How to store e-mail long term?

Is Archival Affordable?

As a mere lawyer, I struggle to understand from a technical perspective how to implement e-mail retention policy in a larger organization across many years.  Legally, the organization may – due to litigation hold or other factors – have incentive to store some (maybe a lot) of email a long time, more than five or seven years.

Legally speaking, the biggest mistake with e-mail records is to destroy them too early.  That could be spoliation.  So why not delay destruction a long time?

In theory long-term storage of much e-mail should not be expensive because the cost of raw storage is dropping.  However, IT folks in my SANS courses argue that the cost of storage media is not the key issue.  They argue the overhead associated with massive storage is high (they bring up things like expensive disk arrays).

Destroy Backup Tapes, Obstruct Justice?

Canada | Politician Emails Lost?

Which employee wants to be the target of a criminal investigation into whether public record e-mails were wrongfully destroyed?  Observers of a political corruption lawsuit in British Columbia were shocked to learn that – while the well-known lawsuit was pending – IT employees destroyed backup tapes  containing key e-mails by executives (i.e., government officials negotiating the sale of the then-government enterprise, BC Rail).  

This kind of news sounds sensational in the press.  The public naturally wonders what the justification was for erasing records.  How much does it cost, citizens ask, just to retain some tapes a few more years?  Did someone apply a record destruction policy as a convenient way to eliminate embarrassing evidence?  Should the employees not have observed a "legal hold" (also known as "litigation hold") on the records?

Such destruction of records, during an on-going prosecution, could be grounds for a criminal investigation into obstruction of justice, said a local expert quoted in the BC news media.

Such destruction of records may also qualify as spoliation, worthy of sanctions by a court.

Easy to Write Policy | Hard to Follow

In the field of records management, it is easy to write a policy that says an enterprise will destroy records like email regularly, but will apply a "legal hold" when a lawsuit or investigation arises.  However, in practice, to institute a legal hold is hard.  It is hard for the responsible employees to understand when and where they need to apply a litigation hold. 

Consider this issue from the perspective of employees in government agencies or other large enterprises.  They don’t want to do anything illegal.  But for an employee to stay fully informed of all pending lawsuits and investigations (even well-known ones) can be very difficult in practice.  Many employees who have control over email records do not know all of the matters to which they many pertain.

Safer Course

From the perspective of employees, the safer course of action is to retain electronic records of executives generously, for a long time.  Modern technology is causing the cost of email retention to drop. To retain a lot of e-mail is not as expensive as retaining a lot paper holding the same content.

–Benjamin Wright

Mr. Wright teaches e-records management and cyber investigations law at the SANS Institute.

Court Judges Corporation’s Record Retention-Destruction Routine

Phillip M. Adams & Associates v. Dell Inc.

Corporate record retention policies are taking a beating in court.

Conventional policy instructs employees to look at records on a one-by-one basis and decide according to rational standards what to keep and what to destroy.  Conventional policy further provides that when litigation arises, then a legal hold is applied – that is, record destruction is suspended and relevant records are retained.  Classic records and information management (RIM) theory holds that if a corporation follows such a conventional policy, then the corporation should not be penalized in litigation for improper destruction of records.

But the theory is not holding up.  Over the past decade, legal authorities have looked askance at record destruction policies.

At an emotional level, the attitude of authorities is, “What?  You’re telling me, big enterprise, that you don’t have any records on the topic of this lawsuit because you told your employees to destroy records (or you set up your system to destroy records automatically unless employees undertake arduous steps to preserve them)?  Explain that to me.  What is the urgency to destroy records in this digital age?   Maybe when records were paper an enterprise needed to rid itself of documents that occupy a lot of real estate and are hard to search.  But e-mail archives do not take up much physical space, and they are amenable to automated search.  I have a pointed question for you, big enterprise:  Did you as a matter of policy winnow down the number of your records so that you could achieve a general advantage in lawsuits?”

The legal system is unhappy with an enterprise that destroys records for the purpose of positioning itself for future litigation, even litigation that is not specifically anticipated.  The system calls that behavior spoliation.

Phillip M. Adams & Associates v. Dell Inc. is a striking case.  It sanctioned a company for destroying records for some years before the lawsuit was filed or specifically threatened.  In accordance with the company's policy, employees (including an engineer or two) destroyed records, or they refrained from preserving records as the company's computer systems destroyed them.

Storage space was limited on the company's central e-mail servers.  Servers overwrote (erased-purged) e-mail relatively quickly unless employees made special efforts to preserve them.

Although the company's policy was not fully expressed as a formal, unified document, the court was able to ascertain what the policy was from the company's deliberate practices and their effect.  Said the court, "“[The company's] practices  . . . tend toward loss of data. The practices place operations-level employees in the position of deciding what information is relevant to the enterprise and its data retention needs."

Effectively, the company's policy is what I've termed on this blog the make-a-decision style of records management, where individual employees are supposed to decide what records to keep and what to destroy.

The court essentially felt the policy was unreasonable.

Some commentators think the court made a bad decision because it runs counter to common business practice.  They speculate the court suspected bad faith on the company's part, but couldn’t specifically cite evidence to support that suspicion.

Regardless of whether the court was right or wrong, the case is consistent with a trend in 21st century law:  the legal system is distrustful of early or aggressive record destruction.  The legal system is providing enterprises a growing basket of incentives to be more generous in retaining records, especially email.

–Benjamin Wright

Mr. Wright teaches e-discovery and e-investigations law at the SANS Institute.

Alternative Dispute Resolution eDiscovery

Global Electronic Mail Record Retention-Destruction Policy

E-discovery (EDD) is a topic of growing importance in international dispute resolution. Although the US courts are considered the hotbed of e-discovery (along with, to a lesser extent, the other common law-based courts of UK, Canada and Australia), the topic cannot be ignored anywhere in the world.  For this reason, foreign (i.e., non-US and non-English tradition) organizations have growing reason to retain plentiful e-mail records, even if they have little or no exposure to the jurisdiction of US or other English-tradition courts.

Item One: The Chartered Institute of Arbitrators (known as CIArb, based in London) has published the Protocol for E-Disclosure in Arbitration.  In general, the Protocol is akin to the 2006 e-discovery amendments to the US Federal Rules of Civil Procedure. It confirms that “e-disclosure” (British for “e-discovery”) is a legitimate, even common issue in modern business-commercial arbitration, regardless of whether the common law countries (e.g., US, UK, Canada, Australia, New Zealand and in Asia Signapore) are involved. Further, similar to amended FRCP 16(b) and 26(a) & (f), the Protocol urges parties to confer early and often on e-discovery issues and seek to reach agreement on matters such as the scope, method and cost of e-discovery. And, similar to amended FRCP 26(b)(2), the Protocol presumes that hard-to-reach e-data (electronically stored information or ESI) are outside the scope of disclosure, though the presumption can be overcome.

Item Two: Could the e-discovery law of American courts hold that a continental European government, which hails from a civil law tradition (sometimes called the Roman law tradition), spoliate e-mail records?  The glaring answer is yes. In Reino de Espana v. American Bureau of Shipping, 2006 U.S. Dist. LEXIS 81415 (S.D.N.Y. Nov. 3, 2006), the national government of Spain sued a US enterprise, in US federal court, regarding an oil spill near Spain.  But as Spain initiated this lawsuit, it failed internally to implement an effective litigation hold on its own e-mail records. Spanish government computers lost, destroyed, deleted, erased relevant records.  The US court ruled that the government of Spain was at fault for spoliation.  

The law of spoliation is a key reason that US institutions have learned that generous, centralized retention of e-mail is today wise. The Spanish government has now learned the same lesson.

Update: Practical experience in Germany shows that businesses are, legally-speaking, wise to keep their e-mail records.

–Benjamin Wright

Corporate Electronic Mail Lost

Don't Adopt a Policy Executives are Disinclined to Follow in Practice

A famous e-mail spoliation case involved a formal policy that corporate executives were to “print and retain” important e-mails.  In this case the drafters of corporate records policy misunderstood how a written policy – which was sound in theory -- would be observed, or ignored, in practice.

Philip Morris and the federal government were engaged in a long-running lawsuit regarding marketing of cigarettes.  During the lawsuit, the company was required to preserve important records related to the topic of the case.

Philip Morris and its attorneys did not trust e-mail records (executives might make embarrassing, off-the-cuff comments in e-mail!), so they promulgated a two-part policy.  The first part would be to destroy e-mail in 60 days.  But they knew some e-mails would be relevant to the pending litigation and therefore the company must put those e-mails in a special category and prevent them from being destroyed.  So the second part of the policy would be print and retain – a kind of “legal hold”.  Written company policy informed executives they must print and retain paper records of e-mail pertaining to the topics important to the lawsuit.

Court Reviews Results

In 2004, after this policy had been in effect for some time, the court reviewed the results.  The court was shocked and disappointed to learn that company executives performed poorly at the task of printing and retaining. (Question to the reader: Should it come as a surprise to anyone other than a judge or a lawyer that well-compensated executives will falter at the job of [a] reading carefully through each and every one of their e-mails and deciding which ones do and which ones do not fit into a special legal hold category, and then [b] printing those special e-mails one-by-one and placing them in a select file in the cabinet for safekeeping?)

The court learned that some executives printed and retained some e-mails, but many did not.  Reply Memo in Support of the United States' Motion for Evidentiary and Monetary Sanctions Against Philip Morris USA . . . Due to Spoliation of Evidence, February 6, 2004, at page 15, footnote 20.

Further, the court learned that the print and retain policy confused some executives, as it was just one part of a complex statement of policies within the enterprise. Id. at page 15, footnote 19 

One can surmise that many executives believed they had more important things to do than (a) staying facile with the details of complex record retention policies, and (b) rigorously following the clerical duties specified by the policies. 

The company did not implement an inspection program to monitor or audit compliance with the print and retain policy – even though the company claimed – and probably honestly believed that it “vigorously monitors and reinforces compliance with its document retention polices”. Id. at page 14.

Many relevant e-mails were lost.  

Said the court: “[T]here is no question that a significant number of emails have been lost and that Philip Morris employees were not following the company’s own internal procedures for document preservation. What is particularly troubling is that Phillip Morris specifically identified at least eleven employees who failed to follow the appropriate procedures, and that those eleven employees hold some of the highest, most responsible positions in the company. These individuals include officers and supervisors who worked on scientific, marketing, corporate, and public affairs issues that are of central relevance to this lawsuit.”

Concluding that Philip Morris’ practice amounted to spoliation (i.e. wrongful destruction of evidence), the court levied memorable sanctions.  It fined the company $2.75 million.  But more importantly, it barred 11 key Philip Morris executives from giving testimony in the trial.  This latter sanction was more damaging to Philip Morris than the fine because it severely handicapped the company’s ability to defend itself in the lawsuit.

U.S. v. Philip Morris USA Inc. (D.D.C.Civil Action No.99-2496) (Sanctions Order)

Lesson to Be Learned

What is the practical interpretation of the Philip Morris case?  My interpretation: a print-and-retain policy does not work.  A print-and-retain policy means that the default is to destroy e-mail quickly . . . subject to the dubious exception that busy people like executives will one-by-one select individual e-mails for retention.  In practice busy people (who may receive scores or even hundreds of messages every day) are unlikely to patiently review every e-mail, make a responsible decision whether to keep it, and then if required dutifully ensure it is printed and stored in a paper file.

A modern update to the print-and-retain procedure is to direct employees to place retained e-mails in special folders like PST files.  Washington Metro learned that professional and managerial employees fare poorly at that task as well. 

--Benjamin Wright

Mr. Wright is an advisor to messagingarchitects.com, experts on email discovery and forensic analysis.