Proposed Federal Rules On E-Document Destruction

runner345 writes "The Federal Advisory Committee on Civil Procedure is evaluating a series of 'e-discovery' rules that will change the way litigation handles electronically stored information for the federal courts. Included in this is proposed Fed. R. Civ. P. 37 which would exempt parties from sanctions for electronic evidence destroyed in a 'routine operation of the party's electronic information system.' Microsoft and other technology heavy-hitters have strongly backed this safe harbor because it judicially validates electronic document retention policies (perhaps the most effective Orwellian misnomer for outright document destruction). If you thought it was hard to get incriminating documents from the tech industry now, think about what this rule will do to a plaintiff's chances. You can get the proposed rule here (when their site works) and read what Microsoft and Intel have to say about it here. You can also read my law school thesis on the topic (still only in draft)."

Simple!

[sandstorming]

Destroying E Documents for dummies... Place on Hard Drive Give Hard Drive to 3 year olds with knives Tell then there is candy inside.

Re:Simple!

[deutschemonte]

Or...
Install Windows, place on hard drive, give an open internet connection three days to install candy inside.

Re:Simple!

[Tuxedo+Jack]

No, there's an easier way.

Give machine to any typical clueless user. Tell them to go on the Internet without protection (just IE, no firewall, et cetera). Watch the fun begin.

Re:Simple!

[iamthemoog]

...or buy one of those Fujitsu or deathstar hard drives from a while back... that should easily define your data retention policy.

Click-of-death zip disks work well too.

Re:Simple!

I have one of the death star disks. It has gone click-click-click quite a few times now. The first time, I was about to throw out the disk, when I read somewhere that the disc is made to withstand 90 G (that's a lot).

Well, it was already defective, can't hurt to try... WHACK... I slammed it down from about 4 inch / 10 cm above the table. Not dropped, but with my hand accelerating the drive towards the table.

Now the drive works fine. I don't use it for anything critical, because I don't trust it, and who knows when it will go bad.

Once every few months the clicking starts again. No problem, there's always a table near :-)

Re:Simple!

[puke76]

Or, if you're the UK Government, tell staff to delete email more than three months old .

Re:Simple!

[Tethys_was_taken]

Defrag it. Works every time :)

Re:Simple!

[HEXAN]

Any plan that involves 3 yr. olds with knives already has problems.

Re:Simple!

[d34thm0nk3y]

If you thought it was hard to get incriminating documents from the tech industry now, think about what this rule will do to a plaintiff's chances.

Keep in mind that this works both ways. Websites that want to protect user data from subpoenas could have a very limited document retention policy that allows them to delete logs daily and not get in trouble. Of course they should document this policy in the event of a subpoena.

Re:Simple!

It's funny about those zip drives. Both of mine have done that for YEARS and except for some occasional trouble getting it to read the disk I've never had any real problems with them. At worst I've had to reinsert the disk a couple of times to get it to read.

Of course that was on win95 and years ago. Have had absolutely no problems using them in Linux.

Not necessarily bad

[GigsVT]

It gives you an excuse to tell people to delete their mess of shit that is all over your server. Be it mail inbox with dozens of 10mb DOC files or their home directory that is constantly pushing quota.

Re:Not necessarily bad

This has nothing to fucking do with that. A person's personal documents can always be asked to be erased by a sysadmin. It is up to that person to make sure his/her documents are retained as necessary. This is about companies intentionally erasing as many documents as possible to avoid the liability (for wrongdoing) they would have if those documents had not been erased. You think it's difficult to get a corporation to follow the law now (it is), wait till after this law is passed by the same corporate shills who "reformed" bankruptcy law. Hello, Fascism 2.0!! So good to be an American.

Whats new

[sprzepiora]

This sounds a lot like regular document destruction rules.

Re:Whats new

[BoomerSooner]

Exactly what's the big fucking deal. If you're a software comany, or hell any company now days you've got gigs upon gigs of data and backups. If you had to save it for X number of years it could easily become a burden. For example, one of my companies stores patient related data subject to HIPAA laws. If I have to store the data for 10 years who knows how much space that could end up taking, not to mention the greater likelihood of something getting lost in the shuffle.

As long as a company has a policy about document retention and follows it, it shouldn't matter if it is electronic or paper based. Now if you're intentionally shreading/erasing documents when you know they are under investigation that is illegal regardless of your policy.

Re:Whats new

[OnlineAlias]

Every health care provider in the country is worried about this...not because they want to hide stuff, but because it is a huge burden on SANs and tape robots, especially when we are talking about huge files that may be included in an Electronic Medical Record. Also it makes it nearly impossible to have a reasonable "system" lifecycle because a provider cannot simply "retire" a system. Providers often have to go to outrageous lengths to migrate old data in old formats to old data in new formats. Since HIPAA says nothing about how long one should keep patient data, these kind of regulations or, *standardizations* are very much appropriate and necessary.

document rentention policies

[alatesystems]

We already have electronic document retention policies, and we do get rid of things on a regular basis. I don't really understand what this rule would be for, except to validate practices already in place at almost every major company.

The submitter makes it sound like it's horrible for the plaintiff, but would we really want to live in a world where we have to keep every single file forever? I think not.

Re:document rentention policies

[Invalid+Character]

Maybe if we all got subsidized hard drives? How does 200Gb HD for $20 sound?
Think of all the lawsuits that would result ;-)

Re:document rentention policies

[natrius]

The submitter makes it sound like it's horrible for the plaintiff, but would we really want to live in a world where we have to keep every single file forever? I think not.

Do we really want to live in a world where there is no such thing as electronic evidence, since anyone can just say, "oops, it got deleted in the routine operations of my business... last night." I think not. See Burst v. Microsoft.

Re:document rentention policies

The submitter makes it sound like it's horrible for the plaintiff,

Having posted a link to an encrypted version of his own "thesis", I'd suggest that the submitter's intelligence is already somewhat in doubt.

Re:document rentention policies

Sounds like the submitter has no clue how many backup tapes a large campany like a bank can generate in a month. At my job we have millions of tapes stored at an offsite vault and currently the retention policy on most of these is 'infinite'. Does the submitter think it is a good idea to store backup tapes from an email server that is backed up every single day for periods longer than 100 years? The tapes would have disintegrated into dust by then.

Re:document rentention policies

[corporatemutantninja]

Actually, I do see a change. And this applies to rules about paper, email, and now IM retention as well.

All that currently happens is that companies avoid putting anything potentially incriminating in writing. "Call me about this," the email says. So companies spend huge amounts of money ensuring "compliance" with retention laws, plus they are unable to get all the efficiency out of communications technologies that are possible because they still end up having the important conversations in person, and we still can't prove anything in court. What's next? Require companies to record and save all phone calls? The ultimate step will be when we don't allow people to have off-record conversations:

CEO: "What do you think, Phil?"
CFO: "I don't think the [FLUUUUUUUSSSSSHHHHH] shareholders will suspect a [ZIIIIP!] thing."

Retention requirements are a huge ball-and-chain for companies without fully addressing the problem they are intended to solve.

Re:document rentention policies

[R.Caley]

would we really want to live in a world where we have to keep every single file forever?

I already do, more or less. I have email dating back a decade, and archived backups and as many things as possible kept under CVS to give acess to old versions.

So far as I can see, given the current cost of storage, keeping things is all win. The only reason that wouldn't be so would be if someone knows they have something to hide.

Re:document rentention policies

[tekunokurato]

burst got $60 MM. What's your point?

What this says is that if a firm has a document retention policy for carrying some documents three years, some five, some seven, etc., it's likely to be legitimized and companies don't need to spend inordinate amounts of money keeping, say, automated notices forever. This says nothing to the effect that companies can't be punished for poor document retention policies, such as one in which executive communications are deleted monthly.

Re:document rentention policies

[mccoma]

Thats fine for one person, but when we talk huge companies this keeping everything is a huge problem and storage that big isn't that cheap. Yes, some industries have requirements (Drug Testing), but keeping every e-mail by every employee is a nightmare.

Also, is a POP3 equipped mail server that deletes mail off the main server even legal?

Re:document rentention policies

[Generic+Guy]

burst got $60 MM. What's your point?

The point is that Microsoft claimed they didn't keep the files and messages for the Burst case (a strange 18-month "black hole" in their email records) after claiming in another case that they kept everything. This self-incrimination is the only thing that managed to help Burst.

Re:document rentention policies

[netruner]

You know, somebody needs to post the response to the "only the guilty have something to hide" argument on a webpage so we can just post a link when this fallacy rears its ugly head.

Nothing personal against you Caley, but any type of intrusive laws such as what we're discussing here are the opposite of freedom, and need to be called out as such whenever they're seen.

If you want to keep everything, that's your business. However, you should evaluate your motives. Keeping everything for the express purpose of being able to prove your innocence says a lot about your view of the political climate.

Besides, the idea that making a law to force people to not change the pattern of bits on a disk will actually prevent it is naive. Anyone with any level of proficiency can make it look like the file in question was never there.

Re:document rentention policies

[Spad]

As it stands, there's nothing to stop a company from doing exeactly the same with paper documentation; "Oops, it got shredded in the routine operations of my business...last night".

Re:document rentention policies

[R.Caley]

Thats fine for one person, but when we talk huge companies this keeping everything is a huge problem and storage that big isn't that cheap.

But, surely, it simply scales linearly. One person doesn't create exponentially more data just because they work in a company with 10,000 others rather than 10. They still only have 10 fingers and the same typing speed.

The cost of storage for the email and report etc. output of one person for a year is trivial compared to their sallary, tax, benefits, providing them with office space, admin overheads etc. etc.

Re:document rentention policies

[R.Caley]

``only the guilty have something to hide''

If you read what I wrote, rather than what you would like to read to have a straw man to shoot at, you'll se I said nothing like that.

What I said was, in paraphrase ``only the guilty are subject to a significant cost in keeping everything''. Nothing about hiding anything. There are indeed perfectly good reasons for hiding things, consider the story last week about the anarchist site whose brain-dead admin had his logs confiscated when half a brain cell would have told him not to log his users' IPs in the first place.

But there is no reason for a business not to archive it's electronic paperwork, and lots of sound business reasons to do so. Having this enforced by the state is, as you say, a different issue, but I was just aswering the ``would we want to live in a world where...'' point.

Would we want to live in a world where the state had laws against us sticking our fingers in live electricity outlets? Well, there is a level of insult to our intelligence in such laws, but on the whole their are much more worrying things the state will do while we worry about fighting such trivia.

In the UK, the double jepardy law ceased to exist today.

Re:document rentention policies

[OnlineAlias]

Sorry, but you simply don't know what you are talking about. In a little system, you can keep things forever, no problem. But in massive systems, it really isn't the space that is a problem, it is the bandwidth. Moving 600 terebytes of data around all of the time becomes impractial at today's data rates. What is one to do, keep everything spinning? Put it to tape? Go nearline? Think about it. Little mail servers are one thing, but the computers that really run things, like RS/6000's, Suns, and Mainframes, etc.etc. with apps like CICS, SAP, and Lawson, etc.etc are what this regulation helps with.

Re:document rentention policies

[Brian+See]

Guess what?

Voicemail is discoverable. And because of the way it's stored, it's an "electronic document" within most definitions.

Saner preservation plans/orders are specifying that voicemail need not be preserved. Less sane plaintiffs are trying to force people to save (and review and produce) voicemails. And yes, it costs a heck of a lot of money to do.

Re:document rentention policies

[R.Caley]

Moving 600 terebytes of data around all of the time becomes impractial at today's data rates.

Well, as the doctor in the joke says, don't do that then. The issue was retention, not copying everything across your network every night. Leave it where it is. Don't even need to back it up, if it gets eliminated by a disk crash after 5 years, ho-hum, no one gets put in jail when their paper records are destroyed by fire, unless they are holding the match.

In any case, by definition you are already shipping all this stuff around. Email which doesn't get sent to anyone and reports which don't get transfered to anyone other than the author to be read are not very useful.

Re:document rentention policies

[OnlineAlias]

Except: What are you going to do with the new data that is created? Move the old stuff? Buy new stuff to hold the new stuff? This is what people aren't understanding. When you have a *SHITLOAD* of data, both being created and being retained, things start to change significantly. At some point, you must choose to destroy it and have a rock solid data retension policy on what it is you keep and what it is you destroy. Till now, there have been *no* standards on this and it was usually left up to corporate attorneys who had no understanding of what it means to keep eveything, or it was up to the datacenter managers who had no clue of the legal ramifications.

Re:document rentention policies

Just like with paper document, once you receive the supenia(sp?), you have to take all possible steps to preserve anything that might relate to the case. This has been dicussed in legal circles for a few years now. As I understand it, what this is doing is allowing you to delete the electronic versions just as you would eventually shred the paper versions. But like with paper, it will likely requier you to have a written, long standing policy on the destruction of these documents/backups/etc.

Re:document rentention policies

[bigpat]

Do we really want to live in a world where there is no such thing as electronic evidence, since anyone can just say, "oops, it got deleted in the routine operations of my business... last night." I think not. See Burst v. Microsoft.

Sure they can say that, but will the courts believe them? Judges are not all stupid.

Re:document rentention policies

[R.Caley]

When you have a *SHITLOAD* of data, both being created and being retained, things start to change significantly.

But when you have a shitload of data being created, you are clearly a big operation with a shitload of resources.

Aren't we talking about the same volume of data per day as would be added to the backups? Tapping that off into an archive isn't going to involve a volume of data which isn't already being handled. So it comes down to cost of the actual archive storage, which is going to be cheaper in proportion as the organisation gets larger.

Re:document rentention policies

What's next? Require companies to record and save all phone calls?

Many companies (especially financial ones) do exactly that.

Re:document rentention policies

Yes, I would *much* prefer to live in a world where (1) the government does not mandate IT policy and (2) where I am protected against self-incrimination.

Stuff your bogeyman scare tactics in a sack. What's the great harm that will befall us if system administrators are allowed to rotate their log files and purge old files? You know what, potentially incriminating evidence gets destroyed every second. It's called speech. You push air through your vocal cords, move your mouth, air vibrates and transmits a message to a listener, and then *poof*, the message is gone! Oh no! Maybe we should all be required to carry portable recording devices to record every moment of our lives, so that busybody lawyers can get their grubby little hands into everybody's dirty laundry.

There's absolutely no reason we need to make it even easier for people to accuse others of committing crimes. It's too easy as it is.

Re:document rentention policies

[Chaostrophy]

It is that email was missing for a month before and several months after each meeting with Burst, over a long period, and not just on servers, but also on peoples personal machines.

Re:document rentention policies

[quarkscat]

Corporations absolutely hate the Sarbanes-Oxley
law, particularly those portions that require
them to retain electronic evidence that can be
used against them later. Between MSFT's legal
shennanigans in their lawsuit with Burst, this
new regulation, as well as the new DRM initiatives
from MSFT (Palladium & patented XML), corporations
(and their legislative stooges) will effectively
have eliminated this threat to their malfeasance.
A whistleblower cannot "blow the whistle" if he
or she will not have the capability to reveal
insider documents. MSFT has gotten away with
the selective destruction of pertinant electronic
documents in court proceedings. This does not
bode well for "open democracy" either, since the
same trends are occurring within the government.
George W. Bush has not only sequestered his
prior records (Air National Guard/Governor of TX),
but has overriden the law regarding the National
Archives with an Executive Order.

As far as I am concerned, where there is smoke
there is fire. Corporations that resist storing/
archiving electronic files do have something to
hide. Governments that resist storing/archiving
public documents (or sealing them forever) also
have something to hide. There is no other real
rationale for such subversive behavior, especially
with Sarbanes-Oxley as law of the land.

Re:document rentention policies

[mr.newt]

I think Martha Steward would like a word with you.

Re:document rentention policies

[mr.newt]

Err, Stewart, Steward, whatever. That scary lady that makes the cookies.

Re:document rentention policies

Give up. Nothing will convince him that there is a difference between backing up his personal mail server and backing up 10,000 mail servers for a multinational corporation. Don't waste your time.

Re:document rentention policies

[Nefarious+Wheel]

Get into finance industry IT -- the banks -- and there's a very clear code as to not just how long you need to keep the data (in Australia it's 7 years except for registry, which is 5 years) but also at what point you must destroy it.

Incidentally the 7 year rule was because that's how long a 9-track tape reel was supposed to last before magnetic print-through would manifest on the old media. Anyone looking for an update on this, or will this be another business standard that lasts forever based on obsolete technological limits?

Re:document rentention policies

[mccoma]

But, surely, it simply scales linearly.

No, you gotta count the number of connections. Businesses have a lot more e-mail then your average person. Not to mention the automatic stuff sent by programs and systems. Throw in the attachments and other fun things and you get a nightmare. The cost isn't trivial and it adds to the administrative overhead. Adding a sudden need to do proper backup (and offsite storage) of what should be transient.

I understand it for certain industries (I used to work in Clinical Trials and as another poster mentioned that has strict rules). Although, you can use those industries as an example of costs being driven up by the information storage requirements (the cost of I.T. for clinical trials is very high in the US).

Re:document rentention policies

[Vombatus]

That '7 year rule' has been around since biblical times, with many many variations on why it is 7 years, but that is the first time I have ever seen it linked to the life of media. I will add it to my knowledge store.

I'm not sure (but I could be wrong) that any of the Australian banking legislation has a mandatory requirement to destroy records. In 26 years in the records business, I can only recall 2 laws that had a mandatory destruction requirement. Of course, after 26 years, senility might be affecting my recall.

Re:document rentention policies

[Nefarious+Wheel]

I've just spent an uncomfortable week or five plowing through the dozen or so regulatory bodies' requirements. Once you get past simple custody and into the feeding frenzy involved in Basel II ratings, they seem to all get into the act. I think iirc the destruction rule came from APRA but it could have been one of the others.

Remember how IBM vs. The BUNCH was resolved? Litigation had gone into critical mass (i.e. the collection of suits and countersuits would complete three minutes after the heat-death of the universe) and the one tape with the index to the warehouses full of punch cards was "inadvertently" erased, and CDC paid the relatively small fine for destruction of evidence as a way of finishing the mess off. Shortly after that a number of technology-specific laws arose regarding backup of media (this was in the US of course). I remember the debate as to 7-track vs. 9-track longevity -- 7 track was perceived as being more durable, but they forsaw 9 track would become the standard and thus went with the puny 7 years it was supposed to last.

Informative? Probably, but boring too. Mod me up for it and your dog will die.

How long

[Invalid+Character]

If i understand this right then how much of a time buffer would one get before destroying data is considered "destroying evidence"?
What if your regular clean up procedures begin just after you've gotten wind of a warrent or other legal issue?

Im sure there are provisions and details about these situations ( IANAL and i dont speak legalese) Can anyone with more knowledge elaborate on exactly what this all means?

Re:How long

[ReggaeFire]

As pointed out above, this is no different then the rules governing retention policies for paper documents. For records management people this is a basic function of their job. What this means is that you have a regular cycle (a document "lifecycle") where a document is no longer needed for business use, and it is legal to destroy it. You cannot simply invent a lifecycle and destroy at will once a discovery process has begun (this is what Enron did, and a big reason we now have Sarbanes-Oaxley), but if you already have this automatic process in place (which a growing number of companies do for electronic records), this will keep the lawyers from claiming you are destroying evidence to willfully avoid prosecution (the same rules apply for electronic records as paper ones, you must keep certain records for x amount of years, etc.). This isn't groundbreaking, in fact it's pretty basic and surprising it didn't exist before.

Re:How long

At least with paper documents if you get information about a warrant or other legal issue you are supposed to halt destruction until the issue is resolved. I don't see why electronic documents would be any different. Most (all?) electronic document retention (destruction) managment software has the capability to halt all destruction of data if a warrant or something comes up.

Re:How long

[permaculture]

While we're on this topic, here're the Electronic Frontier Foundation's Legal and Technical Policy Suggestions for Data Logging

Best Practices for Online Service Providers:
http://www.eff.org/osp/

It's a good thing...

[zegebbers]

Microsoft and other technology heavy-hitters have strongly backed this safe harbor because it judicially validates electronic document retention policies (perhaps the most effective Orwellian misnomer for outright document destruction).

That would be a terrible, Orwellian scenario! It's a good thing that people haven't suggested this in scenarios such as the indymedia.org raids!

Sorry IBM

[FidelCatsro]

SCO apear to have lost every bit of evidence you were looking for during some "routine mantience" work

Re:Sorry IBM

Suck it you fucking communist dictator.

Re:Sorry IBM

I think i deserve a better troll than you , come on ... i used to have a better one , where did he go

Re:Sorry IBM

This was actualy a joke , not a redundant comment or an informative one . As i can imagine SCO losing some evidence

Routine Operation?

[datafr0g]

...for electronic evidence destroyed in a 'routine operation of the party's electronic information system.'

What is a routine operation - how do you define this? I assume we're talking about scheduled backups but could this be a possible loophole or is it defined in some cunning way in the actual proposal?

Re:Routine Operation?

[brianf711]

Would it still count as routine if it was scheduled every day, but you could just postpone it if you were using the computer, like chkdsk at windows startup? If you don't postpone, it could be defined as routine because the schedule was in place before the request for documents. It would only be lack of user action to save the documents that leads to their destruction. Legally, this could be a very different case, though practically it is identical.

I agree with this legislation

Broadly, my company "EvilCorp" has a document retention policy, that simply states

"Don't retain anything incriminating".

I'm glad to see, government is catching up, with trends set by industry leaders like myself !!

God Bless America.
God Bless Corporate Malfesence.
Death to document retaining, Commie Linux Users!

Also, it's worth noting.

We've always been at war, with East Asia !

[Seriously folks]

Am I the only one who thinks that government should be requiring companies to move the *other* way?

Ie, retain, *everything*... absolutely *everything*, why should email/*doc* be an acceptable domain, where, one can simply erase data under dubious circumstances ?

Because corporation (x) wants it that way ?

[Aside]

Corporations are too powerful now.
Increasingly, law is coming to reflect the interests of Corporations, instead of the interests of countries citizens.

It's not so absurd to suggest, that.. eventually, the little guy will revolt.

Think the French revolution, think the American revolution...

Eventually, when the little guy gets done taking enough crap from those on top... the little guy gives the other the boot.

In this light, Bill Gates is the King of France.

"Let them eat Patent-Cake".. etc.

Re:I agree with this legislation

[djmurdoch]

Ie, retain, *everything*... absolutely *everything*, why should email/*doc* be an acceptable domain, where, one can simply erase data under dubious circumstances ?

*Everything* is a lot. Do you want every revision of your swap file to be backed up?

On the other hand, every email you send does seem like a reasonable requirement. But what if your email contains a URL. Should you be required to back up that version of the web page?

Re:I agree with this legislation

Every email.
Every electronic document.

Swap files no.

Caching URLs, again, no, there are quite a few caches of Web pages around the internet.

To me, it just doesn't make sense, to make it easier for companies and individuals, to effectively destroy evidence, and worse yet, for the government to rubber stamp it.

It's like handing a right wing militant a gun... giving him a nod and a wink and saying "go ahead".

That's how big companies that abuse, the system *as it is* will see legislation like this.

Re:I agree with this legislation

"Let them have trustworthy computers"

Re:I agree with this legislation

[MoralHazard]

"Am I the only one who thinks that government should be requiring companies to move the *other* way?"

Um, have you ever heard of a little piece of legislation called Sarbanes-Oxley? Yeah, you might want to check that out before you start assuming you're on a one-man crusade. Corporate ecords retention requirements have only increased over the past 10 years.

"Ie, retain, *everything*... absolutely *everything*, why should email/*doc* be an acceptable domain, where, one can simply erase data under dubious circumstances ?"

This would be fine... except for the fact that you'd have to remove the "delete" function from every application on every desktop. If I'm composing emails, and I decide not to send something I halfway finished, do I have to save it? How about drafts from 10-year-old memos? And what happens when you just have too much shit for your hard drives? Preserving EVERYTHING is a pretty goddamned big burden on businesses.

"Corporations are too powerful now.
Increasingly, law is coming to reflect the interests of Corporations, instead of the interests of countries citizens."

Go back and RTFA. These standards have NOTHING TO DO with corporate versus non-corporate entities. We're talking about a rule that applies equally to all parties in civil litigation, whether they're incorporated or not. If you run a small business as a sole proprietor, and you get involved in a lawsuit, this applies to you, too.

Is slashdot so easy that any pseudo-Marxist anticorporate ranting passes for "informative"?

"Eventually, when the little guy gets done taking enough crap from those on top... the little guy gives the other the boot."

Yeah, whatever.

Re:I agree with this legislation

Oh noes, anticorporate ranting!

Maybe if corporations would climb out of the gutter for a few years, people would stop ranting about things like this, but no, Enron, Worldcom, KBR... and these are just the recent ones, its not like corporate scum is a new invention. It just never stops, does it? An endless cycle of greed and taking advantage of everyone within arm's reach for the almighty holy dollar.

Maybe if apologists like you would shut up and think about the image corporations have for about 3 seconds, you'd see that theres plenty of room for improvement. These days companies don't even pretend to be good, they flagrantly disobey laws and get away with it.

Re:I agree with this legislation

[frank_adrian314159]

But what if your email contains a URL. Should you be required to back up that version of the web page?

No, silly person.

That's why we have Google.

Re:I agree with this legislation

[Brian+See]

If your email contains a URL, and the URL is a link to a website on a server outside of your possession, custody or control, then of course you're not going to have a duty to preserve the web page.

If it's YOUR OWN web server, though, it's a different analysis.

Also, if you have cached a copy of the web page (say in your individual browser cache, or if your company has a caching proxy server), there is arguably a duty to preserve that cached copy.

Oops, you overwrote your cache through routine web browsing? Congratulations, the lawyers on the other side will argue that you've just committed spoliation.

Re:I agree with this legislation

[Money+for+Nothin']

And the alternative is... what? Government provision of goods/services, i.e. socialism (government ownership of all economic output, i.e., 100% taxation)?

And don't governments fail to "pretend to be good, they flagrantly disobey laws and get away with it" too? They do, and in part for that reason, socialism failed; the Berlin Wall fell, Soviet Russia collapsed, and every significant genuinely-socialist nation (former Soviet Russia, China, India, Vietnam, Nazi Germany) is no longer fully-socialist, having undergone a process of slow conversion to capitalist economics. The sole exception is North Korea, the last holdover from the Stalinist era -- and I wouldn't call them a "successful" country by any means (not even at extorting the U.S., which seems to be its goal as of late).

So if corporations are big and bad, and if governments are big and bad, what's the solution? Communism (i.e. a system in which all property is equally owned and there is no government and everybody works for "the greater good" of the community)?

But communism (real communism, not the "communism" people claimed Soviet Russia and China and North Korea live(d) by (i.e., they were communist in ideology, but socialist in actuality)) doesn't work because there's no incentive for people to care about the things they own. The problem is known as "tragedy of the commons." Real-world examples of communism -- including Chairman Mao's experiments in rural China during his "Great Leap Forward," and for a short time in pre-Revolution America (America was once a communist land - until they figured out that nobody was doing any work) -- have been a proven to be utter failures.

So, that leaves 1 other economic system: fascism (governments and business working together). But by definition, govn't and business works together; if you think things are bad now (and it could be argued that we have a fascist economy), things could be worse.

Milton Friedman once said it best in his book Free to Choose:

We have been forgetting the basic truth that the greatest threat to human
freedom is the concentration of power, whether in the hands of government
or anyone else. We have persuaded ourselves that it is safe to grant power,
provided it is for good reasons.

(emphasis mine)

But then that brings us back to a capitalist system, in which we balance the power of the people against the power of business and against the power of a minimal (but powerful in the parts we do create) government; it's a 3-way balance that needs to be maintained, and all too often, the citizenry fails to keep its end of the bargain...

Consider 2 final facts:

1) Wal-Mart routinely tops the Fortune 500 list as America's biggest corporation. It's total revenues last year were around $260 billion. It seems pretty huge... until you consider that the U.S. Federal government took in tax revenues of about $2.4 trillion (or, $2,400 billion), making the government's tax revenues still 9 times larger than that of America's biggest (and some would say most-evil) corporation.

2) How many people did Wal-Mart kill last year? None? Or maybe 1 or 2 due to negligence (e.g. slip-and-fall)?

Now how many people did the U.S. government kill? Well, simply looking at Iraq and ignoring our death penalty laws, the "war" in Afghanistan, and so on, we know the U.S. government has killed thousands of people. So which entity is more-dangerous and more ruthless?

Corporations aren't perfect, governments are *far* from perfect, and the citizenry often makes stupid or uneducated decisions (like re-electing President Bush, hence the problem of mobocracy). Avoiding the concentration of power is critical.

Me, "I love my country; it's my government I'm worried about."

Re:I agree with this legislation

[jdiggans]

Don't you have a World Bank protest to get to? ;P

Re:I agree with this legislation

[MoralHazard]

Okay, I've read my share of Milton Friedman and Hayek and Mises and all that, and I won't argue the damn philosophy or economics like the other reply poster. I WILL, however, point out a couple of things for your edification that are pretty simple facts:

1) There are tens of thousands of incorporated companies in the USA. If you include sole-proprietor LLCs, which share certain liability features of corporations but not the management structre (they're essentially traditional small business with a liability shield), the number is probably in the hundreds of thousands.

2) Some of these corporations do bad things. Some are caught and some get away. But the Enrons, KBRs, and Worldcoms are the exception, not the rule. There were a few dozen high-profile dot-com related corporate malfeasance cases, and every year there are at least a dozen or so SEC efforts on other random corporations that Do Bad Things. So, NOT the majority--a small proportion.

3) FBI crime statistics suggest that the rate of violent and property crime perps, nationwide, is greater than 1 in 10,000, but probably less than 1 in 1000. So the rates for corporations and individuals are roughly the same order of magnitude.

4) One could conclude that corporations an individuals commit crimes in about the same proportion. Not equal, but close enough.

5) Many of the high-profile dot-com criminal cases were against individuals (i.e., Frank Quattrone) or partnership-style companies (Arthur Anderson).

6) One could conclude that whether an entity is a corporation or not is a pretty shitty way to predict whether it will engage in criminal behavior, because the correlation is so weak.

Re:I agree with this legislation

[djmurdoch]

Also, if you have cached a copy of the web page (say in your individual browser cache, or if your company has a caching proxy server), there is arguably a duty to preserve that cached copy.

This doesn't sound very practical to me. The people who know what's in the cache won't know which items in it are mentioned in email messages like this one: "Hey, you see what Enron did in that story on news.com.com today? We did the same thing!" So should they back up everything in the whole cache?

Lawyer Tax

This is why the Democrats are out of power: they go to bat for the lawyers but can't raise minimum wage.

Losers.

Thesis

[Cruithne]

There's a good idea.

1. Post unfinished thesis on slashdot for us to review
2. Incorporate feedback from users who read it
3. Profit!!!

Only problem is.... I dont think anyone is going to want to read it, especially not on a monday morning :D

Re:Thesis

[gowen]

On Linux, acroread tells me the document is encrypted, so quite what the purpose of posting the link is, I'm not entirely sure...

Excellent

Every cloud has a silver lining.

Re:Excellent

[brianf711]

Every silver linings got a touch of grey:
http://www.fcw.com/fcw/articles/2001/0820/news-nix on-08-20-01.asp
http://nixon.archives.gov/index.php

Call me stupid but...

Is there a need for electronic documents to ever be deleted? Call me stupid but to back up forever a companies information doesn't really cost all that much. Can someone explain why it is necessary?

Re:Call me stupid but...

[tomhudson]

Call me stupid but... (Score:0)

Okay ... you're stupid.

Is there a need for electronic documents to ever be deleted? Call me stupid but to back up forever a companies information doesn't really cost all that much. Can someone explain why it is necessary?

"Electronic documents" could also be the server logs showing you surfing those gay porno sites, as well as all those ethnic/sexist jokes you posted/received.

Then there's the backups of the backups of the backups problem.

And the time and manpower necessary.

And, when your current backup procedure has to be moved to a new media, because your current media are no longer available/obsolete...

Yep, I'll call you stupid.

School kids wil like this one, though ...

evidence destroyed in a 'routine operation of the party's electronic information system.'

"My computer ate my homework" is now a valid excuse.

Re:Call me stupid but...

[jwilkins13]

* Cost of storage: getting cheaper all the time, but still not free * Cost to backup - still only 24 hours in a day in MY world, and when you're backup up hundreds of terabytes, that gets to be an issue * Cost to restore as required to produce for discovery, or because the server slagged * Cost to search & retrieve information * Cost to continue to migrate stuff every 5-10 years (and see recent threads on /. about optical storage lifespans) * Cost to keep hundreds of different file formats *after* they are swallowed by MicroDobeSoft (do YOU have any Wordperfect 4.2 or Wordstar documents?) * Cost of having to sift through and provide only responsive documents: IANAL, but I'm guessing judges aren't as big anymore on the "drown 'em in paper" tactics - and everything provided is fair game for opposing counsel

Many different organizations, from technology companies to ARMA, the Association of Records Managers and Administrators, thinks the proposed changes are, by and large, a good thing. I agree. Anonymous document technologies consultant :)

Re:Call me stupid but...

[OnlineAlias]

Agreed, seems there are the people who know what this regulation means and why it is a good thing to clarify something that has been a huge problem, and then there is everyone else. These naysayers need to step into one of my datacenters for about 5 minutes....I suspect their opinion on data retension would change mighty quick.

Re:Call me stupid but...

[admsteiner]

Call me sad but...

I actually do have lots of WP 4.2 files...I also have the 5 1/4" floppies with the program files and a drive to read them! :-)

I like the idea that I don't have to keep my 10,000+ *personal* emails that I've accumulated over the last 4-5 years. Imagine how bad it is for a business. My emails are adding up to 1GB now...

Re:Call me stupid but...

[Solstice]

It's not a question of backup and time required to backup, it's more of a question of what happens when your company gets sued. The plantiff's legal team could request that all of your records relevant to the complaint be turned over. It could take hundereds of man-hours to go through decades worth of data to find the relevent documents. After all, you don't want trade secrets and the like to be entered into any sort of public record.

This is especially important in the healthcare field. Hospitals and Doctors get sued all of the time. To respond to discovery requests and subpoenas, they can waste a lot of the IT team's time just scrubbing through years of personal e-mails. When I worked at major hospital a few years back, this was a huge concern.

the miracle of encryption...

[torrents]

use encrypted volumes... when the feds come knocking forget the passwords... there's no law against being stupid... and if there was, i wouldn't know... i'm stupid!

Re:the miracle of encryption...

[stry_cat]

There sure is. It's called obstruction of justice. and after the judge orders you come up with the password it is called contempt of court.

Re:the miracle of encryption...

[terraformer]

Nope, not that simple...

Re:the miracle of encryption...

[lachlan76]

I thought your country didn't require you to incriminate yourself?

routine, huh?

[sugapablo]

"...which would exempt parties from sanctions for electronic evidence destroyed in a 'routine operation of the party's electronic information system.'"

So I suppose the following is perfectly acceptable:

30 0 * * * rm -rf /var/log/incriminating/*

Re:routine, huh?

Better yet:

30 0 * * * find /var/log/incrimating -type f -exec shred -u {} \;

Just make sure your logs are stored on a partition without a journaled file system.

Amen

The last thing I want is some asinine law that manadates the retention of every stupid file for ten years.

Think of the law suits and jail time for sys admins that didn't have the good backups that they thought they had.

Re:Amen

[GigsVT]

The last thing I want is some asinine law that manadates the retention of every stupid file for ten years.

Yeah, this one is funny.

---
"Reasonably Accessible" The term often means information that the party itself routienely accesses or uses or that is easily located and retrieved. By contrast, information stores only for disaster recovery is generally expensive to restore and is disorganized.
---

That's pretty damn accurate in a lot of companies!

i see nothing wrong with this proposed rule

[awb131]

For instance, under HIPAA and other state insurance regulatory laws, my company is required to maintain all documentation related to a customer file for 7 years. Right now this constitutes about 2 million pieces of paper weighing approximately 14 tons and taking up about 1500 square feet of floor space in my office for filing cabinets. We go through things once a year and toss anything that's older than 7 years.

When we move to an electronic imaging system, everything will probably fit on to a couple of high-capacity disks. In 7 years, the cost of that amount of storage is probably going to be negligible, so there's no technical reason we couldn't keep things forever. But I'm still going to configure the document management system to toss anything older than 7 years. Why? Because 7 year old information is not useful. The only reason it's there is because of state/federal rules of evidence that require me to keep it around. It's only useful to someone who's suing me, and when those 7 years are up I'm glad to get rid of it.

One of the things that keeps people from modernizing their filing systems is the fear of losing this "protection," of being able to throw away old information. There's a fear that if you go electronic, it's always going to be "out there" somewhere and potentially a legal threat to you, even if you've done nothing (intentionally) wrong.

I for one support this rule. And if it seems like a good idea for our small company, imagine how it would seem if you're, say, Citibank.

This rule is obviously not designed to support policies of "oh, we're getting sued, so I'm going to throw out this particular subset of information related to the lawsuit and try to claim it's a standard practice," because any attorney worth the price of his suit would get me thrown in jail for destroying evidence.

Re:i see nothing wrong with this proposed rule

[japhmi]

Part of the reason it's easy is that you have a set area where you put all your patient information, and that's the only thing you put there.

Reading some of the actuall testamony put out there, some good points show up. If a company can say "you have automated backup tapes from 2000, and one one of them you may have *whatever* piece of information, so I want it." You have no idea which tape it may be on, so you go through your massive pile trying to find it. If you're a small, but data intense, company it may cost more to find the piece of data than it's worth to defend the lawsuit. And more and more of these lawsuits are coming from some company who doesn't make anything, they just sue to make money.

That doesn't even begin to think about the cost of not being able to recycle backup tapes if you go through over 20,000 200GB tapes a week...

Re:i see nothing wrong with this proposed rule

Over 7 years old not useful?

On the contrary. I want my medical records that I have with Kaiser. I don't care if you think they're useful or not. They document things that happened to me and decisions that doctors and practitioners decided were appropriate treatments for ME, and I am still living with the consequences.

Those records, for me, begin in 1981.
For my wife, they begin in 1979 and contain records of the onset of adult asthma and the results of allergy tests. Seven years does not magically make this irrelevant.

Kaiser Permanente keeps its records in pure electronic form. They have done so for the last 5 years at least, and were the first major HMO to do so.

Here's the kicker. "reasonable cost" defined for paper records affects how much I have to PAY to get copies of MY information.
Kaiser requires $25.00 for the first 50 pages + $.25 per page for any additional information.
When pressed for why such a high cost, given the cost savings of electronic forms, and that I would be happy to accept an electronic format, I was told 'HIPPA permits us to charge this.'

How special.

They will provide (gratis) a copy to my new doctor, but only going back 5 years except where specifically requested.

Basically, I'd have to pay about $150 for my own records, and my wife would have to pay about $245 for hers, based on estimates by Kaiser's records department.

Frankly, I'm surprised and appalled that you (or anyone) throws away patient records. Those are the property of the patient, not your organization, and when you're done with them you should be returning them to your patient.

Re:i see nothing wrong with this proposed rule

[awb131]

Did I say they were patient records? I sell insurance. But because the laws are so broadly written, my agency falls under HIPAA.

And yes, HIPAA does permit a reasonable charge to provide a copy of records. Don't bitch to me, bitch to your congresscritter.

Re:i see nothing wrong with this proposed rule

[Nefarious+Wheel]

Our bank doesn't even use tape anymore. We just buy another whacking great cheap storage array when we need one. We've done the sums, and tape is gone. Yes, we do buy a lot of bandwidth. Yes, we are heavy into compliance and massively parallel remote storage. Look at MAID storage (massive arrays of inactive disks) and EMC's Centara -- if you add up every cost, right down the the little rubber feet, it's cheaper to keep it on disk. YMMV, but when you have to archive each and every transaction and provide search to it for 7 years or face a seven-figure fine, tape is well and truly feet-nailed-to-the-perch.

Establish retention/destruction policies first...

[sczimme]

[IANAL but have researched this issue to some extent. No statements I make should be construed as legal advice.]

Organizations should establish data retention and destruction policies and follow them consistently.

Suppose an organization has a policy that states that a) all email older than N days will be purged from the server and b) all email must remain on the server (i.e. no local storage of messages). Another party initiates legal action based on an email sent on $DATE and the discovery process begins. If the order comes through on the (N+1) day for the organization to produce its email, the organization will be in the clear because it followed its own already-established policy. However, if the order comes in on the (N-1) day and the organization purges older email early, it [the org.] will be in hot water.

However, the organization must be sure that it includes all sources of this information. Does the site backup/restore policy parallel the 90-day destruction rule? Many sites pull a set of tapes/media from the rotation once a month or so and put it aside for archival purposes. If the site policy is to destroy email but the backup tapes are available...

IIRC this was a serious mistake on the parts of Enron and Arthur Andersen: they had no such destruction policies in place and began deleting sensitive items only after they knew proceedings were about to begin.

Too Much STUFF!

[Hasai]

Y'know, judging from the submitter's slant on this, I would guess he's never had to maintain multi-gigabyte document repositories bursting at the seams with obsolete documents. Nor, I suspect, had to restore and rebuild five years worth of old email databases just to satisfy some little ambulance-chaser's fishing expedition.

Bah.

Re:Too Much STUFF!

[1u3hr]

Y'know, judging from the submitter's slant on this, I would guess he's never had to maintain multi-gigabyte document repositories bursting at the seams with obsolete documents. Nor, I suspect, had to restore and rebuild five years worth of old email databases just to satisfy some little ambulance-chaser's fishing expedition.

"Multi-gigabyte" sounds like a lot, but it's only a couple of DVDs.

Instead of deleting, you could just as easily back it up and file the DVD, hard disk, or whatever. Should be able to keep decades' of correspondence in a cubic metre.

Aside from the legal risks that seem to motivate all this destrucion, this is in the short term losing the corporate memory; in the long term losing history. I personally have every email I've sent, and most I've received, over the last 10 years, periodically backed up into zip files on CDR, currently these are about 20 MB. Maybe it's because I use plain text, and convert anything that comes in to that as well. (I don't keep Xmas card flash animations and crap like that.) Storage is getting cheaper even faster than Moore's Law; and file bloat isn't keeping up, thank God.

On a personal basis, when the files are gone all that's left is what someone remembers happening. They may not be able to sue you, but if it's your boss, he can hang you out to dry. I had a dispute with a former employer, it was decisive to show email that disproved his claims, e.g., that I had "agreed" to take my salary late, that I had never worked overtime.

Re:Too Much STUFF!

[digitac]

Let's see here, we've got ~3TB of data that we back up weekly, and differentials during the week. So that's going to be 654 DVDs to burn and archive each week. At 16x speeds it will take about 71 hours just to burn. And then there are a lot of documents that get created and deleted durring the week so they never make it to our full backups, and even stuff that doesn't make it to backups because the documents don't even last a day! I know, you want us to put key loggers on everyone's computers and archive those forever.

It's nice that all of your e-mail fits on a CDR, but where I work we have mailboxes in excess of 13GB, and that's just the stuff they wanted to keep!

Look, at some point you've just gotta say that stuff doesn't last forever. We shred paper documents that aren't needed any more and we delete electronic data that isn't needed. We keep backup tapes for 28 days before reusing them (currently that takes about 300 LTO2 tapes) so anything that is deleted we can still recover for 28 days. That's our official policy and we stick to it as best as we can, so when someone comes to us and asks for a document that was deleted last June, they're SOL.

Re:Too Much STUFF!

[1u3hr]

Let's see here, we've got ~3TB of data that we back up weekly, and differentials during the week. So that's going to be 654 DVDs to burn and archive each week.

You're not creating 3 TB of data a week. (Not of email, anyway.) As I said, archive what you'd delete. I know, you want us to put key loggers on everyone's computers and archive those forever.

Calm down.

we have mailboxes in excess of 13GB, and that's just the stuff they wanted to keep!

How long did it take them to accumulate this? I didn't say keep everything online forever and back it up weekly, but to take it offline, make a backup or two for luck, put it in a safe place. Most never will be referred to again, but you never know what you might have a despreate need for at some time.

when someone comes to us and asks for a document that was deleted last June, they're SOL.

That seems amazing to me. Don't you have any business relationships that last several years? Don't you need to review things discussed several years ago, especially when all those on your end have left? I've had to pick up the threads and continue, digging through dusty old faxes. If it was all done on emails, now deleted, I'd have had no hope. How many man hours are wasted for lack of a backup that would have cost a few cents and minutes?

Storage is cheap, and getting cheaper. It quite likely costs more to sort out old files and decide what should be deleted than just to archive the lot.

Re:Too Much STUFF!

[jez9999]

I've got to ask - how do you run your mailbox up to 16GB worth of stuff? I mean, combining all the emails I've EVER received, including spam (which really ought to be deleted PDQ and no archiving necessary), I've maybe used a few gigs. Are your employees receiving 30MB attachments with most e-mails or something?

Re:Too Much STUFF!

[skidv]

I think the OP was saying

1) Maintaining the organization of said backups is not trivial.

2) Having the data means that one must produce it when required by law ... not a trivial task to restore and cull through that level of detail.

3) Most people who don't maintain even small backups, don't understand the annoyance, complexity, difficulty and cost.

Two other points:

Older data requires older media ... remember that writable DVDs is relatively recent. I've got backups on 4 mm DAT. Quantum has discontinued d8000 QIT drives and that means my 40 gig DLT-4 tapes will be hard to restore in a few years.

Maintaining good backups means maintaining duplicates ... 20 mb (or a few gig) of user data grows geometrically when stored as backups.

You're storing 20 mb in your 10 year history of e-mail? I get five times that much in less than a month in only one of the five accounts I maintain. I work for a small company with reasonable amounts of broadcast e-mail (i.e. not a lot).

I haven't even discussed maintaining the SEMANTICS (ie, backup X goes with system Y and held Z kind of data, etc).

I agree with OP point number 3.

Re:Too Much STUFF!

[1u3hr]

3) Most people who don't maintain even small backups, don't understand the annoyance, complexity, difficulty and cost.

I set up a daily backup of our entire accounting systeytem. HAd to restore or refer to them a few times, so I know, soemthng. Maybe not "Enterprise clas terabytes", but the principle is the same.

You're storing 20 mb in your 10 year history of e-mail? I get five times that much in less than a month in only one of the five accounts

It's humanly impossible to either read or write 100 MB of text in a month. Maybe if you get lots of mailing lists and CCs you don't actually look at; or people like to send you "funny" flash animations. As I said, I boil mine down to plain text as they come in. I've got some mailing lists, but don't keep most of them as mail, just excerpt anything that looks useful, they're archived online anyway. I'm talking about mail sent by me or personally sent to me, basically stuff that there is only a mine and a handful of other copies of (and after a while, only mine apparently). My average mail message is about 4k, most less than a page of text (so your 100 MB would be about 1000 messages a day -- who are you kidding if you say you read this -- or are they one page Word files weighing in at 500k? -- I just convert these to 1k of text and paste it into the message). For one thing, makes it simple to grep through the mailboxes when I need something -- a name, date, address, remark that becomes important in retrospect. Sneer if you like, but I've got my entire career's correspondence available should I need it. With the cost of storage less than a dollar a gig, there is no economic reason to destroy records any more. The only reason is the one MS and the big companies have, to destroy evidence. It's just as easy to move data to permanent archival storage as to send to trash, once you've spent a few days setting up a system.

We have clay tablets that tell us of daily life in Meosopotamia. We're going to have nothing equivalent of this century with scheduled data destruction, DRM locking up files forever, copyright making it illegal to reproduce and preserve decaying information.

There are Already Policies in Place

[lbmouse]

Industries that have governing bodies already have policies. I know the insurance industry is required to store documents (electronic, microfiche, microfilm, paper, etc) for the amount of time each state insurance department requires. Do we really need more government regulation or maybe just some clarification for certain industries and types of documents? How long do we have to keep everyone's e-mail attachment of the dancing baby?

Re:There are Already Policies in Place

[benjamindees]

Industries that have governing bodies already have policies.

Those are few and far between. Insurance companies are an exception and are highly regulated because 1) they're basically an arm of the state and 2) they're legalized gambling.

Re:There are Already Policies in Place

[lbmouse]

2) they're legalized gambling.

You can look at it bothe ways... it's a gamble NOT to have insurance. Technically insurance is just the pooling of reserves of many people to cover a claim for an individual. I'd rather win the lotto than get sick or have a car accident.

Submitter has no idea what he's talking about

[jizmonkey]

Clearly this "law student" has never worked at a firm involved in litigation. He's going to need a lot of luck getting that paper published.

Abuse of American electronic discovery rules is getting worse every year. Defragment your disk? That's a sanction. Copy files from an old computer to a new one? That's a sanction.

Seriously, the legal rules need to realize that asking for documents not normally accessible is extremely expensive and opens up possibilities for extortion. ("Looks like it will cost you three million dollars to restore and examine these tapes... Why don't we just settle the case for two?") Everything the Microsoft attorney said is true.

The judges know this, the attorneys know this, the companies know this. The submitter needs to get out in the real world and get his head out of his ass. There's not even an ideological basis for thinking the way he does. It's not like poor people benefit from these rules (who Democrats like to protect) or self-made rich people (who Republicans like to protect).

Re:Submitter has no idea what he's talking about

[runner345]

Actually I've worked for over a year at a corporate litigation firm. We do corporate defense and I don't really think documents should be saved forever. I just think it's interesting.

Re:Submitter has no idea what he's talking about

I have worked in a firm involved in litigation (note: I am not the submitter). If the judiciary is shortsighted enough to allow this to become standard practice, I will merely make my discovery requests even more specific, demanding, and immediate. Bit for bit disk images of everything at the soonest opportunity. 200 "gigabytes" of storage costs $100 - that's merely half of my hourly rate.

Defragment your disk? Yes, that could be a sanction. There's nothing like jostling the files on a hard drive to erase/destroy the information retained in some of the slack space and formerly unallocated clusters. But, of course, I wouldn't discover anything useful there.

Copy files from an old computer to a new one? Yes, that could be sanction. Everyone knows that "copy the files" means that your tech will copy EVERY SINGLE FILE, including swap files, temporary files, hidden files, and that pesky c:\Documents and Settings\%UserName%\Local Settings\blah blah directory tree that just happens to contain local copies of the Outlook and Outlook Express mailboxes and other gems. I also wouldn't discover anything useful there.

Seriously, the legal rules already permit an attorney to argue that an extortionate discovery request should be denied. Let's review:

Federal Rule of Civil Procedure 26:
subsection (b)(2) Limitations.
By order, the court may alter the limits in these rules on the number of depositions and interrogatories or the length of depositions under Rule 30. By order or local rule, the court may also limit the number of requests under Rule 36. The frequency or extent of use of the discovery methods otherwise permitted under these rules and by any local rule shall be limited by the court if it determines that: (i) the discovery sought is unreasonably cumulative or duplicative, or is obtainable from some other source that is more convenient, less burdensome, or less expensive; (ii) the party seeking discovery has had ample opportunity by discovery in the action to obtain the information sought; or (iii) the burden or expense of the proposed discovery outweighs its likely benefit, taking into account the needs of the case, the amount in controversy, the parties' resources, the importance of the issues at stake in the litigation, and the importance of the proposed discovery in resolving the issues. The court may act upon its own initiative after reasonable notice or pursuant to a motion under Rule 26(c).

If the judge knows this, and you know this, and the company knows this, then why are you collectively so incompetant that you are incapable of using a rule that has been in existence since the late 1940s to protect your client?

Perhaps, according to your point of view, the judge doesn't "know this" quite as well as you'd like.

So God bless electronic retention policies. They're even better then document culling in the "real world", where a human being has to review what is being discarded to some degree (it's described somehow), because the human being might know that they're destroying something related to existing litigation, leading to that nasty phrase "spoilation of evidence". It's much more convenient to delay discovery production aux SCO vs. IBM while your electronic systems slowly chew through your archived emails and files until the evidence blamelessly disappears, never to trouble you again.

Re:Submitter has no idea what he's talking about

[Brian+See]

I will merely make my discovery requests even more specific, demanding, and immediate. * * *
Perhaps, according to your point of view, the judge doesn't "know this" quite as well as you'd like.

Right now, the default is highly burdensome for the producing/preserving party.

The proposed "safe harbor" says you can't be reckless. If you, as the plaintiff, want something more, you can take it to the court, who can assess the burden of complying with the preservation request against the potential benefit to your case.

People argue undue burden all the time. This is about changing what the default presumption is going to be.

And yes, a lot of judges out there aren't familiar with these issues.

Also, the cost of taking and saving forensic image is fairly cheap. What's expensive is having an expert review it, and the attorney time in sifting through the crud. OR, when you have 800+ desktops and laptops purportedly requiring imaging. Good bye litigation budget.

Re:Submitter has no idea what he's talking about

[Rich0]

Also, the cost of taking and saving forensic image is fairly cheap.

Not nearly as cheap as corporate budgets.

I'm always amused to get emails from our Exchange server about how I'm over-quota, when gmail is offering 20x as much space to anybody who cares to sign up for free.

Corporations should simply create a forensic image before reimaging PCs. This could be done in a networked fashion to a central file server. In theory whatever script they use to do the imaging could probably take care of it.

Arguably this doesn't capture all the forensic data (such as data between tracks that require pulling the disks out in a clean room). However, at some point you have to draw a line between preventing corporate malfeasance and just needlessly raising the cost of doing business.

We don't make regular people keep a detailed record of everywhere they do so that in the event of a crime we can determine where they were. Corporations should probably be subject to a little more scrutiny, but do we really need to save everything forever?

Re:Submitter has no idea what he's talking about

[covertlaw]

Well spoken from a person whose Slashdot username is Jizmonkey...

30 pages is about right for the average law review article, isn't it?

Notice from Legal

[ajp]

Please save every business-related e-mail you receive. And you shouldn't be using work e-mail for personal purposes so please save every e-mail you receive. Thank you.

Inbox: 41559 messages (41551 read, 8 unread)
Saved-messages: 4154854884569842455 messages
You are usuing 12090% of storage capacity.

Re:Notice from Legal

[tiny_techie]

lovely! gmail did say they were giving space away exponetially... oh wait - you said work! gee *big sigh :(

Discovery in federal suits

In a real federal-jurisdiction case, when you're into discovery you can't just say "give me everything you have" and mean it to include every file on every computer system in your organization, everywhere. First, they can't practically give that to you. Secondly, you can't practically use it. Even just the paper documents can be overwhelming in a complex case.

This rule change simply means that: if a party in a lawsuit doesn't disclose something electronic, because it was erased, because that's normally how their system works, then the opposing party won't have grounds to impose sanctions if they come across it later by other means.

Sure, it opens the door to "we didn't have it, heh heh." But that door has been open forever, and there's no way to close it.

I don't this that this is bad at all

[ishmalius]

The idea that one must keep email forever, to make it easier to later be sued, is horrible. The burden of proof (and cost, if applicable) should be borne by the plaintiff. We should not enslave the people to the American Bar Association. It should be the other way around.

Re:I don't this that this is bad at all

[benjamindees]

We should not enslave the people to the American Bar Association.

These aren't people, they're corporations. And if they expect to continue being corporations, they'll abide by the minimum civil standards imposed by the nation-state that recognizes them as such.

Re:I don't this that this is bad at all

The idea that one must keep email forever, to make it easier to later be sued, is horrible.

I don't get it.

If the company has done nothing wrong, then they have evidence supporting that claim. This does not make it easier for them to be sued.

If the company has, in fact, done wrong, then they certainly *should* lose a lawsuit, and I have no problem with it being easier to lose such a lawsuit -- I'd ask why you feel this way.

Oblig. News Radio Quote

Taking a picture off the internet is like trying to take the pee out of a pool.

Awwwww

Sounds like somebody has a case of the Mondays!

Of course Microsoft supports it!

[Ph33r+th3+g(O)at]

If their Digital Restrictions Management server becomes a standard and recognized platform for legally circumventing discovery of incriminating electronic documents, sales of the Office platform among the future Worldcoms and Enrons of this world will explode.

some of us do, you insensitive clod!

[RMH101]

i work in big pharma, and for a lot of our systems we *do* have to do this. legally, we've got to keep data for clinical trials for *twenty five years* after the patentable lifetime of a drug. not only that, but we've got to figure out a way of archiving complete systems for that long. suffice to say, it's really, *really* expensive...

Re:some of us do, you insensitive clod!

Its a good thing it's based on the patent lifetime of the drug, and not the copyright lifetime... Now, that would be **really** expensive!

Re:some of us do, you insensitive clod!

And, yet, somehow big pharma affords it. And, yet, somehow big pharma spends more on advertising than those clinical trials or the requisite data retention. Your drugs, some of which cause permanent damage to the patients taking them, are also really, *really* expensive...

Re:some of us do, you insensitive clod!

[Rich0]

Uh, I think I'd like to see a reg quoted on that one. I'm not aware of any regulations that require holding any kind of data for 25+ years.

Now, many companies do hold onto their data for that long and longer for a variety of business reasons, but they do not have to do so. Some reasons for voluntarily holding onto their data might be:

1. The ability to use the data in R&D for other compounds.

2. The ability to use the data as a basis for comparison for other compounds.

3. The ability to use the data in extended uses for the same compound.

4. The ability to use the data as evidence on behalf of the company in some lawsuit that asserts that somebody taking a pill 25 years ago developed cancer as a result.

Legally, nothing could happen to a company that just decided to burn that data after any mandated retention periods expire. The company just loses the side benefits of keeping the data around.

Big pharma companies just love to hang onto data forever just for the heck of it, but often this is the result of overconservatism. Most big pharma workers are shocked to find out that you can legally toss all documentation regarding the manufacture of a lot of product only a few years after the lot expires. Clinical data is probably not subject to retention at all since it gets shipped to the FDA (who can presumably retain it themselves for as long as they care to have access to it). Batch-production data is subject to retention since companies don't have to submit it to the FDA - instead they have to have it available for inspection.

Research-based companies often like to toss out retention periods like 25-50-100 years, which works just fine for paper (if you have a big budget), but requires far more work for digital media. Even if you have archival-quality CDs you might be hard-pressed to find a CD-reader 100 years from now, let alone a program that understands such ancient technology as ASCII or XML/HTML, let alone proprietary file formats. I'm sure the data formats used on punch-cards were completely standardized, but that doesn't mean that it lasted forever...

Re:some of us do, you insensitive clod!

[RMH101]

sorry, but you're wrong. i do this for a living. the point is not that it's unlikely the data will ever be called on again, the point is that the FDA *could* ask for it and the potential cost to the business should that happen and you weren't able to present it is huge. the FDA is, almost literally, a law unto itself: you *have* to gain their confidence in your methods right down to being able to, for example, prove that during the original phase 1 trial where you tested a candidate drug that became one of your megabrands, that the serial number of say the blood pressure meter attached to your bedside workstation was known, and that the service record for that device showed it had been calibrated that year. we really are talking down-to-the-little-rubber-feet levels of detail here.
believe me, we don't hang on to data for the hell of it: it's tortuously difficult and expensive to devise a way of retaining that data with 100% accuracy for years.
as an example: old clinical trial data captured on a bespoke electronic data capture system, several years ago: this system requires novell 3.5, and a precise and very particular model of PC long since obsolete - we're spending considerable amounts of money archiving that data in a neutral state.
export to XML? sure, but you have to (as an example) retain all that applications' audit trail, which a flat export ain't gonna give you. this stuff is HARD and we definitely don't do it for fun.
having just completed my second FDA audit, believe me that just the thought that my data might have gone walkies is enough to make me wake up in a cold sweat - this is one of those cases where an individual IT worker could realistically cause their companies cash cow to be withdrawn from market with a few well placed cock ups.
i personally know of a single system at Another Big Pharma Company which due to poor documentation got a red letter from the FDA and was a knats whisker away from getting that companies entire portfolio banned from selling to north america.
oh, and of *course* you don't archive to CD and expect it to be there years later. you archive to a current standard and then periodically rearchive to a new standard. this is patently obvious. that old punch card data will have been transcribed via double data entry long ago...

Re:some of us do, you insensitive clod!

[lachlan76]

Really? I don't think I ever see any pharma ads...

Re:some of us do, you insensitive clod!

[Rich0]

I'm not sure I saw a reference in there.

That computer systems need to be validated is a clear requirement of the Barr decision and 21CFR11 - no argument there. That they need to have audit trails is also reasonable based on Part 11 as well as comparable standards for paper-based data.

All I really want to know is where the retention period is specified for this data. I won't claim to be an expert on the GCP side of the business, but there is certainly no requirement in the GMP side to hold data for decades. I believe (offhand) the longest mandated retention is life of batch + 3 years. Most batches only live about 3 years themselves. So, in accordance with FDA regs just about everything can be tossed out in as little as 6 years.

Now, there may be a business reason to keep stuff around longer. However, that gets into business concerns and not regulatory concerns, and data held beyond retention periods is probably not subject to audit, so stuff like validation is less critical unless you want to use the data as evidence or in later filings.

Don't get me wrong. There may be something in the GCP regulations or in court interpretations of those regs which requires keeping clinical data around for 30+ years. I'd just be curious to see it spelled out.

Usually when I hear "the sky is falling" in regards to pharmaceutical computer system validation it is coming from a validation services consultant. Validation is important work which all pharma companies should be experts at, but it isn't going to the moon. Some processes are truly critical, and mistakes could kill people. Those need to be very well-controlled. Many processes are important, but minor mistakes won't harm anybody. That isn't to say we should be sloppy - just that we don't need to spend millions of dollars just to make sure there are no uncrossed t's in the paperwork...

Knee jerk!

[redelm]

Just what are "routine operations of an EIS?" The only one I can think of is recovery and reuse of deleted diskspace. Even the cycling of backup tapes should stop once there is a Documents Preservation Order.

Deleteing anything under human control (rather than as part of an automated sweep) is obviously not routine and sanctionable. Said sanctions to increase to the level of criminal with Sarbannes-Oxley. I fully expect SOx prosecutions from civil discovery. Who else is going to look?

better still...

[RMH101]

...C&P it onto your own website with your name on it, and watch as he gets binned for plagiarism later...

7 Years vs 45 Days

I've done some work with a software company where document retention rules are set and enforced by lawyers. They have two jobs: 1) Making sure that the company does not lose any suits; 2) Repeatedly informing the employees that the document retention period is 45 days -- get caught keeping anything more than 45 days without a good reason and you are out of there. The desks have a few drawers, but they don't have filing cabinets for paper documents. The code being maintained is over 100k lines of uncommented business app per developer; it's mostly 10-20 years old; virtually no filing cabinets and virtually no copies of correspondence with customers over 45 days old.

This has some negative impact on productivity in a company where the development cycle is about a year. Even bug fixing sometimes takes more than half a year as developers exchange correspondence with customers to try to figure out what their complaint is. But if they don't have their computer set to flush everything after 45 days, they are looking for -- they must manually manage retention to keep the lawyers and the customers minimally satisfied.

Context of the proposed rule: what's required now

[Brian+See]

I think some of this discussion is lacking in context.

First, if you destroy evidence after the lawsuit gets filed (or when you enter the grey zone of when you "reasonably anticipate litigation"), you have just committed spoliation of evidence. While this makes intuitive sense - the rule prohibits a defendant from having a "shredding party" the day after a lawsuit gets filed - it becomes problematic as definitions of what constitutes "evidence" expand.

Active emails? Check. Files on network servers? Check.

Backup tapes from last night's cycle? OOPS. Yes, several court decisions /orders have taken parties to task for failing to suspend routine overwriting of backup tapes. Taken to the extreme, this means that once you get sued, you can't overwrite any of your backup tapes.

Updating databases that might result in some data (i.e., last accessed, last modified) being modified? Uhoh, better take a snapshot of that database.

Are your server logs at issue? Uhoh, better suspend rotation of your server logs.

Hey, when you TURN ON your desktop, aren't you overwriting some cache space and slack space, that might make recovery of deleted files impossible? Guess what? If the other side wants to do a forensic examination of your machines, you can't even continue using them without taking a bit-by-bit image.

And by the way -- if you miss any bit of this data, you get sanctioned. Monetary sanctions, or an adverse inference ("we don't know what was on that tape that was destroyed, but you can ASSUME it was bad!"), or even a default judgment. Yes, electronic discovery can turn into a game of "gotcha".

Think how expensive this is for a small shop with just a handful of machines. And then think what's involved for a nationwide company with, say, 80 far-flung locations and company databases.

See the problem?

The "safe harbor" to Rule 37 says that you don't sanctioned for failure to preserve information lost from ROUTINE operation of a system UNLESS THE LOSS WAS INTENTIONAL OR RECKLESS. The "reckless" hole is very large, admittedly. But the rule attempts to bring some sanity to some of the broad-reaching data preservation games being played today.

Also, note that a court can order a party to take steps above and beyond what the proposed Rule 37 requires.

I wish

[TubeSteak]

I wish I had backed up my old e-mails. Every now and then (many many many years ago) I had to go through and delete old crap because of hotmail's crummy 2MB limit.

Yea I know, I should have done xyz. But I've lost soooo many CD's, floppy disks, zip disks, jazz disks... the occassional dead hard drive, and then there were those two times I accidentally deleted the wrong partition. Oh how I cried. (admit it, you've been there too)

Anyway, back ontopic: Do you realize just how much volume a cubic meter is?
~187,500 give or take a few hundred discs.
Imagine sorting through that

I am from tech industry

[mi]

And I'm damn glad, it will become harder for litigious bastards to blackmail me into giving them access to my data...

^Bump^

[TubeSteak]

While I mostly agree with what you've said, wouldn't a blanket rule create a significantly greater burden on small(er) businesses?

Even though the SO Act created all kinds of logging/archiving requirements for e-mail, e-document, and even instant messenger chatter, something like this would be awfully convienent for the various super corps.

If I recall correctly, in the wake of enron, some of those corps were restating earns from several years back.

Draft?

[zwei2stein]

While informative, this paper clearly shows all signs of being earn-class one,

double linines? large margins? big font?

come on, just admit it's 15 pages of normal text :)

Re:Draft?

[runner345]

My l-school requires the extra top and left margins and dbl. space. I think dbl. spacing is lame too but courts always do it that way.

Duh

[mazarin5]

If they're so worried about the file being recoverable from the hard disk after being deleted, why not move it to a CD and then snap the CD in half? I'd like to see someone recover that!

(Stop being horrified and laugh.)

Check the actual testimony.

[CDarklock]

(IANAL, but I spent a few years writing software for a legal company.)

Found in the Microsoft testimony:

"One of the better comments I think that was submitted to you was from somebody who does a lot of employment class action litigation. And she expressed that very concern. She also cited a few statutes, like Title 7 and maybe the Wage and Hours Act in the employment area, that very specifically tell companies what they must keep and what they must not.
And I bet those statutes also provide penalties if they are not kept. And I'm pretty sure that they provide -- is it ten to twenty years in prison for the intentional destruction of documents? I mean, I think it would be insanity beyond belief for anybody, any serious lawyer, to advise their client that, oh, yeah, this is a way to get rid of something that might come back to bite us. Because the moment you have that thought, you're engaging in basically criminal conduct.
So the routine operations of systems has to strictly be for the business purposes of keeping your IT systems running."

Where this differs from the "safe harbor" provision (IMO) is that some companies *routinely* engage in the intentional destruction of electronic documents. Last week I had some confidential records for a client, and when I was done with them, I deleted my copy as a routine IT practice: don't store confidential data any longer than necessary. My client has the data, so I don't need to retain it; even if I need it again later, the risk of someone walking away with my laptop *far* outweighs the convenience factor of holding onto the file. When documents are deleted for security reasons, this amounts to intentional deletion for the express purpose of denying access, and *might* be viewed rather harshly under the safe harbor guidelines.

Good idea

I think that, given PATRIOT Act, and similar laws, I want companies to keep as little information about me as possible. If the feds come in, and ask Rob to reveal the IP I posted this from, Rob shouldn't have it, and he shouldn't be required to keep it.

I think it is possible, and likely, that the law needs some work, but overall, laws like this can be made to work for us, rather than against us.

log files...what are those?

[tscrum]

I run an ISP and I maintain log files nada. None from squid, sendmail, nada. I do though monitor aggregate bandwidth, but not outside ip's, from my dummynet box. This way I can legitimately look a judge in the eye and say, "your honor, I know nothing". You don't have to destroy something you never had in the first place. Oh, and nearly all my customers run behind a single natted public ip. Anyone have this beat for consumer privacy?

what is "under human control"

[davidwr]

Compare the following:

1) Outsourcing document retention and shredding, with company under orders to destroy anything over 7 years on the first of every month unless told not to.

2) Electronic document retention and shredding, with cron job shredding/overwriting documents over 7 years old on the first of every month, unless "told" not to.

If I'm the company document-control manager and I hear there might be a lawsuit involving document X, and I "forget" to stop its destruction, IMHO my company's legal liability, if any, should be the same regardless if it's a paper document or an electronic one.

hell, you're right!

[RMH101]

let's just toss all our documentation out of the window, and just tell the FDA scout's honour. perhaps we could just take up making homeopathic remedies out of pixie dust and moonbeams, and let them treat you with it if you ever get sick.
i'm not saying big pharma's blameless for everything, but someone's got to research and make the drugs you use. unless the only drug you're smoking is crack...

Combine this with treacherous computing...

[CustomDesigned]

...and you can delete any electronic copies that may have been made as well.

A quick review for those not familar with "trusted" computing. The hardware uses digital signatures to enforce running an approved BIOS only, which in turn enforces running an approved OS, which in turn will only run approved applications. Documents are encrypted, and the approved applications can phone home to determine whether you are allowed to read a document. If the document is on a delete list, it is immediately erased. Microsoft Media Player already implements this system - except for the hardware enforcement. Microsoft Office is next. Evil Media companies, and Microsoft, want to make the hardware enforcement required by law on all computing devices.

In the not too distant future, having obtained a copy of an incriminating document, you could keep it stored on a banned Linux system running on illegal hacked hardware, and given Microsoft's expertise with security, probably crack the encryption in a reasonable amount of time due to some stupid design flaw (e.g. random seed for session key is derived from Document time stamp). However, the resulting evidence would not be admissable in court. So stock up on tin foil hats.

discovery (evidence, reasoning, proof)

[packrat2]

nice read. Ya skipped out on a few of the basics, like civil/crim burdens of proof ( and taking a few wild swipes at legal person(age) corperations et al... the meta data and obsolence was a cute touch. discovery phase hereabouts (ott.ont.can) is used to AVOID trails... trials, sorry. intenial pun. back into proof again. just a sec... and like digital photots, the stuff is easy to frabricate. packrat

Documents are not destroyed!

[phorm]

Trust me, if you did that you'd probably be able to find your document on P2P networks three years from now! :-)