Businesses Generally Ignoring E-Discovery Rules
eweekhickins writes "A full year after the institution of new federal e-discovery court rules, only a minority of companies are paying attention. Keeping track of every IM, email, and document for a court order that may never come must seem like a tall order. Researcher Michael Osterman said that only 47 percent of companies have some kind of e-mail retention policy in place. 'I don't think it's difficult to understand the rules,' Osterman told eWEEK. 'I just think that it sometimes takes headline shock to make people move on some things.'"
Time to raise the penalties for violations - and close off any foreign country escape route from this regulation.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
They just don't care. In fact, I commend them for it.
Wow, that's a rare sentiment for companies coming from me.
It is a bad law that failed to consider the impact it would have on business to actually implement the requirements.
RTFG - Read The F#$%ing Google!
Why is this tagged privacy? This applies to businesses, not people.
Is law for all companies or just Public corporations? Seems an excessive burden to put on small businesses?
The law is burdensome on businesses. Keeping track of email is one thing. Keeping all communication archived is ridiculous. We just came up with a solution to archiving email so we can finally delete some mailboxes off of our Exchange boxes. My co-worker just wanted to purge the boxes and not back them up. I convinced him that even if this law didn't exist the mail may be useful for us in a court case, so it would be worth keeping.
Now, we used to use Spector 360, which would satisfy this ridiculously overbroad law. The software is nuts, though, and opens all kinds of issues like keeping the data secure, since it captures all keystrokes and so people may have CC#, SSN or bank account numbers in the database records kept by this program.
When we moved we stopped using the program.
The Federal Rules of Civil Procedure are being grossly mischaracterized here. The main purpose of the changes is to make it so companies can't intentionally obfuscate their data storage in order to either 1) increase the timeline for digital discovery; or 2) increase the costs (especially to the non-business plaintiff) for digital discovery.
The FRCP are not a set of regulations to govern businesses, it just means that parties with digital information will bear the burden to produce it in the event of a lawsuit. Depending on the frequency with which your company is sued, it may or may not be a good idea to make it faster to access your backups.
You aren't under an obligation to save all electronic correspondence unless you are in a heavily regulated industry with special rules requiring that. However, anyone who deletes or destroys documents once a court order has been issued is in pretty big trouble if they get caught. This was true long before the advent of email.
IMPORTANT NOTE: I am not a lawyer, this is not legal advice, there is no formation of attorney-client privilege, this does not serve as an offer to represent you, your family, or anyone you have ever met, consult the advice of a licensed attorney in your jurisdiction before taking any action, the foregoing is for informational and educational purposes only, and any and all warranties inherent in this post, whether express or implied, are hereby disclaimed.
"If you think you have things under control, you're not going fast enough." --Mario Andretti
You inconsiderate clod, it creates nothing but opportunity for lawyers to charge endless fees for e-discovery. Imagine the new volumes of information available for them to charge $500 an hour to sift through! And if they can charge $1.50 per page to make copies of documents, imagine how much they can markup deleted email recovery services! And the damage awards they can demand from corporation-hating juries for failure to retain data that may or may not have any relevance to the case at hand.
The opportunities are endless!
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
These new rules really don't mean much. You never used to save IM and email conversations... and you still don't. Your company just has to have a policy (a document retention policy) that states what the retention time is on certain types of communications. 0 days.
Our understanding of the new e-disc rules is that you must follow established policies -- and any material that the company has is discoverable, electronic or paper.
The end. This isn't a real news story.
E-mails and IMs give the illusion of being almost costless (although the key cost component, someone's time, is still there); consequently, things get "written down" in E-mail that would never get put on paper. You might have written them on a sticky note, but those never officially existed as far as the formal records were concerned. The tricky thing about E-mail is that it can keep a record of all those formerly off-the-record bits: so you either have to keep everything (costly as well as potentially embarrassing), or you have to try to devise a defensible standard for what's relevant. And, of course, the constant torrent of spam doesn't make it any easier.
Setting up a backup schedule so that you're basically keeping all email is freaking expensive, even when you're only doing incrementals. Tape "rotation"? Forget that. It's tape storage for ever and ever.
You need drives, and tape storage, and a tape inventory system, and let's not forget a never-ending stream of tapes.
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
If they were, their lobbyists would be crawling all over this. The cost of capturing and storing all of the digital communications made by employees is non-trivial. I know of one company just trying to give their lawyers access to query and retain e-mails. That project is a mess. I can't imagine trying to keep instant messaging along with that, etc., etc.
Think Deeply.
'cause I do.
Cheers,
W
I wonder if they also retain all incoming SPAM mail. That would be interesting.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
If you want to teach people through headlines, the White House has deleted 10 Million emails and is getting nothing -- not even a slap on the wrist for it.
They're just teaching through example.
There's no way you can have a more egregious example of failure to comply with federal document retention laws, or a more important reason to retain the emails, but absolutely no punishment seems to be forthcoming. Neither half of our political party seems to be even pretending to want to do anything about it.
So why should anyone else get punished for failure to keep their emails or other documents?
Thanks, I'll be here all day. ;-)
They give you, like, a gigabyte of storage. That should be enough for anybody.
I can tell you the following:
1. It is a big business.
2. It is not "pointless".
3. The reason the laws were passed is that people were intentionally deleting documents or, worse, LYING and claiming they had deleted them when backups were clearly present. They lied because of the expense it would take to recover the backups. Honestly, was it that hard to have the lawyers talk directly to the tech people, instead of to a middleman that cared more about money than their legal responsibilities?
4. The law at heart simply states that if you have documents then deleting it BECAUSE of a legal action is illegal.
5. The law clearly allows you to routinely delete documents, say 1/year, or even every month.
6. All it really takes to satisfy the law is a commitment to a reasonable data-retention policy. The only businesses that don't or can't comply are
A. those that have been giving their IT department the short shrift, not providing a reasonable amount of cash for data and backups.
B. those that don't realize that being SUED or CHARGED with a crime means you have to spend money on the lawsuit. That includes the responsibility of saving and organizing the data you collected.
excitingthingstodo.blogspot.com
It doesn't so much matter what your policy is, so long as your policy is consistent. If your policy is that e-mails are kept for one week and then deleted, that's ok. What is not ok is if you normally keep e-mails for a year, but then suddenly delete everything older when you get sued. There aren't any overall rules for what your retention has to be; however, you can't change your policies to try and avoid handing over data.
So if your policy is that nothing gets kept, you have no backups, no retention, you are ok, that's fine. However you don't get to keep backups of your data and say "Oh well you can't have access to those." If you have it, you are going to have to hand it over and you can't drag your feet on it.
The only case where this could get tricky is that if you are involved in a case, you can be ordered to retain data that you don't normally. Maybe you don't normally do e-mail retention, I know places where it is considered non-critical and thus not retained, not backed up. However if you are involved in a case, you may have to retain it, even if you didn't before.
But the parent here is completely correct: They aren't saying you have to log everything you do. They are just saying that you can't have the data, and not hand it over.
The federal rules of discovery haven't really changed - this is just a tweak to address the concerns of the digital era. The government does not want you to keep everything forever; in fact the government is not usually party to these civil suits - besides, most corporations waive privilege in government investigations to show good faith.
The primary goal of these changes is to get lawyers to talk about discovery in a meet-and-confer as early as possible. Too many judges were spending too much time dealing with lawyers that didn't know what they were talking about going back and forth about "it's in the metadata" or "it's in the RAM" or "it's on a sector". The judges want the lawyers to bring their geeks in, discuss what each side has and where, and decide on a good process for e-discovery. Then the courtroom is for arguments about merits, not about process.
Unfortunately the perception is that you have to deliver tons of data, which means reviewing tons of data for privilege. Plaintiffs lawyers are using this as a method to pry large settlements out of defendants, who see this as cheaper than hundreds of hours of outside counsel review time. You do know that most civil cases settle before going to trial, right?
That's not to say that e-discovery is not a fascinating and daunting challenge, it actually makes for an interesting career. But bringing a sound preservation scheme and reasonable search terms and methods to a meet and confer will help dramatically.
This kind of archiving would be nigh impossible for some businesses, no matter how heavily regulated. It's partially a matter of resource allocation. I do a nightly backup and a monthly backup for an organization that deals with kids, medical records, and large donations (i.e. heavily scrutinized). 80 percent + of donations must be spent on program services, so I have a limited budget. If something is written and deleted betwixt the monthly backup and the earliest nightly, it's gone. There's no practical way for me to keep all that data on hand. I recycle the backup tapes and burn DVDs. If I bought enough tapes to keep an independent backup of each day's activity, there'd be no room in my office for me. Nor do I want to spend money on some kind of IM tracker. If I did, those kids with medical conditions would suffer. Sorry lawyers, you'll have to keep doing things the old-fashioned way.
Silicon Flatirons at CU Law hosted a roundtable last week on E-Discovery. A whitepaper is forthcoming soon, but there were several recurring themes. 1) eDiscovery disputes are largely regional. There are a lot of pitched battles happening on the east coast (esp. NY and NJ) and in California; in the middle of the country (Texas, Colorado, Chicago), not so much. 2) Mutually assured destruction - lots of companies in litigation stay away from bringing up eDiscovery issues because they know it will be extremely bad for both parties involved. 3) Cost - it's not necessarily in the retention, as people have mentioned here; it's relatively cheap to produce data. The problem is searching it. It's extremely resource intensive to search 100 million documents for 50 relevant e-mails. There's a software gap here that none of the major players are filling adequately - hint hint! For all you startup developers searching for a niche to fill, here you go! This is software that big firms and eDiscovery vendors and service providers will pay big bucks for. Get on it before Google gets in on the action. 4) Competence - most lawyers are simply not well versed in either eDiscovery or computer technology to sufficiently explore this area of the law. Look for this to change drastically in the next 10-15 years as it starts becoming malpractice or sanctionable behavior to NOT be well-versed. There are more interesting issues in this area - check silicon-flatirons.org after the holidays to read the whitepaper. Disclaimer - IAALSBNAL (I am a law student but not a lawyer) and this is not legal advice, YMMV, etc., etc.
Disclaimer: my employer sells a solution[1] for the email retention market.
As the summary says, a lot of this stuff isn't going to sink in until Directors of limited companies (corporations in the US) are doing the walk of shame because they failed to pay proper attention to IT security. (I consider mail retention to be part of the infosec remit of almost all organisations except those TLAs with very special needs.) Security in general is given lip service, but the best you can hope for really is that officers have had some legal advice that they're personally liable for related issues (e.g. if it turns out the marketing dept have been faking customer satisfaction numbers, and the firm's about to collapse in a wave of customer rebellion, and the officers don't know that - tough! You should have known! People invested in the company on the understanding that it was known! You know the score... "...and may god have mercy on your trust fund. Take him down!")
In those situations management tend to fling money at consultants who will install fascistic AUP practices, enforce lots of insane bureaucracy that just gets in the way of people doing their jobs (e.g. universal bans on USB media; banning people from listening to music as they work). Of course that's BAD security, which IMO is worse than none at all - because it makes people work a bit harder to work around it, which makes it harder to know what backdoors people are using to, yes, do their jobs. And when that happens I'm going to be secure in the knowledge of my own off-site backups of my own internal mails, clearly laying out the risks being run and the controls required to do it properly. And the protests when resources are slashed anyway. I want that stuff on the record, which means a record I can trust - which means one I control.
It's interesting that the UK government has suddenly started reporting losses of personal data of the sort that have obviously been going on for years - ten or fifteen years, ever since ubiquitous high-capacity storage such as CDR, outsourcing of IT and administrative functions to companies with no direct interest in maintaining control of data, cheap wide-area networking and the mirage of a working database nation came to pass. (I was just getting into professional IT back in the mid-90s, when the trade press were full of vendors touting datacubes, object-orientated databases, OLAP and datawarehouses and the like. The theory was that by aggregating data from masses of sources, slicing it and dicing it, The Business would gain amazing new insights into customer behaviour. The national security-industrial complex also bought the whole story hook, line and sinker, with results we are now starting to see - billions wasted on white elephant systems that suck garbage in and spit garbage out, have enormous opportunity costs and never deliver the promised benefits.)
Mail retention's the same story. How many sysadmins would demur when a senior VP pops up in the helldesk room on a Friday night and orders someone to stay late doing 12x overwrite-pass disk reformatting on all the mail servers? The same number who care what happens to the disk in that old mail server that got skipped last month when the shiny new quad-core Exchange box arrived - just over none at all. (Yeah yeah, everyone here takes a hammer to the platters before releasing them... ever tried buying a dozen cheap second-hand SCSI drives from a redundant-kit-recovery operation? Give it a go one day, and try practicing your Coroner's ToolKit skills on 'em (or just pop open hexedit and take a peek at /dev/sdc1 or whatever). It's quite an education, I recommend it to all conscientious sysadmins.)
[1] hey I'm not saying if it's a box, software, a service, or a combination of all three. Do your own damn market research! ;p
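The poster's point about second-hand drives can be shown with a few lines of code. What follows is an added example, not the poster's tooling and not part of the original thread: a minimal header carver that walks a raw image looking for RFC 822-style header blocks, which is roughly what a Coroner's Toolkit or hexedit session turns up on a mail server disk that was "reformatted" but never overwritten. The image is constructed in memory here; the `carve_device` path argument is an assumption for running it against a real dump of media you are authorised to examine.

```python
# Added example (not the poster's own tooling): carve mail header blocks
# out of a raw byte image. Sample image and addresses are constructed.
import re

# A block starts at a "From:" line, continues with one or more
# "Name: value" header lines, and ends at the blank line before the body.
HEADER_BLOCK = re.compile(
    rb"From: [^\r\n]{1,200}\r?\n"                             # From: line opens the block
    rb"(?:[A-Za-z][A-Za-z0-9-]{0,60}: [^\r\n]{0,400}\r?\n)+"  # further header lines
    rb"\r?\n"                                                  # blank line closes them
)


def carve_headers(image: bytes) -> list:
    """Return [(byte_offset, {header: value}), ...] for every header block
    found anywhere in the image, regardless of filesystem structure."""
    found = []
    for m in HEADER_BLOCK.finditer(image):
        hdrs = {}
        for line in m.group(0).splitlines():
            if b": " in line:
                name, value = line.split(b": ", 1)
                hdrs[name.decode("ascii", "replace")] = value.decode("latin-1")
        found.append((m.start(), hdrs))
    return found


def carve_device(path: str) -> list:
    """Read a small partition dump whole (assumed path, e.g. a dd image).
    A multi-hundred-GB disk would be read in overlapping chunks instead."""
    with open(path, "rb") as fh:
        return carve_headers(fh.read())


def build_image() -> bytes:
    """Constructed 'disk': zeroed sectors, one CRLF message, a run of
    0xFF padding, one LF-only message, more zeroed sectors."""
    msg1 = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
            b"Subject: Q3 forecast\r\nDate: Fri, 14 Dec 2007 09:12:00 +0000\r\n"
            b"\r\nNumbers attached.\r\n")
    msg2 = b"From: carol@example.com\nSubject: Re: Acme contract\n\nSee thread.\n"
    return b"\x00" * 512 + msg1 + b"\xff" * 300 + msg2 + b"\x00" * 512


if __name__ == "__main__":
    for offset, hdrs in carve_headers(build_image()):
        print(offset, hdrs.get("From"), "|", hdrs.get("Subject"))
```

The carver deliberately ignores the filesystem: it finds a message wherever its bytes survive, which is exactly why the post's "just over none at all" observation about disposal matters for any retention scheme that assumes deletion means gone.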
Despite what the vendors who produce e-mail archiving software may say, there is NO requirement that ANYONE archive all their e-mail/chat/word docs. etc. for potential litigation!!!
The rules say that, once you know that there is a legal case (or can reasonably expect that an issue may lead to legal action) you can't destroy evidence that could be used in the case. The federal rules actually spend more time outlining all the valid reasons you may have for destroying/deleting old e-mails or other correspondence.
There are a lot of vendors generating a lot of FUD about this issue, and even more clueless tech writers and glorified corporate publicity rags like eSchool news to perpetuate it. Don't be sucked in!
Yes, your company/agency should have a retention policy, but that doesn't mean retain everything! It should spell out how often you delete materials that are no longer deemed necessary. As long as you follow that policy, you are covered if you delete something that comes up later in an unanticipated legal action! Once you are aware of a legal action, it is your responsibility to identify and secure any documentation in any form that can have bearing on the case.
Keep passing the open windows...
Of course everyone is ignoring it; we all know a copy of every email/IM/packet etc. exists in the basement of the San Francisco AT&T switching center (and I'm sure many more). Why should we store all this shit when "THE MAN" already has multiple copies, cross-referenced, sourced, vetted and all the boilerplate legalese to do/charge whatever they want?
This poster is absolutely correct. There is no requirement to retain all your electronic records. See my post "PLEASE help stop the FUD" below.
Keep passing the open windows...
I work for a big vendor of Enterprise Content Management software and solutions, and I can tell you that when a major company finally decides they need to effectively manage retention policies and develop compliant workflows, it costs a bloody fortune by the time they are actually up and running. Just figuring out who creates what is a major business effort involving every single corner of the operation.
I'm the sysadmin at a lawfirm in the Chicagoland area, and we've been following these guidelines for a couple years. However, it is quite a hassle, even though we only have 150 employees. We keep tape backups on a rotating 14-day schedule, with End of Month and End of Year retains kept indefinitely - offsite in a fireproof safe, natch. The amount of storage space we need will soon require us to move from LTO-2 to LTO-4 format and buy an even larger safe.
:)
Most companies may not need to follow these guidelines, but in the legal industry we're literally in court all the time, and it's in our best interest to do so - regardless of headaches it may cause.
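The rotation the sysadmin above describes (14 rotating dailies, with end-of-month and end-of-year tapes kept forever) is easy to get wrong by hand once the shelf fills up. The following is an added example, not that firm's scripts: it answers, for any backup date, whether the tape may be recycled today or why it must stay on the shelf, and estimates how the permanent set grows. The 14-day window and the start date are constants taken from the post; everything else is an assumption.

```python
# Added example (not the poster's own scripts): which tapes in a 14-day
# rotation with end-of-month and end-of-year retains must stay on the shelf.
import calendar
from datetime import date, timedelta
from typing import Optional

DAILY_WINDOW = 14  # rotating daily set, as described in the post


def is_month_end(d: date) -> bool:
    return d.day == calendar.monthrange(d.year, d.month)[1]


def is_year_end(d: date) -> bool:
    return d.month == 12 and d.day == 31


def retain(backup_day: date, today: date) -> Optional[str]:
    """Reason a tape written on backup_day is still held on `today`,
    or None if the tape may go back into rotation."""
    if is_year_end(backup_day):
        return "end-of-year"          # kept indefinitely
    if is_month_end(backup_day):
        return "end-of-month"         # kept indefinitely
    if 0 <= (today - backup_day).days < DAILY_WINDOW:
        return "daily"                # inside the rotating window
    return None


def shelf(start: date, today: date) -> dict:
    """Every nightly tape from start..today that must still be held,
    mapped to the reason. This is the inventory the safe has to fit."""
    kept = {}
    d = start
    while d <= today:
        why = retain(d, today)
        if why:
            kept[d] = why
        d += timedelta(days=1)
    return kept


def tapes_needed(years: int) -> int:
    """Steady-state tape count after `years` of the scheme: 11 month-ends
    plus one year-end per year held forever, plus the rotating dailies."""
    return DAILY_WINDOW + 12 * years


if __name__ == "__main__":
    today = date(2007, 12, 20)
    for d, why in sorted(shelf(date(2007, 1, 1), today).items()):
        print(d, why)
    print("tapes after 5 years:", tapes_needed(5))
```

The function that matters for the legal-hold discussion elsewhere in the thread is `retain`: a hold simply adds one more reason that returns non-None, and the rest of the rotation logic does not change.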
And the white house does everything they possibly can to hide email.
Your US government at work.
As covered on NPR
Keep any documentation that can potentially help you, delete the stuff that you know could hurt you.
God: When you do things right, people won't be sure you've done anything at all.
You could just stop caring about internal documents and eliminate or change the laws that depend on them. Treat the corporation as a 'black box,' in other words.
I'm not sure why we should really give a shit about what goes on inside a company. What matters is what it does. If a corporation does something bad, punish it. I don't really care, and I don't think it should matter, whether people in the corporation "knew" what they were doing was bad, and that's mainly what the retention laws are all about. They exist in order to make it easier to pin down when so-and-so knew something. If you just tell companies you don't care, and enforce rigorous strict-liability doctrine (on the corporation -- I don't really agree with strict liability as applied to individuals, but that's a separate discussion), you can leave the internal policing to the corporations themselves.
The idea is that basically, you make the corporations responsible for the actions their employees take in their name and the results of those actions, whether intentional or not, and whether the harm was foreseeable or not. Leave it up to them to decide how they want to manage risk and how much freedom they want to give employees to act without authorization.
I don't really see why we need to peer into companies in order to regulate them. If a company wants to keep its financial records in cuneiform impressed on wads of sodden toilet paper, that's fine by me. The market will punish them for it when nobody wants to buy their stock because there's no way to gain any insight into their performance. Maybe the stock exchanges would even enforce minimum accounting standards for listed companies, as a way of keeping the crap out. But caveat emptor -- do your own research, and don't come whining to anyone else if you put all your money into a company that implodes. If you want secure investments, that's what savings accounts are for.
Similarly, if a company pollutes or otherwise externalizes costs on the public, punish it. If they don't cough up payment for the externality, forcibly seize whatever physical assets they have under their direct control and sell them at auction.
I can train my dog without knowing exactly what's going on in his head every moment; that's exactly the philosophy I'd apply to corporate governance. Reward good overall corporate behavior, punish overall bad behavior with meaningful sanctions (asset forfeiture and seizure), and let them do whatever the hell they want internally.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It's a bullshit law, so there's no reason to follow it.
There's always deniability (i.e. we don't allow IM, so there is no record of it, because it doesn't exist)...
There's also the "don't incriminate yourself" thing (right to remain silent).
While we're at it, maybe I should record all conversations I have too. Just in case someone wants to see what I've been saying.
And my brain waves. Just in case some lawyer needs to see if I was thinking impure thoughts over the last year.
Like I said, stupid law.
music - http://www.subatomicglue.com
While we're at it, maybe I should record all conversations I have too. Just in case someone wants to know what I've been saying. You just never know.
And my brain waves too. Just in case some lawyer needs to see if I was thinking impure thoughts over the last year.
I think we could all accept an implanted recording device in our skulls, don't you?
music - http://www.subatomicglue.com
I don't know about everyone else, but I get 50 to 100 spams for every legitimate e-mail. I do know that a lot of other folks here get similar quantities.
I guess I had better write up a request for some kind of email archiving system, but where oh where to find such a system?
I know, I'll check with the company (MessageOne) that financed this "research".
"The ferrets, they're every where I tell you!"
This ruling is about what is and isn't considered destruction of evidence in a court case. The only businesses that may be required to retain more data than they already would are those who are being investigated for a crime. There are two parts.
The first deals with data deleted prior to the start of an investigation. Basically, if you have a data retention plan that states how long you keep documents for, and you follow that plan, then you cannot be charged with destruction of evidence. On the other hand, if a bunch of documents relevant to an investigation just happen to be deleted in a manner that deviates from your normal behavior, then you can be.
It doesn't matter what the plan is - it could be that you delete emails from the server immediately after they are downloaded, or you can back them up for eternity, or anything in between - it is entirely up to you. For the sake of CYA, it is a good idea to have this policy documented, and to make sure it is followed closely, but you are not required by law to do so.
The second part gives judges the ability to require companies to retain data relevant to an investigation that would otherwise be deleted as part of their normal data retention policy. This requires a court order, and is no different from dead-tree requirements. Again, you are not required by law to have a plan in place to do this; however, it is a good idea to think about it so that you aren't scrambling to figure out how to deal with it if you ever are investigated.
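Several posters in this thread make the same two points: any consistent retention schedule is fine, and once a hold exists the schedule must not delete what the hold covers. Here is an added example, not any poster's code and not the text of the rules, of what a purge job that respects both points looks like. It classifies every message as keep, delete, or frozen-by-hold, and separately flags the one policy change the thread warns about, shortening the retention window while a hold is active. Mailbox names, the hold record, the 365-day window and the subject keyword are all constructed for illustration.

```python
# Added example (not from the thread or the FRCP): a retention sweep that
# honours legal holds, plus a check for a suspicious policy change.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Message:
    msg_id: str
    mailbox: str          # custodian whose mailbox holds the message
    received: datetime
    subject: str


@dataclass(frozen=True)
class RetentionPolicy:
    keep_days: Optional[int]   # None = keep indefinitely, also a valid policy


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    issued: datetime
    custodians: frozenset      # mailboxes frozen in full by the hold
    keywords: tuple = ()       # subject terms that also freeze a message


def matching_hold(msg: Message, holds) -> Optional[LegalHold]:
    """First hold that covers this message, or None."""
    subj = msg.subject.lower()
    for h in holds:
        if msg.mailbox in h.custodians or any(k.lower() in subj for k in h.keywords):
            return h
    return None


def sweep(messages, policy: RetentionPolicy, holds, now: datetime) -> dict:
    """Classify messages for a scheduled purge run.
    delete: past the retention window and not under any hold
    hold:   past the window but frozen (must NOT be deleted)
    keep:   still inside the window"""
    result = {"delete": [], "hold": [], "keep": []}
    for m in messages:
        expired = (policy.keep_days is not None
                   and now - m.received > timedelta(days=policy.keep_days))
        if not expired:
            result["keep"].append(m.msg_id)
        elif matching_hold(m, holds) is not None:
            result["hold"].append(m.msg_id)
        else:
            result["delete"].append(m.msg_id)
    return result


def policy_change_is_suspect(old: RetentionPolicy, new: RetentionPolicy, holds) -> bool:
    """True when the retention window is being shortened while any hold is
    active: the pattern the thread describes as the thing that gets punished."""
    if not holds:
        return False
    if old.keep_days is None:
        return new.keep_days is not None
    return new.keep_days is not None and new.keep_days < old.keep_days


# Constructed sample data: a 365-day policy, one hold naming alice as
# custodian and "acme" as a subject keyword, four messages.
NOW = datetime(2007, 12, 20)
POLICY = RetentionPolicy(keep_days=365)
HOLD = LegalHold("H-1", NOW - timedelta(days=30), frozenset({"alice"}), ("acme",))
SAMPLE = [
    Message("m1", "alice", NOW - timedelta(days=400), "Q3 forecast"),
    Message("m2", "bob",   NOW - timedelta(days=400), "lunch?"),
    Message("m3", "carol", NOW - timedelta(days=400), "Re: Acme contract terms"),
    Message("m4", "bob",   NOW - timedelta(days=10),  "status"),
]


def run_demo() -> dict:
    return sweep(SAMPLE, POLICY, [HOLD], NOW)


if __name__ == "__main__":
    print(run_demo())
    print("shortening to 7 days under hold suspect:",
          policy_change_is_suspect(POLICY, RetentionPolicy(7), [HOLD]))
```

Note what the sweep does not do: it never widens retention for mail that is not on hold, so the routine 0-day or 7-day schedules other posters mention stay exactly as routine as they were. The hold is a narrow exception layered on top, which is the shape the thread's lawyers-and-law-students describe.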
There's a simple solution to that one. We just see if any presents are left in your stocking this Christmas. "He knows if you've been bad or good..."
I never really understood this kind of thing, even paper-based discovery and document retention, and it's always sent my bullshit meter off the scale.
I used to work in a law firm, creating and maintaining a DB of old documents (pdf scans of old paper files). The whole goal was to be able to produce documents when asked by opponent's legal team and sanctioned by statute or by judge. So here I am sitting with a bunch of pdf files to potentially produce as evidence.
Now, they never asked me, and I never would have if they had, but it would have been trivial to alter the pdf files. Why? Well, because they're in our possession of course. Anyone with the sense god gave goats should be able to understand this. And I don't care if you're not technically inclined. An analog would be some company retaining paper documents. You don't even need computers, just whiteout and copy machine, and suddenly, John Smith never received that memo about new regulations.
If there's going to be a government mandate that documents are to be producible, then along with that mandate should come resources for public storage of those documents, which are in the public record (although not necessarily publicly viewable without a court order). AFAIK, this would be similar to marriage records, birth/death records, criminal records, inspection records, etc. If we don't want to waste the resources for that, then I guess it's not really that important is it? This way, we're not putting potential evidence in the hands of those who have the most incentive to alter that evidence.
IOW, this sort of policy is idiotic for the same reason that we don't each get to be the sole maintainer of our own criminal records.
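The objection above (the custodian can alter the PDFs because the custodian holds them) is the integrity half of evidence handling, and it has a cheaper fix than public storage of every document: lodge a hash manifest of the production with someone who is not the custodian. The following is an added example, not the law firm's system and not code from the thread: it builds a manifest, has a third party attest to it, and later detects an altered, missing or added file. The document bytes, file names and the escrow key are constructed; the HMAC stands in for whatever the third party actually uses (a signature or an RFC 3161 timestamp would serve the same purpose).

```python
# Added example (not the poster's firm's system): hash manifest plus a
# third-party attestation so later alteration of produced documents shows.
import hashlib
import hmac
import json


def build_manifest(documents: dict) -> dict:
    """documents: {name: bytes}. Returns {name: sha256 hex}, name-sorted."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(documents.items())}


def manifest_digest(manifest: dict) -> str:
    """One value to lodge outside the custodian's control: a hash over the
    canonical JSON of the manifest. Changing or dropping any entry changes it."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def attest(manifest: dict, escrow_key: bytes) -> str:
    """Tag produced by the party holding escrow_key (not the custodian), so
    the custodian cannot quietly re-issue a manifest for altered files."""
    return hmac.new(escrow_key, manifest_digest(manifest).encode(), "sha256").hexdigest()


def verify(documents: dict, manifest: dict, tag: str, escrow_key: bytes) -> dict:
    """Check the attestation first, then every document against the manifest."""
    if not hmac.compare_digest(attest(manifest, escrow_key), tag):
        return {"manifest_ok": False, "altered": [], "missing": [], "extra": []}
    current = build_manifest(documents)
    return {
        "manifest_ok": True,
        "altered": [n for n in manifest if n in current and current[n] != manifest[n]],
        "missing": [n for n in manifest if n not in current],
        "extra": [n for n in current if n not in manifest],
    }


# Constructed production set and escrow key (the key would live with the
# court, opposing counsel or an escrow agent, never with the custodian).
DOCS = {
    "memo-2005-03.pdf": b"%PDF-1.4 ... John Smith received the regulation memo ...",
    "memo-2005-04.pdf": b"%PDF-1.4 ... quarterly summary ...",
}
ESCROW_KEY = b"held-by-the-escrow-agent-not-the-custodian"


def demo() -> tuple:
    """Returns (verdict on the untouched set, verdict after whiteout)."""
    manifest = build_manifest(DOCS)
    tag = attest(manifest, ESCROW_KEY)
    tampered = dict(DOCS)
    tampered["memo-2005-03.pdf"] = b"%PDF-1.4 ... John Smith never received the memo ..."
    return (verify(DOCS, manifest, tag, ESCROW_KEY),
            verify(tampered, manifest, tag, ESCROW_KEY))


if __name__ == "__main__":
    clean, doctored = demo()
    print("clean:", clean)
    print("doctored:", doctored)
```

The scheme only covers documents from the moment the manifest is lodged; anything altered before that point hashes just as cleanly as the original. That residual gap is the part of the poster's argument that a hash does not answer, and it is why the manifest should be lodged as early as the hold is issued.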