Email Discovery: Worst-Case Scenarios Versus Best Practices

Email has not only evolved into a primary form of business communication, but also has become a primary weapon in a prosecutor's arsenal. A 2004 survey of 840 US companies, co-sponsored by the ePolicy Institute, found that 21% of respondents had had their employee email and instant messaging subpoenaed in the course of a lawsuit or regulatory investigation, up from 14% in a 2003 survey.¹ This trend of using emails as evidence in court is expanding outside of the United States. In June, 2005, the Singapore High Court allowed emails presented as evidence in a dispute over negotiations for the lease of a warehouse.

Searching through volumes of backup tapes for requested emails is costly and time-consuming, with no guarantee that all the requested records will be recoverable. A company's inability to produce all subpoenaed records can result in multimilliondollar fines and long-term damage to its reputation. Organizations should therefore use email archiving and discovery software technologies to ensure that email records are retained in a secure repository. This will make records readily available for everyday business use—and companies can quickly and completely respond to an electronic discovery ("e-discovery") request.

Traditionally, companies save emails to backup tapes at regular intervals, such as the end of every business day, week or month. This means that thousands of emails and attachments are kept on volumes of unindexed tapes, usually stored offsite. These backup tapes are excellent for disaster recovery where an entire mailbox, system or data center needs to be recreated quickly. But backup systems are not designed for information discovery, where responding to a request means finding specific emails and attachments based upon the context (e.g., date, sender, recipient) and content (e.g., keywords, subject line, attachments) of the information requested.

Another source of unstructured email is employee laptops. These local email caches, known as .PST files in the Microsoft® Outlook® and Microsoft Exchange environments, pose a challenge during the legal discovery process. These files are highly susceptible to corruption and/or accidental loss (e.g., if the laptop is stolen) or destruction (e.g., if the laptop crashes). Retrieving these .PST files means laboriously copying all business records off each laptop and then searching through them to find specific documents. Often this information is on the laptops of company executives, and when these units are taken away to be imaged, key employees suffer inconvenience and lost productivity.

Once the data is restored, it must then be extracted for presentation in court. Depending on the size and scope of the discovery request, this process can take days, weeks or even months, especially when attachments in formats that cannot be searched electronically, such as PDF files, must be converted to text-searchable files. The cost of this process usually falls on the company being asked to produce its own records.

Fortunately, preparation for the e-discovery request can go hand in hand with meeting the requirements for secure email retention and supervision. Many companies are mandated by industry regulations to retain their records. Securities and Exchange Commission (SEC) Rule 17a-4 requires retention of all communications involving broker-dealer employees. Companies can also be forced to retain communications that have been placed on a litigation hold because they are related to open or pending litigation.

An email archiving system relieves employees of the responsibility of deciding what messages and attachments to retain and for how long. Employees are often expected to read and comply with long-documented retention policies, which flies in the face of the reality of the typical employee's daily work behaviors. Litigation hold requests are frequently enforced by asking employees to preserve specific emails, but already deleted emails are rarely backed up and won't appear on imaged laptops.

If the company is unable to produce requested email records—or worse, if the plaintiff or opponent produces them—the company can face significant penalties. Even non-regulated businesses should retain records in a consistent manner. Case law has shown that companies that have haphazard or inconsistent approaches to records management place themselves at serious risk.

To ensure compliance with laws and regulations governing email retention, to avoid the high costs of electronic data recovery and restoration, and to eliminate the risk of heavy fines for not producing all requested information, a company must develop a proactive email retention and discovery policy. All organizations, regardless of their business or industry, should implement the following three steps:

1. Determine which emails should be retained and for how long. This could be based on a specific segment of employees, such as C-level executives, or based on the nature of the email (for example, emails that are truly business records, or those that are on a stated litigation hold). Retention varies depending on the relevant industry regulations and laws. Each organization should consult its legal counsel when developing its records retention and deletion policies.

2. Implement an email archiving system that immediately archives and indexes all messages passing through the email system (e.g., Microsoft Exchange, Lotus Domino®, Lotus Notes®), stores them in their original form (emails and attachments) in a centralized repository with specified retention periods, and ensures the emails are not altered or deleted inappropriately.

3. Implement a software-based system that allows authorized reviewers to pinpoint quickly specific emails required as part of litigation support. This reduces the time spent searching for and recovering requested email records from weeks to just a few days. This in turn cuts the costs of meeting the e-discovery request and ensures all requested records can be produced. The support of global marking schemes eliminates unnecessary duplication of a review effort when discovery requests overlap, as they frequently do.

If all information is captured and retained, it is possible to prove that an action occurred or did not occur. One example would be a harassment case where the plaintiff accuses a defendant of sending inappropriate emails. If all emails are retained, then it is possible to prove whether or not such a correspondence took place. The worst-case scenario is when the plaintiff can produce emails that the defendant cannot. In some cases, courts have ruled "adverse inference" and have instructed the jury to assume that the data was intentionally deleted.

Email archiving and discovery technologies can play two important roles in helping an organization achieve regulatory compliance and better manage its response to e-discovery requests. The first is to ensure the secure retention of electronic records in a manner compliant with laws such as the Sarbanes-Oxley Act, and industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA), SEC 17a-4, and National Association of Securities Dealers (NASD) Rules 3010 and 3110. The second is to reduce significantly the time and costs associated with searching for and retrieving relevant email records.

Once companies have established proactive policies for data retention and e-discovery, the next step should be to look more holistically at how they manage information availability and security to prevent future policy violations. Examining information security with an eye toward preventing issues like data leakage can safeguard critical intellectual property and customer information from loss or theft.

The Symantec Solution
VERITAS Enterprise Vault, now from Symantec, enables organizations to implement automated, policy-based archiving of e-mail and related files to a fully indexed, searchable online archive. This "information warehouse" of personal and corporate data can be mined as a knowledge resource. Special-purpose products such as Enterprise Vault Compliance and the Discovery Accelerator then offer solutions to specific problems such as regulatory surveillance and legal discovery. The Discovery Accelerator offers the following functionality:

• Fully managed legal review process;
• Hierarchical review by a set of privileged reviewers/investigators;
• Flexible searching to produce potentially admissible email;
• Flexible marking schemes;
• Production of items for disclosure; and
• Activity logging and report generation. Enterprise Vault acts as an "information warehouse" of personal and corporate data, allowing it to be leveraged and/or located during legal discovery.

---

Symantec is a world leader in providing solutions to help individuals and enterprises assure the security, availability and integrity of their information. Headquartered in Cupertino, CA, Symantec has operations in more than 40 countries. Visit us at: (www.symantec.com)

1. "Send and Save," Peter Loftus, The Wall Street Journal, September 19, 2005.