Collaboration

Critical to e-discovery: Messaging retrieval and protection

In this third installment of a series on electronic information discovery, we look at electronic messaging challenges, risk related to improper management of messages, requirements for selecting an automated message archiving solution, and two vendor approaches to messaging discovery management.

When managers think about discovery challenges related to electronically stored information (ESI), they usually consider word processing documents, spreadsheets, and transactions stored in databases. E-mail messages and instant messaging (IM) logs are often forgotten. This is a big mistake.

Let's set IM aside for a moment and take a closer look at e-mail.

Gone are the days when managers called their secretaries into their offices to dictate memos, memos that were typed on paper and distributed via the company's internal mail system. Today, even if a manager is lucky enough to have an administrative assistant, managers communicate with peers, subordinates, and higher-ups using e-mail. Further, employees interact with each other, vendors, and other business contacts using electronic messages. The database, usually called a message store, containing this flurry of messages-hundreds of thousands per day in many organizations-is a rich source of discovery information.

Managers responsible for discovery activities must include message stores when preparing for and processing discovery requests, including legal hold notification and information protection. Failure to do so can lead to significant court imposed sanctions. The following is just one example.

"In 2006, U.S. District Judge Faith Hochberg in Newark, N.J., imposed an array of penalties on Health Net Inc. and two related carriers, stating that Health Net's "repeated and unabated discovery abuses and lack of candor leave this court no other choice...

"Hochberg found that in the face of repeated demands and court orders, Health Net continued to give assurances of compliance even though it failed to search e-mails for thousands of employees... Many e-mails were permanently lost due to e-mail retention policies that were not disclosed until after the [Rule 37 hearing]" (Gallagher, 2006).

Health Net was ordered to pay fines and fees "...that could exceed hundreds of thousands of dollars. In addition, Health Net attorneys were prohibited from using thousands of pages of documentation and barred various witnesses from testifying, all because of "mistakes" in responding to repeated requests for discovery."

The growth of employee use of IM introduces a second dimension to messaging discovery. Use of non-company managed IM creates logs, discoverable information, stored on hundreds or thousands of local hard drives. Distributed IM log data is increasingly included in discovery requests, and the cost, both in soft and hard dollars, can be very high.

Electronic message discovery challenges

Unlike standard documents and database transactions, e-mail messages are usually treated as data to be managed by the sender or receiver. This personal management of information includes deciding what to keep and how long to keep it. Many organizations take a broad, confusing, hands-off approach, including decisions not to apply enforceable email retention policies while establishing message store storage quotas. (Quotas restrict the amount of information users can keep in a message store.) These seemingly innocuous rules cause discovery nightmares.

First, employees often use e-mail mailboxes as online storage of information, including business documents as attachments. Without the existence of easily enforceable e-mail retention policies, large amounts of discoverable information might reside in mailboxes for months or years after it should have been destroyed. Information like this, long past any business need, can be discoverable.

Second, quotas force users who view e-mail as permanent storage to create locally stored data repositories, like Microsoft Outlook .PST files .PST files are archives easily accessed by users but which introduce the following business risks (Redgrave Daley Ragan & Wager LLP, 2006):

  • Increased IT storage costs and inability to identify and destroy documents no longer; needed for legal or business reasons;
  • Increased risk of data loss and file corruption;
  • Increased discovery collection and review costs; and
  • Increased risk of sanctions and penalties for failure to preserve and produce evidence.

The document, "Building an ROI Business Case for E-mail archiving," created by the law firm of Redgrave Daley Ragan and Wagner LLP, describes a set of message discovery challenges that every organization should address before receiving a comprehensive ESI discovery request that includes e-mail and IM logs. They are:

  • Locate - Finding email in it's original form, no matter where it resides (tape, network disk, or local disk)
  • Collect
  • Review - Assessment for privilege issues as well as whether the messages meet the discovery response requirements
  • Produce
  • Restore (if necessary) - Backup tape restoration is expensive and should be the discovery method of last resort

Message discovery management solutions

When looking for a message discovery management solution, there are five basic requirements.

  1. Messages must be automatically archived, regardless of user action, on centrally managed, accessible media (i.e., something other than backup tape).
  2. The solution must index message content for easy retrieval when responding to a discovery request. Messages identified as relevant to a discovery request must be protected from deletion or modification until the legal hold is released.
  3. Business rules must be defined and automatically enforced, deleting messages according to document retention policies.
  4. The solution should include IM management.
  5. There are two basic approaches to implementing message discovery management that meets these requirements: vendor hosted and locally hosted.

Vendor hosted discovery management - Postini (Google)

Figure A is a logical depiction of a common Postini implementation. Organizations using the Postini approach to messaging management gain two capabilities. The first is message scanning, preventing spam and virus infested messages from reaching the corporate email system. The second is automatic archiving of all messages.

Figure A

This solution is actually a hybrid, externally hosted and internally configured. Messages traveling from outside sources to internal mailboxes, or in the other direction, must pass through services located in the Postini datacenter. In addition to anti-malware and anti-spam filtering, the Postini servers also archive all messages. Messages sent between internal mailboxes are journaled onto an internal server, and sent to Postini for archiving. All email sent or received by employees is available for discovery, and centrally managed. Regardless of what employees do to their messages over time, the original content will be available in accordance with document retention policies.

Company (internally) hosted discovery management - Trend Micro

Although Trend Micro's Message Archiver is functionally very similar to the Postini service, it relies on locally hosted infrastructure. See Figure B.

Figure B

Message Archiver provides email malware and spam filtering when complimented with one of Trend Micro's other products or services.

The final word

Message retrieval and legal hold activities can be complex, expensive, and subject to court sanctions if an organization fails to prepare for the inevitable email and IM discovery request. For medium to large enterprises, preparation should include taking the decision for what to keep and how long to keep it out of the hands of employees with business policy driven automation. E-mail and IM are no longer just convenient information exchange technologies. They're repositories for critical, and increasingly discoverable, business information.

About Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

Editor's Picks

Free Newsletters, In your Inbox