Slashdot Mirror


Document Retention And E-mail

innocent_white_lamb writes "An interesting column by Jim Carroll about email within companies, document retention, how hard it is to actually get rid of an email, and how all of this can come back to bite you later on."

26 of 174 comments

  1. Offshore email servers (not just with HavenCo) by rdl · · Score: 5, Informative

    (Disclaimer: I'm cofounder and cto of HavenCo, an offshore colo and supporting services company on Sealand)

    This is one of the main reasons people put email servers offshore now, even if they're operating onshore. This got started with HavenCo's gaming clients, but we now have general-purpose mail server customers who just want to comply with their existing onshore document retention policies without the risk of someone subpoenaing their mail server and then trying to recover the disk.

    One of the features I'm working on now is some basic intelligence to detect out-of-character behavior by a mail server client -- such as attempting to download all messages, which would indicate they've been subpoenaed. If that happens, then we would attempt to contact the customer and get positive confirmation that they are *not* being investigated before allowing the transaction to continue. It's a trade-off between allowing normal function and protecting against legal attacks.

    Perhaps an extension of normal document retention policies for companies can be to keep them locally for 3-6 months, then move them to offshore "cold storage" where they will only be released when the offshore agent holding the files is certain a request is not due to legal duress. Trade a bit of latency for a lot of security, and otherwise the documents get destroyed anyway.
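
As an added example (not HavenCo's code and not part of the original comment), here is one way to flag the out-of-character "download all messages" behavior described above: compare each IMAP session's fetch volume with the mailbox size and with the account's own history. The log format, thresholds and function names are assumptions made for illustration; only the sequence-set syntax (`2,4:7`, `1:*`) is IMAP's own.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample log in a hypothetical format (not from any real server):
#   time user session command detail
SAMPLE_LOG = """\
2002-02-01T09:00:01 alice s1 SELECT INBOX exists=4000
2002-02-01T09:00:02 alice s1 FETCH 3990:4000
2002-02-02T09:10:00 alice s2 SELECT INBOX exists=4012
2002-02-02T09:10:01 alice s2 FETCH 4001:4012
2002-02-03T08:55:00 alice s3 SELECT INBOX exists=4020
2002-02-03T08:55:02 alice s3 FETCH 4013:4020
2002-02-04T03:12:00 alice s4 SELECT INBOX exists=4021
2002-02-04T03:12:01 alice s4 FETCH 1:4021
2002-02-04T09:00:00 bob s5 SELECT INBOX exists=150
2002-02-04T09:00:01 bob s5 FETCH 140:150
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SELECT|FETCH) (.+)$")
EXISTS_RE = re.compile(r"exists=(\d+)")


def expand_sequence_set(seq_set, exists):
    """Expand an IMAP sequence set such as '2,4:7' or '1:*' into message numbers."""
    numbers = set()
    for part in seq_set.split(","):
        # '*' means the highest message number in the mailbox.
        bounds = [exists if b == "*" else int(b) for b in part.split(":")]
        lo, hi = min(bounds), max(bounds)  # '7:4' is the same range as '4:7'
        numbers.update(range(lo, min(hi, exists) + 1))
    return numbers


def summarize_sessions(log_text):
    """Return {session_id: {user, exists, fetched}} in first-seen order."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not SELECT/FETCH records
        _ts, user, sid, cmd, detail = m.groups()
        s = sessions.setdefault(sid, {"user": user, "exists": 0, "fetched": set()})
        if cmd == "SELECT":
            found = EXISTS_RE.search(detail)
            if found:
                s["exists"] = int(found.group(1))
        else:
            # A set de-duplicates messages fetched more than once in a session.
            s["fetched"] |= expand_sequence_set(detail.strip(), s["exists"])
    return sessions


def flagged_sessions(log_text, min_fraction=0.5, baseline_factor=10):
    """Flag sessions that pull most of the mailbox and far exceed the user's norm.

    Assumed policy: a session is flagged when it fetches at least min_fraction
    of the mailbox AND more than baseline_factor times the median of the
    user's earlier, unflagged sessions. With no history, the fraction decides.
    """
    history = defaultdict(list)
    flagged = []
    for sid, s in summarize_sessions(log_text).items():
        count = len(s["fetched"])
        bulk = s["exists"] > 0 and count / s["exists"] >= min_fraction
        past = history[s["user"]]
        unusual = not past or count > baseline_factor * median(past)
        if bulk and unusual:
            flagged.append((s["user"], sid))
        else:
            past.append(count)  # only normal sessions feed the baseline
    return flagged


if __name__ == "__main__":
    print(flagged_sessions(SAMPLE_LOG))
```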

    1. Re:Offshore email servers (not just with HavenCo) by wangi · · Score: 5, Insightful

      yada, yada, yada... totally missing the point!

      There's no need for any legal request for the email - employees will dig them out to protect their own backs and to break the backs of others!

      Doesn't matter where the server is, or how many you have there's always going to be masses of duplication - local folders holding copies and such like. How do you handle this? Putting your server on a piss-forsaken rock isn't going to help!

    2. Re:Offshore email servers (not just with HavenCo) by rdl · · Score: 3, Insightful

      Employees will use them against their employers, but the much larger risk is outside discovery motions. The Microsoft trial was a good example -- none of the Microsoft employees whose email was subpoenaed benefitted from that. When the really-bad-attitude list was taken from Netscape, none of the list members really wanted that, either.

      There are threats from inside and threats from outside, and having a document retention (==destruction) policy will protect against outside threats. It will not protect against employees blackmailing their employers.

      However, if an employee keeps copies of mail in violation of a document retention policy, that employee can be sued separately. I imagine federal whistleblower laws might offer some protection, but in the case of a civil suit between companies, if an employee maintains a banned archive and then sells access to that archive to the other company's legal team, the employee is likely to suffer.

    3. Re:Offshore email servers (not just with HavenCo) by rdl · · Score: 3, Interesting

      Yes. Most of our clients for email use secure IMAP with mail kept on the server, or use web-based mail systems (which offer ticketing and other features as well).

      The ultimate system would involve secure laptops with no local unencrypted state -- using RAM for cache, and/or encrypted disk, but requiring connections to a non-US location to unlock the encrypted disk each time the machine is used. You could easily replicate the unlock servers for fault tolerance, and with a cell modem you can easily get a few hundred bytes exchanged from almost anywhere. Desktops and local servers could be handled the same way -- no local unencrypted state when powered off, and no way to unlock them without positive assistance from outside the jurisdiction, which would be revoked if there is evidence of an attack.

    4. Re:Offshore email servers (not just with HavenCo) by sql*kitten · · Score: 3, Informative

      This is one of the main reasons people put email servers offshore now, even if they're operating onshore. This got started with HavenCo's gaming clients, but we now have general-purpose mail server customers who just want to comply with their existing onshore document retention policies without the risk of someone subpoenaing their mail server and then trying to recover the disk.

      I'm unclear about this. If they get a subpoena, it could be worded such that it's the mail they're interested in, not the physical storage device. In JWZ's account of the subpoena'ing of Really Bad Attitude, they didn't seize any of Netscape's servers, they required Netscape employees to print the whole thing out. If a court orders the company to deliver copies of their email, and they refuse, they're in contempt of court which is an offence in and of itself. And if HavenCo assist them, while it may be perfectly legal under Sealand's judicial system (assuming you have a formal set of laws there), don't forget you are surrounded on all sides by the EU who aren't above applying their own laws outside their jurisdiction. Witness pressure from the EU and US on offshore tax havens.

      What if they take out an injunction against your upstream bandwidth provider(s)? What if they send Customs and Excise agents to raid you, as the UK has done to vessels at sea suspected of smuggling? (Backed by a Navy frigate and detachment of Marines, usually). What if you personally are arrested as soon as you enter an EU country?

      I'm not saying that it's impossible to provide such a service, but that it's becoming increasingly difficult.

    5. Re:Offshore email servers (not just with HavenCo) by rdl · · Score: 3, Informative

      Yes, this is definitely an interesting legal area which hopefully will have some precedents set in the next 10 years.

      The employees of a company would first receive a subpoena in the discovery process to turn over all relevant mail. If the employees refuse to comply, they will be found in contempt and locked up indefinitely.

      However, they can only comply if they are technically capable of complying. It is not contempt to say "that document was shredded a year ago in accordance with our published retention policy", if the document was actually shredded. If recovering mail is blocked by a systems administrator located outside the jurisdiction at hand, then it would be technically impossible for users to recover the mail, and then they would be ok.

      It would not be acceptable for someone who receives a subpoena to delete his own key locally and thus lose access; that would be considered a willful obstruction of the legal process. But it is perfectly acceptable for an overseas party not named on the subpoena (or not served) to take arbitrary actions, and it's acceptable for a company to contract with an offshore agent to undertake security monitoring of a site and lock off access in the event of any suspicious activity.

      (I would be amused if these slashdot postings themselves ended up in testimony when we finally have a test case on the email servers)

    6. Re:Offshore email servers (not just with HavenCo) by Eppie · · Score: 3, Informative

      Legally, offshore servers are of limited value. If you are subject to jurisdiction in the US and a court orders you to cough up the email, you must cough it up. It does not matter where you store it, especially if you have electronic access to those servers in the US.

      I represented an American investment bank that was stiffed on a deal with a foreign company. The fact that many of the relevant documents were scattered throughout Asian offices of various companies made little difference in our ability to force our opposition to produce many boxes of documents, including email stored on off-shore servers.

      I'm not sure why you would try to detect if your customers are being subpoenaed. Why would you disallow your own customers to download their own documents? If you think you're helping them by refusing to allow them to comply with a subpoena, you're mistaken. Companies that intentionally put themselves in the position of losing control of their own documents to avoid legal process will not be treated kindly by courts. I can think of little better news than opposing counsel coming to me with a sob story about how his client's agent refuses to turn over the documents. In the case of third-party subpoenas, such tactics would quickly result in mounting sanctions.

      I can see reasons for getting documents offshore. From a legal perspective, though, this does not do much good. I hope your service wins a lot of customers. I can't wait to litigate against somebody dumb enough to hide his documents in this manner.

  2. From the article.... by RobertTaylor · · Score: 3, Funny

    Some estimates suggest that once it is all added up, Americans send some 1.5 billion messages a day.

    1.4 Billion SirCam "I send you this file for advice". Probably.

  3. Easy and secure delete by tom_newton · · Score: 3, Funny

    Simply include some extremely useful or important information in every email you send, and voila, you will find that it disappears every time, resisting even the most sophisticated attempts at retrieval :)

    NB. This method works best if this is also the only copy of said information.

    --
    Tom Newton

  4. What about the benefits by Anonymous Coward · · Score: 4, Interesting

    So what is the lesson here? If you are planning on committing fraud, illegally maintaining a monopoly, or postponing a defective product recall to maximize profit, you should first make sure you have a document 'retention' policy? And then everything will be OK? What is wrong with this picture?

    What about a story on the benefits of keeping old emails? I'm tired of hearing about the costs.

    Fucking lawyers. Oh, my mistake. It isn't the lawyers, it is the legislators. Fucking legislators. Oh, my mistake. It isn't the legislators, it's the voters. Fucking voters. There, that's better.

    jkljkl

  5. Interesting moral position by Ami Ganguli · · Score: 5, Interesting

    I find it fascinating that people openly discuss ways of destroying evidence in case of possible legal action. Is this going to be a standard MBA course from now on: "How to cover your tracks" or "Case Studies: Failures in Shredding Policy from Watergate to Enron"?

    It makes you wonder why nobody looks at it from the opposite side. If you don't do anything illegal then your e-mail archive could prove valuable for your own defense. Trading companies, for example, keep all records of customer interaction, including phone calls, for use in the event of a dispute. You can never claim that your broker did something without authorisation because they archive everything.

    --
    It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow

    1. Re:Interesting moral position by Scutter · · Score: 4, Interesting

      "Legal" is an ambiguous term at best, the definition of which is determined in the courts, not the boardroom. The U.S. legal system is so convoluted, it's virtually impossible to get through the day without breaking some law. Even if you just stayed in bed all day, you'd probably be guilty of loitering.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"

    2. Re:Interesting moral position by Anonynnous Coward · · Score: 3, Informative

      Although that is the cynical, (and usually valid, IMHO) interpretation, here's another one:

      It's not just about destroying evidence that could be used against you, maybe. I'm not in Records Management, but I bet complying with a subpoena is a lot easier when there's simply less email hanging around--if you have a good, enforced retention policy, you can honestly say "Here is what we have. We don't have anything older than n days, according to policy," and save thousands of dollars in staff time that would have been spent mounting old backup tapes and cruising employees' hard disks trying to honestly comply with a court order.

  6. all this seems strange to me.... by phunhippy · · Score: 4, Funny

    Back when I worked at a .com years ago it seemed the exchange server crashed so much we couldn't keep our email longer than a few weeks if we didn't back it up!!

    Then the CEO told us to auto delete mail older than 90 days... well the exchange server crashes took care of that too :)

  7. So what? by hcdejong · · Score: 4, Insightful

    I'm having a hard time figuring out what his point is. He's saying "we need a policy for archiving e-mail" and then he talks about Enron, where any policy regarding e-mail would have resulted in evidence being destroyed. Is he saying we need to start pre-emptively destroying email in case there's something incriminating in it?

    "Digging up the dirt" isn't a new problem. Back when everything was done on paper, you could make copies and stash them somewhere, so shredding the original was never enough to ensure the document didn't exist anymore.

    And as for saying "e-mail will play a role in many other unfolding corporate stories", well, duh!

  8. MS communications by Anonymous Coward · · Score: 3, Funny

    Top level MS officials no longer communicate with email.
    All communications happen in closed door sessions.
    Verbal communications are also discouraged.
    Most of these meetings are like a game of charades.

  9. Netscape history by the gnat · · Score: 5, Interesting

    Jamie Zawinski has a rather unpleasant story about this on his site:

    http://www.jwz.org/gruntle/rbarip.html

    A very good example of how essentially harmless email can be seriously misinterpreted.

  10. Don't Use Email for Everything by pryan · · Score: 3, Informative

    When I worked at a Fortune 500 company, I noticed that people use email for almost everything internally. Most of the stuff that large companies are liable for gets thrown about in email when there are many other, often better communication methods. Unfortunately, there are a lot of middle-aged administrative assistants and managers that seem to think everything goes in email.

    The lesson? Don't use email to distribute that 10 MBib presentation. If you have a memo, then email everyone a link to it and set the web server to spit out a no-cache HTTP header with the page. If you have a file to share with some people, put it on a file server and give people the link via an email, but don't just attach the little bastard file, which probably isn't so little anyway.

  11. What is the legal status of email? by mir · · Score: 5, Interesting

    Emails can be forged so easily, how is their authenticity established?
    I guess any decent sysadmin in the world could show the court a whole bunch of threatening emails from the CEO of his company, what would a court do in such a case?

    --
    Look, that's why there's rules, understand? So that you think before you break 'em. (Terry Pratchett)

    1. Re:What is the legal status of email? by Eppie · · Score: 3, Informative

      Email is incredibly useful as evidence. In much large litigation, perhaps half of the documents submitted as evidence are email.

      Courts aren't like the movies. In real litigation, the parties don't have many fights about whether a document is what it purports to be. They have fights on how to interpret the document, but not about whether it really came from the CEO or not.

      The reason for this is that email is largely self-authenticating. Most litigation involves at least one party that is a company. All but the smallest companies keep track of their email automatically. When the request for documents comes in, IT does a keyword search, dumps a bunch of emails to a CD-ROM and hands it to the lawyers. The lawyers filter the emails and hand over the relevant ones to the other side. The lawyers keep their clients reasonably honest.

      If a plaintiff comes up with an email that the other side doesn't have a record of sending, they'll have a battle over whether it is real. Both sides present evidence and the jury or the judge makes a decision as to whether it's an authentic document or not.

      In a company of any decent size, the person keeping track of emails and other documents is not important enough to have his or her ass on the line. If they are asked to forge or destroy documents, they'll either refuse or else they'll be extremely willing to talk about it. If there is ever a trial over Enron, we'll see a parade of paralegals, secretaries and mailroom clerks testifying about shredding documents until 3am every night. These things have a way of getting out.

      So: If a sysadmin forged a bunch of emails from the CEO, the court would either let the jury decide if the emails were real or, if their authenticity were very clear, rule on the issue before trial. It would be up to the CEO and his attorney to show the court why these aren't real. If the sysadmin gets caught forging, he probably goes to jail for a little bit.

  12. Government email by Eric Damron · · Score: 4, Informative

    The email for my State government is covered under the freedom of information act.

    What this means is that anyone can walk into any State agency and under this act require that the agency provide copies of its email.

    There is a charge to cover costs and a waiting period to allow the information to be gathered.

    This can cause real problems for agencies that delete email without a policy covering the removal of this information. Basically, if the agency deletes email without such a policy they can be required to "recover" their email. If they don't have the expertise to do so they can be required to contract out to a company who does have the ability. This could cost them tens of thousands of dollars.

    Better to have a policy and to stay within the guidelines!

    --
    The race isn't always to the swift... but that's the way to bet!

  13. It's not just about destroying evidence by RatFink100 · · Score: 5, Insightful

    I've read a few comments already implying this is all about companies covering their tracks after committing fraud or other criminal acts. These comments rightly ask why should we be concerned about policies and technological solutions to aid this.

    However destroying evidence is only a small part of what this debate is about - it just makes for the flashiest headlines.

    The issue is about the way email is used - many people write emails with an informality similar to speech, forgetting that email often has a 'lifespan' equivalent to many physical documents. When you also consider that emails are being used as documentary evidence in legal cases this begins to be a cause for concern. Why? Because people don't always express themselves precisely and may give a misleading impression - especially if the email is taken in isolation.

    And it's not just the informality, it's the 'working document' status of email. Let's say a particular business decision is the subject of scrutiny in a legal case, and let's say it was a decision reached after some discussion. If that discussion took place in a meeting then the documentary evidence would be the minutes - which would express the decision reached. If that discussion took place over email - would you be able to discern later that an email saying "We should do X" was expressing the final decision or merely a point of view in an on-going discussion? What if you had to prove that Y, not X, was the final decision?

    So the policies that need to be implemented are not necessarily about covering up wrong-doing, they are about making sure that documents (emails) which may be treated as written communication, have the clarity and rigour that they need. If they are informal working documents then they may need to be either clearly marked or destroyed at an appropriate time.

    In my view the heart of any sensible policy should be education about how to write emails appropriately. The guideline I always use is "am I still happy to send this knowing that my customer/competitor/a.n.other could potentially see it one day?" If the answer is no then the email either needs re-writing or possibly a different form of communication is needed.

  14. On public "radar" since 1987 by catfood · · Score: 3, Informative

    I'm a little surprised the article didn't mention the greatest email bust of all. In 1987, the questionable para-military funding activities of USMC Lt. Col. Oliver North were uncovered partly by an investigation of messages that he thought he'd deleted from the White House's internal email system.

    North hadn't counted on the "deleted" messages showing on backup tapes.

    Partly because of this smoking-gun evidence, North was convicted in 1989 of aiding in the obstruction of Congress, accepting illegal gratuities, and destroying documents.

    North's conviction was later overturned (with great irony considering his status as a law-and-order conservative icon) on a legal technicality.

  15. Plead the 5th by pryan · · Score: 5, Interesting

    A corporation is a legal construct designed to give a business the same rights as a person, right? If so, in the face of a subpoena duces tecum, why can't a corporation plead the fifth amendment? I assume there's a clear legal answer, but IANAL.

    Amendment V

    No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

  16. Off shore ? by Martin S. · · Score: 3, Interesting

    This post is completely misleading, even assuming 'HavenCo' have a legit claim to be off-shore.

    Placing/using an email server 'off-shore' offers no more protection than refusing to hand over the messages in the first place, you will be in contempt of court and go to jail until you agree to turn them over. FACT!

    Causing the destruction of evidence is a crime, in most countries, even if it is carried out by an agent. So in most cases, all 'HavenCo' will achieve is to further incriminate.

    BTW: How does a mindless commercial plug warrant +5 Interesting ?

  17. Re:It gets out of control very easily by baptiste · · Score: 3, Interesting

    It's when that 6gb is sucking up server space when that starts to suck.

    Oh I don't know - GB sized .pst files anywhere seem to give Outlook fits. I'm always amazed at people who have all their email in ONE folder and complain about sluggishness. They're amazed when we tell them they can file stuff in folders both on and off the server.

    As for storage of email - I've never really figured this out. Yes, some companies log email, etc, etc. Stuff gets caught on backup tapes, etc. But even then stuff drops out after a while. As an IT manager, I'd almost WANT to ditch email server backup tapes after 6 months to a year, less legal hassles :)

    Besides - if it's not on the server or the defendant's machine (IANAL) - it's tough to use as evidence - I mean you can spoof an email easily if you're the plaintiff to make it LOOK like someone sent something. Now do courts understand that? I doubt it :)