On June 6, 2013, the US National Archives and Records Administration published a call for comments on its draft Bulletin regarding a proposed “Capstone” approach to email retention at federal agencies. NARA was having technical problems with its comment system when I tried to submit my comments, so based on their instructions I have submitted my comments to them directly by email, and I am also posting them here.
You can find the request for comment and the draft Bulletin on NARA’s website.
Feedback on NARA’s Capstone Email Records Management Bulletin
As requested, I am providing comments on the “Capstone” approach to email management outlined in the June 6, 2013 draft NARA Bulletin provided above. Thank you for the opportunity to provide input on this important issue.
I am the founder and principal of an information governance consulting firm based in New York. Since 2001 I have advised many organizations and government agencies on the development and implementation of email retention strategies.
Based on my experience and research, I believe that most organizations currently fall into one of two email records management camps.
The first camp does very little. While they may impose mailbox size limitations, they provide sparse guidance to employees who are forced to delete messages to meet these quotas. Consequently, business records are likely lost – especially if no storage space is allocated for retention of records that simply happen to reside in the email system. Others allow – or turn a blind eye to – the practice of employees exporting email messages out of the corporate email system so they can be tucked away in shared drives, thumb drives, or taken home for “safekeeping.” This practice results in an effective loss of management control over records found in the email system, and can greatly increase collection costs and increase spoliation risk in e-discovery.
The second camp “manages” email, but treats all email messages equally, regardless of their content. Some – seeking to minimize the cost and potential risk of email – automatically purge all email older than 30, 60, or 90 days. In the absence of a method to capture email messages containing record content, records are surely lost – violating laws that require retention of specified records, regardless of their form. Others – perhaps inspired by SEC Rules 17a-3 and 17a-4 and the email archiving software industry that those Rules singlehandedly created – capture a copy of all messages sent and received and keep them in a separate archive for a fixed period of time. This approach ignores the reality that such an archive will undoubtedly contain both trivial content and critical business records. From a compliance perspective, this may be just fine if you are a broker-dealer subject to these unique, email-specific Rules, but is less fine if you are, like most of the business world, subject to retention rules that do not exempt or treat email in a special way, but rather require identification and retention of business records regardless of the form they take.
There are of course other approaches to email retention, one of which is outlined in your draft Bulletin. As I understand it, Capstone is a role-based method that uses the role of the email creator/recipient as a predictor of the content of that user’s account. In the past I have advocated such an approach to clients as a pragmatic method for improving otherwise nascent email records management practices.
NARA should certainly be commended for embracing such pragmatism, and in recognizing that complex user classification systems are often impractical and lightly adopted.
However, I would like to share two additional ideas that may be helpful as NARA finalizes its guidance.
First, while a knowledge worker’s role can certainly be a predictor of an email message’s content, our research has shown us the limits of this approach. We have assessed role-based approaches at client organizations by analyzing actual email accounts sampled from a range of user roles. We have then estimated the percentage of email content that would require retention under the client’s own retention rules. Across a range of users we have found as little as 5% and as much as 95% record content. There is certainly some correlation between the percentage of record content and the role of the user, but it is not always categorical. For example, some users are mostly information processors, and thus may have an extremely high percentage of email records in their inboxes.
Consider, for example, a claims processor who receives a partially completed claims form attached to an email message, opens that form and completes it using information they possess, and then sends the completed form to an employee who represents the next link in the processing chain. This scenario is very common, even in large organizations. Assuming that these completed claim forms are records, and that they are not otherwise captured in a content management system, this user’s email account is quite important from a records management perspective.
However, a Capstone system based solely on seniority (i.e., “officials at or near the top of an agency,” as described in the Bulletin) may miss this important account and result in such records disappearing as “temporary” records. Conversely, senior officials may have a relatively low percentage of record content in their email system when they use other systems to communicate their decisions, document those decisions formally, or otherwise use other official or formal systems to complete their work. Capture and permanent retention of their entire account then, would result in retention of largely trivial content.
These issues can in part be addressed by careful examination of the way email is used by each agency and its users, as mentioned in the Bulletin.
Second, I wonder if NARA is turning away from a content-based approach to record identification and retention too soon – in fact, just at the time in history when technology to enable semi-automated, content-based approaches is becoming widely available. Our clients are currently evaluating and implementing technology from OpenText and Recommind (there are other providers in the market as well) that marries human and machine intelligence to remove the classification burden from the user. Such systems are by no means trivial to implement and configure, but I believe that they point the way forward for email records management. The effectiveness of automated statistical methods for content classification has been demonstrated effectively in the intensely observed world of US civil litigation; a demonstration that I believe provides a foundation for its application to the records management problem.
Further, while the Capstone method would seem – as noted in your Memo – to foster compliance with the “OMB/NARA M-12-18 Managing Government Records Directive” requirement to “manage both permanent and temporary email records in an accessible electronic format,” I wonder to what extent it addresses the spirit of Section A3 of the Directive to “investigate and stimulate applied research in automated technology to reduce the burden of records management responsibilities?”
Once again, thank you for the opportunity to provide feedback on this important Bulletin, and I am confident that NARA will continue to provide leadership as federal agencies continue this critical transition.
Here is the fifth and final (except for a bonus video coming soon) in our five-part video series where I asked 30 Information Governance the same 5 questions. This video is the longest of the five, as I ask our interviewees to tell us their favorite story about IG – something that illustrates what it is, why it is hard, challenges they have faced and so on. There are some great stories, so get yourself a fresh cup of coffee and a snack and enjoy.
Update: Interesting article from NY Mag claiming that SnapChat is, “absolutely blowing up right now” on Wall Street because “the chances of incriminating material ending up in the hands of a boss or a compliance officer – or in a Daily Intelligencer story, for that matter – are low.”
This weekend I was finishing up my next opinion piece for the fine Law Technology News. My piece is about how making more and more data “easily accessible” is both essential for Big Data to fulfill its promise and also a huge risk to privacy, intellectual property, and so on. Look for that in the next issue.
Part of what inspired me to write about this was the success of Snapchat, a mobile app that lets users “chat” using photographs instead of text. Neat idea, but the twist is that the images automatically disappear after 1-10 seconds (the time is set by the sender). As you would imagine, Snapchat has gained a reputation as a teenage sexting tool, despite some indications otherwise. I set it up to see what all the fuss was about, and cajoled my wife to install it as well. Frankly I would say that any service that automatically deletes any self-portrait I have taken after turning 40 is doing me a huge favor. Anyway, Snapchat was quickly copied by Facebook, with its Poke application, although Poke seems to be less popular than Snapchat to date.
I did some more digging around in this space, and it turns out there are a number of startups focused on so-called self-destructing messages. For example:
- Vaporstream offers “secure recordless messaging” technology aimed at enterprise users
- A startup involving Phil Zimmermann, crypto-hero and creator of PGP, called Silent Circle offers secure mobile voice and messaging, including “burn notices” for text messages
- Burn Note: self-destructing email
- Wickr: self-destructing texts, pictures, video
- Gryphn: self-destructing text messages, with screenshot capability disabled
- Privnote: web-based, self-destructing notes
- Tigertext: enterprise-focused secure texting with message timers
- Burner: temporary phone numbers for calling and texting (hat tip to Bill Potter at The Cowen Group for pointing me to the last two on this list)
The category of “disappearing email” has been around at least since the late 1990s. In that era, a company called “Disappearing Inc.” got a lot of attention, but was not successful. A similar company called Hushmail from that era is still around, but suffered from some bad press when email that users thought had been “disappeared” was turned over in the course of a lawsuit. In any case, neither company ushered in a new era where email automagically goes away. However, given this new crop of startups, I wonder: were these 90s companies ahead of their time, poorly managed, or just a bad idea?
On the corporate side, I don’t see a large appetite for this kind of technology. I have had this conversation with clients many times, and although they love the idea in concept, they are very worried that using the technology will create the appearance of evil (just as the first thought we naturally have about Snapchat is that it must really be for sexting). Executives in particular feel that the use of the technology creates the impression of having something to hide. Perhaps if email had had this capability from the beginning, the risk would not be there. Corporate culture is conservative by nature, and no company wants to draw attention to itself in this area.
This fear is not without justification. Many general counsels are fearful of deleting any corporate email messages at all, which is why many of the world’s largest and “well-managed” companies have hundreds of terabytes of old email sticking around. Remember that in the world we live in, prosecutors sometimes chastise companies for not keeping all their messages forever because, after all, tape storage is “almost free.” There certainly is a case to be made that spoliation fears are generally overblown, given the number of times spoliation actually leads to a fine or judgement, but the fear of throwing away the wrong thing is not groundless. Getting rid of junk defensibly requires a logical, justifiable process.
Unless an organization is in a highly classified environment, I think most general counsels and their litigation partners would tremble at the thought of explaining why most of the company used “normal” email but their executives/salespeople/take your pick used “special” email that disappears. It does not pass the smell test. Selective use is problematic.
On top of that, you have users who find operational benefit from having records of their business activities in email. You also have the emerging world of Big Data, where email in aggregate potentially has big value if you get it onto Internet-scale infrastructure and point the right tool at it.
In any case, check out the full piece when it runs in the next issue of Law Technology News.
Author: Barclay T. Blair
“Here, a fine against [the company] serves the dual purposes of deterrence and punishment . . . Because [those responsible for spoliation] are the sole principals of [the company], a fine directed at [the company] will affect them directly.”
Passlogix, Inc. v. 2FA Tech[i]
A partnership between two businesses failed, and litigation ensued. As the relationship unwound, a number of email messages, text messages, Skype® messages, and log files were created that became relevant to the case. However, the defendants failed to take any formal action to ensure that this evidence was properly preserved, and in fact attempted to hide evidence that they felt was unfairly damaging. As a result, the court fined them $10,000 – a fine large enough, in the court’s judgment, to ensure that the two founders of the small company felt its sting.[ii]
What went wrong?
The defendants in this case apparently did not have a formal process to ensure that email messages and other information responsive to litigation were properly identified, preserved, and produced. This process, called a “Legal Hold,” is essential to ensure that legal obligations are met.
In addition, the defendants specifically failed to preserve email messages that they thought made them look bad – something the courts have specifically addressed, stating “[t]he duty to preserve documents is meant to prevent these sorts of ‘judgment calls’ by litigants and, instead, requires parties to preserve all documents that may reasonably lead to the discovery of relevant evidence.”[iii]
Finally, it appears as if the defendants believed that preservation obligations did not apply equally to information less formal or traditional than a paper document, and as a result did not preserve email messages, text messages, instant messages, or computer log files. The law is clear that the duty to preserve applies to all responsive information, regardless of its format.
What can we learn?
The requirement for formal Legal Hold policies and processes is well established. As the court notes, failing to issue a written legal hold notice is, on its face, gross negligence.[iv] In addition, the courts do not expect us to take our preservation obligation any less seriously just because the evidence is in a form we might think of as informal – such as email and text messages.
Other lessons we can learn from this case include:
- Use intelligent tools. Look for tools that can help you identify and preserve responsive email messages. Does your email management solution enable you to easily find, flag, and preserve responsive messages? If not, you may fall short.
- Get smart about Legal Holds. Ensure that Legal Hold policies are up-to-date and consistently followed, and that you routinely create and keep records of who received Legal Hold notices, their acknowledgement of receipt, and other key details of the Legal Hold process. Also, ensure that employees have the tools and education they need to comply with Legal Hold notices in your email environment.
- Treat “informal” content the same. Treat email messages with the same formality as any other type of information when it comes to litigation. Email is always a target and as a result, must be treated with the utmost care.
[i] Passlogix, Inc. v. 2FA Tech., LLC, 2010 WL 1702216 (S.D.N.Y. Apr. 27, 2010). Note that this case addresses many other issues, including a lengthy investigation into how the genuine authorship of an anonymous email message may be ascertained – it is a fascinating read.
[ii] “The Court holds that a monetary fine of $10,000 against 2FA best suits “the facts and evidentiary posture of [this] case.” . . . 2FA is a small company founded only in 2006, and [the founders] -who the Court both finds responsible for the spoliation of evidence in this case-are 2FA’s sole principals and co-founders. Here, a fine against 2FA serves the dual purposes of deterrence and punishment . . . . a fine directed at 2FA will affect them directly. In concluding that a fine of $10,000 is the most appropriate sanction, the Court balances 2FA’s litigation conduct with its status as a small corporation.”
[iii] Passlogix, Inc. v. 2FA Tech., LLC, 2010 WL 1702216 (S.D.N.Y. Apr. 27, 2010), citing, Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, (S.D.N.Y. Jan. 15, 2010).
[iv] “Once on notice of litigation, “the failure to issue a written litigation hold constitutes gross negligence because that failure is likely to result in the destruction of relevant information.” Passlogix, Inc. v. 2FA Tech., LLC, 2010 WL 1702216 (S.D.N.Y. Apr. 27, 2010), once again citing, Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, F.Supp.2d, 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010).