Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Email Risk, by Albert Kassis


Published on

Email Risk

  • Be the first to comment

  • Be the first to like this

Email Risk, by Albert Kassis

  1. 1. gtu ;h furrrt, THE QUARTERLY REVIEW OF ADVANCED RISK MANAGEMENT STRATEGIESvol. 22 NO.3 FALL 2OO8T EunncrNc aNo ONcorNG Issuns tr Social Tiends, Risk Management and Public Policy GeraldF.Indner tr Emerging International Issues for Environmental Programs KmIJ. Russek mAWiLIiamP. Hazehon ! Captives for the Middle Market DonMacMeekin n Coverage Issues in Tiade Dress Infringement Litigation Williarn J . Warfel n Corporate E-Mail and Electronic Documents Albert Kassis n Mitigating the Risk of Payroll Fraud DonaldJ. Fergus ! Loss Development {or the Non-Claims Person DauidF. BrauerI ISO on Enterprise Risk Management Szpply ChninandERMI Commentary TheMyth of ERMI Insurance Strategies DAO mdDIC Policy IsszesT Insurance Law Militnry Tactics in the Cowtroom C T) rr -o^ 1865
  2. 2. E-mails and electronic dan (electonically stored information ESI) are now integral to litigation and inuestigations. - Risk Management eonsiderations in R.gard to Corporate E-mail and Electronic Documents ALBERT KASSIS ) nolr, most risk managers arc aare of thc What Is Included in ESII issues assoc iirte d uitlr e -mails, clcctronic docutncnts, clatal.tascs, alnd recclrtl.s uithin ESI includes anv inftrrmation thzrt is housed andtheir httsiness ent,irttntrent. In Iegal circles zrnd un- ctrntreretrier,eclelectronically.ThismearlsdocumentsJer the Federtrl Rules of Civil Proce,,l-rrc,r tl-rcsc data referred to alretrrll, but irlso can include corporatefall r.rnclcr the legal classihcation of "Electronically databtrses, Wcl-.,logs, r,oicerlails, tcxt messages, andStored Infortnntion," hcrein knoun as ESI. While HTMLliles.ltshouldbenoredtl-ratitcloesnorrnartertl-rese dclctrtnents can bc corporate iissets, thclalso theinfonnationisstorec].Thisinfcrrmutioncancan hc colT)oratc liahilities. bc on your scrvers, cln backup tapcs, or on desktol,s, T1-ris articlc :r.ldrcsses e-uriril, inst:rnt messtrging, laptops, irnd portablc dclices being trsed on- andc-documcnts, :rnd rclatccl risks that cornpnnies face off-site. Additiclnalll, it can be content on your Webin litigation and h.siness. Additionally, it discusses sire or intrancr.what risk ar,oidance strategies irur.l undcrtakings Thc arncndecl federirl nrles spcecl the proccss re-.thould take placc. quiring litigarrts to turn c,r,er this rntrterial. The time 57
  3. 3. bl. 22, No. i, Fall 2008 53p,eriod has been shortened to ,eeks in somr instances. tion invohed. Most recentl),, lcgal circles are hu:ringTlre risk asscrciatc-rl uitl-r ovcr- or uncler-captr-rring data about a casc sitnply knoun as thc Qualconrm case. Int() turn ovcr ls urrnense. To address thesc isstres. risk Qtmlcomm Inc. t,. Brctadcom Corp.,r U.S. N4agistratc.luranagers can unde.rtake activitics and impiemcnt Judgc Barbara L. N[ajor harl sanctioned Qualcornm forpolicies that u,ill redtrcc the risks Llssociated ith "supprs-s5ing" or,cr 40,000 c.lectronic filcs. These lilesthcse rules ancl cther inhcrent risks in thc dav-to-dirt l-rird been prcr,iously requestecl, but did not shouu1.,business activit), dcaling uith ESI. in discor,ery. As it trlrns out, these files uere disposi- tive, btrt adr,ersel). to Qualcomrn. ln this scenarlo,ESI Risks Abound, From Inside and Outside Qualcctrnlns hiing might not have taken place ha.l thesc e-rlrails bcen trncor.ere.{ prior to action bcing Risk manirgers har,e likcllrecogni:cd risks ilssr)ci- taken. A clcar understanding of corporate c-rnililated uith clectronic intnr.lers frtrrn the otrtsidrgctrirrg policies, ri.ith policies and regirne s adhere.l to. rnigirtacccss to corporatc information. While these risk-. havc bror-rgl-it these c-rnails to light irt a juncture uellare still imp1111s1-t1, therc is increasing .langcr that l--cforc a lilii-rg took place.conlcs frorn uithir-r tl-re corporarion. Specilicalll., theprtrliferation clf clectronic infonnation mRy g1921e.rtpror.icle cr.idcnce of liabilitv. Tl-re trouble i.s that in The proliferation of electronicthc clal-to-clalr activities of a corporation, liahilit), i.s ,rlurking that rnayne Ier l.e uncc,rered trntil ESI shous mlormafion mal creete orup in ir lcgal ca.e trr invcstirtntion. prooide eqtidence of Liabiliry. Prior to Deccrnber 1, 2006, l.otl-r e-mtrils andelcctronic c]ocuments uere c]isc-or,crahle, mtrcl-r likcpaper clocuments; thc changes that took placc in tl-rc An equally notoriL)us casc that elcctr()nicFecleral Rules of Cir,il Procedure in Decernber 2006 clata u,a-s the N4orgnn Stanlel cirse. On Ma1 16, 2t)05,incrcasecl tl-re ievel of truarene ss arnong att()rneys ln The Wall Srreet Journcl puhlished an artrcle titled "Houall practice grclups. ln f act, e -discor,er) practice groLrps N4organ Stanlel- Botchcd a Big Casc l-ry Furnbiingantl partrrcrs are nor central in manv lauhrms. Enails." Thc mcrits of tirc rnattcr bcing litigate.l Prior to tl-re federal rulc changes, a ntrml,er of cre supcrse.led by the negative puhlic rcl:rrionslitigating attorr)eys r.r.cre of thc "dont ask, dont tell" associ:rted ,uvith thc ESI issLres that le.l to thc al.ovementalitl, if one si.le to ir legal case didnt ask lor l-rca.llincs. In bclth exaurples, the cases original lcgale-rnails to- be turned over, then oppcrsing crlunscl clairns took a bzrck seart to ESI isstres rrnd hou thcvtypicrrlly u,o,-rld not ask cithcr. lrnagine th:rt scctl.rric) rierc rnishancllc,,, particrrlarly if a lau firnr or attornelr loscs ,l case.If ESI or particular ESI nas ncver sousht our and the Records Retention Policiesuonrequesting sidc the case, there millbc someqr,rcstions to anser frorn both a client and a c.lurt in lf your corrlpalr) cloes not hirve a records retcntionir potcntial uralpracticc clairn. pclic1, in placc nou, consitler instituting r)ne as soon as feasil-,Ie. Records retcntion policies rcduce risk inMishandling of ESI Risks May Cause rnan) rlys. A properly crafter-l policl,pror,ides fore.Negative Publicity thor.rght that inhi[-rits the accrrmulation clf stnrcturcd Negative public pcrccptions of your enrir- can ancl unstructured data that call arnass. Any accumula-der,elop fron-r the mishandling of ESl. This public tion that tlocs tirke place uill be dc,ne so for a legalrelations risk typically arises cluring litigation an enrirl reason or btrsiness prJrlrt) invohed in. Thc corc- legirl issrres in rl-re case :rretl,pically supcrsedecl by the corrrt fcrcusing on onc of Accumulation Pointsthe pirrties mishandling of thc ESI. All trccunrtrlirting pLrintb, L-.t;., sclcrs, Jeskt.rp Sorne of thc most highly publicized cases ir-rr,olv ing colnpr-lters, and off-site locations (e.g., BlackBerricsthe mishantllir-rg of elcctronic discovery have becc,rnc trr laptops ) , should bc trJdressed. 7c recornmenci thatcommonly knor.r,n, to the detriment of the corpora- ir niap of nherc those rlevices are lclcate.l lrithin the
  4. 4. )1 The john Liner Rcr,ieuorgani:ation irncl rvho the stakehrrlders are for each is concemed about storirge ancl retrieval issues. Thatcler,ice be developed into il living docurncnt much department is not necessarill, concerned about hc>ulike an organization chart. Ke1nembers then can bc these decision-s may affect litigation that their cmploycrassigned responsibilities to ensure that thcirpttrtion of may be involr,ed in.the mtrp is kcpt up-to-d:tte uhen changcs occur. An1changcs must bc cliscusscd enteqrriseu,ide, so thart one E-Mail Policiesdepartmerrts irolicidoes not h:rvc an irnpact on thepolic) ,rf a differcnt dcparturenr. For example, if thc Every,organizatior-r nceds a fcrrmal c-rr"rail policl.research ancl clcr,elopmcnt departrnent (R&D) soulcllike to keep clata longer than the htrman resorlrces 1. Organizations should develop irn c-rnail policy(HR) tlcpartrnent, both shotrltl .uvork together to acl- u,ith input frorn each ancl cvery dcpirrtmenr. ThisJrcss anV cfrrrs-l1npnat. policy u,ill hcnelit the organizationls counscl and uill l-tc instmmental in .liscor.-ry requests.OrganiTations should develop an 2. Policic-. shouLl incltrcle nrles fcrr rctenti()n ?lnd usage (as elaboratccl hcrein) ancl shor-rld bee-maiL poLtcy with input fro* each revie.uled :urnuall1,,. Policics sl-rould be rnore {re- quently rer,ieuecl u,hcn acqtrisitions happen, ITand euery department. systenr-s changc, or ncusoftuare is irnple mented. Atl.litional,, st:rlsirir,e infbrrnation rclating tcrArchiving tradc secrcts rulrl attomey-client uork-product Iv{any corporiltions irave adoptcd a basic "tine ancl needs to he .spccifi call1 adtiresse.l.spacc" polic), at least for c-mail. For e.xample, c-mailsthirt have been creatcd :rncl have existetl for a periocl 3. Policies r-rcecl to be communicated and broarlca.t,of time uoulcl pror,oke either a dcletion or irrchiving uith face-to-face and .lepartmenterl training ses-signal. The sarne nou[1 ap,pl1 for data accunrulation for a sions.user. Regarding thc "space" compongnl, some cmpkrl ersaddress this issue b) lirniting the sizc of a user.s "inbox." 4. Policies slrotrl.l inch,rrle "insranr rnessaging" ( Ilvl )Once a thrcshol.l hrrs lrccn llret, the uscr rlrust archive if reler:rnt.e-tuails, or he or she uill not be able to -sentl clr rcccive.Practically, cmployees uould not keep 100,000 pop.t The voltune of usagc of IM ,lithin the .,r,orkdocuments in ol-lice uithout t.akins acticln. Thc forcc l-ras grown exponentiall),. There are riskssane should irpply to clectronic docurnents. associatecl lvith the cotporation taking a passir-e IT kceps data around for as long as possitrle, bccirusc a approach tovr,arcls messaging. Some corporarionssh()rt-storage policy may give the appearance ofdeleting aliou their crnployces to tse third-parr) lnes-data tc, hide thcm. Archiving, a cornponent of recortls saging senices, such as Yahoo. IN.,I that is norrcter-rtir)n, r1pically cones in the fonn of btrckup tapes. c{)mpany-lnitrraged can creatc problclnatic logThcse tapes ma) retain previcrusly delctecl infirnntttron trails on cory()rate assets. S()nc of these ktgs canancl are fair qame vgith reslrect to an ES] e-discoverJ be storcd on local harcl clrir,es, causing headachesrequcst. The questic-tn, hocver, becomes uhether for any entit: tnring to respond to a cliscorrerybacktrp tapcs are "reasonably accessible" uncler the request, uhile increasing risk rhat a trail existsFederal Rules,l and whcther zr corporare litigant should unbekno,1n tcl the sublect to thc expense of seirrcl-ring hackup tapcs. Litigation Hold IssuesRelated Issues Relatecl issr"res concem uhetherdifferenr dcpirrtlnents The "Strfe Harbor provision" of Federal Rules ofsl-rould have .lifferent retention policics. Also, are all Civil Proccdurc, Rr.rlc j7, safeguards an entity frornthc intercsted parties cL)mmunicating u,ith each otherl charge s of .spolitrtion, This tcrrn rcfers to the intcn-Thc inforrnation technologv .lep2rrrment ( IT) qpical11 ti<inal or neglige nt uithholtling, hiding, or desrrucrion
  5. 5. V<rl. 22, No. 3, Fall 2008 55of er,idence if the cntiry destroys documents pursuant sitc and off-site. Employees need to undcr.stanil uhatto a records retenti()n f,c,lic). Spccifrczrlly, I7(f) pro- a hol.l i.s and uhirt their srrbsecluent 2rcti()ns,ides a safe h,rrbor fcrr litigants that fziil to preserve bc. As a rnca.surc of assurance, s()rrlc organi:ationsESI Juring lr.rtl,tl Ittr.incrs ()llcrtti()n:. require affirmatir.c hold-receipt noticcs u,hereh) the Tl-ris rtrlc is designe.l t..r relier,e entities from sanc- ernplo)ces ackntxvlcdge reccipt of the hold; a log istions for the krss or Jestnrction of ESI as a rcsult of creater1 of all the trfhrmative rcsfonses. Tlris heips tcrftrt11i11g, gocltl-faith operations of an electronic infor- rc.luce risk anrl cre atc rr recorcl of f our efforts.mation systcrn. Tl-ris provision irllous cornpirnies ttror,erurite or cle lete olc-lcr inkrnnation to make uaifor neu, information. A collateral hcnefit is cost sar-ings associatccl uith the possibilitl,of rc.dtrced stnrase A litigation hoLd requires anrequirernents. entity to preserue ESI andPreservation Letters disable a records retention policy Whilc tl-re salc lrarhrtr u,orks to offer sornc 1-,ro- curr ently deleting inf ormation,tecti()n, it is lirnitctl. Thc recc,rds retcntior-r antlclestrtrcticlr policy ma1 be susper-rded in regarrl to aspecilic legill rnattcr. This occurs u4ren a cornpany Both corporations and their employees are strbjecthirs heen provicle.l a litieation hold or "preservation" to:r litigation hold. While it is r,ittrlthat a con"rpanyletter or n()tice. Sucl-r a document reqlrires alr entir) understancls its oblig:rtions un.lcr a hold, it is eqtrallyto preserve ESI and disablc a records retcntion polic), vital that crnplovees do, irs uell. Irr a rcccnt districtcrrrrcntll Jclcting inf.trtnrtri,,n. colrrt decision, the court imposcd a $1 rnillion hnc Whcn orgnni:ations are sucrl, generally, a l.res- after it cclncludc.l that spoliatiorr took place uhen thccnation letter is sent froln ()pfosing counscl. lt is colrpany eln1"rlo1.ees destroye,-l doc,-unents dcspite thc-the responsibihty of the organi:i,rtion, trpon reccipt, corporations efforts to prcservc ther-n in accorJanccto preserve all information clehned uithin this let, r.lith a court order.ter that dcais u,ith the litigation. Tl-re preser;rtir)n Risk mirr-i.rgcrs neeri to utlrk r.l ith ltcltl-r insi.le andohlig:rtion sornctirrcs occr.lrs before Lr lctter acttrally or-rtsidc counsel to assess hor.rcommunications takeis 1-rrescntccl. When tl-re cntity has reason to bclicie place tcl irnplement holds. Cornmunication rcgirrcl-it is goir-rg to he strecl, tlte lrescnation obligation ing the i-rol.l Iras to be 1rervasir,e and recurring. N4irn1arise-s at that time. corporfrti()ns hirve cstablishcd conrrnittees thart dcal nitl-r issues re lating to prcservation h,.llds and rcltrtcrlImplementing Litigation Holds lnatter:. Tl-rese cornurittees come uncler a nunl.ter clf ln both large and srnallorganizations, preservation .1ifferent .lescriptions, inclutling one callecl L)iscov-should not be take n Iightl],. Frorn a br-rsiness-operatior-rs ery Action Response Teanr (DART). Tliis tcam isstandptrint, litigation discoverl holds are intrusive. marle up of ir cross section of ir-rdividual.s. Dcpend-They require athrmatir,e action. Thc interscction ing on tl-re organi:t-rticln, it maV involve corrn.scl, IT,betr.reen the cffbrts of presen,ing d:rta for this hold antl departnrer-rt heads. Sorne DART tcarns invoheand the diry-to-day functions of your ()rgani:atir)n r.arious.1ep3111n.11s, incIuding sales, R&D, an.l HR.ttecJs trr l.c aJJrcseJ. DART tcarns arc intcndctl to dcvelol-r and meintrrin 2l pr()ccss and mctl-rodologr- frrr respontling tc, ESIContmunicarion Regarclln g a llokl requests in litigation. Thc necessity for prescrvation of spccific dat,r l-r,r,. tobc comrnunicatecl tcl all th<lsc n ho are rclateJ to the Locaring ESIlitieirtion and ."rh.r control thc infbrrnation delincd Whcther il corporati()n c()n(hrcts a centrali:ed oruithin the prescrr,irticlr-r letter. Thc risk is that sorueone dccentrali:cd approach to preserv.rtion, infrrrmationlna) n()t llet n()tice and ma1delcte infonnrrtion that ".silos" uilI rlatter.falls undeL the litigation hold. In respen.5g to litigirti()n ()r 11 g()crntncntal "dis- Litigation hr,lds appli tt> thosc vr,<rrking both on- covcrl", entitics mnst he trhle to locate Lncl
  6. 6. 56 The ]ohn Liner Revieurcvieur ESl, no matter uhat the format may be and job responsihilities led to the er,cntual eliminationrcgardless of language. Nttances abclund that maf in- of her job shortll after shc returncd to rnork. Anhibit locating this rclevant information. An cxample e-rnail frorn the plaintiffs Suprslvi5sl contained au,ould bc organizational changes in software applica statement that thc pclsition $as eliminated due totions or versions for instance , uhen a corporation thc reduction from eight to three in the number of -sr.litches frorn WordPcrfect to Microsoft Word. peoplc superr,iscd by thc plaintiff. This e-rnail copy lr,as obtained by the plaintiff from a sourcc other than the cmployer-defendant, rvho failed to procluccMany entpLoyees &re not this e-mail in res1,olr.lir-rg t., tlt. ;tlaintiffs discc,.ery requcsts. The court held that plaintiff rvas prejudiccdnecessariLy aware of the by the failure of SunTrust to producc the cmail. Spc-intersection of Litigation and cilicalll, this failurc raised thc question u,hcther all other rclevant e-rnail h:rd been p,roduced. Thc ctturttechnolo,,g) as it reLates to adclitionall1noted that the dcfenclant actcd in bad faith. In the courts opinion, the plaintiff s sttpervistrr,electronic documents. u,ho authclred the e-mail, mllst havc affirmatively dcleted thc e-nail from her scnt itetns. Additionalll, a recorrls retcntion policy rnust Would a properly irnplementcd litigation holdprohibit routine overuriting of servcrs and data. have prcventecl .,rhat had occurred in the SunTiustSpecial attention tnust be paid to serrcrs that may casclCould thchold har,c precluded deletionlFrorna"crash" and the resr-rlting subsequent action taken, softuare standpoint, it very uell coulcl hirrte. Bc)ondparticularly if a pre scrrration hold is in place or is ex- softwarc, a properly educatecl uork force cotrld alscrpected. Also related are scenarios u,hen nell softuare havc precltrdecl nn1, intentional delction. SunTiustis irnplemcntcd and conversions of legacy clata takc may never har,c knoun about tl-re c-rnail. Both insidcplace. Occasionalll, uith harduarc upgrades, relcr,ant counsel and <iutside counsel to SttnTrust uere likelydata rnay get rnovcd to a temporar) storagc device, unavarc, becattse thc strpervisor ma) har,c been lessuhich requires an r-rpdatc to any data map that thc than forthcoming and cor,erecl her tracks hy clclet-risk manacer Llses to monitor data silos. ing copies of thc c-mail and not telling attornc)s handling this rnattcr.Was the Hold Succes-s/nh Ultirnatcly, uhether a preservation hold ras suc- Steps to Consider in Protectingcessful or not is tested by cr,iclentiary production to Your Organization From ESI Risksthc other sidc. Cornplete documcnt productions uillresult in turning over all tl-rc relevant non-privilegcd Houu,ould a risk managcr protect a corptrrationdocuments. Thcre have l-tcen numcrous instances from a scenario like the case? There arellhere prclductions harte not produced all relcrtant ccrtainly bodr liability issues and public relationse-mails. Whethcr these omissions are due to inad issues associated uith the SunTiust case.equatc procluction holds is not ahvays clear. Shouing Properly cxecuted rccords-retention, c-mail, anda court that your organization has a ucll-thought-out litigation-hold policics are necessary. X.4-rile properlyhold strategy Irelps thuart any "spoliation" charge. exectrted policies u,ill assist in adclressing sotne is-In some statcs, spoliation is a separate civil action sucs, they uill not stop an cmployee"rho is trf ing ttrwhere a corporation can be held liable. cor,er his or her tracks. If the elnployec knolls that dcleting an c-mail frorn his or l-rer sent hox could beFsilure to Produce ESI: Cr-,nnor t,. Bank technologically uncor,ered, this knorrledge rnight An e-mail not shorving up in production has thuart the action. lndeed, rnany ernployees are notliability impact. Thke, for example, the case of Con- necessarily auare of the intersection of litigation andrtor rr. SunTiusr Bsrrk.6 ln that case, tl-re plaintiff, technc,l.rgy as it relates to clcctronic clocuments.luho had adopted a child, contended that removal It is r,ital for risk nanagers to cnsure that employccsof direct reports to her position and changes in her are aware of the frrllowing facts:
  7. 7. Vol. 22, No. 3. Fall 2008 57 1. Deleted e -mails and ESI can be recovered. munication methods to get the message across. Sorne, for exarnple, rrtili:e their oun cmployces to generate 2. l)atc zrr-rd timc of deletion can be deter- in-house training hroaclczrsts. C)thers usc podcirsts tl-rat nincd. c:rn be r.ieue.l at it uorkstation, uhicl-r arc iclcal firr thosc employee s rvorking remotely. These cli;s can j. Ernployee Internert activit) can be traced bc use,-l to cducate cmplolces on rnandates regirrding litigation l-rolds, c-maii policies, and inherent risks. 4. l)ocument "travel" from co4r,rrate el-rvirotl- ments to ncrs<.rnal e-rnail can bc traced. While e-maiLs mal be perceived ESI copiecl tr) rcr.notr- devices (e.g., thumb- drirres) or scnt to printers typically can cirsil) as informel in nature, they can bc detected. satisfy the Starute of Frauds and 6. Vriccrnails potentitrlly alsr-, cotrlcl bc rctricvecl Create Legally binding contracts. anJ rr..J ftrr litierrtitrn. Risk rnanagers employed by cntities tl-i:rt are As note.l, e-n-rail can hirve a bintling cffect. C)nlitigior-rs in nature and hnd thernsc-hcs in cotrrt thc onc han.l, r.rhile e-rnails rnay bc perceir,ed .rsfrequcntll, are in irn nc]rantagetttts p6sitictn to *ork infonnal in nature, thev can satisfi the Statutc ofsith counsel to safcguard against or.ltcomcs sirnilar Fraucls ancl crcatc lcgall-v binding contrircts. The caseto the SunIu-sc llratter. rrf Al-Bctlaba.ccnn Inc. r,. N.stein Techs. Corp. is an Safcguarding not only lncans that litieation holds examplc rihereir-r c-nrail l-ra.l a l,inding cffcct.; Thisare properly executcd, hut alsc-r tl-rat emplol,ces bc- casc c()ncerned a liccnsing agreernent in r.lhich thecoore ln()rc fluent in the l-ridclen ancl not-so-l-ri.1.len scn.-ler hird t1,pctl his name irt the bottorn of the e-nuanccs of electronic documents ancl clata. Such rnail. The court I-relcl thirt "the sendcr rnanilestecl hisfh-rcncy is part of the vital knoulc.lge needed fbr intention to rruthentic:rtc tl-re e-rrlail firr purposcs ofcorporati()ns and crnplovees to rctlucc overall risk. the Startute of Fratrds by t1ping his name, l)cnis,at the l-ottom of the J:rnuary 1 2, 2007, e-rnail rcfcrcnc-Have NeuEmployees Been Schooled in the ing the partiescor-rtractual agrecment."Policies of E-Mail Communication Within So, even thotrgh the inf<rrrlality of e-rnail may heYour Corporation? rclicd ul.on nerely to f:rcilitate ccxnrnunicatior), a possiblc unintcnded result rnalbe that an emplo,vec From au cntcrprise perspectivc, consitler spccilic is ablc to bind a corporatir)n in a contrac.t merel) byactions in regard to empkryecs stirrting uork at e-rr-rail. Ad.litionalll, the binrling cflcct of c-mails canyour business. Neu .mployeer need to be taught also iravc an inpact in thc persc,nal affairs of tlrosethe fbllouine: etnplolcs5 tl-rat usc uork to concluct per,.c,nal br,rsiness. Tl-re implication is that any future enf,rrce- 1. the policie.s of c-rnail communication lrctuecn ment Of agrecmc-nts or contracts can subject data on )our corporation an.l the rttrt.side $Orl,-1, in- the employers netuork to cliscor,erv requcsts be cause cluding br-rsincss partners; of tl-re L-in.ling el{ect of e-mail. trap5 6f informalitv in e-n-riril trnd thc legacy ESI Corporate Policies Should Be cvidentiary issues that lic therein; i,rnc1 Communicated and Rein{orced Regarding neu and ex isting employces, you should l. the bintling effcct of e-rnail that may occur in be al.le to affrrm:rtively ansuer tl-re follou,ing qucs- enforcing contracts and agrecments. tt()11s. Corpo1311.11rs utilizc virrious training aud com- 1. f)oes your orientati(rn lrogrirln adclress
  8. 8. 5B The John Liner Revieu, employees use of corporate systems and e data are under the employers control. mail-usc policiesl Exit Interviews as a Mechanism in Reducing 2. Arc there training programs in place that Risk address these issucs for the contintling vork Exit interr,ieus are alu,ays important to empktycrs. force ? They offer rnany advantages, inclucling insight trn enpiolccs attitudes tou,ard thcir former p()sitions, 3. Is there an "Acccptable ESI Use Policy" touard superr,isors, and toul ard the ge neral corporate drafted, disscnrinate.l, ancl conrtnruricated? enviroltrncnt. Eq.tally irrr1..1114r-ra is tu gaugc t :rn cxiting ernpl,ryee intends to take legal action after 4. Are employees educatecl on thc ramifrcations lctrving ernploymcnt. Ernployers take r,ariou-s actions that c.mails can har,e on creating tr binding regar.ling data arnd e-mails previously uithin thc cxit- contract, provicling proof in litigatitn, an.l, ing employecs control. For exarnple, etnploye rs often generally, cln creating liability? "uipe" harcl drir,cs of cxiting crnployees, resulting in lost data. It is ahvays best tcr uait to takc action of hnaginc thc overall benehts of creating, ftrstering, this nature. Arr altcrn:rtir,c uor-rld be tcl makc a mirrorar-rdeducating ernl,loyees as to the above policies. coplr or image of tl-re harcl i-lrir,c if it is possiblc thatSpecific examples such as thc scenario thert plal cd out the exiting empkrlee uill pursuc the Sunllusr casc abovc slrotrld be communicated.An ernployers proactivc aptr-,roach u,ill inhibit risk ESI as an Investigatory Assetalong nany fronts. Cornpanies :rre subjectcd to a rnultittrdc of regu-Personnel- and Employment-Related latorv btrrdcns. Consider the utilization of c-mailsESI Risks or e-iiocurncnts in inYestigatrons as a mechanisn-t to reduce risk. HR or legal counsel can search an Use of e-mails :rs cvidcnce in litisation is more emplovccs c-footprint to investigatr. i:Sircs relatingcornlnon in legal actic)ns reiatcil to pcrsonncl and to the follouing:employrncnt matters. E-mails have a unique itnpacton crnployee-relatecl claims against an cn-rployer or 1. of HR rtrles uncl policics, strch riolartion-smanager. of sextrally orientecl e-rnails; as sending Almost threc-quartcrs of all litigation against cor- 2. conduct in viol:rtion of Sarbanes-Oxlcy;porations is ernploycc-related. Frorn a risk standpoint, 3. riolations of the Foreign Corruptemp,loymcnt-rclatcd litigation is different from other Practices Act;fonns, since the plaintiff-ernployee is actually part 4. involr,ing the Securities and issr-resof the r.vork forcc. The corlrnunications betu,een Exchangc Cotnnt ir:ion;all the parties arc embodied r.rithin the e-rnail and 5. tracle sccret mis:rppropriation; andelectronic docurnent enr,ironrnent of the employer 6. rarious state and federal regulations.and can casily bc moved to a third-party e-rnail orprintcd as evidence tl-rat the cornmunication hap- Consider that on a rcgular basis, many high.proiilepened. As noted, in Connor r,. Bank, tl-re inclir,iduals find thcrnsclr,es at the centcr of atten-ernployee hacl ccrpies of the c-mail in hand, uhich tion bectiuse of e-rnail comrnunication. Considerrnade it rnclre diflicult for the en-r;,loyer to prove that firuncler Bill Catesc-mails, introtluced in support ofnone cxisted. the gor,ernments antitnrst cirsc against Microsoft.1" In Zubalake r,. UBS Warburg LLC, thc plaintiff, Morc rccently, tu,o hedge ftrrrd managers for BearLaura Zubalakc, had copics of pertiner-rt e-rnaiis in Stearns were taken into cr-rstody over roles they hadhand. When those e-mails ucre not pirrt of the pro- in the collapse of thcir hedge funds. Ralph Cioffrcluction set, the jtrdge ordcred [-,ackup ta1]es 5g.t.1l.6.ct and Mzrttlreu Thnnin are facing criminal cl-rargesIn a numbe r of tl-rcsc mattcrs, judge s appear to irnpor,c becausc Tannin allcgcdly said in an e-mail that hea rrore stringent discovery requircment because the uas "arfraid that the rnarket for hond securitics thcy
  9. 9. Vol. 22, No. i, Fall 2008 59had inr,ested in u,as t(,ast."Accordir-rg to Bloomberg tations of this qpe of soft,are involr,e establishing shrrtting the funds. Several da1,sNetr-s, l-re strggcstctl "acceptable use" 1rolicies. Sor-ne policies inclr-r.lelater, though, th. to managers told inr,estors that key uor.1s that are btrnned. Thesc u,ords are thcntheluere comftrrt:rt-rlc in holding their programrned into the lexicon of the sctfnlare that The tcnn "srnoking gur-r" is used frrre-urail.s that are scans c-rnail messngcs. Sorne softu,irre allous forcleariy d:rr-naging to an cntity or individual. Bectrlrse multiplc lcxicons f..rr.lifferent l.usiness units. Solncc-mail is treated nruch likc chatting, ofien treatcd apflications prevent rnrrss c-rnails that may be uscdas private and unofhcial, it is ver)r uqccrptiblc tcr in rnarkcting antl m.ry reqr.rirc disclairncrs in certainmisinte4rrettrtion. A properll executed collection of industrics. Softuarc can also be used to preicnt useESI policies ancl proce.llres, continuirlll reinforccd, ctf c-mail u-ithin ccrtain departncnts of a cornpany.uoulcl go ir long r.ray touilrd 2r,erting risk. This rvould pr,tentially prcicnt tl-reft of tradc secrcts ln Nrlay 2008, Forrester Rcscarch, alons uith an or other inf<rnnation.c-rlrail sccr-rrity colnprrny, rcleasccl a sur.e) .rf morcthan 100 U.S. companies.r: The lindings dcirlt uitl-r()utbollnd secr.rrity and e-mail. The survey caflre Llpu,ith the follou,ing hndings: A properly executed colLection o/ ESI policies and procedures, 34 pcrcent of tl-rc companies survclcd ha.l had c-mails subpocnacd in the pzrst 1eirr; continually reinforced, woul"d go aLong wey toward aq)erting rlsk. Z6 percent of the cornpanies l-rird terminate(l clr1- ployecs for violirtions in e-rnail policies; Messagcgate Inc. hirs conchictecl studies of the 27 perccnt of the companies had inr,estigated a r-rscs of c-mail. In onc such study, involving several leak in sensitir,e inforrnation r,ia a lost or stolcn salnpls e-mails ancl violations of acccptirble trse, tl-re rnobile devicc; and virrlatiotr: arr ( )rtlt n()tin{. {1 percent of tl-re large coml,irnies uith tnorc o lJ-se1-s rnisa.ldress e-mails, leaking sensitive data. th.rn 20,000 etnplttl,ecs cr.npltty staff to e-rnail. r Etnplo)ce5 flpirss Ctrrp1r1 11* scctrritlrn.-rrstrres l-.r1 scnding docurnents to person:rl Web-basc.l c-mail Thc results are e)e-oferring, at the least. Consicler accounts.thc prospect that these percentages uill onl1, gethighcr, given proliferation of thesc requests as per- o Social Sccuritl nlrmbcrs qere inchrded in sorn.-mitted b1 the Fedcrirl Rulcs of Civil Proce.iurc and c-rnzrils.the soon-to-bc-rnirjority rrf states that hzrr,e adoptc.lrules that enrulate tire federirl rules. o Offensivc c-rnirils arc colnlrronllsent uithin thc entcrprisc.r Proactive Data Mining Using ESI as irn invcstigatorv asset shoulcl be a pre- Inherent Risk of Metadata Within ESIcllrsor to engaging in litigation. Nlany organizationsarc no, hc.lging risk l-y rnining J:rta on theit oun "Nletacltrttl" rs dehnecl as dirta ahout data. It is r,italservcrs prior to liling a ltrnsuit. Thi-. allorls discor,er), to ensllre thilt )()rlr orglini:ation is au,arc of thc risksprior to hiing, of any unforeseen scen:rrios uhere uith rnetatlata. assoc iartctlsmoking gLlns that may hindcr a lausuit cxist. itviug ir L()rl()ratL cnvir( )nlilcnt in l)116111111111. le Adr,ancecl techntllogy atrcl soft,rare allou com- thcir nativc applications can pL)sc ruaj.rr risks. lv{i-panics to .lutolnaticallv detcct vioL-rtions of e-nrail crosofts V/ord softuarc has thc ability rrr capture clatirpolicl. This techr-rology can sequester risky e-rn:rils behir-rcl thc scenes thzrt cirn create substantial risks.frrr tl-re purposc of limiting liahilit; It4ost implenen- Specifrcally, thc netirdata ctrftulgl and associatccl
  10. 10. 60 Thc John Liner Rer.icuwith a Word document can reveal the original author Risks of Human Errorand the date of the documcnts creation. Additionalll,if a document is being drafted and a tool knoun as Other ESI risks mal, corne about by human cr-"track changes" is being used, all the revisions and rclr. Some e-rnail softuare has an "auto look trp" orcomrrents betueen the parties are trackcd and can "auto-fi11" leature that allous freqr-rently uscd c-mailh. rrncover.d if the Jocurnenr rernains in its narile addresscs to be inserted uithin an e-rnail "send line."form uhen given to a third party. Consider a recent sccnario inrolr,ing an Eli Lilly in-housc attorney uho uas u,c,rking on a rer) Iarge settlctncnt. After drafting an e-rnail full of cc,rnl,any- sensitive infonnation, ul-rich includcd information onDocuments Leauing a corporate a hne to be paid, tl-re in-l-rousc Llttorncy inadvcrtcntlyenuironment in their natiqte scnt thc c-rneril to a Neu.York llmes reporter instead of outside counsel. The reporter hacl a similar lastapplications can pose major rlsks. nalne to outside counscl. Tl-rc auto-hll c-rnail featurc in thc e-mail softuare facilitated an inadvertent subrnittal. Neus of the e-mzril became r.r,iclesnread Consider sone ramifi cations. Indir,idLurls, uho may soon thereafter.lrbe customers or cvcn conrpetitors, receiving thc docu-mcnt can utilize their or.r,n softwares "track changes" Strategies With Service Partnerstool to sec r.lhat the sending partys changes uere. Help Reduce RiskThcy can also see if the sencler as actually tl-recreator of thc document. Thel can also dctennine In years p.rst, hen cr)rp()rati(rns crc inr,olYedif an agreement as drafted for a ilifferenr enriri, in litigation, they t1pically looked at tl-reir outsidepotcntially yoLrr compzlnys other clients. cotrnsel to rnakc dccisions on uhich serr,ice partnersThc1, may gain advantage 1",1 seeing tcnns negcrti- to Llse to stlpport the cfforts of counsel. Risks uereated for other clients that arc not part of the tcrms minirnal bccatrsc information, particularll electronicof thc asrccrnent ."1ithin their l-rands. Prir,ate and dater, u,as conlined ancl not of the sarnc signilicanccconirdential infonnation lnay be rnadc public. as todary. Currently, thc cnvironment is cl-ranging, Tuo publicized metadata snafus follorv. in that corporations arc fcrrmalizing internally uhat serr,icc partners to use ancl are irnposing those tleci- 1. During thc nornination prtrcess of Judge sions on otrtside cc-runsel. Sen,icc partners are of Samuel A. Alito to tlrc Suprcrne Court, the critical importance. A particular decision on a serr, ice Dernocratic National Comrnittee put out partner cirn increase or decrease the risks associatecl a mcrrorandum criticizing his nomination. u,ith ESI. Equally irnportant arc the ccrsts associated This docurncnt as disserninated in rrs na- uith the sen ice-partner decisions. tive fonn. It uas latcr discor,crcd tl-rrough tl-re There are tr ntrmber of risk-rcduction benefits in mctadata that the docurnent utas urrittcn rvcll clroosing scrvicc pnrtncrs intcn-rally. before the judges nomination.ra o Corporations are establishing fonnal reqllests 2. An announcemcnt by the law firm Bois Schll. for proposals (RFP) for service partners, tailored ler regarding a lau,suit rcr,caled throtrgl-r thc touard thcir spccific needs, architectr-rre, and mctadata a potential future defendant uhose orkflour. identity tht hrm u,antcd to keep o h-rside and outsidc cotrnsel are collaboratinp t() Many corporations require that clocurnents establish RFP rcquirelrrents that pror-1trce overallleaving an electronic environmcnt uithin the efliciencies.organization do so in a static or petrificd "imageformat," For thc nost Dart, Adobes PDF fonnat . Workflows are recognlzed. Selectcd senrice provid-accomnlishes rhis. ers unclerstancl their clients ancl marimize that
  11. 11. Vol. 22, No. i, Fall 2008 ot knoulerlge to handle ESI glol-,allv across an cntcrprises data pursuant to a discover) request. Serr,ice prorldcrs can establish husiness practices that confrrrnr to the corpclrate clients rcqttire- r Evidence-rcvicu applications streaurline rcvieu ments, includine specihc billing l.roceclures. of data. L)ou,n timc associated u,irh training and interact- ing uith lau-lirm-selected service partners is kept Insurers are taking a hard Look at a ttrinirntrm. at couerage for discouerj cosrso Legal technology can be coordinirted ruore appro- essociated with ESI. priatelluith the corporations IT .staff, re.sulting in cfficicncies antl other hcnchts to i,t nr.rmber of departnents. Corporate Insurance Implications. ESI te-chrrokrgies associated uith flagging and Insurcrs arr- taking a hard look at coverage for indexing sork product and those associ:rte.l uith discovery costs associated uith ESI. Ser.eral in,.ur- privileged ESI can bc intcgratcd, rcsulting in less ers have generated specific eicctronic ditcoverl risk of .locumcnts l.cing rcleasctl in a litigrrtion in.surirncc coveragc tlr:rt provicles -solne degrce of prorl,rction tlespitc counsels technologic:rl protec- protcctic)n agtrinst discor.-ry costs. Some insurcrs tions that uoLrld prcvent such relcasc. that offer coverage are mandirting training progralns or requiring exclusions.ESI Solutions for Enterprise E-Discovery Therc arc ancillarl hencfits to purchirsing this c()erage. ln conjunction uitlr uriting a 1rolicy, While se.lecting service partners is benehcial, it t1pically, thc insurer irudits the ESI structurer uhichlna) nr)t mirkc total sense zrll tl-rc time. Some com- assists risk rnanagcrs in uncovcring ucakne.s-scs :rtrdpanie-s ancl industries are m,rc suhject than otl-rers addre ssing shortcolninss. Chul.b Grou}., fclr exarnple,to all the issr.res tlescribed in this article. lf the isstres has issuc,-l publication-. and advicc on records rnan-raiscd arc routine and part of the Jay-to-cla1corportrte agenlcnt an,,l issucs relating to ESl.ri Insr.rrers erre incxistclrce of the c.rrl.rr.rrittiiltt, risk rnanagcrs p()ssibl) :r ur-rique pc-r.sition to () thi.s, in thatneed to seck out enterprisc solutions for rr-rirn1of thcse tl-rey ilre comrnonly hotli litigant antl untlerlr-riter.issues. Nou is the timc to consider nraking sr-rch a In that rcgart1, thc) likcli will he a resource for be stntove, since clata are !lr()irlg at an expLlnential rate. pracf ices for somc tirnc to c(lme.Whilc outs()urcing soure of tl-rese tzrsks, sLrch :r.s ESIcollcction, rer,iell, und rnonitoring, makes sen:c in Conclusionorganizations uith infrcquent litigation, it doc-.ntuith those cnritics in court on rr ueekly birsis. The At tirncs, thc 1-roliferurtion of clectronic data andsoftu:rre that prevcnts u.*e of e-miril b1certain tlepart- the currcnt habits of the qork fc,rce collidc, creirt-ments, referred to atrovc, providcs onc cornponent trt ing increases in risk. In regartl to ESl, risk managersthc- enterprise solution. Other irpplicatior-rs pmvidc Ferfrrnn a sirnilar role to that of safety of6cers. Bcstother coml-rt)nents ..rf the striutiou. practices mrrst bc comlnLrnicated ancl thcrr r,rse monitorecl; pe rpctrators rnust be sanctioned if viola-o Litication Irold softu,arc isolates rcler,rrnt custodial tions crccur. The hLrsiness commllnity has recognized data for prescrration pllrposes. ESI risk. T;ci-rnologics arc bcing clevck>pcd to hclp increase manlrge lnent of ESI trncl curh trctivit) thilto l)irta architecturc softr.rare rntrps and updirtes clilta ,"rou1.1 bc advcrse to ESI lnallagement. The educa- silos and stakeholdcrs. tion, monitoring, and continr.ral rcinfcrrcement of ESI policics uill lea.l to 2rn cntcrpriscuicle dccreasc . Ccrtain ,.ofnvare isolate.s, collccts, and hanests in risk.