A court invalidated Privacy Shield, a popular program for enabling personal data to flow from the EU to the US. Here I examine good alternatives to Privacy Shield: https://www.unboundsecurity.com/blog/data-privacy-protection-from-eu-to-usa/
Privacy or Spoliation?
A movement is afoot in the European Union to grant individuals an online “right to be forgotten.”
The general idea is that a person would have the right to force a service provider to delete data the provider possesses about the person. That right would promote privacy.
Yet the right to be forgotten clashes with another emerging expectation in modern law, that is, the expectation that organizations will maintain extensive records about their activities. Broadly speaking, law in the digital age has become increasingly suspicious of early destruction of records. See UK case, record retention trends and civil law jurisdictions.
The ability of computers to create and preserve prodigious quantities of records has fueled a sense that organizations should keep records so they can be held accountable to society.
Law expects organizations to retain records for many purposes: consumer protection, collection of taxes, investigation of fraud, resolution of civil disputes and innumerable other purposes. If an organization deletes records too early, law will punish the organization under doctrines like spoliation and obstruction of justice.
So . . . when an organization evaluates whether to delete a person's data for privacy purposes, it also must weigh whether the data is a record that must be preserved under some other principle of law.
[Update November 2011] A US court ruled that putative privacy interests under European law do not justify the destruction of emails needed for litigation in the US. In IO Group Inc., et al. v. GLBT Ltd., et al., the U.S. District Court for the Northern District of California punished a website owner for intentionally destroying emails relevant to copyright litigation. The website owner argued that the U.K. Data Protection Act 1998 required destruction of the emails because they contained personally identifiable information that was no longer needed for business. The court dismissed the argument and held that the website owner had engaged in spoliation. E-Commerce Law Week; Issue 683, Week Ending November 19, 2011.
Denied without Rational Basis
E-discovery is not the gateway to a feast for the litigant requesting access to the electronic records held by its adversary. The party requesting e-discovery of complex information from a larger enterprise must be careful. If the request is not targeted, proportionate to the seriousness of the case and rationally based on already-known evidence, the request may be blocked.
Sanctions for Overly-Broad eDiscovery Request?
One e-discovery expert, Mary Mack, even predicts that soon a court will sanction a requester for being overly broad in its e-discovery request.
Another leader in e-discovery, Craig Ball, advises that when a requester demands that the record holder preserve ESI, the requester is shooting himself in the foot if he “demands the moon and paralyzes [his] opponent’s operations.”
In other words, crafting an e-discovery request is hard work. The request must be tailored to the case at hand as it exists – and according to the information that is available – at the time of the request.
Request Denied
See Mirbeau of Geneva Lake, LLC v. City of Lake Geneva, 2009 U.S. Dist. LEXIS 101104 (E.D. Wis. Oct. 15, 2009). After a city government turned over some paper printouts of email, the requester (Mirbeau) demanded that the city make all its computers and electronic storage devices available for forensic examination. To justify this demand, the requester argued that, in an earlier deposition, a city employee hinted that some relevant electronic evidence was being destroyed.
The court denied the request because the requester “failed to demonstrate why a more rigorous discovery process, with extensive forensics analysis of the computers by the plaintiffs, is needed in this case…. Mirbeau has failed to identify what type of information it hopes will be discovered through the forensic mapping of the entire City’s computer system, and Mirbeau has not explained that the information it is requesting would be in the form in which the defendant’s ESI [electronically stored information] is normally maintained.”
Court Urges Cooperation
Still, the court believed further e-discovery was warranted because the city had been less than diligent in retrieving records. The court urged the parties to cooperate to come up with a fair way to get information. It said: “While not intended to be all inclusive, the parties need to contemplate: (1) what different methods could be used to find ESI relevant to this litigation; (2) whether neutral parties could be procured to run scans on the electronic devices of the defendants; (3) whether the searches for ESI could be staggered, such as not to disrupt the City’s ability to function; (4) whether the searches could be narrowed such that they are focused only on certain parties and certain dates; and (5) what methods need to be in place to ensure that the privacy rights of third parties are not adversely affected during the discovery process.”
Rational Request, Based on Existing Evidence
The negotiation of e-discovery is a delicate, intellectual process. It's not enough for the requester to say, "give me [or save for me] everything you got." Nor is it enough for the record holder to say, "you aren't entitled to anything more," or "we just don't have any more records than these."
In this computer age -- when one fully comprehends every scrap of data that may exist anywhere on an iPhone, hard drive, or backup tape -- the quantity of records in an enterprise is infinite. Accordingly, it is ridiculous to say either:
- "I want everything" (to find and disclose every last data element takes too much effort); or
- "nothing more exists" (something more always exists somewhere within the control of the enterprise).
For the requesting party, a key challenge is to gather enough intelligence via depositions, interrogatories or other research to inform rational e-records demands.
For the responding party, the challenge is to be cooperative, while not enabling a "fishing expedition" by the requester.
–Benjamin Wright
Local County Government Compliance with State Standards
Records managers at Travis County, Texas, are publicly debating how to draft retention policy for the e-mail of over 4000 users. The county is subject to many confusing state directives and standards on records retention.
The Travis officials (Steven Broberg and Shawn Malone) have assembled a web site and blog to explain the issues and solicit public input. The officials outline three options, roughly being:
1. Continue the status quo, where each employee stores, deletes and/or categorizes e-mail without clear, modern guidance from management on how this should be done. Under this approach, some employees store a lot, and some store less. Some print “important” e-mails and place them in a file cabinet; others do not.
2. Train each employee to rigorously review each e-mail and decide its retention status (i.e., destroy quickly; OR place in category X so it can be retained for a certain period; OR place in category Y so it can be retained for a different period; and so on). New technology, such as artificial intelligence, may be on the horizon to facilitate this option.
This is what I have previously called the make-a-decision style of e-mail records management. The Travis officials call this the bucket approach . . . each e-mail fits into a bucket (i.e., a category to which are assigned rules for retention, destruction and so on) and a way must be found to put the e-mail into the right bucket. The officials note that some learned commenters have advocated the bucket approach, but the officials have appealed to the commenters to bring forward a good example of the bucket approach working in practice. See video at the bottom of blog post.
3. Keep all e-mail “indefinitely” (spam excluded). Related to option #3 is what Broberg & Malone call the haystack approach to e-mail records management. Rather than trying to place each e-mail into category X or Y so it can be found and managed as though it were a sheet of paper, the haystack approach simply keeps copious volumes of e-mail and then relies on search engines to find particular e-mails when they are needed, such as for e-discovery or an investigation.
Here’s my initial input to Broberg and Malone.
First, option #3 could be implemented in many different ways. It should be understood as not a single option, but a large family of options, with many flavors and nuances.
Second, I have previously voiced skepticism about option #2.
Third, I recently witnessed a large institution wrestle with the same topics. It knew that, like Travis County, its present condition was option #1. The e-mail system deleted each e-mail within 90 days, unless the user (such as an inventor) took effort to store it specially, such as in a folder. Its present e-mail usage had created, and was continuing to create, vast heaps of records. The internal audit department argued that all this stuff, stored according to user discretion, contained important material. Copies were spread around (rather haphazardly) on servers, desktops, laptops, BlackBerries and Androids. Those e-mails, and the data contained therein, included:
* assets of the enterprise (contracts, negotiations, representations, internal controls, intellectual property, delegations of authority)
* evidence that is and will be relevant to present and future investigations (lawsuits, e-discovery, corruption audits, fraud allegations, false pretenses, whistleblower complaints, retaliation complaints, misappropriation of funds, misallocation of funds probes, hostile work environment claims, etc.)
* sensitive information such as trade secrets, other intellectual property and personally identifiable (private) information
Internal audit argued that this scattered corpus of stuff needs to be managed, measured, controlled and secured. For privacy and other reasons, audit trails need to be kept to show who looked at which archives and when.
Further, argued internal audit, as the years go by, decisions about how long to keep this or that can change on account of matters like future litigation hold and changes in law (or changes in records management philosophy). In other words, the institution might initially set an e-mail for seven-year retention, but later learn it should be retained for 10 years. The institution needs a way to find the e-mail so it can be moved to the longer retention period.
E-mail, concluded internal audit, needs to be managed under a centralized archive appliance. In other words, all e-mail (excluding spam and the like) needs to be copied into an archiving system controlled by the institution, not individual employees. (Employees might still keep their own copies of e-mails at their discretion, but centralized archival ensures that the institution gets a copy of everything.)
Centralized e-mail archiving is largely a departure away from Travis County’s option #1, and it's not option #2.
Policy?
So precisely how long should an enterprise keep email records? There is no universally-correct answer. I have led in-house workshops to address this question at numerous, diverse enterprises. The outcome of these workshops has varied, depending on many factors, including corporate culture.
In my experience, the best email retention policy is one that is developed by collaboration of the various stakeholder departments in the enterprise (legal, IT, HR, operations et al.). Normally, these different stakeholders will start with different positions on what the policy should say. But, in my experience, after the stakeholders have talked through the issues, they tend to compromise their positions and coalesce into a policy that is unique to the enterprise.
--Benjamin Wright
Mr. Wright is senior instructor for the SANS Institute, where he teaches its 5-day course on the law of e-discovery, electronic records, data privacy and computer investigations.
Attorney Benjamin Wright helps others navigate the law of technology.