Slashdot Mirror


New Email Rules Effective Friday

An anonymous reader writes "As of today [Friday], certain U.S. companies will need to keep track of all the e-mails, instant messages and other electronic documents generated by their employees, in accordance with new federal rules. In April the Supreme Court began requiring companies and other entities involved in federal litigation to produce 'electronically stored information' as part of the discovery process of a trial." From the article: "Under the new rules, an information technology employee who routinely copies over a backup computer tape could be committing the equivalent of 'virtual shredding,' said Alvin F. Lindsay, a partner at Hogan & Hartson LLP and expert on technology and litigation. 'There are hundreds of "e-discovery vendors" and these businesses raked in approximately $1.6 billion in 2006, [James Wright, director of electronic discovery at Halliburton Co.] said.'"

42 of 193 comments

  1. What's next? by Salvance · · Score: 4, Informative

    What happens for companies that don't host their own e-mail, particularly smaller companies?

    In order to save money, my company hosts our website and e-mail on a shared server. E-mails are downloaded via POP3 and immediately deleted from the server (each account can only hold 20MB online at one time). Most people then delete their e-mails after reading, so we have absolutely no way to retrieve this data.

    This doesn't seem to impact my company, but at some point I fear regulators will start requiring more stringent data retention processes (among other IT tech processes). SOX has already hurt large companies, hopefully they don't start pushing some of its fundamentals down to the little (non-public) folks.

    --
    Crack - Free with every butt and set of boobs
    1. Re:What's next? by owlnation · · Score: 3, Informative

      But TFA (I read it, sorry!) doesn't use "some"... even though logically that must be the case.

    2. Re:What's next? by MoralHazard · · Score: 4, Informative

      companies that don't host their own e-mail, particularly smaller companies

      This is a no-brainer, right? If you're the kind of company that is subject to these retention rules, having a shared email server that immediately deletes DL'd messages, with no user policy at the local level, either, is illegal. You'd have to immediately move your email in-house and implement appropriate policies, or find a 3rd-party that can handle it, or some mixture.

      If you're not the kind of company that is subject to these rules, who the fuck cares?

      If you don't already know that your company is subject to these rules, and it turns out you do need to follow them, fire your in-house counsel because they're incompetent.

    3. Re:What's next? by archen · · Score: 5, Insightful

      I'm an admin in a smaller company as you - shared hosted email. If you really want to play it safe, I would say make the responsibility of saving email the responsibility of each user.

      Really this is a bunch of crap anyway. What about companies that don't even CONTROL their employees' accounts and just expect them to use personal hotmail accounts? Catalog all instant messaging traffic? How about clients that might IM that are installed aside from what the company keeps track of? Yeah, let me just start logging ALL network traffic on that 20 trillion terabyte tape I rotate every day.

      Besides which how about tracking stuff that's encrypted? What if the messages are IMed through some http system? Now I have to do man in the middle attacks to sniff HTTP connections, then I have to store that information. Because we also do credit card transactions via HTTP, I am storing credit card information; this goes against Visa's policy for businesses allowed to do credit card transactions. I wouldn't be surprised if it were against the law either.

      The Supreme Court can say whatever they want, but I can't do what they're telling me, nor can I raise the dead like Jesus if they required that either. The law is irrelevant unless you PURPOSELY shred / delete documents - and that's against the law already during litigation.

    4. Re:What's next? by darkmeridian · · Score: 2, Interesting

      The rules only require companies to maintain their normal course of business. The exception is if a company realizes it is going to be sued, or the target of a government investigation. Under those circumstances, the company has to enter into a hold and stop destroying data even if it would have done so in the normal course of business.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    5. Re:What's next? by kabocox · · Score: 2, Insightful

      This doesn't seem to impact my company, but at some point I fear regulators will start requiring more stringent data retention processes (among other IT tech processes). SOX has already hurt large companies, hopefully they don't start pushing some of its fundamentals down to the little (non-public) folks.

      Plan for it. If the government doesn't do it, the larger companies that have to will start forcing the government to go after smaller to midsized companies that aren't following the rules that they have to. Why should you be exempt just because your company is smaller? I could see a new e-mail niche open up for those that host business class e-mail where it's part of the cost of the business class e-mail accounts to store all e-mail for x number of years. I wouldn't be surprised if there were companies that offer that kind of service.

    6. Re:What's next? by brouski · · Score: 3, Insightful
      If you really want to play it safe, I would say make the responsibility of saving email the responsibility of each user.

      And what part of that seems "safe" to you?

      --
      Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
    7. Re:What's next? by MrNougat · · Score: 2, Informative

      IANAL, but I have worked in IT for a company during a time when it was under subpoena.

      The summary mentions companies "involved in federal litigation." If you are not involved in federal litigation (you're not being charged with a crime or sued or under subpoena), then you can do anything you like. The moment you become involved in federal litigation, you cannot destroy any electronic data, as it is discoverable by the court.

      The fact that this is a new official rule shouldn't frighten anyone - this has been the case all along. The official rule just clarifies the rules as they apply to electronic documentation. The rules were written for paper and voicemail at best, not email, IM, backup tapes, etc etc.

      Net effect: no change. If your small company came under investigation last year, you would still be subject to the same spirit of the law regarding data retention as you would be if your company came under investigation today.

      --
      Web 2.0 == Giant Blogspam Circle Jerk
    8. Re:What's next? by Vellmont · · Score: 3, Interesting


      I'm an admin in a smaller company as you - shared hosted email. If you really want to play it safe, I would say make the responsibility of saving email the responsibility of each user.

      It's a good thing you're an admin, and not head of the company. Here's how your scenario might play out in court:

      Judge: Email 1 is a reply to email 0, but I don't see email 0. These are all emails to Dwayne. Dwayne, what happened to email 0?

      Dwayne: Umm.. I guess I must have deleted it by mistake. I do that all the time. I know we're not supposed to delete email, but this email thing is complicated and I must have hit the wrong button or something.

      Judge: Ok, but companies keep backup tapes these days. What happened to them?

      Archen: Oh I just decided to leave all that stuff up to the users. I couldn't be bothered with buying more tapes and modifying my backup schedule. The backup tapes get over-written every week, and that email was from 3 weeks ago.

      Judge: I see. Well you're obviously in violation of the ruling. I can't hold Dwayne here responsible since these systems are complicated, and data retention should be handled by someone specially trained. But since you made the decision, I'm holding the entire company responsible and fining you 1 million dollars. I'm also recommending to the federal prosecutor you be charged with obstruction of justice Mr. Archen. Destruction of data also won't help the case against you.

      --
      AccountKiller
    9. Re:What's next? by sBox · · Score: 2, Informative

      If you are in the group required to do this, I'd print out and retain that message from the boys upstairs saying 'we can't afford this solution' or 'it doesn't apply to us.' I can just imagine someone saying, 'I thought we were doing this?' and the company being sanctioned. CYA never hurts, and the blank spot on your resume will be telling to your next boss.

  2. Exempt from all this of course by hsmith · · Score: 3, Insightful

    Is congress and the white house. Much like congress is exempt from the Sarbanes/Oxley Act.

    Want to see the biggest crooks and ones fudging the numbers, look at congress. Enron couldn't come close. They all would have been locked up years ago if they had to abide by the laws they pass.

    1. Re:Exempt from all this of course by Spazntwich · · Score: 3, Interesting

      Our government fears transparency because we'd see the damage done to its lungs after years of surviving on tobacco taxes.

    2. Re:Exempt from all this of course by hsmith · · Score: 2, Informative

      Let's take an example:

      The $61 trillion in unfunded liabilities we currently have for Medicare ALONE. Medicare which is set to go bankrupt in 2018, Social Security in 40 years. "Emergency war spending" so that we can "pretend" we get "closer" to balancing the budget. Printing out gobs of money destroying the value of our savings so they can pretend to pay for all this shit

      Please, if you think they are somewhat honest in how they present any of the ways they pay for or fund anything you are kidding yourself.

      http://releases.usnewswire.com/GetRelease.asp?id=124-03232004/

  3. Post office by otacon · · Score: 2, Insightful

    That would be like making the post office open every letter then copy and store them...I guess it's not EXACTLY the same thing because it's all digital, but it's still illogical, and a waste of resources.

    --
    In a world of acronyms, the words are the real victims.
    1. Re:Post office by Mr.+Underbridge · · Score: 2, Insightful

      That would be like making the post office open every letter then copy and store them...I guess it's not EXACTLY the same thing because it's all digital, but it's still illogical, and a waste of resources.

      No, it's more like saying you have to permanently store every piece of paper you ever write on. Every memo, every piece of scrap paper. It gets ridiculous eventually.

  4. Misleading by calbanese · · Score: 5, Informative
    Under the new rules, an information technology employee who routinely copies over a backup computer tape could be committing the equivalent of 'virtual shredding.'

    This is a bit misleading. It's only "virtual shredding" if you don't keep the records around for a reasonable period (either by statutory requirements or industry standards) or if you have notice of litigation in which the evidence is relevant, and you continue to shred.

    That's why there is a document retention policy safe harbor in the rules themselves.

    As amended, Rule 37 creates a "safe harbor," protecting a party from sanctions for failure to produce electronically stored information as long as it took reasonable steps to preserve electronically stored information when it knew or should have known such information was discoverable, or the failure results from loss of information during routine operation of such party's electronic information system.

    FWIW, lawyers, even the "technology experts" don't seem to understand technology as well as someone who came through IT before becoming a lawyer.

    (disclaimer: IT guy-turned-lawyer, so I always think I know more than "pure lawyers" when it comes to tech).
  5. The amendments by jwaters · · Score: 5, Informative

    Since the linked article is light on information, I found the actual amendments (note: PDF)

  6. Rising cost of business by precogpunk · · Score: 3, Insightful

    While I'm in favor of measures to curb white collar crime these requirements seem to do more harm than good by encouraging companies to take business elsewhere.

  7. Re:Nice; tell you about new rules, just not the ru by calbanese · · Score: 2, Informative

    It applies to all companies. The length of time you are required to retain documents before destroying can be different for different companies. Like a poster noted, Sarbanes-Oxley defines a time period for publicly listed companies. But other than that (and other industries where regulations prescribe time periods for record retention), the courts have used a "reasonable time period" requirement in the past and most commentators expect that to continue under the new rules, which are, in many ways, a formalization of previous court practice.

  8. Legislated expense by jdray · · Score: 2, Interesting

    The company I work for has been implementing this sort of infrastructure over the past year. It's hard. With all the IM clients available, getting one system that will handle all the traffic and maintain usability in the face of changing features across the field is hard enough; couple that with long term storage requirements for corporate e-mail where the culture is to send huge attachments around willy-nilly, and add in all the other changing requirements, and the burden to adhere to this new bit of legislation becomes quite a burden.

    Couple that with the fact that the company I work for is a regulated utility that has to convince the local PUC each year that costs to provide service continue to go up, and the margins just keep getting tighter. Every year around March, there's a panic call from Accounting asking everyone to contribute some of their budget back to the bottom line because of some new development that wasn't foreseen the previous year. For a cash-strapped IT department wanting to provide good service, the problems just mount up, stresses are high, and the employment door keeps revolving.

    --
    The Spoon
    Updated 6/28/2011
  9. Massive Pretty Good Privacy by Doc+Ruby · · Score: 4, Insightful

    Practically everyone can scramble our email, like with "Pretty Good Privacy" (PGP). If many of us do it, they might be able to crack it or force our password after due legal process, but private parties won't be able to snoop through all of us on any possible budgets.

    Your government can probably crack any nonsymmetric crypto (with help from the US), but might not have the resources to crack everyone's all the time. You can try a tinfoil hat, YMMV.

    The real problem is webmail, which can't use any installed crypto on either end (with possible rare exceptions, but the rarity and/or nonintegration makes them useless at only one end of the comms).

    If GMail let me upload a PGP applet I signed myself (which I could validate in the pages when I hit them), which they embedded into their pages in Javascript the public could audit for holes, they might actually become by far the best email system for the masses. And win the webmail wars. And really piss off the government(s) that have been trying to pry into their transactions for years.

    --
    make install -not war

    1. Re:Massive Pretty Good Privacy by Beetle+B. · · Score: 4, Insightful

      If GMail let me upload a PGP applet I signed myself (which I could validate in the pages when I hit them), which they embedded into their pages in Javascript the public could audit for holes, they might actually become by far the best email system for the masses.

      Don't ever use "PGP" and "the masses" in the same sentence. There's a reason people don't use it unless they really need to. It's the hassle of exchanging keys and building a trust database, and getting people to use it as it should.

      It's a very minor hassle for those who use it well, but getting the masses to follow protocol is next to impossible.

      --
      Beetle B.
    2. Re:Massive Pretty Good Privacy by NatasRevol · · Score: 3, Informative

      Well, maybe you could use Squirrelmail.

      http://www.squirrelmail.org/plugin_view.php?id=153

      --
      There are two types of people in the world: Those who crave closure
    3. Re:Massive Pretty Good Privacy by Anonymous Coward · · Score: 2, Insightful

      I often wish for that too, but it's clearly a pipe dream. Google's sole interest in providing email services is to obtain access to messages themselves. They want to know what you're talking about so they can sell you crap--and they want to retain that information, so they can cross-reference it.

      Providing an easy interface for you to encrypt your email undermines that goal utterly. For it to be of any value to you, they won't ever have access to your keys or plaintext.

      So, it will never happen with Gmail.

    4. Re:Massive Pretty Good Privacy by fossa · · Score: 2, Interesting

      I agree with your sentiments, but I think no one cares about encryption. For what it's worth, freenigma provides GnuPG webmail through a Firefox extension and an existing webmail account supported by freenigma (includes GMail, Yahoo, Hotmail, others). I have not used freenigma, but last time I read the docs I got the impression it was not compatible with, say, mutt's PGP/MIME which I use for kicks (I have zero encryption using friends).

      One thing that always bugged me about mutt's PGP is that attachments are neither signed nor encrypted. I'm not sure if this is a mutt problem or a general OpenPGP issue, but it is certainly unfortunate. I suppose one is expected to manually encrypt attachments prior to mailing? This might be acceptable, even preferable, if computer interfaces were not so cumbersome.

      As for no one caring about encryption, I propose creating an animation for sending email, similar to the Windows file transfer animation with the sheets of paper flitting across the screen. This animation would add dozens of little faces watching the email, with visible text, flit across the screen. An encrypted email could perhaps be represented as a closed envelope.

    5. Re:Massive Pretty Good Privacy by 0xABADC0DA · · Score: 3, Funny

      Yeah google is really going to let you decrypt your email at the client... I can see the ads now:

      413b57037 buying guide
      replacement 6cf46e1dfc quote
      fd8869a15cb936d8e59 Free Shipping!
      bee5e2b at Amazon

    6. Re:Massive Pretty Good Privacy by Doc+Ruby · · Score: 4, Insightful

      Ah, but building demand by promoting the existing tool will encourage new developers to make it more useable.

      --
      make install -not war

    7. Re:Massive Pretty Good Privacy by neoform · · Score: 3, Interesting

      How hard do you think it'd be for the government to get their hands on those PGP keys if they were stored on google's servers.. ?

      Google is a US company and should a court request those keys.. they'd give them.

      --
      MABASPLOOM!
  10. Re:Nice; tell you about new rules, just not the ru by DerGeist · · Score: 2, Informative
    Welcome to the wonderful world of scare-mongering!

    This only applies to companies under federal litigation, but I'm sure it'll get a lot more pageclicks if you make it sound terrifying and scream things like WE'RE ALL GONNA DIE!

    Truth time, kiddies! You absolutely must hold on to email and IM data... IF it is part of a subpoena or a discovery process, and so on. But there's nothing requiring companies to hold on to such data for any specified period of time.

  11. Tape? by Mr.NoMoniker · · Score: 3, Funny

    These are NEW rules? and they refer to an IT worker copying over TAPE? Does this mean I should be saving all my carbon paper too? how about punch cards?
    Might all this extra data clog the system of tubes that is the internet?

  12. Standard Conversation by Silver+Sloth · · Score: 5, Insightful

    Techie:- We need to keep more backups of our e-mail database
    Bean Counter:- How much do the tapes cost?
    Techie:- Lots - we need at least one DLT per backup
    Bean Counter:- We can't afford it.
    Techie:- We have to afford it
    Bean Counter:- Just leave the requisition in my intray


    Months Pass

    Bean Counter:- The courts are on to us. Where are the e-mail backups for the 1st December 2006?
    Techie:- I had to overwrite them so as to keep a reasonably current backup
    Judge:- Techie, you shredded evidence - now you're for it

    --
    init 11 - for when you need that edge.
    1. Re:Standard Conversation by itlurksbeneath · · Score: 4, Insightful

      I've actually had that conversation with the bean counters, but it went like this:

      Techie: We need $5,000 to buy another 100 DLT tapes to comply with this no-rewrite order.
      Bean Counter: Again! We don't have any money in the budget to buy any more tapes.
      Techie: Ok, no problem. Send me an email and CC your boss and my boss and tell them that we can not comply to this federal ruling because we don't have any money in the budget.
      Bean Counter: Erm.. Uh.. Oh! Here's some money for tapes you can have.

      As long as the gun is pointing at them, they are very cooperative.

      --
      Have you ever considered piracy? You'd make a wonderful Dread Pirate Roberts.
  13. invest in storage by jwegy · · Score: 3, Insightful

    Now would be a good time to invest in companies that make storage devices.

  14. Links to the rules by davidwr · · Score: 4, Informative

    This link goes into a bit more detail than the article in the main /. story.

    The pertinent rules appear to be the Federal Rules of Civil Procedure, specifically Rule 16 dealing with pretrial scheduling and Rule 26(f) relating to discovery and disclosure.

    Cornell University has these rules online. They might be outdated already.
    Rule 16
    Rule 26

    Wikipedia also has a writeup on the Federal Rules of Civil Procedure.

    Do a search for rules on electronic discovery for more commentary.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Links to the rules by Your+Pal+Dave · · Score: 2, Informative

      NPR did a report on this today as well.

  15. This is plain old FUD... heavy on the 'F' by Anonymous Coward · · Score: 2, Informative

    This is a great example of FUD... programmers need to stick to programming and lawyers need to stick to lawyering. (I happen to be both, but that's beside the point).

    This is not legislation.. it is part of the court rules. In a lawsuit, you have to provide all relevant documents to the other side. In the past, there had to be a *lot* of court time wasted on deciding what was subject to disclosure (i.e. a man does work for the company from home... is his home computer subject to examination? Answer: yes). This rule change simply makes standard what most all the court rulings concluded was subject to disclosure anyway.... all it does is save wasted court time in disputes by making the rules clear.

    If a company has a "document retention policy" that says all e-mails will be deleted in 30 days, all backup tapes will be overwritten or erased in 30 days, etc., then they can continue doing that. No one has to retain anything under these rules. These rules say that anything that *is* retained, has to be turned over in a lawsuit. After a lawsuit is started (technically when a company becomes aware of a claim even before suit is filed) the company has to not delete anything they know is relevant.... but continuing to follow the published document retention policy for everything else is fine. This has been so for many, many years. Nothing is changing in this regard.

    Companies that do bad things will have evidence of doing bad things.... they will want to delete things. Companies that don't do bad things will have evidence of their proper behavior, and they will not want to delete things. I was once involved in a case where a man was blinded by some chemicals. He claimed there was no warning sign. I found the e-mail in a user's mail archive confirming installation of the warning sign, dated 6 months before his injury. If that company had been deleting all e-mails 30 days old in archives (they deleted 30-day old mail, but it did not reach local archives on the users' HD), they would have lost this exculpatory evidence. As a result, they changed policy to have users include the word "SAFETY" in the subject line of all e-mails related to safety, warning signs, safety related repairs and maintenance, etc., and e-mails with that in the subject line were excluded from the deleting policy in the future.

  16. Stupid thing! by VincenzoRomano · · Score: 3, Insightful

    So all the email traffic done in the US will be stored somewhere at least once, often twice (sender+receiver) and in some cases several times.
    And storing them is not enough: you'll need to browse them for searches!
    This is a very very smart move!
    And when litigations will go with browsed web pages, we'll need to store all the web we browse!

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  17. As the summary says... by jpellino · · Score: 5, Funny

    "companies and other entities involved in federal litigation"

    Odds are you already know if you're one of these.

    (Use your best Jeff Foxworthy voice for this next part)

    "If your CFO has been escorted out of the building on the national news by people with big yellow letters on their backs..."
    "If the new guy in the office spends all his spare time chatting up his sleeve instead of the secretary..."
    "If your office phone system now says Press 1 for Customer Service, Press 2 for Public Defenders..."
    "If they show Dennis Kozlowski on Biography and your boss snorts 'Huh. Pikers...'"
    "If you check your email and a cheery voice announces 'You've got bail!'"

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  18. Re:Nice; tell you about new rules, just not the ru by nm42 · · Score: 2, Interesting
    Keep in mind that many states adopt the federal rules with little or no modification for use in state courts. Within the next few years, these changes will be incorporated into local rules for just about every jurisdiction.

    The scariest parts of the new federal rules are:

    • 26(b)(2) which says that a party can designate information as "not reasonably accessible". It's supposed to protect companies from having to spend huge amounts of money to restore backup tapes from ancient systems, but it's going to lead to a lot of additional motions (and more attorney's fees) to prove whether the data really is inaccessible.
    • The Committee Note for Rule 34(a) states that a party may be required to provide access and technical support to an opposing party for inspecting data (which would include things like a database, SAN, or other systems). Not only do you have to give them the info, you have to show them how to understand it as well.
    • There are other scary provisions, but the overall theme of these rule changes is a shift in the timing of dealing with discovery issues. Traditionally, many cases settle or are dismissed before the discovery process (usually the most expensive part of a case) begins. The new rules require the parties to evaluate and discuss these issues within the first 120 days. This means litigation gets more expensive for the big companies (usually a defendant), but the small plaintiffs won't see much of a change, other than getting bigger settlements earlier in the case!
  19. Re:Nice; tell you about new rules, just not the ru by DerGeist · · Score: 3, Informative

    Nice try, but you are sadly wrong thanks to your slippery-slope fallacy. As long as you have a data collection policy and follow it, you're fine. Documents/data that have been shredded prior to discovery or litigation aren't your problem. If your policy is "shred every 60 days" and you follow it, and the court requests something 120 days old, your policy will stand up in court. This rule applies only to those who are currently under federal litigation or think they soon might be.

  20. In house counsel???? WTF? by tacokill · · Score: 2, Interesting

    He said SMALL business. Most small businesses I know don't have in-house counsel. Hell, many are lucky if they have ANY counsel, even on retainer.

    Good suggestion, but way off base for small business.

    I have the same problem the GP mentioned and am not sure if this affects us or not. How would you know if you are "subject to federal lawsuits"? EEOC (discrimination) lawsuits would count as federal -- so do I need to address this or not? In theory, everyone is subject to federal suits so should everyone have to deal with this? I don't know.

    That is what the GP was asking.

  21. Re:Copy of the Ruling with Legalese? by KiahZero · · Score: 2, Insightful

    Which brings me to my next point..... ERASE YOUR EXPIRED TAPES!!!!!! This is how Morgan Stanley lost the 1.45 BILLION dollar case. During Discovery, it was found that the data that was needed to LOSE the case was on tapes that had expired data on them. Welllllll... guess what? It's still there, still viable, and cost them a shiteload of cash.

    Maybe avoiding tortious conduct might be a better idea?

    --
    I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.