Archiving and storing e-mails – The legal and practical issues

computer law & security report 24 (2008) 176–180

available at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Regulation of email

Archiving and storing e-mails – The legal and practical issues Stephen Mason St Paul’s Chambers, UK

abstract This article will outline the problems faced by one company in relation to the destruction of e-mail communications in a recent case in the United States, and then set out some of the legal and practical issues that lawyers and their clients should consider if they have reached the conclusion that they ought to buy one of the products that began to appear on the market from 2000 that help with the storage of e-mails in particular, although the issue is wider than just e-mail communications. ª 2007 Stephen Mason. Published by Elsevier Ltd. All rights reserved.

The disclosure or discovery phase of litigation in modern times tends to concentrate on the abundance of evidence available by way of e-mail communications, and there have been a number of high profile cases in the United States of America in particular that have illustrated the problems a party can face if it transpires that e-mail communications have been deleted or entire archives of back-up tapes have been destroyed or overwritten. For years, the author has been advising organizations that deleting or overwriting email back-up tapes is one of the most foolish activities that can be carried out with e-mails, yet such advice is regularly ignored at best, or the legal reasons are challenged as being an incorrect statement of the law1: that is, until the company secretary or legal director is called before a judge to explain why they failed to preserve e-mails within the organization. The usual response by senior management to this issue is to assume that the IT department are responsible for retaining e-mail communications. However, the IT department have no such responsibility. The IT department are, at best only the custodians of the records created by the organization: in a commercial organization, it is the company secretary who 1

carries the legal responsibility for the preservation of business records, yet few company secretaries understand this duty.

1.

Why e-mails must be preserved

People in senior positions and at board level regularly fail to appreciate that an e-mail (for e-mail, include Instant Message) can fall into one or more categories, each of which will have to be retained for the length of time determined by law: (a) An e-mail discussing official business between employees internally is an internal memorandum. (b) A similar e-mail sent out to a third party relating to official business is an external communication, and should be treated as official stationery, by being sent with the same corporate information required by law that is contained on the stationery.2 (c) An extension of a telephone conversation, confirming something, for instance, is a note to be added to a file, whether it is sent to people within the organization or to

E-mail, networks and the Internet: a concise guide to compliance with the law (xpl publications, 6th edn, 2006). The Companies (Registrar, Languages and Trading Disclosures) Regulations 2006 Statutory Instrument 2006 No. 3429. 0267-3649/$ – see front matter ª 2007 Stephen Mason. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2007.09.004 2

computer law & security report 24 (2008) 176–180

external addressees, or a mix of internal and external addressees. (d) A note to a friend to say you enjoyed the party last night is an item of private correspondence using the organization’s resources. The use of e-mail for this purpose may or may not be authorized by the organization. The types of document that have to be retained, and how long they need to be retained for, will partly depend on the nature of the business conducted by the organization. Some documents created during the course of a business are common to all organizations, whether public or private, and provisions are made in the relevant legislation for the retention of such documents. Further, public finance initiatives often have contracts that require the organization to retain all documents for the length of the contract (sometimes 30 years) plus seven years after the contract expires. In essence, document retention periods are set against different criteria: retention periods prescribed by law, rules issued by regulatory bodies and industry best practice.

2.

The failure to preserve e-mails

The case of In re Intel Corporation Microprocessor Antitrust Litigation3 is a classic example of the failure of an organization to have a proper policy in place dealing with the retention of e-mail communications. In the antitrust litigation between Intel Corporation (Intel) and Advanced Micro Devices, Inc (AMD), it transpired that Intel was not in a position to provide copies of e-mails during the discovery phase of the litigation, because large volumes of e-mails had not been preserved. A status conference took place on 5 March 2007, and in preparation for the hearing, Richard L. Horwitz sent a letter on behalf of Intel to U.S. District Court Judge Joseph Farnan Jr, explaining the issues faced by the company.4 In his order dated 5 March 2007, U.S. District Court Frederick L. Cottrell, III set out the problem in broad terms5: Since the last status conference, there have been troubling developments in this case. Through what appears to be a combination of gross communication failures, an ill conceived plan of document retention and lackluster oversight by outside counsel, Intel has apparently allowed evidence to be destroyed. Though all the facts are not in, potentially massive amounts of email correspondence generated and received by Intel executives and employees since the filing of the lawsuit may be irretrievably lost, as may other relevant electronic documents. The damage does not appear confined to low-level or marginally important witnesses; to the contrary, Intel executives at the highest level failed to receive or to heed instructions essential for the preservation of their records, and Intel and its counsel failed to institute and police a reliable backup system as a failsafe against human error. 3

There are a substantial number of references to this case, and the reader is advised to consult a legal database, such as Westlaw, should they wish to follow this case more fully. 4 Case 1:05-cv-00441-JJF Document 293 Filed 03/05/2007. 5 MDL Docket No. 05-1717-JJF, Civil Action No. 05-441-JJF, US District Court (Delaware), pp. 1–2.

177

Intel has not yet fully assessed the magnitude of its problem, but what it has disclosed thus far demonstrates systemic evidence preservation breaches of troubling breadth and depth. Under the best of circumstances, Intel is a company that shuns creating a record of what goes on within its walls. When not under a litigation cloud, Intel automatically purges all e-mail sent or received by its employees every thirty-five days (or in the case of senior executives, every forty-five to sixty days). What backups are made are immediately overwritten the very next cycle. Disturbingly, even after it was sued, Intel allowed this periodic destruction of its records to continue. In a half-hearted attempt at preservation, Intel instead imposed an ‘‘honor system’’ on selected employees, who were asked voluntarily to identify and move relevant materials to off-network storage on their personal computers. Intel also was supposed to create and retain weekly backups to deal with the inevitable lapses that infect a userdriven preservation system. The learned judge then recited the problems that were uncovered at pages 2–3: Everything that could have gone wrong did go wrong. As discussed in greater detail in the balance of this memorandum, until two weeks ago, Intel failed to deliver any retention instructions to more than one-third of its 1,027 ‘‘custodians,’’ who by definition are employees possessing ‘‘appreciable quantities’’ of ‘‘nonduplicative’’ evidence. The two-thirds who were placed on retention received faulty instructions that failed to admonish them, among other things, to save ‘‘Sent’’ e-mail. Other instructions were not clearly conveyed and compliance only cavalierly monitored, with the result that over half of custodians preserved incorrectly, including some of Intel’s highest ranking executives who mistakenly thought ‘‘IT’’ would discharge their preservation obligations for them. Intel’s thirty-five day e-mail ‘‘grim reaper’’ has relegated to the electronic dust bin the messages and attachments that custodians failed to segregate and move off-line, and for as many of half of Intel’s custodians, the back-up systems that were supposed to prevent against this type of loss were never even turned on. In summary, Intel failed in the following ways, as set out by the learned judge on page 5: Intel chose to adopt and rely on a highly-risky system of document preservation. Although it has provided ever-changing descriptions of both its ‘‘normal’’ practices and its retention system, from that AMD can tell, Intel’s preservation strategy:  Allowed the continued, automatic purge on a 35-day (or longer) schedule of all e-mail communications to, from and within the company;  Relied exclusively on a move-it-or-lose-it ‘‘honor system’’ that required individual custodians to correctly identify, segregate and proactively move relevant evidence to media on their local computers before that data was destroyed by a network purge;  Backstopped this ‘‘honor system’’ beginning in October 2005 with a weekly back-up of e-mail that required Intel’s IT personnel to identify and correctly migrate custodians’ data to dedicated e-mail servers subject to the backup.

178

computer law & security report 24 (2008) 176–180

As noted above, this ‘‘honor system’’ was defeated by a combination of apparently erroneous, unclear or incomplete ‘‘litigation hold’’ instructions, lack of adequate monitoring to ensure those instructions were understood and followed, and a wholesale failure timely to deliver any preservation instructions to a third of the employee-custodians Intel itself identified. As a result of this hearing, AMD made an application, at page 8, that was accepted by the learned judge: AMD therefore proposes that Intel be required with all deliberate speed, but no later than March 21, 2007, to provide the Special Master and the parties with a complete accounting of its preservation problems, a custodian-by-custodian tally of issues and identification of data that appears to have been lost, and an inventory of backup tapes that exist and can be successfully restored. With the participation of AMD and the Class Plaintiffs, the Special Master should be authorized to investigate Intel’s culpability and to fashion an appropriate action plan and remediation order. This process should include Intel proposing or the Special Master imposing changes to Intel’s preservation methods that will prevent further loss of evidence. In addition, the Court should schedule a further status conference six to eight weeks from now to consider the Special Master’s recommendations or, at minimum, to be briefed on status. A status conference was subsequently held on 7 March 2007 before The Honourable Vincent J. Poppiti,6 in which the practical issues were discussed about how the discovery exercise has to continue. It was also agreed to appoint a neutral third party to be retained by the court to help the court determine the resolution of any future disputes of a technical nature between the parties. In addition, Intel indicated, both in the letter sent by Richard L. Horwitz before the hearing and during the course of the hearing, that it intended to buy an e-mail archiving system from a vendor with the intention of preventing the loss of e-mail correspondence in the future. The remaining part of this article considers some of the legal and practical issues that a lawyer should be aware of when offering advice to a client in deciding to buy such a solution. It will not escape the notice of the reader that the issues set out below will apply to a law firm that also decides to buy a similar system for their own use.

3. The integrity of e-mails and insurance cover It is widely appreciated that the content of e-mails can be edited, partly deleted, and the names of the people to whom it was addressed and sent to, removed when they are sent on in the form of a ‘forward’ or when replying. In this respect, the original e-mail, unless retained, is being altered. However, providing the original e-mail is retained, then the edited version does not affect the integrity of the original. However, the author has had cause to advise on issues in connection 6 MDL Docket No. 05-1717-JJF, Civil Action Nos. 05-441-JJF and 05-485-JJF, transcript of conference by Gail Inghram Verbano, shorthand reporter, www.corbettreporting.com.

with the filing of e-mails on electronic document management systems. Some organizations require all relevant email correspondence in relation to a particular job or client matter to be manually copied into a document management system. However, where an e-mail does not contain a suitable file reference in the subject field, for example, it is invariably the practice of employees to amend the subject field to include such a reference before the e-mail is placed into the document management system. If this occurs, the e-mail has been altered, and in many instances, the original e-mail as received might be deleted from the e-mail system. Naturally, the content of the e-mail can also be altered by the employee before adding it to the document management system. It should be noted that, from the perspective of professional indemnity cover as well as any other relevant insurance cover, it is important to ensure that if an e-mail is copied into a document management system, that the e-mail (or any other form of electronic document for that matter) is the original, and it is stored in such a manner that it can be demonstrated that it has not been tampered with. Should it be possible to alter any electronic document before it is added to the document management system, and should it also be possible to alter any document once it is placed in the document management system, doubt could be cast upon the integrity of the documents held in the system, which means the integrity of such documents may be open to challenge in legal proceedings, and any insurance cover may be invalid.

4.

E-mail ‘solutions’

The solutions on the market differ in the way they are designed. The design of the software affects the way e-mails are stored. In addition, some products have audit or management trails. Whilst some products provide for pure storage, others have been designed to enable the organization to comply with legal and regulatory requirements. In addition, some products are now very clever and have the potential to be very useful to the better running of the business. For instance, some products do not distinguish between different types of digital object, so an e-mail, for instance, does not need to be treated in a different way to any other document in digital form. Dedicated e-mail archiving or storage is rapidly being overtaken by more complex methods of storing and archiving digital documents, whatever form the document takes. In addition, some of the search engines used to find documents are very effective, and are capable of enabling the user to obtain significant benefits in searching for and locating relevant documents. For instance, search engines can now conduct highly selective searches, and can then find links in the chain of related documents in digital format, regardless of the native format of the document. Hence a user can search for a particular e-mail, then continue the search to find every other document in electronic format that directly relates to the subject matter of the e-mail, whether a letter, report, image or instant message. Invariably, any given solution will not be suitable for every organization, and many organizations will have such complex requirements, that additional analysis will be required for more complex infrastructures.

computer law & security report 24 (2008) 176–180

4.1.

The journalling facility

One point should be made in relation to the facility provided by Microsoft for journalling in Exchange. When an e-mail is sent or received, a copy goes direct to the journal mailbox. However, there are a number of issues that illustrate how vulnerable this facility can be. Some are IT management concerns, whilst others have legal ramifications.

4.1.1.

Managing the problem

It tends to be impractical to leave all the e-mail messages in the journal mailbox for the following reasons: (a) The Microsoft Exchange server message store may continue to increase in size over time, which can cause the server to get progressively slower if it keeps each message store as a flat file. As a corollary to the increase in data, the time taken to backup the server will also increase. The cumulative effect of progressively increasing volumes of data will, in turn, affect the time it takes the IT department to restore a system from a back-up tape. (b) The sheer volume of e-mails stored in the journal makes a search more difficult, especially because none of the emails are indexed. (c) Large numbers of e-mails may be in the journal mailbox that should be stored elsewhere, such as e-mails that have to be retained for long periods, as set out in the document retention and disposal policy. In addition, it may not be appropriate to have every e-mail stored in the journalling mailbox, as it is difficult to search, too big and lacks the basic auditing requirements set out below.

4.1.2.

The legal perspective

A significant weakness with some versions of the journalling facility is the ability of an administrator to switch the facility off or delete the entire database. Further issues include the following: (a) The time and date stamp facility is not protected to prevent the time and date from being altered. (b) E-mails can be viewed in clear text without leaving an evidential trail. (c) A copy of the entire journal can be taken without leaving an audit or management trail. As a result of these weaknesses, it is possible for a person to log into the journal mailbox, extract e-mails, alter their content and then save them back to the mailbox without their actions being preserved in an inviolable audit trail. Where the Microsoft Exchange server logs this activity, the person could then go to the server and delete the entire log file, thus removing any evidence of the action.

5. Points to consider when deciding about buying a software product If a technical solution is to provide for a degree of certainty in ensuring e-mail correspondence is retained in such a way as

179

to prevent employees from deleting correspondence, it is necessary to consider some of the points set out below. Although these features are directed towards e-mail, nevertheless the same principles apply to any other form of communication held in digital format: (a) Prevent employees from meddling with data or logs either entirely or at least in a way that can be detected once they have been stored. (b) Prevent the administrator from having access to communications without an audit or management trail of their actions being immediately apparent on an inspection of the system (this protects the administrator and the organization). (c) As a corollary to the two previous points, it would be useful if a record is made in the audit or management trail every time a communication is recovered and opened during an investigation, which in turn provides details of each person who undertakes this activity; this requires the logs to be able to record metadata about who has obtained access to the data. Such a function can help to demonstrate the organization is abiding by the provisions of the Data Protection Act 1998. (d) Archive each relevant communication securely in real time (or as near to real time as possible), including all forms of metadata, not just selected forms of metadata. If e-mails are not archived in real time, but every hour, say, then an astute employee can delete an e-mail in the knowledge that the deleted e-mail will not be archived. If only one form of metadata is retained, the evidential value of the e-mail will be very light. (e) Ideally, do not archive every communication received for the same length of time, because many e-mails and instant messages may not need storing (such as private e-mails or those that contain comments that do not need to be retained for a business reason). (f) Create a policy that applies at the organizational level that prevents individuals making independent decisions about the retention and disposal of e-mails in their mail account, if on the organizations’ system, or in their personal computer, if they are permitted to use their home computer. Ideally, people at the highest and most suitable levels within the organization should set the appropriate retention dates. Policies are required to set out how long the communication will be stored for; where it will be stored (on-line or off-line); how many copies will be retained, on what type of media, and with what attendant levels of confidentiality protection (such as encryption). Whenever the organization decides to change a policy affecting the life cycles of a category of networked communication, it is important to ensure an audit or management trail is created to document the change. (g) Search quickly and effectively for data to comply with requests and duties under the Data Protection Act 1998 and Freedom of Information Act 2000. (h) The encryption of all e-mails that are archived, which can help the organization comply with the requirements of Principle 7 of the Data Protection Act 1998, and the detection of administrators viewing the content of networked communications by virtue of their use of decryption capabilities. It should also be noted that encryption is not

180

computer law & security report 24 (2008) 176–180

a safeguard against destruction. Logs of all administrative manipulation of the archives should be produced and retained, preferably in a format that cannot be altered. Further points to consider when buying a solution include the following: (a) Where encryption is used in a product, it is necessary to establish: which algorithm is used in the product, whether a royalty is to be paid for its use, whether it has been cracked (and if so, what computational effort was required to crack it); how the keys are computed; whether the vendor uses a single key for every customer, or creates a unique key for each product sold; what the vendor’s key management policy is for any keys that have been assigned by them for the use of the buyer, and what security arrangements are in place to provide for the security of those keys. (b) Verify whether the product is a stand-alone product that only needs servicing by the client’s own personnel, or whether the product requires constant monitoring by the vendor. If the product requires constant monitoring by the vendor, it is necessary to determine whether the vendor’s employees need to monitor the product remotely (which is linked to data protection and confidentiality issues), or whether the vendor requires to visit the client’s premises to undertake the work. (c) Where a product must be monitored by the vendor, consider establishing: the country in which the employees are located; what level of access the vendor’s employees will have to the client’s system (for instance, the ability to see the log files; or to read communications; or to obtain access to the entire system as root authority); what written guarantees are offered, if any, and if necessary, copies of relevant documents to demonstrate the vendor’s employees have been positively vetted and they are in turn monitored at all times; also, consider whether it is necessary to require the vendor to provide a warranty that such checks have been carried out; consider requesting the vendor to obtain and maintain sufficient insurance in place to cover any losses the client may suffer either because, as a result of the vendor’s actions, the client’s system collapses, or personal data is exposed, contrary to the client’s obligations under the Data Protection Act 1998.

6.

Proving a negative

Finally, a word of warning: beware vendors that assert that they can prove your client did not receive a particular e-mail or instant message. No matter how good the product on offer, problems will always occur to your client’s communications system, even if the product works perfectly and never fails. All systems stop working for a number of reasons, even if the rate of malfunction is very low. As a result, the client

will inevitably loose traffic. In such circumstances, there is no categorical assurance that anybody can make that it can be proven that they did not receive a particular communication. In a legal context, any assertion that is made about the degree of certainty that every communication has been received, will quickly meet with some simple cross-examination that will rapidly establish that such an assertion cannot be correct. The issue is not really about proving a negative, but a question of establishing working protocols around when to take action in relation to e-mail correspondence. For instance, if a series of e-mails are exchanged between two parties with a view to entering a contract, and one vital e-mail has not been received by one of the parties, it will rapidly become apparent to the other party, who can then establish, by other means, what has gone wrong. To rely on proving a negative, that the organization did not receive an e-mail or instant message, demonstrates a lack of awareness about the risks inherent in the infrastructure. A number of scenarios demonstrate the difficulties, as illustrated below (the suggestions are not meant to be exhaustive). (a) Where the communication was received, the recipient may chose to do nothing, not even reply, or the recipient may delete it, with or without reading it or taking any action; alternatively, the recipient may not see it for a prolonged period of time because they are away; further, the message may have gone into a spam filter, and was ignored, or the message may go into a spam filter and be deleted. (b) A communication may not be received for a number of reasons, such as the system was not working, or the system was working, but the product failed; it might be that the Internet service provider stopped sending communications because of a failure, or simply that the communication was lost as it was transferred across the Internet. Even if a party can prove they did not receive an e-mail (which in itself may be a difficult task), if the correspondence in question is relevant to a dispute, then the surrounding evidence of previous correspondence, telephone conversations and a range of other evidence will probably act to resolve most problems that occur. There will be occasions that it will be useful to find an important missing e-mail, especially if it was deleted accidentally, or deleted because it was not thought to be of any value at the time it was discarded. Intel have discovered that the expense of recovering e-mails that were not saved or deleted, for whatever reason, can be considerable when legal action is under way – that is why they have, in all probability, decided to consider buying a product that may act to resolve this issue in the future. Stephen Mason ([email protected]) Report Correspondent, Barrister.