Software

Lock IT Down: Manage e-mail risks so you are protected legally

Determine whether your companys e-mail would be covered in a legal emergency


By Suzanne Ross

Picture this: It's 11 P.M. in the bowels of a major law firm. A group of freshly qualified, twenty-something lawyers have been sitting at their PCs for hours, trawling through e-mail messages. Some of these messages could be your e-mails—your personal e-mails. There are messages to mothers and lovers, e-mails slamming the boss and the company, e-mails sending off resumes, a few "angel miracle" chain e-mails promising eternal good luck, a couple of dancing baby MPEGs, and quite a bit of X-rated stuff. Some of these messages were written years ago. Most of them have probably been forgotten about, or thought deleted. The young lawyers are getting a good giggle out of some, and are mildly shocked by others.

But that's an invasion of privacy, you scream! Actually, no, it's all perfectly legal and it's happening in law firms everywhere. It's part of the legal process known as "discovery,” the process whereby parties involved in a legal dispute are compelled to compile and exchange lists of documents which are considered relevant to a dispute and which they intend to rely on in court. And the meaning of the word "document" in this context is very broad. It includes not only paper documents but also all forms of electronic documents, including e-mail messages.

If you work for a company that happens to find itself an unfortunate party to litigation proceedings, there's a good chance your seemingly confidential documents, including e-mails, will be pored over by teams of lawyers—and not just your lawyers, but the lawyers for the other parties as well. You need to know what to expect if this happens in order to avoid major embarrassment and heavy expenses.

What can an IT manager expect in a legal dispute?
When a legal dispute hits your company, your company's lawyers will immediately seek information via a detailed questionnaire or interview about the hardware and software in use, backup cycles, media used, retention of media, handling of user accounts, ghosting of PCs, and archiving. You could also be asked to produce any documentation detailing the company's corporate policies relating to document retention and archiving. These documents can later be used to verify that the routine you have in place actually matches corporate policy. And it is not uncommon for IT managers to have to take the stand in court regarding their document management procedures.

Lawyers use this information to determine the probable volume and type of electronic files they will be dealing with. It also enables their technology support group to ensure that sufficient server space, software, PCs, and other resources are available for the lawyers to carry out the review in the timeframe set by the court.

Next, you will be asked to provide all electronic data for a specified period, probably going back several years, depending on the nature of the dispute. Data requested can also include information contained on backup media. What happens next depends on the resources available. Often, because companies have limited IT resources, and management isn't familiar with the process for determining what is and what is not relevant in the discovery process, electronic material is sent directly to the lawyers to sort out. Specialist technology groups within the law firms generally set up the systems required to review these files. These IT folk have expertise across a wide range of technologies, enabling them to determine the best way to restore and dissect the information for review.

The lawyers will then determine what is considered "discoverable" and what is considered "privileged." It is during this process that the young guns will be trawling through hundreds of files, many of them personal and irrelevant, looking for discoverable information.

The legal implications
The prospect of a company being involved in litigation has serious implications for both management and employees alike. E-mail is the equivalent of the smoking gun for lawyers, often yielding the message that can win or lose a case. What's more, it's very entertaining in court.

The high-profile, but exceptionally dreary, Microsoft antitrust case didn't hit the radar for many people until Bill Gates' e-mails, previously thought discarded, were resurrected and read in court. It's ironic that Bill Gates, head of the largest technology corporation in the world, becomes one of the first victims of electronic discovery. And Microsoft isn't the only corporate giant to fall foul through discovery. Another notable case is the Arthur Andersen/Enron case, where an Andersen technology employee told the jury that although he sent a "strongly worded e-mail instructing others to cleanse their electronic files," the intent was not to have employees destroy specific papers or keep them from investigators. Needless to say, the jury didn't agree.

To avoid your company's dirty laundry being aired in court, as a starting point, you need to consider a few salient points:
  1. Employees should be made aware that any document or e-mail message created during the course of employment could one day be retrieved and used as evidence in court.
  2. The content of e-mail messages requires particular care, as this form of communication is generally quite casual, written in a conversational, informal style, and largely without the controls associated with letters and memoranda. Cases have already been heard in the courts where e-mails containing inside jokes and personal opinions have been used to the detriment and embarrassment of the litigants.
  3. The definition of electronic documents is very broad. It includes files stored on network drives, hard drives, laptops, diskettes, CDs/DVDs, and backup tapes.
  4. Electronic communications, even when deleted, are easily retrieved. Many firms use forensic services to restore information, and old files can also be retrieved from snapshot backups taken at the end of the month or the end of the financial year for permanent retention.

IT managers need to be aware of the increasing business risks associated with the management and storage of information. Be proactive. Get together with senior management and those with a vested interest in or knowledge of records management to develop a legal, workable policy. In an increasingly litigious environment, a poor information management policy could prove expensive and embarrassing—not to mention fatal—in the event of a dispute. Take a look at some of the new software solutions too. Vendors are now entering this market with products such as Enterprise Vault Discovery Accelerator, which is designed to remove some of the pain from the discovery process.

Realistically, though, policies alone are not enough. Increasing awareness through educational programs may well provide the key to changing user behavior. Programs should explore cases where poor e-mail practice has exposed a company (or an individual). The programs should also provide an understanding of how e-mail systems work: where messages are stored, how backups work, and how "deleted" doesn't actually mean "deleted.” With a little more insight, users might just take a little more care.

Editor's Picks