Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

This presentation is designed to change the way in which you look at electronic communications, and to pave the way for new communications technologies that offer the privacy and security of a hallway conversation with the efficiency and convenience of asynchronous communication through electronic text.

Published in: Technology, Business

  1. The Case for Electronic Conversation
     Jon Neiditz [email_address]
     Partner and Information Management Practice Leader, Nelson Mullins Riley & Scarborough
  2. Discussion Agenda
     - How the unintended consequences of email got us here
     - Current demands on lawyers and companies
     - Best available means of coping with the complex environment we inherit
     - Rethinking communications technology for:
       - record creation and
       - communications for which a record is inappropriate or unnecessary
       - enabling the "hallway" conversations of the past
  3. Seeds of the Tragedy of Email
     - The invention of email
       - Replacing speech itself due to the efficiency and convenience of asynchronous communication
       - Offering the illusion of privacy as in a conversation between two people
     - The tragic flaw
       - Emails were given eternal life and ubiquity
       - In our society, permanent, public utterances made under a false belief in privacy are the ideal fuel for litigation and investigations
       - Social networking, IM, SMS and other electronic communications approaches have the same flaw
     "Much care has to be taken with design and education in order for the change to be positive. We don't have natural defenses against fat, sugar, salt, alcohol, alkaloids - or media." - Alan Kay, 1994
  4. Email and the Myth of Tithonus
     - When Eos asked Zeus for Tithonus to be immortal, she forgot to ask for eternal youth (218-38). Tithonus indeed lived forever
       - "but when loathsome old age pressed full upon him, and he could not move nor lift his limbs, this seemed to her in her heart the best counsel: she laid him in a room and put to the shining doors. There he babbles endlessly, and no more has strength at all...." (Homeric Hymn to Aphrodite)
     - In later tellings he eventually turned into a cicada, eternally living, but begging for death to overcome him.
     "Tim Berners-Lee forgot to make an expiry date compulsory ... any information can just be left and forgotten." - Brian Carpenter, 1995
  5. How the Story Unfolded
     - Since emails become the central focus of litigation and investigations, Zubulake and progeny impose sanctions and adverse inferences for failure to preserve or produce relevant emails.
     - Enormous risks and uncertainties have led many to "keep everything."
     - Keeping everything exacerbated the huge search costs of sifting through the terabytes of data in search of smoking guns.
     - FRCP changes tried to mitigate the unbearable costs of ESI disputes by encouraging early agreements on ESI, but early discussions only accelerate the searches and their costs if ESI is not limited and organized.
     "Faith in law will not be an effective strategy for high-tech companies." - John Perry Barlow, 1994
  6. Pandora's Box of New Media Released by the Nostalgia for Synchrony
     - IM, SMS/Text, Blackberry PIN-to-PIN, Twitter and other new communications media were born out of the desire to recapture the immediacy of spoken conversation in a multitasking world
     - All of them share the tragic flaw of email; they can be recorded, if not by you, then by the other side
     - Their proliferation can make the explosion of volume posed by email into a much bigger problem for organizations
  7. How Messaging has Changed Counsel's Role
     - Case law puts increasing demands on counsel to assure and attest to detailed and consistent processes relating to:
       - holds
       - searches
       - record, document and ESI retention and destruction programs
     - These demands (together with information security, privacy and other issues) force counsel to control or represent complex controls on information
  8. Holds: Attorney Accountability for a Complex Compliance Process
     - Cache La Poudre Feeds, LLC v. Land O’Lakes, Inc., 244 F.R.D. 614 (D.Colo. 2007)
       - Court faults Land O’Lakes for simply directing employees to produce relevant information and then relying upon those same employees to exercise their discretion to determine what information to save, rather than actively supervising a process.
     - Google v. Am. Blind & Wallpaper Factory, 2007 WL 1848665 (N.D.Cal. 2007)
       - Google alleges American Blind's efforts to preserve, collect, and produce relevant evidence were inadequate.
       - American Blind asserted preservation notices were sent to custodians.
       - Court ordered American Blind to provide declarations stating “what they did with respect to preserving and collecting documents.” (emphasis in original)
  9. Search Methods and Performance Closely Scrutinized
     - Peskoff v. Faber, 240 F.R.D. 26 (D.D.C. 2007)
       - "Once the search is completed...Defendant must also file a statement under oath by the person who conducts the search, explaining how the search was conducted, of which electronic depositories, and how it was designed to produce and did in fact produce all of the emails I have just described . . . An evidentiary hearing will then be held, at which I expect the person who made the attestation to testify and explain how he or she conducted the search and ...why I should find the search was adequate."
  10. Consistency: The Email that Changed Governance
      - AA records retention policy said client documents should be destroyed after an engagement concluded.
      - Federal prosecutors said no partner or employee interviewed had ever known about or followed that policy.
      - A “reminder email” concerning the policy was sent by AA counsel to AA’s Enron partners, and they began to destroy Enron documents.
      - The Government’s case against AA was based in part on the fact that the policy had not been implemented by AA consistently.
      - “Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the party’s electronic information systems.”
        - FRCP Rule 37(e)
  11. Surely an ESI Map Will Help….
  12. The Trend in Security Incidents and Their Detection
  13. Layers of U.S. Information Security Laws
      - HIPAA Security, and now ARRA/HITECH
        - Coming soon to business associates near you
      - GLBA Safeguards
        - Applied beyond financial institutions under FTC’s broad Section 5 consumer protection powers ("Unfair Trade Practices"), since 2004
      - State Breach Notification Laws in 45 States, D.C., P.R. and V.I.
      - Federal Breach Notification
        - HIPAA Breach Notification from ARRA
        - FTC Breach Notification from ARRA
      - Broad State Requirements of Security for Personal Information in 10 States (now establishing the high bar in several of them)
      - FCRA/FACTA: Disposal Rule and Red Flags Rule
      - State Secure Destruction Laws in 23 States!
      - State SSN Protection Laws in 29 States!
      - Sarbanes-Oxley
      - Other ID Theft Laws
  14. ARRA: Extreme Rights-Based Approach to Notice-Triggering Information
      - State (More or Less Harm-Based) Model: "Personal information" means:
        - an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
          - Social security number.
          - Driver's license number or California Identification Card number.
          - Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
          - Other factors added in many states.
        - Only 6 states cover paper breaches
      - ARRA's Pure Rights-Based Model: ANY "Unsecured" Protected Health Information (including paper)
        - DHHS tries to infer a harm-based standard from "compromises" in its interim final rule
        - Waxman et al. attack
        - Congress will probably win given the statutory language
        - The outcome will make no sense whatsoever as policy
        - Defensible destruction of electronic communications never looked so good
  15. Stimulus Act – Encrypt or Destroy
      - Only 2 approved methods for protecting: encryption or destruction.
      - 2 types of encryption specified: for data at rest (with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices) and for data in transit (those that comply with the requirements of Federal Information Processing Standards ("FIPS") 140-2). So if the standards are adopted as proposed, encrypted email should meet FIPS 140-2.
      - 2 methods of destruction specified: for non-electronic media (paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed) and for electronic (electronic media should be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved).
      - Only applies to breach, but DHHS standards for encryption and destruction are likely to have broader impact.
  16. FTC Best Security Practices
      - A sound data security plan is built on 5 key principles:
        1. Take Stock
        2. Scale Down (e.g., destroy)
        3. Lock It (e.g., encrypt)
        4. Pitch It (e.g., destroy)
        5. Plan Ahead
  17. PCI DSS – The Ultimate "Encrypt, but When it Really Matters, Destroy" Message
      * Data elements must be protected when stored in conjunction with PAN
  18. Expect Large, Ongoing Legal Changes in These Areas:
      - The Cloud
        - Privacy
        - Security
        - eDiscovery
        - Records Management
        - Authenticity/Admissibility/Enforceability of Documents
      - Behavioral Targeting
        - Chiefly Privacy
      - Defensible destruction of electronic communications will look even better than it does now
  19. All We Counsel Generally Have are Mitigation Strategies
      - Records and information management programs that are:
        - consistent enough to be defensible and
        - simple enough to be consistently applied.
      - Training on document creation and recordkeeping discipline with aggressive, defensible destruction of unnecessary documents
      - Electronic resources policies that divide electronic communications and collaboration technologies into 3 large categories:
        - Technologies that may not be used to do Company business, period;
        - Technologies that may be used to do Company business, but only for "casual" and other "transitory" communications, and not for creation of records or for matters subject to holds; and
        - Technologies that may be used for the creation of records and to address matters subject to holds.
  20. Key Components of a Records & Information Policy Now
      - Policy document emphasizing accountability and the primacy of holds
      - Simplified, functionally-defined schedule
      - Hold Process
      - Roles and Responsibilities
      - Implementation and Administration
      - Imaging Process for e-Records
      - Separate but closely linked: Electronic Resources Policy that draws the line on electronic resources that can create records and address issues subject to holds
  21. Three Questions
      - What if we had a do-over, a mulligan?
        - How easy would it have to be for end-users?
      - Why can we not have the benefits of the information society without always subjecting ourselves to the detriments of the e-discovery society, the privacy of a conversation with the efficiency of text messages?
      - If you accept the legitimacy of Category #2, why would you fill that bucket with communications technologies that the other side can record?
        - Why keep anything that is supposed to be "transitory?"
  22. The Sedona Conference Email Commentary Tries to Help
      - 'While some courts are uncomfortable with automatic deletion of active email after a short period, no court has found such a process to be unreasonable where provisions for litigation holds are included and the user has alternative methods of disposition prior to deletion. If discoverable information is not preserved by a user before the copy is eliminated by automatic deletion, but after a preservation obligation has attached, a court will examine whether the use of the automatic deletion feature was “routine” and operated in “good faith,” which is fact specific.
      - 'Notably, an organization is perfectly free to choose the degree to which it relies upon the discretion of individuals in managing email and applying records schedules; It is not an indication of bad faith to rely upon individual user discretion. That said, an organization must provide those employees with adequate training and direction to exercise judgment with respect to the retention and destruction of emails.'
  23. Will Collaboration Software Replace Email?
      - The General Counsel of General Motors influenced the Sedona email commentary by taking the position (which it has continued to maintain) that emails cannot be used to create GM records, that records are created only through the use of (engineering-focused) collaboration software.
      - Therefore, all emails could with confidence be destroyed shortly after sending or receipt.
      - Many organizations similarly now look to SharePoint as the proper future locus of business communications.
  24. Collaboration Software as Email Replacement: Pros and Cons
      - Pros:
        - Takes on the illusion of privacy effectively; people are less likely to write silly, colorful, private things in engineering collaboration software.
        - Does not merely rely on denial that emails create records; provides an alternative medium for communicative record creation
      - Cons:
        - 30-day email retention policies always drive underground archiving
        - Nothing stops the other side from retaining email
        - Email is designed to create records
      "Most things that succeed don't require retraining 250 million people." - Waring Partridge, 1995
  25. Why use a medium designed to create records for:
      - Informal communications?
      - Internal, preliminary discussions about promotion or discipline of employees?
      - Brainstorming (except to prove pre-existing use for IP)?
      - Personal communications?
      - Personal information that is notice-triggering or a PCI DSS violation in the event of a security breach?
      - Unofficial announcements?
      - Sales processes – pricing strategy, prospect reactions?
      - Project work – client reactions, financial issues?
      - Preventing unintentional disclosure of IP and trade secrets?
      - For your eyes only (privileged, confidential or sensitive)?
      - Other off-the-record conversations?
  26. The Opposite of GM's Approach: Electronic Conversation
      - Email, IM, social networking technologies and other forms of "informal" communication – including all those designated "casual and transitory" – all create records, if not for you then potentially for the sender or recipient, and the court, and the rest of the world, forever and ever.
      - Efforts to destroy them soon after send/receive almost always create underground archiving in organizations.
      - Instead of trying to define email as recordless (as did GM), what if we instead acknowledge that email and archiving are a good way to keep records (that may or may not be replaced by collaboration software)?
      - For communications that are supposed to be transitory, what if we use another communicative method with the intuitive ease of email that does not create records?
  27. A New Perspective?
      “Business is not required to communicate via e-mail. Unless the law or regulators demand a record of your discussion or transaction, private recordless communication conducted in person, on the phone, or via electronic confidential messaging is legal and may be the most appropriate form of business communication.”
      Source - ePolicy Handbook, 2nd edition
  28. Go Ahead, Ask the Hard Questions
      - Jon Neiditz
      - (404) 322-6139
      - [email_address]
