New Email Rules Effective Friday
An anonymous reader writes "As of today [Friday], certain U.S. companies will need to keep track of all the e-mails, instant messages and other electronic documents generated by their employees, in accordance with new federal rules. In April the Supreme Court began requiring companies and other entities involved in federal litigation to produce 'electronically stored information' as part of the discovery process of a trial." From the article: "Under the new rules, an information technology employee who routinely copies over a backup computer tape could be committing the equivalent of 'virtual shredding,' said Alvin F. Lindsay, a partner at Hogan & Hartson LLP and expert on technology and litigation. 'There are hundreds of "e-discovery vendors" and these businesses raked in approximately $1.6 billion in 2006, [James Wright, director of electronic discovery at Halliburton Co.] said.'"
What happens for companies that don't host their own e-mail, particularly smaller companies?
In order to save money, my company hosts our website and e-mail on a shared server. E-mails are downloaded via POP3 and immediately deleted from the server (each account can only hold 20MB online at one time). Most people then delete their e-mails after reading, so we have absolutely no way to retrieve this data.
This doesn't seem to impact my company, but at some point I fear regulators will start requiring more stringent data retention processes (among other IT tech processes). SOX has already hurt large companies, hopefully they don't start pushing some of its fundamentals down to the little (non-public) folks.
Crack - Free with every butt and set of boobs
Is congress and the white house. Much like congress is exempt from the Sarbanes/Oxley Act.
Want to see the biggest crooks and ones fudging the numbers, look at congress. Enron couldn't come close. They all would have been locked up years ago if they had to abide by the laws they pass.
Someone have a link to these new rules? The OP, apparently, didn't think it worthy enough to include a link for some folks to read fully what it entails...
So, what are these new rules? And, just who do they apply to? Publicly traded companies? All companies w/more than 50 employees? Everybody?
More details would be appreciated
62,400 repetitions make one truth -- Brave New World, Aldous Huxley
That would be like making the post office open every letter then copy and store them...I guess it's not EXACTLY the same thing because it's all digital, but it's still illogical, and a waste of resources.
In a world of acronyms, the words are the real victims.
This is a bit misleading. It's only "virtual shredding" if you don't keep the records around for a reasonable period (either by statutory requirements or industry standards) or if you have notice of litigation in which the evidence is relevant, and you continue to shred.
That's why there is a document retention policy safe harbor in the rules themselves.
FWIW, lawyers, even the "technology experts" don't seem to understand technology as well as someone who came through IT before becoming a lawyer.
(disclaimer: IT guy-turned-lawyer, so I always think I know more than "pure lawyers" when it comes to tech).
If I remember correctly, Microsoft had a policy of deleting email from their servers after a short period, in order to avoid it being used in trial.
This will have to change, then.
When his defense asked, "Which computer has Jon Johansen trespassed upon?" the answer was: "His own."
Supreme Court: All your documents are belong to us.
:)
In Soviet Russia, documents preserve YOU.
Now that that's out of the way, may the intelligent posting begin
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Since the linked article is light on information, I found the actual amendments (note: PDF)
While I'm in favor of measures to curb white collar crime these requirements seem to do more harm than good by encouraging companies to take business elsewhere.
Most impressive! Not only did you not read the article, you didn't even read the summary that clearly states this is for "companies and other entities involved in federal litigation."
It applies to all companies. The length of time you are required to retain documents before destroying can be different for different companies. Like a poster noted, Sarbanes-Oxley defines a time period for publicly listed companies. But other than that (and other industries where regulations prescribe time periods for record retention), the courts have used a "reasonable time period" requirement in the past and most commentators expect that to continue under the new rules, which are, in many ways, a formalization of previous court practice.
The company I work for has been implementing this sort of infrastructure over the past year. It's hard. With all the IM clients available, getting one system that will handle all the traffic and maintain usability in the face of changing features across the field is hard enough; couple that with long term storage requirements for corporate e-mail where the culture is to send huge attachments around willy-nilly, and add in all the other changing requirements, and the burden to adhere to this new bit of legislation becomes quite a burden.
Couple that with the fact that the company I work for is a regulated utility that has to convince the local PUC each year that costs to provide service continue to go up, and the margins just keep getting tighter. Every year around March, there's a panic call from Accounting asking everyone to contribute some of their budget back to the bottom line because of some new development that wasn't foreseen the previous year. For a cash-strapped IT department wanting to provide good service, the problems just mount up, stresses are high, and the employment door keeps revolving.
The Spoon
Updated 6/28/2011
Practically everyone can scramble our email, like with "Pretty Good Privacy" (PGP). If many of us do it, they might be able to crack it or force our password after due legal process, but private parties won't be able to snoop through all of us on any possible budgets.
Your government can probably crack any nonsymmetric crypto (with help from the US), but might not have the resources to crack everyone's all the time. You can try a tinfoil hat, YMMV.
The real problem is webmail, which can't use any installed crypto on either end (with possible rare exceptions, but the rarity and/or nonintegration makes them useless at only one end of the comms).
If GMail let me upload a PGP applet I signed myself (which I could validate in the pages when I hit them), which they embedded into their pages in Javascript the public could audit for holes, they might actually become by far the best email system for the masses. And win the webmail wars. And really piss off the government(s) that have been trying to pry into their transactions for years.
--
make install -not war
This only applies to companies under federal litigation, but I'm sure it'll get a lot more pageclicks if you make it sound terrifying and scream things like WE'RE ALL GONNA DIE!
Truth time, kiddies! You absolutely must hold on to email and IM data... IF it is part of a subpoena or a discovery process, and so on. But there's nothing requiring companies to hold on to such data for any specified period of time.
Then fucking search Google, Google News, and a multitude of other sites that you already know. If you still can't find it (and because we currently have 10 comments I know you didn't do that) then continue to do research until you can.
Slashdotters are not your research assistants.
These are NEW rules? and they refer to an IT worker copying over TAPE? Does this mean I should be saving all my carbon paper too? how about punch cards?
Might all this extra data clog the system of tubes that is the internet?
Techie:- We need to keep more backups of our e-mail database
Bean Counter:- How much do the tapes cost
Techie:- Lots - we need at least one DLT per backup
Bean Counter:- We can't afford it.
Techie:- We have to afford it
Bean Counter:- Just leave the requisition in my intray
Months Pass
Bean Counter:- The courts are on to us. Where are the e-mail backups for the 1st December 2006
Techie:- I had to overwrite them so as to keep a reasonably current backup
Judge:- Techie, you shredded evidence - now you're for it
init 11 - for when you need that edge.
Now would be a good time to invest in companies that make storage devices
This is disconcerting, if unsurprising. It definitely strikes me as out of place for the government to require companies to keep certain records, so that, if it wills it, the government can snoop around the personal information of people, as long as it can offer a reasonable cause. Next, perhaps, new houses will have mandatory monitoring systems, so that if an "appropriately serious" situation arises, someone can see what occurred. This is already occurring with the black boxes inside of cars, which, in no short order, have been abused as absolute evidence for sentencing people to life in prison. The government exists to enforce the laws, within reason. Somewhere along the way, we have forgotten this and allowed the government to open Pandora's Box of Orwellian information gathering. Draconian tactics are not necessary for a secure country.
What I don't get is, why the double-standard on communication? I think congress should enact legislation recording all communication within such companies. We should have microphones in every room and every hallway, to record every word spoken in such a company, just in case people do something wrong. We should probably also have video cameras, in case the would-be lawbreakers decide to write paper notes, and every paper shredder should have a scanner with OCR in line with it, so that the letters are stored for possible litigation.
C'mon, if your company isn't doing anything wrong, you don't have anything to worry about. The recordings will only be used if you're doing something illegal.
The Right Reverend K. Reid Wightman,
I am not a lawyer, but I highly doubt this blurb is accurate.
I can understand laws which require retention for companies that log IMs. But they wouldn't pass a law requiring companies who do NOT log IMs to start doing so!
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
This link goes into a bit more detail than the article in the main /. story.
The pertinent rules appear to be the Federal Rules of Civil Procedure, specifically Rule 16 dealing with pretrial scheduling and Rule 26(f) relating to discovery and disclosure.
Cornell University has these rules online. They might be outdated already.
Rule 16
Rule 26
Wikipedia also has a writeup on the Federal Rules of Civil Procedure.
Do a search for rules on electronic discovery for more commentary.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
A company I worked at previously has been using a legacy e-mail system. We've been under the SEC rules for retaining e-mails already, and when they came to inspect our business we learned that even though it's not stated in the rules, e-mail records must not only be retained, but they must also be readable with modern software. SEC wanted us to deliver the e-mail records in either a formatted text file or as an Outlook file. We ended up hiring two interns who spent the next nearly two weeks forwarding all the e-mails to a newly set-up account that used Outlook, and it took so little time only because we were a relatively small company. I really feel sorry for large companies with legacy e-mail systems...
I am the walrus!
When I worked for Capital One, all email was automatically deleted after 30 days and pst files were not allowed. When someone asked us how they were supposed to keep information they would continue to need, we had to tell them to print it out.
This is a great example of FUD... programmers need to stick to programming and lawyers need to stick to lawyering. (I happen to be both, but that's beside the point).
This is not legislation.. it is part of the court rules. In a lawsuit, you have to provide all relevant documents to the other side. In the past, there had to be a *lot* of court time wasted on deciding what was subject to disclosure (i.e. a man does work for the company from home... is his home computer subject to examination? Answer: yes). This rule change simply makes standard what most all the court rulings concluded was subject to disclosure anyway.... all it does is save wasted court time in disputes by making the rules clear.
If a company has a "document retention policy" that says all e-mails will be deleted in 30 days, all backup tapes will be overwritten or erased in 30 days, etc., then they can continue doing that. No one has to retain anything under these rules. These rules say that anything that *is* retained, has to be turned over in a lawsuit. After a lawsuit is started (technically when a company becomes aware of a claim even before suit is filed) the company has to not delete anything they know is relevant.... but continuing to follow the published document retention policy for everything else is fine. This has been so for many, many years. Nothing is changing in this regard.
Companies that do bad things will have evidence of doing bad things.... they will want to delete things. Companies that don't do bad things will have evidence of their proper behavior, and they will not want to delete things. I was once involved in a case where a man was blinded by some chemicals. He claimed there was no warning sign. I found the e-mail in a user's mail archive confirming installation of the warning sign, dated 6 months before his injury. If that company had been deleting all e-mails 30 days old in archives (they deleted 30-day old mail, but it did not reach local archives on the users' HD), they would have lost this exculpatory evidence. As a result, they changed policy to have users include the word "SAFETY" in the subject line of all e-mails related to safety, warning signs, safety related repairs and maintenance, etc., and e-mails with that in the subject line were excluded from the deleting policy in the future.
So all the email traffic done in the US will be stored somewhere at least once, often twice (sender+receiver) and in some cases several times.
And storing them is not enough: you'll need to browse them for searches!
This is a very very smart move!
And when litigations will go with browsed web pages, we'll need to store all the web we browse!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
Don't count out Congress when it comes to holding executives accountable.
I wouldn't be surprised if executives are required to wire themselves and keep the tape running any time they are talking to any employee, client, or anyone else relating to business matters. The company would have to keep the tapes for 2 years, or longer if certain topics were discussed or litigation is expected.
This will come shortly after mandatory phone-recording for executive's business phones.
To get around this, expect lip-reading and sign-language as part of the next generation's MBA curriculum.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"companies and other entities involved in federal litigation"
Odds are you already know if you're one of these.
(Use your best Jeff Foxworthy voice for this next part)
"If your CFO has been escorted out of the building on the national news by people with big yellow letters on their backs..."
"If the new guy in the office spends all his spare time chatting up his sleeve instead of the secretary..."
"If your office phone system now says Press 1 for Customer Service, Press 2 for Public Defenders..."
"If they show Dennis Kozlowski on Biography and your boss snorts 'Huh. Pikers...'"
"If you check your email and a cheery voice announces 'You've got bail!'"
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
The scariest parts of the new federal rules are:
I guess this is probably a good time to begin encrypting all your IMs and emails. As previously mentioned there is PGP for email. But for MSN there are a couple options. I had a really good experience with simp: http://www.secway.fr/us/products/simplite_msn/home.php
Can do a pub/priv key exchange or just use a symmetric key and do a Diffie-Hellman exchange. Changes text colour based on authentication type, warns you about possible compromises, etc.
I have nothing to do with the company, it is just something I stumbled upon one day. Of course could use Skype for all IMing. Probably quite a bit less secure than simp because with simp you can authenticate someone's public key in person with hash checking. But it is an option.
It's easier to fight for one's principles than to live up to them.
Once a litigation starts (or is imminent), you can't destroy files. Duh! This is nothing new. The new rules just explain how that applies to email (and other electronic data) in federal court cases. They finally set out one common, rational standard nationwide.
This is not some kind of blanket retain-all-data-at-all-times rule. It only has to do with litigation. (Though, BTW, it applies to individuals equally as it does to corporations and governments.)
YIIALBIANYL. GYOGDL. YMNO.
JAP :: http://anon.inf.tu-dresden.de/index_en.html
Encrypts traffic between the client & nodes; Utilizes Tor. Even works for companies that require an internal proxy.
Mod points are a dangerous tool. Abuse them wisely.
If they can do it for corporations, how long do you think it will be before they require ISPs to store all personal email?
Do yourselves a favor and become a part of anoNet now.
Bullet #2 already is pretty much the case now anyways. If you have been following IBM vs. SCO, IBM had to turn over their CMVC system to allow SCO to inspect code. IBM had to provide a server as well as basic instructions on how to use it, sign in, etc. Just handing them a CD or DVD of all the data and saying "Here, it's in an obscure binary format, figure it out on your own" doesn't meet discovery requirements. You don't have to make the other side understand every detail of the technology, you do need to assist in letting them retrieve information though.
Um, companies under federal litigation have to turn over electronic communications in discovery. That means you have to already have them. Since any company can be brought into federal litigation at any time, that can be logically extended to mean that every company will have to retain these records.
Wow. What a dick you are.
Good thing my weekly email storage dump was a Thursday thing.
Two notes--
First, these amendments are to the Federal Rules of Civil Procedure, not the U.S. Code (our national statutes). Accordingly, they affect all litigants in federal civil litigation. That will include individuals, not just companies. So, if you ever sue or are sued in federal court (relatively common--if you are suing for over $75K and the opponent lives in another state, you can likely get into federal court as opposed to state court), this rule will apply to you.
Second, the duty of retention on electronic documents is currently unclear. As is (and IANAL (yet)), under the federal rules, you have no general duty to preserve documents if you have no reason to believe that the documents will be used in litigation. It's only once you realize that you've screwed up and are likely to be sued that you need to start preserving documents. (Caveat--there may be some specific rules that I am not aware of that require a short-ish (two-year) retention period for some documents, especially documents relating to securities). So, in effect, what this rule says is you now have to hand over your IMs if they are saved, not necessarily that you need to be saving your IMs forever.
Nice try, but you are sadly wrong thanks to your slippery-slope fallacy. As long as you have a data collection policy and follow it, you're fine. Documents/data that have been shredded prior to discovery or litigation aren't your problem. If your policy is "shred every 60 days" and you follow it, and the court requests something 120 days old, your policy will stand up in court. This rule applies only to those who are currently under federal litigation or think they soon might be.
Thanks, I pride myself in being a prick. You, OTOH, are a toolshed douchebag.
What about if I don't use my company mail, but Gmail or Yahoo Mail when I am at work. Do they have to track those as well? If so, how?
When you read "...the Supreme Court began requiring..." you know there is something not right about the article summary. What power does the SC have to "begin requiring" anything? Did they suddenly get the power to create laws?
Posting this 400 times will not help you pass your astro-navigation exams...
What if this conversation were taking place in person or by phone instead of email?
I understand the intent of the law, but it's so easy to bypass because most decisions and discussions are made outside the computer in most businesses. And if a decision is going to have legal repercussions, you can be sure that it won't have a paper trail. I don't see how this law can be enforced, unless you record all voice conversation made by all employees (inside and outside the office) and ensure that employees can't turn off the recorder.
Will they be required to backup spam too? Will it be illegal to delete it?
Comedian and Tonight Show host Jay Leno videotapes not just his business life but his private life 24/7.
He does this for legal reasons. At least that's his story.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This new rule applies to companies that are involved in federal litigation. Email is discoverable, and if you're being sued you'd better not destroy evidence. I usually get upset when some new invasive law comes down, but this is a no-brainer. If you're worried about privacy intrusion or even discoverability then implement a policy of deleting old emails. Don't keep anything older than 1 month or 6 months. If you need a copy print it and put it in the project file. This way when the subpoena shows up you have minimal exposure. Frankly if you start deleting stuff after the subpoena, you ought to go to jail.
-- QED
The synopsis overstates the significance of the Rules changes. The duty to preserve evidence in anticipation of litigation has a long history in our legal system, and courts have had the power to impose sanctions for spoliation (failure to retain relevant documents) long before these Rules were ever considered. In the past several years, there have been hundreds of cases of sanctions relating to spoliation of electronically stored information such as emails and backup tapes. Sanctions include awarding money to the party adversely affected by the failure to preserve; granting the party an "adverse inference" regarding what was contained in the lost documents; and in extreme cases granting a default judgment against the party who failed to preserve. The new Rules formalize existing trends in the case law and clarify procedures for dealing with electronic discovery but do not create requirements that did not previously exist (nor could they).
=====Then fucking search Google, Google News, and a multitude of other sites that you already know. If you still can't find it (and because we currently have 10 comments I know you didn't do that) then continue to do research until you can.
Slashdotters are not your research assistants.=====
Hey Jerkoff -- I ended up on slashdot.org for the first time today reading this after a Google News search looking for information myself. Still haven't found it. And I sure am not coming back to this website. What an asshole you are. Hope you weren't standing next to me at one of the 100+ Dead shows I went to, you loser.
One of the big features they are pushing is that you can expire email after so many days/months and have it deleted.
Microsoft set an internal policy for delete after a year (I think, could have been 2) after being burnt in court due to old emails.
I was wondering when this would happen.
---- Booth was a patriot ----
Our policy is : when the server's full clean it up.
That really doesn't work with the new ruling. In order to comply with it, we will need to create a policy that's real and adhered to. So yes, the ruling affects everyone. It only changes things for some.
To put this into context, what is being discussed is a new set of discovery rules which are applicable to Federal lawsuits, but not yet (in most places) state court lawsuits.
In the interest of full disclosure:
IAAL (but spent the first dozen years of my working life as system engineer - and I still tend to view issues like one)
this is not a legal opinion and does not constitute representation
YMMV
The new rules govern so-called e-discovery. Different Federal court jurisdictions had developed different rules regarding discovery of electronically stored information. Now the Federal Rules of Civil Procedure address the situation.
For those lucky enough to be unfamiliar with U.S.-style litigation, it is a principle of U.S. procedure that both parties have to cooperate in "discovery." Essentially, each side of the case gets to ask for documents (including electronically stored data) and for the identity of witnesses who have information relevant to the case. The other side, with some limits, has to provide the documents (including electronically stored data) and identify the witnesses. The requesting side gets to use the documents for any case-related purpose and gets (again with some limits) to question the witnesses, under oath, early in the litigation (usually long before trial). So, if you're absolutely certain you'll never be sued or never have to sue anyone, then these rules will never apply to you (and you're clearly living outside the U.S., in a state of denial, or in your parents' basement).
These new rules are intended to create a common set of rules throughout the U.S. They also, in my opinion, tend to naively treat electronically stored data as the equivalent of documents. Once you're sued (or sue) you are now required to preserve copies of all relevant (and that is a really broad standard) documents (including electronically stored data). You will need to preserve all backups. When the time comes to produce this data, you are going to have to produce it in a manner which the other side can use. In other words, you can't just give them proprietary data formats or print spreadsheets and databases to hard copy (both unfortunately common past practice). You may need to provide the other side with tools to access the data.
The problem comes from the volume of data, and from dynamic data structures, which are constantly in flux, coupled with the fact that you never, ever, want to produce something to the other side without having your lawyer review it. (In fact, it may be malpractice for your lawyer to produce something without reviewing it.) Even in medium to large sized businesses, almost no one in legal or corporate has really thought about these issues. I have an analogy that I like to use with my clients and other attorneys, many of whom don't understand the difference between a kilobyte and a terabyte, to give them a grasp of the scope. I keep a cheap copy of the Complete Works of William Shakespeare on my desk. I pick it up and point out that a simple copy of this in plain text and without any graphics or fancy formatting, takes up just a bit more than 5 Megabytes of storage. A 250 Gigabyte disk (now ubiquitous in many businesses) can hold approximately 50,000 copies of this. That is the potential scope of the problem, and it doesn't even begin to address the issue of metadata and what it reveals about your documents, who touched them and when. For example, most people have no idea that the Word document that they are prepared blithely to give to opposing counsel may include prior draft language invisibly within it.
This is a huge boon for specialty information/litigation management firms.
This is not a legal opinion, no representation is expressed or implied.
My company is pushing me to find a copy of the ruling, because *cough* they don't believe it. Any idea where I can find that. I'm searching EFF.org now, and the Supreme Court website is kludgy. I'm gonna dig through the comments to see if I can find it too.
So far, our department has taken on the impression that this doesn't affect them because they are not a public company (though we are an ASP for many companies that are, and host their data). They have NO legal policy governing data protection or retention, and everything is just a YEAR. But, they don't destroy data after that year, they just leave it on the tape.
Which brings me to my next point..... ERASE YOUR EXPIRED TAPES!!!!!! This is how Morgan Stanley lost the 1.45 BILLION dollar case. During Discovery, it was found that the data that was needed to LOSE the case was on tapes that had expired data on them. Welllllll... guess what? It's still there, still viable, and cost them a shiteload of cash. *sigh* It's OUR job to protect our CIO's and CEO's asses... and if we don't, now WE can be held accountable and go to pound-me-in-the-arseville.
Sorry man... the Internet pooped on me.
Our parent company is a US corporation, and as it seems that any US corporation could be litigated by the US government, would the US corporation be in violation if the Canadian subsidiary did not follow the same rules?
He said SMALL business. Most small businesses I know don't have in-house counsel. Hell, many are lucky if they have ANY counsel, even on retainer.
Good suggestion, but way off base for small business.
I have the same problem the GP mentioned and am not sure if this affects us or not. How would you know if you are "subject to federal lawsuits"? EEOC (discrimination) lawsuits would count as federal -- so do I need to address this or not? In theory, everyone is subject to federal suits so should everyone have to deal with this? I don't know.
That is what the GP was asking.
My company, which CERTAINLY comes under this, last week ordered everyone to pull all their emails prior to 12/1/06 off the servers. You know, we're, uhm, saving space. Yeah, that's the ticket.
Hmmmmmmmmmmmmmmmmmmm...
My experience with this sort of thing dates back about half a decade to a former employee who was governed by the SEC.
Workstations were locked down so only "authorized apps" could be used.
All web traffic was run thru a proxy to create a pervasive running history.
All IM traffic was run with one vendor's client thru a special app (I won't say the name lest it point out my former employer) and captured and stored for a certain period of time.
All E-mails, no matter how inconsequential, were stored for a certain period of time.
The "certain period of time" was more than five but less than ten years.
The storage system in place for this data was quite impressive and no doubt cost quite a lot of money.
The guys responsible for architecting and running that particular system got gray hair well before their time.
I'm curious as to how this affects my company as it is private not a publicly traded company. The article makes it sound like it applies to all companies however. The article mentions no name of the law or rules or where you can find the official rules. Does anyone know where this information might be hiding?
devmage
This is why I think it's very important to use something like GnuPG for email. With a large keysize, it's very hard to break. I encourage everyone who will be affected by this to cryptographically sign and encrypt his or her email, and use something like OTR (Off The Record) to encrypt instant messages.
Conversations are between the intended people, and should stay that way. The last thing we need is people snooping through our emails and private conversations.
If the federal gov't tries to extend their reach too far, the affected companies will just move their IT operations offshore.
Have gnu, will travel.
James Wright, director of electronic discovery at Halliburton Co.
Is Halliburton getting sued so often they need a director of electronic discovery? I wonder how many people work in that department.
Why is this tagged as "bigbrother"? Isn't the point of this legislation to create an e-paper trail for scum like Enron execs? I'm sure that down the line, when small companies are going to be subject to lawsuits for unpatriotic behavior, this will have negative repercussions, but how about painting both the pros and cons of an issue when framing an article (an article which itself was fairly neutral)?
sic
I seriously doubt that this will be followed by most companies, as archive media is REALLY FUCKING EXPENSIVE. I know the small business I work for will not, because our email server is a tiny COAC (computer on a chip) with a 6gb microdrive as its only storage. We don't get near the amount of mail a day as large companies, only 1-2gb, after the Bayesian filter has its say, but after the MUAs retrieve the mail, it's fucking GONE. And there is no money to buy the new hardware to implement any kind of archive system that this would require, nor space to store it. This is why we went paperless for Christ's sake, so we would not have to deal with endless archives from like 1997.
Shiny. Let's be bad guys.
I work for a storage company. Cha-ching!!!
As many commenters have pointed out, these new rules only apply when your company is being sued... Or do they? I propose that there are TWO reasons why you cannot avoid implementing systems that (can) comply:
1) These new rules apply to the discovery phase of a trial. Any trial. That means if you do business with a company that is being sued or one of your employees is being sued you're under the "discovery umbrella" and can be held accountable if you can't provide requested documents.
2) If your company were sued tomorrow, would you be able to retain documents in a way that would meet their requirements? That day? That week? How long would it take? The speed with which you must comply with these rules is entirely up to the discretion of the judge. I can only imagine that he will not stand for a typical IT department's "pace of implementation". In fact, he may not stand for any "pace" at all. Is it unreasonable for him to expect you to hang on to all of your electronic evidence starting the day you get served? Especially when these rules have been around for a while (I give it a year before "But Judge, new rules!" stops being accepted as an excuse).
Then there's the problem of existing implementations that lack pertinent storage controls: A user can download something to their PC and wipe it--erasing evidence--in between nightly backups. As part of the discovery process it may be revealed that the user downloaded the file (via the proxy server logs), but where is that file? Will companies be held accountable for not implementing desktops that can protect against such actions by their users?
I have lots of other questions and theories, but my time is limited. I'll close by saying that I don't think these new rules are a bad idea per se, but I do believe that the courts should be lenient when there are time and resource limitations on the speed of compliance. In a few years I'm sure that compliance will be business as usual, but right now, your typical Windows IT implementations will not be able to meet the needs of the court. Linux, on the other hand...
-Riskable
http://www.riskable.com/
"I have a license to kill -9"
-Riskable
"Those who choose proprietary software will pay for their decision!"
... but is everyone taking crazy pills today?
Since when does the phrase "keep track of..." mean the same as "keep copies of..." or "keep forever..."?
I'm reading comments about "retention policies" mentioned in TFA but it doesn't say anything at all about any particular policy.
I'm reading comments about not being able to overwrite backup tapes anymore but again TFA doesn't say that at all.
What the hell is the panic?!? All it says is that companies should keep track of their documents and - in case of litigation - should be able to produce those documents in a timely manner and readable form. Where exactly does it say anything more than that?
As an aside, the comment about a routine backup being considered "virtual shredding" is a great example of how really crappy journalism has become these days with their sensationalist fear-mongering for the sake of making a dull story sound scary. It makes it suddenly sound illegal or suspicious when in fact there is nothing illegal about shredding in itself... we do it all the time where I work and it's NOT illegal or even remotely suspicious! And there is nothing intrinsically illegal about "virtual shredding" either. But they won't bother to clarify that in TFA because then it wouldn't sound as dangerous. So much for truthiness...
It takes an idiot to do cool things - that's why it's cool!
FTA
It appears that once you're informed of the suit, you cannot delete the stuff. Sadly, it will probably take a team of lawyers to figure out to what extent you need to save stuff.
Have the IT dept buy several multi hundred GB HDDs, and have the employees save all their emails to this drive. When the courts ask for them, hand over the drives to the law enforcement, and wish them happy hunting. You have to provide access to the emails, not make their jobs easy.
A couple of years ago, it might have to be a high volume list. I get over 1,000 spams a day. In 3 days I have almost 29M in 3200 emails.
Fight Spammers!
The government started out ordering phone companies to finance the cost of government wiretapping. Next they told ISPs they need to finance the cost of government e-mail searches and internet traffic analysis. Now they want companies to pay for keeping data for civil suits. All of this costs money, yet the government thinks it's naturally entitled to another freebie from the private sector using the power of regulations and legislation. The costs will of course be passed on to the end-users of their services. I think it's time for the government to start telling us about the real value of these activities, rather than wrapping itself in the flag and the "Remember 9/11" mantra whenever it wants to pass some new draconian law. How many bad guys have been caught as a result of these new laws? God forbid that you ever try to leave your computer and actually go outside your office to catch criminals. Technology is a useful tool, but sometimes I suspect it's being used as a crutch by some in the government. I think that Al Qaida and the other assorted bad guys out there know by now that anything digital can be intercepted, so try getting out of the house, learning a foreign language, and doing some "old fashioned" work.
I tried Anonet; couldn't get it talking properly with OSX (10.4.7 & Tunnelblick). Any help to GET it going would be greatly appreciated.
"It's time to take life by the cans." ~ Bender ("Bendin' in the Wind", ep. 3-13)