
Response to NARA’s Capstone Email Bulletin

On June 6, 2013, the US National Archives and Records Administration published a call for comments on its draft Bulletin regarding a proposed “Capstone” approach to email retention at federal agencies.  NARA was having technical problems with its comment system when I tried to submit my comments, so based on their instructions I have submitted my comments to them directly by email, and I am also posting them here. 

You can find the request for comment and the draft Bulletin on NARA’s website.

Feedback on NARA’s Capstone Email Records Management Bulletin

As requested, I am providing comments on the “Capstone” approach to email management outlined in the June 6, 2013 draft NARA Bulletin provided above. Thank you for the opportunity to provide input on this important issue.

I am the founder and principal of an information governance consulting firm based in New York. Since 2001 I have advised many organizations and government agencies on the development and implementation of email retention strategies.

Based on my experience and research, I believe that most organizations currently fall into one of two email records management camps.

The first camp does very little. While they may impose mailbox size limitations, they provide sparse guidance to employees who are forced to delete messages to meet these quotas. Consequently, business records are likely lost – especially if no storage space is allocated for retention of records that simply happen to reside in the email system.  Others allow – or turn a blind eye to – the practice of employees exporting email messages out of the corporate email system so they can be tucked away in shared drives, thumb drives, or taken home for “safekeeping.” This practice results in an effective loss of management control over records found in the email system, and can greatly increase collection costs and increase spoliation risk in e-discovery.

The second camp “manages” email, but treats all email messages equally, regardless of their content. Some – seeking to minimize the cost and potential risk of email – automatically purge all email older than 30, 60, or 90 days. In the absence of a method to capture email messages containing record content, records are surely lost – violating laws that require retention of specified records, regardless of their form. Others – perhaps inspired by SEC Rules 17a-3 and 17a-4 and the email archiving software industry that those Rules singlehandedly created – capture a copy of all messages sent and received and keep them in a separate archive for a fixed period of time. This approach ignores the reality that such an archive will undoubtedly contain both trivial content and critical business records. From a compliance perspective, this may be just fine if you are a broker-dealer subject to these unique, email-specific Rules, but is less fine if you are, like most of the business world, subject to retention rules that do not exempt or treat email in a special way, but rather require identification and retention of business records regardless of the form they take.

There are of course other approaches to email retention, one of which is outlined in your draft Bulletin. As I understand it, Capstone is a role-based method that uses the role of the email creator/recipient as a predictor of the content of that user’s account. In the past I have advocated such an approach to clients as a pragmatic method for improving otherwise nascent email records management practices.

NARA should certainly be commended for embracing such pragmatism, and in recognizing that complex user classification systems are often impractical and lightly adopted.

However, I would like to share two additional ideas that may be helpful as NARA finalizes its guidance.

First, while a knowledge worker’s role can certainly be a predictor of an email message’s content, our research has shown us the limits of this approach. We have assessed role-based approaches at client organizations by analyzing actual email accounts sampled from a range of user roles. We have then estimated the percentage of email content that would require retention under the client’s own retention rules. Across a range of users we have found as little as 5% and as much as 95% record content. There is certainly some correlation between the percentage of record content and the role of the user, but it is not always categorical. For example, some users are mostly information processors, and thus may have an extremely high percentage of email records in their inboxes.

Consider, for example, a claims processor who receives a partially completed claims form attached to an email message, opens that form and completes it using information they possess, and then sends the completed form to an employee who represents the next link in the processing chain. This scenario is very common, even in large organizations. Assuming that these completed claim forms are records, and that they are not otherwise captured in a content management system, this user’s email account is quite important from a records management perspective.

However, a Capstone system based solely on seniority (i.e., “officials at or near the top of an agency,” as described in the Bulletin) may miss this important account and result in such records disappearing as “temporary” records. Conversely, senior officials may have a relatively low percentage of record content in their email system when they use other systems to communicate their decisions, document those decisions formally, or otherwise use other official or formal systems to complete their work.  Capture and permanent retention of their entire account then, would result in retention of largely trivial content.

These issues can in part be addressed by careful examination of the way email is used by each agency and its users, as mentioned in the Bulletin.

Second, I wonder if NARA is turning away from a content-based approach to record identification and retention too soon – in fact, just at the time in history when technology to enable semi-automated, content-based approaches is becoming widely available. Our clients are currently evaluating and implementing technology from OpenText and Recommind (there are other providers in the market as well) that marries human and machine intelligence to remove the classification burden from the user. Such systems are by no means trivial to implement and configure, but I believe that they point the way forward for email records management. The effectiveness of automated statistical methods for content classification has been demonstrated effectively in the intensely observed world of US civil litigation; a demonstration that I believe provides a foundation for its application to the records management problem.

Further, while the Capstone method would seem – as noted in your Memo – to foster compliance with the “OMB/NARA M-12-18 Managing Government Records Directive” requirement to “manage both permanent and temporary email records in an accessible electronic format,” I wonder to what extent it addresses the spirit of Section A3 of the Directive to “investigate and stimulate applied research in automated technology to reduce the burden of records management responsibilities?”

Once again, thank you for the opportunity to provide feedback on this important Bulletin, and I am confident that NARA will continue to provide leadership as federal agencies continue this critical transition.

5 Questions about Information Governance in 5 Minutes: What’s Your Favorite Information Governance Story?

Here is the fifth and final (except for a bonus video coming soon) in our five-part video series where I asked 30 Information Governance the same 5 questions. This video is the longest of the five, as I ask our interviewees to tell us their favorite story about IG –  something that illustrates what it is, why it is hard, challenges they have faced and so on. There are some great stories, so get yourself a fresh cup of coffee and a snack and enjoy.

This Message Will Self Destruct. Or Will It?

Update: Interesting article from NY Mag claiming that SnapChat is, “absolutely blowing up right now” on Wall Street because “the chances of incriminating material ending up in the hands of a boss or a compliance officer – or in a Daily Intelligencer story, for that matter – are low.”

————

This weekend I was finishing up my next opinion piece for the fine Law Technology News. My piece is about how making more and more data “easily accessible” is both essential for Big Data to fulfill its promise and also a huge risk to privacy, intellectual property, and so on. Look for that in the next issue.

Part of what inspired me to write about this was the success of Snapchat, a mobile app that lets users “chat” using photographs instead of text. Neat idea, but the twist is that the images automatically disappear after 1-10 seconds (the time is set by the sender). As  you would imagine, Snapchat has gained a reputation as a teenage sexting tool, despite some indications otherwise. I set it up to see what all the fuss was about, and cajoled my wife to install it as well. Frankly I would say that any service that automatically deletes any self-portrait I have taken after turning 40 is doing me a huge favor. Anyway, Snapchat was quickly copied by Facebook, with its Poke application, although Poke seems to be less popular than Snapchat to date.

I did some more digging around in this space, and it turns out there are a number of startups focused on so-called self-destructing messages. For example:

  • Vaporstream offers “secure recordless messaging” technology aimed at enterprise users
  • A startup involving Phil Zimmermann, crypto-hero and creator of PGP, called Silent Circle offers secure mobile voice and messaging, including “burn notices” for text messages
  • Burn Note: self-destructing email
  • Wickr: self-destructing texts, pictures, video
  • Gryphn: self-destructing text messages, with screenshot capability disabled
  • Privnote: web-based, self-destructing notes
  • Tigertext: enterprise-focused secure texting with message timers
  • Burner: temporary phone numbers for calling and texting (hat tip to Bill Potter at The Cowen Group for pointing me to the last two on this list)

The category of “disappearing email” has been around at least since the late 1990s. In that era, a company called  “Disappearing Inc.” got a lot of attention, but was not successful. A similar company called Hushmail from that era is still around, but suffered from some bad press when email that users thought had been “disappeared” was turned over in the course of a lawsuit. In any case, neither company ushered in a new era where email automagically goes away. However, given this new crop of startups, I wonder: were these 90s companies ahead of their time, poorly managed, or just a bad idea?

On the corporate side, I don’t see a large appetite for this kind of technology. I have had this conversation with clients many times, and although they love the idea in concept, they are very worried that using the technology will create the appearance of evil (just as the first thought we naturally have about Snapchat is that it must really be for sexting). Executives in particular feel that the use of the technology creates the impression of having something to hide. Perhaps if email had had this capability from the beginning, the risk would not be there. Corporate culture is conservative by nature, and no company wants to draw attention to itself in this area.

This fear is not without justification. Many general counsels are fearful of deleting any corporate email messages at all, which is why many of the world’s largest and “well-managed” companies have hundreds of terabytes of old email sticking around. Remember that in the world we live in, prosecutors sometimes chastise companies for not keeping all their messages forever because, after all, tape storage is “almost free.” There certainly is a case to be made that spoliation fears are generally overblown, given the number of times spoliation actually leads to a fine or judgement, but the fear of throwing away the wrong thing is not groundless. Getting rid of junk defensibly requires a logical, justifiable process.

Unless an organization is in a highly classified environment, I think most general counsels and their litigation partners would tremble at the thought of explaining why most of the company used “normal” email but their executives/salespeople/take your pick used “special” email that disappears. It does not pass the smell test. Selective use is problematic.

On top of that, you have users who find operational benefit from having records of their business activities in email. You also have the emerging world of Big Data, where email in aggregate potentially has big value if you get it onto Internet-scale infrastructure and point the right tool at it.

In any case, check out the full piece when it runs in the next issue of Law Technology News.

Author: Barclay T. Blair

Formal Legal Hold policies and process are not optional – even for “informal” information

“Here, a fine against [the company] serves the dual purposes of deterrence and punishment . . . Because [those responsible for spoliation] are the sole principals of [the company], a fine directed at [the company] will affect them directly.”

Passlogix, Inc. v. 2FA Tech[i]

What Happened?

A partnership between two businesses failed, and litigation ensued. As the relationship unwound, a number of email messages, text messages, Skype® messages, and log files were created that became relevant to the case. However, the defendants failed to take any formal action to ensure that this evidence was properly preserved, and in fact attempted to hide evidence that they felt was unfairly damaging. As a result, the court fined them $10,000 – a fine large enough, in the court’s judgment, to ensure that the two founders of the small company felt its sting.[ii]

What went wrong?

The defendants in this case apparently did not have a formal process to ensure that email messages and other information responsive to litigation were properly identified, preserved, and produced. This process, called a “Legal Hold,” is essential to ensure that legal obligations are met.

In addition, the defendants specifically failed to preserve email messages that they thought made them look bad – something the courts have specifically addressed, stating “[t]he duty to preserve documents is meant to prevent these sorts of ‘judgment calls’ by litigants and, instead, requires parties to preserve all documents that may reasonably lead to the discovery of relevant evidence.”[iii]

Finally, it appears as if the defendants believed that preservation obligations did not apply equally to information less formal or traditional than a paper document, and as a result did not preserve email messages, text messages, instant messages, or computer log files. The law is clear that the duty to preserve applies to all responsive information, regardless of its format.

What can we learn?

The requirement for formal Legal Hold policies and processes is well established. As the court notes, failing to issue a written legal hold notice is, on its face, gross negligence.[iv] In addition, the courts do not expect us to take our preservation obligation any less seriously just because the evidence is in a form we might think of as informal – such as email and text messages.

Other lessons we can learn from this case include:

  • Use intelligent tools. Look for tools that can help you identify and preserve responsive email messages. Does your email management solution enable you to easily find, flag, and preserve responsive messages? If not, you may fall short.
  • Get smart about Legal Holds. Ensure that Legal Hold policies are up-to-date and consistently followed, and that you routinely create and keep records of who received Legal Hold notices, their acknowledgement of receipt, and other key details of the Legal Hold process. Also, ensure that employees have the tools and education they need to comply with Legal Hold notices in your email environment.
  • Treat “informal” content the same. Treat email messages with the same formality as any other type of information when it comes to litigation. Email is always a target and as a result, must be treated with the utmost care.


[i] Passlogix, Inc. v. 2FA Tech., LLC, 2010 WL 1702216 (S.D.N.Y. Apr. 27, 2010). Note that this case addresses many other issues, including a lengthy investigation into how the genuine authorship of an anonymous email message may be ascertained – it is a fascinating read.

[ii] “The Court holds that a monetary fine of $10,000 against 2FA best suits “the facts and evidentiary posture of [this] case.” . . . 2FA is a small company founded only in 2006, and [the founders] -who the Court both finds responsible for the spoliation of evidence in this case-are 2FA’s sole principals and co-founders. Here, a fine against 2FA serves the dual purposes of deterrence and punishment . . . . a fine directed at 2FA will affect them directly. In concluding that a fine of $10,000 is the most appropriate sanction, the Court balances 2FA’s litigation conduct with its status as a small corporation.”

[iii] Passlogix, Inc. v. 2FA Tech., LLC, 2010 WL 1702216 (S.D.N.Y. Apr. 27, 2010), citing, Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, (S.D.N.Y. Jan. 15, 2010).

[iv] “Once on notice of litigation, “the failure to issue a written litigation hold constitutes gross negligence because that failure is likely to result in the destruction of relevant information.” Passlogix, Inc. v. 2FA Tech., LLC, 2010 WL 1702216 (S.D.N.Y. Apr. 27, 2010), once again citing, Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, F.Supp.2d, 2010 WL 184312, (S.D.N.Y. Jan. 15, 2010).

How well do you understand your email system? Litigation is not the time to find out.

“Had [outside counsel] fulfilled his obligation to familiarize himself with GFI’s policies earlier, the forensic searches and subsequent motions would have been unnecessary.”

In re A & M Fla. Props.[i]

1.1 What happened?

Two companies agreed to a $41 million real estate transaction. However, before the transaction closed, the sellers refinanced the properties in such a way that the buyer would have to assume the seller’s loans. Litigation ensued, with the buyer claiming this maneuver violated the terms of the deal, and the seller claiming that the buyer knew about this upcoming change all along. As such, email messages between the parties during the transaction became critical.  However, in the course of discovery, the buyer and their lawyer repeatedly failed to fully search and produce email evidence, and failed to do so in a timely manner. As such, the court fined the buyer – and its lawyers.[ii]

1.2 What went wrong?

The failure to promptly and comprehensively produce required email evidence in this case appeared to come down to a failure on the part of the buyer’s lawyer to fully understand how his client’s email system worked, i.e., where, how and for how long email messages were stored. The lawyer also appeared to have little knowledge about the contents of his client’s email policies. Although responsive messages were eventually produced, final production took over 22 months, and was ultimately the basis for the court’s sanctions. In the court’s view, “while the delays in discovery were not caused by any intentional behavior, [the buyer and their lawyer’s] did not fulfill [their] obligation to find all sources of relevant documents in a timely manner,” and thus sanctions were warranted. In this case, it appears that the delays were exacerbated by a series of issues, including:

  • Messages that employees moved to archive and deleted items folders were not initially searched, although such messages remained on the email system.
  • The sellers questioned the efficacy of the buyer’s email production efforts, as the sellers had several messages in their possession from the buyer’s employees that the buyers had not produced.
  • Even when a forensics expert was hired to conduct further investigation into responsive email, he was not told about the archive folders, and thus did not search them. Subsequent searches of the archive folders revealed thousands of additional responsive messages.

1.3 What can we learn?

The time to learn about the intricacies of your email system is not during litigation. The buyers in this case dodged a bullet of even more severe sanctions including the complete dismissal of the case. Their lack of knowledge about their own email system caused them to inadvertently flirt with outright spoliation, which would not have helped their cause in the face of a judge already tired of the frequent production delays.

We can draw an important lesson from this case. In this example, the sellers produced messages sent to them by the buyer, yet according to the court, the buyer failed to produce those same messages. This understandably raised serious questions about 1) the efficacy of the buyer’s information governance program, and 2) whether or not they were intentionally hiding these messages, as the seller claimed. This teaches us that even small failures in one area of our information governance program can cast all of our efforts in a bad light and reduce the persuasiveness of our case.

Other lessons from this case include:

  • Formalize and document. Ensure that the operation of your email system is fully and accurately documented. This includes practices related to the retention, preservation, and deletion of email from the system and related systems including those responsible for backup, archiving, and records management.
  • Work with your email experts. Ensure that email administrators provide the information that senior IT management needs to understand the email system, and that this information is understood by counsel.

 


[i] In re A & M Fla. Props. II, LLC, 2010 WL 1418861 (Bankr. S.D.N.Y. Apr. 7, 2010)

[ii] At time of original writing, the amount of the fine had not been agreed upon nor published, but it would be based upon the cost of forensic search, costs for bringing various motions, etc.

A New Blog Series on Email Management and Information Governance

Introduction

Email has been a part of our business lives for a long time – at least thirty years. While the basic functionality of email hasn’t changed much since the early 1970s, the way we use it has. From the first tentative, “terse and imperfect” messages sent by Internet pioneers like J.C.R. Licklider[i], to email messages used for effectuating real estate transactions,[ii] executing contracts,[iii] firing employees,[iv] filing documents with regulators,[v] and thousands of other business functions, email is an essential part of how we do business.

And yet, we still haven’t figured it out.

For most of us, if the email stops, the work stops. However, many of us still treat email messages as the second-class citizen of our information governance program – ignored, tossed, unmanaged.  Nowhere is this gap more obvious than in the courts. Here, our email failures become very real and very painful – laid out for the world to see in the harsh black and white of court opinions, media coverage, and the relentless and ruthless blogosphere. The courts are where our Friday afternoon meeting-room discussions and head shaking about the out-of-control email system; about how so-and-so has email messages going back to the 90s; about how we should really do something about all those email backup tapes; take on a new and painful dimension.

In the past few years there have been some blockbuster cases involving email – large enough, one hopes, to gain the attention of senior managers in every industry. These cases, such as Judge Scheindlin’s series of Zubulake decisions[vi] and her recent Pension Committee opinion,[vii] set new standards for the way we manage email and other information. Others, like Coleman Holdings v. Morgan Stanley[viii], attracted attention for their eye-popping monetary sanctions.

In the coming weeks, I am going to write about some of these cases, and what they teach us about email management and information governance.

The cases I have chosen to focus on are not important because they are exceptional. Rather, they are important because they are commonplace.

Today, looking for cases that speak to email management issues is like dipping your hand into a river. Every day you can find email management issues being considered by a court, regulator, auditor, or other “finder of fact” in jurisdictions across the globe.  The cases I’ve selected are designed to illustrate key points about email management, and to illustrate the intensity and depth to which email issues are considered by the court today. The intention of discussing these cases is not to embarrass or single out a particular institution. In fact, given the plethora of email-related challenges occurring daily before the courts, it would be difficult to make the case that any particular organization’s failings are unique. Instead, the purpose of examining these cases is to glean important lessons for all of us about email management.

Case Number 1: Producing email may be hard, but do the courts care?

“It seems to me that a ‘costs, time and effort’ argument involving email is the same as when hard copy documents are in issue.  For example, the cost, time and effort to produce hard copy documents which are disorganized or stored in various places could also be considerable.”

GRI Simulations Inc. v. Oceaneering International Inc.[ix]

What happened?

Key employees of a global engineering firm accepted employment offers from a competitor. When they left the firm, their employer alleged that they took proprietary software and other intellectual property with them, thereafter using it to help the competitor build a new product, resulting in $8 million in damages. In the ensuing litigation, email messages formed a critical part of the evidence. However, the defendants argued that they should not have to produce their own email messages because it would be too “time consuming” and “expensive.”[x] The court disagreed.

What went wrong?

When it came time to search, find, and produce email messages responsive to the litigation, the defendants found their email system lacking. Not only did the system make it “inherently difficult to conduct email searches,” but searching archived email was not possible without physically accessing each archive location across the globe. As a result, the company stated that it, “may be difficult to ensure that all archives are searched.”

Furthermore, a company lawyer testified that she couldn’t explain why email messages sent to several employees were found in the mailboxes of some employees, but not all.

As a result of all this confusion and difficulty surrounding email, the defendants argued that they should not have to produce responsive email. The judge disagreed, writing that organizations shouldn’t expect special treatment around email discovery simply because information is in email form: “it does not appear to me that searching email archives . . . is inherently more onerous or expensive than conducting manual searches for hard copies of documents.  In fact, it could be easier.”[xi] That is, if the email is well-managed, which the court apparently believed was not the case here.

What can we learn?

Judging by surveys like AIIM International’s email management “Industry Watch,” which found that a majority of respondents have little confidence in their email program,[xii] most organizations have a long way to go when it comes to email management. Although the business cost of email mismanagement may be hidden, or accrue slowly, email management flaws quickly take center stage in litigation.

There are several lessons to be learned from this case, including:

  • Local email archives. Don’t allow employees to create local archives of email (AIIM’s survey found that almost half of organizations have no policy on this topic). Turn off the ability to create .pst and .nsf files, and look for smart technology like content analytics to help you clean up the ones that you already have.
  • Don’t expect mercy for bad email management. Don’t expect the court to take mercy on you because you have been doing a poor job of managing your information. Email has been around for over three decades. That’s a long time to get it figured out. Courts and regulators in all jurisdictions are demonstrating diminishing patience with organizations that do not take email management seriously.
  • Is your email system e-discovery-ready? Is your approach to email management and archiving e-discovery ready? In other words, could you easily and quickly conduct searches across the entire system for all email messages generated by specific employees, or containing specific keywords? The AIIM survey found that 45% of organizations allow employees to keep email in personal folders  –  “unshared, possibly un-findable and at considerable risk of random deletion.”[xiii] Remember, you may need to be able to do this for all email, even the stuff hanging around in decommissioned email systems, file servers, backup systems, and so on.


[i] “One could write tersely and type imperfectly, even to an older person in a superior position . . . and the recipient took no offense. The formality and perfection that most people expect in a typed letter did not become associated with network messages [e-mail], probably because the network was so much faster, so much more like the telephone.” J.C.R. Licklider, Albert Vezza, Applications of Information Networks, Proc of the IEEE, 66(11), Nov 1978.

[ii] For example, in the case of Shattuck v. Klotzbach, 2001 WL 1839720 (Mass. Super., Dec. 11, 2001), where a $2 million real estate sale was negotiated via email. The seller sued the buyer to enforce the contract, and the court found that the email messages satisfied the legal requirement for “a writing” and the typed names at the bottom of the email messages constituted a signature.

[iii] See, for example, Stevens v Publicis S.A., 2008 NY Slip Op 02880 [50 AD3d 253], where a New York appellate court ruled that “emails were signed writings that modify contract.” Coverage at, Kelly O’Connell, “U.S. Court Decides Email Equal a Signature for Contracts,” IBLS, May 2, 2101. Online at, http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2032 See also, Stevens v. Publicis, S.A. and JSO Assocs. Inc. v. Price.

[iv] See, for example, “Radio Shack Lays off Employees Via E-Mail,” Associated Press, March 2, 2007. Online at, http://www.usatoday.com/tech/news/2006-08-30-radioshack-email-layoffs_x.htm

[v] See, for example, the process for submitting files to Australia’s energy regulator: http://www.orer.gov.au/forms/agent-stat-decs.html

[vi] The most recent of the five decisions being, Zubulake v. UBS Warburg, 2004 WL 1620866 (S.D.N.Y. July 20, 2004).

[vii] Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, (S.D.N.Y. Jan. 15, 2010).

[viii] Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co. Inc., 2005 Extra LEXIS 94 (Fla. Cir. Ct. Mar. 23, 2005).

[ix] GRI Simulations Inc. v. Oceaneering International Inc., 2010 NLTD 85 (CanLII).

[x] Ibid.

[xi] Ibid.

[xii] “Over half of respondents are ‘not confident’ or only ‘slightly confident’ that emails related to document commitments and obligations made by staff are recorded, complete, and retrievable.” “AIIM Industry Watch-Email Management: The Good, the Bad and the Ugly,” AIIM International, May 2, 2009. Online at, http://www.aiim.org/Research/Email-Management.aspx

[xiii] “AIIM Industry Watch-Email Management: The Good, the Bad and the Ugly,” AIIM International, May 2, 2009. Online at, http://www.aiim.org/Research/Email-Management.aspx