Document Retention And E-mail
innocent_white_lamb writes "An interesting column by Jim Carroll about email within companies, document retention, how hard it is to actually get rid of an email, and how all of this can come back to bite you later on."
(Disclaimer: I'm cofounder and cto of HavenCo, an offshore colo and supporting services company on Sealand)
This is one of the main reasons people put email servers offshore now, even if they're operating onshore. This got started with HavenCo's gaming clients, but we now have general-purpose mail server customers who just want to comply with their existing onshore document retention policies without the risk of someone subpoenaing their mail server and then trying to recover the disk.
One of the features I'm working on now is some basic intelligence to detect out-of-character behavior by a mail server client -- such as attempting to download all messages, which would indicate they've been subpoenaed. If that happens, then we would attempt to contact the customer and get positive confirmation that they are *not* being investigated before allowing the transaction to continue. It's a trade-off between allowing normal function and protecting against legal attacks.
Perhaps an extension of normal document retention policies for companies can be to keep them locally for 3-6 months, then move them to offshore "cold storage" where they will only be released when the offshore agent holding the files is certain a request is not due to legal duress. Trade a bit of latency for a lot of security, and otherwise the documents get destroyed anyway.
So what is the lesson here? If you are planning on committing fraud, illegally maintaining a monopoly, or postponing a defective product recall to maximize profit, you should first make sure you have a document 'retention' policy? And then everything will be OK? What is wrong with this picture?
What about a story on the benefits of keeping old emails? I'm tired of hearing about the costs.
Fucking lawyers. Oh, my mistake. It isn't the lawyers, it is the legislators. Fucking legislators. Oh, my mistake. It isn't the legislators, it's the voters. Fucking voters. There, that's better.
jkljkl
I find it fascinating that people openly discuss ways of destroying evidence in case of possible legal action. Is this going to be a standard MBA course from now on: "How to cover your tracks" or "Case Studies: Failures in Shredding Policy from Watergate to Enron"?
It makes you wonder why nobody looks at it from the opposite side. If you don't do anything illegal then your e-mail archive could prove valuable for your own defense. Trading companies, for example, keep all records of customer interaction, including phone calls, for use in the event of a dispute. You can never claim that your broker did something without authorisation because they archive everything.
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
Back when I worked at a .com years ago it seemed the Exchange server crashed so much we couldn't keep our email longer than a few weeks if we didn't back it up!!
:)
Then the CEO told us to auto-delete mail older than 90 days... well, the Exchange server crashes took care of that too
I'm having a hard time figuring out what his point is. He's saying "we need a policy for archiving e-mail" and then he talks about Enron, where any policy regarding e-mail would have resulted in evidence being destroyed. Is he saying we need to start pre-emptively destroying email in case there's something incriminating in it?
"Digging up the dirt" isn't a new problem. Back when everything was done on paper, you could make copies and stash them somewhere, so shredding the original was never enough to ensure the document didn't exist anymore.
And as for saying "e-mail will play a role in many other unfolding corporate stories", well, duh!
Jamie Zawinski has a rather unpleasant story about this on his site:
http://www.jwz.org/gruntle/rbarip.html
A very good example of how essentially harmless email can be seriously misinterpreted.
Emails can be forged so easily, how is their authenticity established?
I guess any decent sysadmin in the world could show the court a whole bunch of threatening emails from the CEO of his company. What would a court do in such a case?
Look, that's why there's rules, understand? So that you think before you break 'em. (Terry Pratchett)
The email for my State government is covered under the freedom of information act.
What this means is that anyone can walk into any State agency and under this act require that the agency provide copies of its email.
There is a charge to cover costs and a waiting period to allow the information to be gathered.
This can cause real problems for agencies that delete email without a policy covering the removal of this information. Basically, if the agency deletes email without such a policy they can be required to "recover" their email. If they don't have the expertise to do so they can be required to contract out to a company who does have the ability. This could cost them tens of thousands of dollars.
Better to have a policy and to stay within the guidelines!
The race isn't always to the swift... but that's the way to bet!
I've read a few comments already implying this is all about companies covering their tracks after committing fraud or other criminal acts. These comments rightly ask why should we be concerned about policies and technological solutions to aid this.
However, destroying evidence is only a small part of what this debate is about - it just makes for the flashiest headlines.
The issue is about the way email is used - many people write emails with an informality similar to speech, forgetting that email often has a 'lifespan' equivalent to many physical documents. When you also consider that emails are being used as documentary evidence in legal cases this begins to be a cause for concern. Why? Because people don't always express themselves precisely and may give a misleading impression - especially if the email is taken in isolation.
And it's not just the informality, it's the 'working document' status of email. Let's say a particular business decision is the subject of scrutiny in a legal case, and let's say it was a decision reached after some discussion. If that discussion took place in a meeting then the documentary evidence would be the minutes - which would express the decision reached. If that discussion took place over email - would you be able to discern later that an email saying "We should do X" was expressing the final decision or merely a point of view in an on-going discussion? What if you had to prove that Y, not X, was the final decision?
So the policies that need to be implemented are not necessarily about covering up wrong-doing, they are about making sure that documents (emails) which may be treated as written communication have the clarity and rigour that they need. If they are informal working documents then they may need to be either clearly marked or destroyed at an appropriate time.
In my view the heart of any sensible policy should be education about how to write emails appropriately. The guideline I always use is "am I still happy to send this knowing that my customer/competitor/a.n.other could potentially see it one day?" If the answer is no then the email either needs re-writing or possibly a different form of communication is needed.
A corporation is a legal construct designed to give a business the same rights as a person, right? If so, in the face of a subpoena duces tecum, why can't a corporation plead the fifth amendment? I assume there's a clear legal answer, but IANAL.