprietary business information about your organization
  • 17% - Personal healthcare, financial or identity data which may violate privacy and data protection regulations
  • 13% - Valuable intellectual property or trade secrets which should not leave the organization

"Using your best estimate, what percent of your organization’s outbound e-mail contains content that poses a legal, financial, or regulatory risk to your organization?" Answer - 12%.

56% of US respondents indicated that they are "concerned" or "very concerned" about e-mail sent from mobile devices (smartphones or other wireless, Internet-connected devices) as a potential conduit for exposure of confidential or proprietary information.

56% of US respondents indicated that they are "concerned" or "very concerned" about Web-based e-mail (i.e. services such as Google Mail, Yahoo! Mail, Hotmail, etc.) as a conduit for the exposure of confidential information.

Regarding Policies:

  • 98% of US companies (100% in UK) have an "acceptable use policy for e-mail" that includes personal use rules, monitoring and privacy policies, offensive language policies, etc.
  • 84% of US companies (75% in UK) have an "e-mail retention policy" that defines what information sent or received by e-mail should be retained and for how long.

24% of US companies reported that they produced employee e-mail in the past 12 months subject to a civil or criminal subpoena. In US companies with 20,000 employees or more, that number rose to 34%. Elsewhere in the world, employee e-mail was subpoenaed less frequently - 6% in UK, 10% in Germany, 10% in France, and 3% in Australia.

"How important to your organization is reducing the legal and financial risks associated with outbound e-mail in the next 12 months?" Answer - 57% of US companies answered that it is "important" or "very important" for their organizations.

"How important to your organization is reducing the legal and financial risks associated with outbound HTTP traffic (e.g., Web-mail, blog postings, etc.) in the next 12 months?" Answer - 51% of US companies answered that it is "important" or "very important" for their organizations.

Survey can be downloaded here or Rob Robinson has posted it here on his Complex Discovery blog.

Document Retention Convention

A couple of recent stories provide some tips on creating a document retention policy; my comments are in italics:

  • Properly define "document" to include information of all types: electronic or paper, historical or transient business record. Be sure to include all the different types of records. (A good starting place is Wikipedia’s entry for Records Management which points to the ISO definition of a "record" as "information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business".)
  • Clearly state who and what function is the relevant retention authority for the most widely used categories of documents. (It’s important to have one person, one authority, that everyone can go to with questions about a document and its retention status.)
  • Indicate the specific duration of retaining different types of documents. (Any good document retention policy that I’ve seen has listed out every document type and its corresponding retention period. They never cover everything but at least it’s a good starting point.)
  • Balance the needs of legal, IT and general users. This isn’t easy, because everyone has different needs, but doing so is worth it. (It’s always about communication across departments and across the company.)
  • Clearly state the reasons that retention is necessary (e.g. Sarbanes-Oxley rules, HIPAA regulations). As those requirements change, the rationale for retention should be reviewed, and any changes to the retention period should be made. (This may be easier said than done, but it’s very important to revisit the document retention policy periodically to ensure that it’s up-to-date and accurate.)
  • Give individual divisions or offices the authority to set retention policies for their own operational documents if approved by or coordinated with the General Counsel or Compliance Office. (This may sound antithetical and a little messy, but it can be a functional way to accommodate the different needs of different departments.)

Tips taken from:

"Effective document retention starts with smart policy" from ITBusinessEdge

"Four tips for crafting a document retention policy" from IDG.no

Are You Really, Really, REALLY Ready for E-Discovery?

A story on CIO.com entitled "Electronic Discovery: Are You Really Ready?" discusses a survey done by IDC (commissioned by FTI Consulting Inc.) of 118 IT executives on their e-discovery readiness.

In contrast to the majority of surveys on e-discovery preparedness (such as this recent one from Xerox Litigation Services), this story reports that many of their respondents are actually "confident about their current abilities to respond to a litigation event" because a lot more attention is being paid to records management, archiving and information retention policies.

However, the data from the survey highlights an urgent need for organizations to adopt standardized policies and IT practices for activities related to the identification, preservation and collection of potentially responsive data.

The story states that nearly 79% of the IT executives surveyed rated their ability to respond to a litigation event from "above average" to "very well prepared."

Other choice sentences from the story:

IDC’s research concludes that corporations are enforcing the legal hold on an application and content-store basis.

While 86 percent of survey respondents claim to have formalized litigation communications policies in place, adoption of standardized processes and the ability to automate and document communications across records management, legal and compliance departments is lacking.

Approximately 55 percent of the companies surveyed are still in the early stages of automating the litigation communication process, 29 percent are using voice communications and in-person notices and 13 percent are still using paper-based surveys.

I have my usual spate of questions here: What defines an IT executive in this survey? Is it a CIO? An administrator? And are these IT executives at law firms or corporations?

Fortunately, my questions should be answered in the FTI/IDC Webcast on June 19 that will present the full findings from the study.

Link to story.

What, Me Worry about ESI?

A concise list of seven misconceptions that businesses have about ESI and their e-discovery obligations entitled “Why Your Business May Be At Risk…” from The Metropolitan Corporate Counsel. The authors are three attorneys from the New Jersey law firm Norris McLaughlin & Marcus.

Here are 5 of my favorites from the list:

  1. Since we are not presently involved in a lawsuit, there is no need to concern ourselves with these new rules. The reality is that there need not be an active lawsuit or court order in place for there to be an obligation on a business to preserve ESI.
  2. If we were required to save data every time a lawsuit is threatened, our company would be crippled and we’d lose our business. The reality is that the new rules recognize this problem and provide that a party need only preserve relevant ESI.
  3. Even if we were to lose relevant ESI evidence, the loss was accidental and not intended to destroy harmful information; surely a court would understand. The reality is that even accidental or innocent loss of relevant ESI is sanctionable when it could have reasonably been prevented.
  4. Many of our employees work from home and use their own personal computers; therefore, we don’t have to worry about those computers. The reality is that the new rules widen the scope of ESI to include personal home computers, cell phones, copy machines, fax machines, voice-mail, instant messaging, PDAs, websites, flash drives, etc. As long as your employees are working for you, it does not matter where they are located or what device they are using to generate electronic information related to your business.
  5. We’re too small of a business to have to worry about these changes. The reality is that if you are a business with a computer or any other device that generates electronic data, you are within reach of the new rules.

Link to story.

Could E-Discovery Make You Go Back To Paper?

I discovered a new e-discovery blog today that I’ve added to the blogroll - E-Discovery Bytes from the Quarles & Brady LLP law firm.

Their post “The Problem of Reviewing Electronic Data” caught my eye because it pointed to a ComputerWorld story entitled “Security Manager’s Journal: E-Discovery Prompts a Second Look at Data Retention.” I always perk up when I see an e-discovery story from a non-legal-related source.

The ComputerWorld story records the struggle of an IT security manager (who could be from any company) in comprehending how legal rules written by and for lawyers could have such a profound effect on his everyday activities. The only way he heard about the rules was because the general counsel at his company attended a dinner sponsored by an e-discovery vendor.

The story reveals the tortuous balancing act that so many IT professionals have to face when deciding how much data to save. On one hand, you have to back up employee e-mail for disaster recovery and business continuity. On the other hand, this requires ever-increasing storage space and heightens the possibility that you’ll have to expend enormous effort and time to produce relevant e-mails when the company is involved in litigation.

For some IT managers (including the author of the ComputerWorld article), dealing with e-discovery might just drive them to “turn back the technological clock:”

“For paper information, it’s simple: Point the lawyers to the file cabinets and tell them to have a good time.”

Link to story.

Can E-mail Analysis Be Easy?

My article “The Easy Button” was recently posted on InsideCounsel.com. In it, I take a look at four vendors that provide tools for searching and analyzing e-mails. The four vendors mainly sell their products to in-house counsel with the alluring appeal that in-house attorneys can search employee e-mail and discover potential smoking guns before the litigation trigger is pulled.

The four vendors I talked to for the article were AXS-One, InBoxer, Clearwell Systems, and Estorian. Each vendor enjoys a certain sweet spot.

I wanted to talk to AXS-One after I read the great story on ComputerWorld.com about how KeyBank adopted the AXS-One Compliance Platform to help manage the laborious process of collecting and producing e-mails from their 300TB e-mail archive. The story provides a rare insight into how major corporations are dealing with the stress of complying with e-discovery requests.

I am very impressed with InBoxer and have blogged about the company in the past. The big seller to me with InBoxer is that it’s so easy to deploy - you either pop in a rack mounted server or install the software in a virtual appliance and it’s ready to go within an hour, or even a few minutes. In-house counsel search and analyze employee e-mail through an online interface (you can visit www.enronemail.com to test out InBoxer for yourself).

I’ve been following Clearwell for a while now, and I believe they have one of the most intuitive interfaces of the group. They made it very clear to me that they are not an e-mail archiving system, but that they work complementary to systems you may already have set up from Symantec or EMC. A Clearwell system can also get up and running very fast, and provides such a comfortable interface that I can see where some users may not even need training.

And lastly Estorian offers an interesting alternative to the slick-ness of InBoxer and Clearwell. Estorian’s LookingGlass software may not look as pretty, but I found that it provides an extensive array of options for searching, monitoring and saving potentially risky e-mail messages. The company views LookingGlass as more of a compliance tool because users can easily set up searches to automatically and continuously monitor employee e-mail for risky keywords.

I foresee in the near future that every corporation will have some sort of e-mail analysis tool constantly monitoring employee e-mail. And why not? In this country, the company owns the e-mail and has the right to read every message sent by an employee through the company-owned servers. Companies that purchase tools such as the ones mentioned above will enjoy a) the comfort of knowing that something is policing the e-mail servers for naughtiness, and b) the ability to quickly search and secure e-mail messages that are relevant to the latest litigation matter that flies across their desk.

Link to my article.

One View on eDiscovery Readiness

The August 2007 edition of the terrific e-newsletter Law Technology Today runs a story entitled “eDiscovery Sanctions - Staying out of Harms Way” which provides some practical tips on helping a client index and organize their electronic data.

I particularly enjoy the first couple of paragraphs that discuss the 1970 amendments to the Federal Rules of Civil Procedure.

In 1970, the Federal Rules of Civil Procedure incorporated the concept of “data compilations from which information can be obtained” into its text. From that moment on, digital documents on computers were available for discovery.

In reading the Advisory Committee Notes to the 1970 FRCP Amendments for Rule 34(a) (about midway down the page), it’s obvious that they wrestled with several of the same issues that the Advisory Committee struggled with on the 2006 Amendments.

The inclusive description of “documents” is revised to accord with changing technology. It makes clear that Rule 34 applies to electronic data compilations from which information can be obtained only with the use of detection devices … respondent may be required to use his devices to translate the data into usable form. In many instances, this means that respondent will have to supply a print-out of computer data. The burden thus placed on respondent will vary from case to case, and the courts have ample power under Rule 26(c) to protect respondent against undue burden or expense (copied from Cornell’s Legal Information Institute)

I also like how the article distinguishes between “gaining control of the e-mail system” and what they call the “file system” which refers to the “massive [electronic] system housing many of the corporation’s memos, strategic presentations, financial spreadsheets, corporate intellectual property and plenty of other critical digital assets.”

The point is well taken - with so much emphasis on e-mail (much of it deservedly so) many companies don’t pay enough attention to how their employees are saving and storing electronic documents.

In my experience, many companies simply leave it up to individual departments or employees to determine where documents are stored and how they’re named. Obviously, each department must provide input into how their documents are stored, but a confusing collection of document storage practices will always make it more difficult to find the data you need to produce.

Link to column.

“How to Archive Email”

A good article from Processor magazine entitled “How to Archive Email” (via edd blog online) that tackles the subject from a technical perspective.

The article starts off with a good quote:

“For many employees, using email is really only about two things: sending and receiving. But for enterprises as a whole, email is their lifeblood.”

I like that quote because it’s a good reminder that no matter how much the e-discovery industry rants and raves about the need to archive this and preserve that, the majority of folks that use e-mail just see it as a convenient communication medium, and nothing more.

Dean Richardson of ArcMail Technology is quoted:

[…many companies] “opt for email archiving, not for particular compliance reasons but because their users want unlimited email storage without mailbox restrictions.”

Richardson also declares that the trend is bending towards “keeping everything,” asking “Do you want to be the only one in court without a copy of your own email?” That’s a valid question since a company may feel safe if they appropriately deleted a sent e-mail from their own servers, but it will turn up in discovery because the recipient of that e-mail saved it on their own server. You don’t want trial to be the first time you see that e-mail message - an e-mail archiving system (based on a well thought-out policy) would have helped you find that message during your own review.

Link to story

Q&A with Iron Mountain CEO

Iron Mountain is probably the largest offsite data storage provider. In recent years, as expected, they have expanded their offerings into records management, compliance support, and even e-discovery issues.

Computerworld.com ran a short Q&A with Richard Reese, the CEO of Iron Mountain, that produced some good quotes:

“A big part of what we’ve been trying to do is educate customers. Half the problem has been customers — it’s their legal departments [that] don’t understand the [technology] processes [for archival and storage]. And the business people don’t understand how [legal rules and responsibilities] have changed.”

Mr. Reese had a good, but fairly generic, response to the question “Should companies destroy or keep all their data to avoid problems under new e-discovery requirements?”

“The strategy of just aggressively getting rid of [data] absent of policy is going to be a loser and it’s going to cost you. But the strategy of keeping it all — and managing and discovering all your data — is going to kill you as well. The right strategy is to put in processes, procedures and technologies to destroy [information] as part of policy. For those companies saying “I’ll get rid of it; I’ll take my chances,” all they’re doing is making an informal risk assessment…”

You’re darned if you do, and darned if you don’t. Lesson: you must insist on a records retention policy.

Link to story

“Hit ‘Delete’ to Prevent EDD Disaster”

While I don’t necessarily agree with the title of the article, this is a good column by Stanley Gibson, a litigation partner at Jeffer Mangels Butler & Marmaro LLP. The thrust of his article is telling clients not to keep so much electronic data because it will cost them in the long run when and if they run into litigation. Just delete it.

More interestingly, Mr. Gibson tells the story of a $570 million jury verdict that involved a “Death Star” of electronic discovery review. The story is fascinating and does a great job of providing what Mr. Gibson calls a “practical experience and analysis from the trenches.”