Document Retention And E-mail

innocent_white_lamb writes "An interesting column by Jim Carroll about email within companies, document retention, how hard it is to actually get rid of an email, and how all of this can come back to bite you later on. "

Offshore email servers (not just with HavenCo)

[rdl]

(Disclaimer: I'm cofounder and cto of HavenCo, an offshore colo and supporting services company on Sealand)

This is one of the main reasons people put email servers offshore now, even if they're operating onshore. This got started with HavenCo's gaming clients, but we now have general-purpose mail server customers who just want to company with their existing onshore document retention policies without the risk of someone subpoenaing their mail server and then trying to recover the disk.

One of the features I'm working on now is some basic intelligence to detect out-of-character behavior by a mail server client -- such as attempting to download all messages, which would indicate they've been subpoenaed. If that happens, then we would attempt to contact the customer and get positive confirmation that they are *not* being investigated before allowing the transaction to continue. It's a trade-off between allowing normal function and protecting against legal attacks.

Perhaps an extension of normal document retention policies for companies can be to keep them locally for 3-6 months, then move them to offshore "cold storage" where they will only be released when the offshore agent holding the files is certain a request is not due to legal duress. Trade a bit of latency for a lot of security, and otherwise the documents get destroyed anyway.

Re:Offshore email servers (not just with HavenCo)

[sql*kitten]

This is one of the main reasons people put email servers offshore now, even if they're operating onshore. This got started with HavenCo's gaming clients, but we now have general-purpose mail server customers who just want to company with their existing onshore document retention policies without the risk of someone subpoenaing their mail server and then trying to recover the disk.

I'm unclear about this. If they get a subpoena, it could be worded such that it's the mail they're interested in, not the physical storage device. In JWZ's account of the subpoena'ing of Really Bad Attitude, they didn't seize any of Netscape's servers, they required Netscape employees to print the whole thing out. If a court orders the company to deliver copies of their email, and they refuse, they're in contempt of court which is an offence in and of itself. And if HavenCo assist them, while it may be perfectly legal under Sealand's judicial system (assuming you have a formal set of laws there), don't forget you are surrounded on all sides by the EU who aren't above applying their own laws outside their jurisdiction. Witness pressure from the EU and US on offshore tax havens.

What if they take out an injunction against your upstream bandwidth provider(s)? What if they send Customs and Excise agents to raid you, as the UK has done to vessels at sea suspected of smuggling? (Backed by a Navy frigate and detachment of Marines, usually). What if you personally are arrested as soon as you enter an EU country?

I'm not saying that it's impossible to provide such a service, but that it's becoming increasingly difficult.

Re:Offshore email servers (not just with HavenCo)

[rdl]

Yes, this is definitely an interesting legal area which hopefully will have some precedents set in the next 10 years.

The employees of a company would first receive a subpoena in the discovery process to turn over all relevant mail. If the employees refuse to comply, they will be found in contempt and locked up indefinitely.

However, they can only comply if they are technically capable of complying. It is not contempt to say "that document was shredded a year ago in accordance with our published retention policy", if the document was actually shredded. If recovering mail is blocked by a systems administrator located outside the jurisdiction at hand, then it would be technically impossible for users to recover the mail, and then they would be ok.

It would not be acceptable for someone who receives a subpoena to delete his own key locally and thus lose access; that would be considered a willful obstruction of the legal process. But it is perfectly acceptable for an overseas party not named on the subpoena (or not served) to take arbitrary actions, and it's acceptable for a company to contract with an offshore agent to undertake security monitoring of a site and lock off access in the event of any suspicious activity.

(I would be amused if these slashdot postings themselves ended up in testimony when we finally have a test case on the email servers)

Re:Offshore email servers (not just with HavenCo)

[Eppie]

Legally, offshore servers are of limited value. If you are subject to jurisdiction in the US and a court orders you to cough up the email, you must cough it up. It does not matter where you store it, especially if you have electronic access to those servers in the US.

I represented an American investment bank that was stiffed on a deal with a foreign company. The fact that many of the relevant documents were scattered throughout Asian offices of various companies made little difference in our ability to force our opposition to produce many boxes of documents, including email stored on off-shore servers.

I'm not sure why you would try to detect if your customers are being subpoenaed. Why would you disallow your own customers to download their own documents? If you think you're helping them by refusing to allow them to comply with a subpoena, you're mistaken. Companies that intentionally put themselves in the position of losing control of their own documents to avoid legal process will not be treated kindly by courts. I can think of little better news than opposing counsel coming to me with a sob story about how his client's agent refuses to turn over the documents. In the case of third-party subpoenas, such tactics would quickly result in mounting sanctions.

I can see reasons for getting documents offshore. From a legal perspective, though, this does not do much good. I hope your service wins a lot of customers. I can't wait to litigate against somebody dumb enough to hide his documents in this manner.

Don't Use Email for Everything

[pryan]

When I worked at a Fortune 500 company, I noticed that people use email for almost everything internally. Most of the stuff that large companies are liable for get thrown about in email when there are many other, often better communication methods. Unfortunately, there are a lot of middle-aged administrative assistants and managers that seem to think everything goes in email.

The lesson? Don't use email to distribute that 10 MBib presentation. If you have a memo, then email everyone a link to it and set the web server to spit out a no-cache HTTP header with the page. If you have a file to share with some people, put it on a file server and give people the link via an email, but don't just attach the little bastard file, which probably isn't so little anyway.

Government email

[Eric+Damron]

The email for my State government is covered under the freedom of information act.

What this means is that anyone can walk into any State agency and under this act require that the agency provide copies of it's email.

There is a charge to cover costs and a waiting period to allow the information to be gathered.

This can cause real problems for agencies that delete email without a policy covering the removal of this information. Basically, if the agency deletes email without such a policy they can be required to "recover" their email. If they don't have the expertise to do so they can be required to contract out to a company who does have the ability. This could cost them tens of thousands of dollars.

Better to have a policy and to stay within the guidelines!

Re:Interesting moral position

[Anonynnous+Coward]

Although that is the cynical, (and usually valid, IMHO) interpretation, here's another one:

It's not just about destroying evidence that could be used against you, maybe. I'm not in Records Management, but I bet complying with a subpoena is a lot easier when there's simply less email hanging around--if you have a good, enforced retention policy, you can honestly say "Here is what we have. We don't have anything older than n days, according to policy," and save thousands of dollars in staff time that would have been spent mounting old backup tapes and cruising employees hard disks trying to honestly comply with a court order.

On public "radar" since 1987

[catfood]

I'm a little surprised the article didn't mention the greatest email bust of all. In 1987, the questionable para-military funding activities of USMC"Lt.Col.OliverNorth were uncovered partly by an investigation of messages that he thought he'd deleted from the White House's internal email system.

North hadn't counted on the "deleted" messages showing on backup tapes.

Partly because of this smoking-gun evidence, North was convicted in 1989 of aiding in the obstruction of Congress, accepting illegal gratuities, and destroying documents.

North's conviction was later overturned (with great irony considering his status as a law-and-order conservative icon) on a legal technicality.

how can you prove it.

[azagthoth]

The biggest question I have about this is how can they prove that the person whose name is on the From: actually sent the e-mail?

We all know just how insecure e-mail really is and how easy it is to forge an e-mail, so how can these e-mails stand up as evidence. I can see some justification in if the headers show the e-mail coming from that person's workstation's IP connecting to ${CORPORATE_MAIL_SERVER}, but even this is not 100% proof that it came from ${PERSON}.

Re:What is the legal status of email?

[Eppie]

Email is incredibly useful as evidence. In much large litigation, perhaps half of the documents submitted as evidence are email.

Courts aren't like the movies. In real litigation, the parties don't have many fights about whether a document is what it purports to be. They have fights on how to interpret the document, but not about whether it really came from the CEO or not.

The reason for this is that email is largely self-authenticating. Most litigation involves at least one party that is a company. All but the smallest companies keep track of their email automatically. When the request for documents comes in, IT does a keyword search, dumps a bunch of emails to a CD-ROM and hands it to the lawyers. The lawyers filter the emails and hand over the relevant ones to the other side. The lawyers keep their clients reasonably honest.

If a plaintiff comes up with an email that the other side doesn't have a record of sending, they'll have a battle over whether it is real. Both sides present evidence and the jury or the judge makes a decision as to whether it's an authentic document or not.

In a company of any decent size, the person keeping track of emails and other documents is not important enough to have his or her ass on the line. If they are asked to forge or destroy documents, they'll either refuse or else they'll be extremely willing to talk about it. If there is ever a trial over Enron, we'll see a parade of paralegals, secretaries and mailroom clerks testifying about shredding documents until 3am every night. These things have a way of getting out.

So: If a sysadmin forged a bunch of emails from the CEO, the court would either let the jury decide if the emails were real or, if it their authenticity were very clear, rule on the issue before trial. It would be up to the CEO and his attorney to show the court why these aren't real. If the sysadmin gets caught forging, he probably goes to jail for a little bit.