In the US, a process known as “e-discovery” is requiring litigants to search for and disclose large numbers of electronic mail records in lawsuits. Penalties related to e-discovery motivate organizations to retain an ever-growing quantity of e-mail records.
In civil law jurisdictions in Europe, however, e-discovery is not compelling businesses to retain email as it is in the US.
However, research suggests that European companies are wise or required to archive e-mail records.
Société Générale is a large French bank. Jérôme Kerviel was a rouge trader who exposed the bank to potentially many tens of billions of euros in liability.
The case may be a landmark in French thinking about record retention. The bank had, in the ordinary course of business, retained Kerviel's email and text message records. As the scandal broke, at first the bank was reluctant to read his message records out of concern for his right to privacy. But the bank quickly dismissed that concern. The bank read his messages so that it could understand what he had done and what commitments he had made on behalf of the bank and then to correct his dangerous misadventure.
The lesson seems to be that companies in continental Europe do need to keep the records of important employee email and text messages so that the companies can understand their rights and responsibilities and to correct mistakes.
Requirement to Keep Records of Rights and Obligations
My friends in Europe inform me that civil law jurisdictions often require companies to keep records of their rights and obligations for numerous years. For example, I generally understand from Polo G. van der Putt of the Vondst law firm in Amsterdam that Dutch Civil Code Article 3:15i states an obligation for companies to keep for seven years “books of financial condition and of everything relating to the company and to retain records in such a manner that its rights and obligations can be determined at all times.” Further, Article 2:10 paragraph 3 requires seven-year retention for “All books, records and other data carriers which relate to the financial condition of the legal person and everything relating to its activities.”
It seems to me that email would commonly constitute the records evidencing the rights and obligations of a company or business. See Article 9 of the EU Directive on Electronic Commerce 2000/31/EC, which supports the formation of contracts by electronic means such as email.
Punishment for Not Having Records
I am in search of European cases in which businesses have been punished for failing to keep electronic records.
Research in Switzerland, under the guidance of Dr. Jürg Schneider, Walder Wyss & Partners Ltd., identified a case in which a criminal defendant in a conspiracy and money-laundering prosecution had violated his obligation to retain records by destroying many electronic documents at his company. The court found that by destroying records the defendant had hindered a criminal investigation and was therefore required to pay the full costs of the proceedings against him. (In the US and Canada, we would call the defendant’s action the crime of “obstruction of justice.”) The citation for the Swiss decision is SK.2008.18; it is a decision by the criminal division of the Federal Criminal Court of July 8, 2009. The decision is available in German on the web.
This Swiss decision points up a issue for organizations as they set policy for email retention and destruction. If the law will punish you for destroying records when you have reason to believe they will be needed in an investigation or lawsuit, then your policy for destroying email must be ready to stop the destruction at the right time. In practice, knowing when to stop, and then actually implementing the stop, are not easy for complex enterprises.
My knowledge of law in civil law jurisdictions is limited. If you the reader know more information or cases on this topic, I invite you please to let me know.
In partnership with Messaging Architects, Mr. Wright leads in-house workshops to help organizations establish policy on the retention and destruction of electronic records.
Many enterprises and professionals are using Twitter* for official business. One local government example is the City of Raleigh, North Carolina. The Raleigh municipal government appears to be using Twitter to broadcast public service messages.
For legal purposes, many professionals and enterprises are wise to archive some or all of their Twitter (or Foursquare) communications. Records may be needed for such purposes as subpoenas, e-discovery (EDD), public records law and the like.
How does one record Twitter for long-term storage? In practice it is difficult for an enterprise (or an individual professional) to manage electronic records –-Twitter or otherwise -- for long periods of time. This difficulty motivates records managers to focus their attention and resources.
I argue that electronic mail should normally be the cornerstone for archiving electronic business records. My feeling is that e-mail is the first digital place the legal system expects to find important records. When records managers tackle electronic records, e-mail is the logical first place for to focus attention and resources. Every business person has an e-mail account, through which he or she exchanges important messages.
Thus, as a business professional adopts social media like Twitter and Facebook for serious communications, a practical approach to archiving those communications is to capture them in the professional's email account. Services like Twitter and Facebook come and go. They are hot this year, but something else may replace them next year. The professional's email account, however, is fairly permanent and stable. The email account is the unified, timeless place to store all important communications.
I've previously suggested how to use a business email account to capture Facebook messages. Native Facebook provides tools for exchanging many kinds of FB messages via email.
I've looked for similar tools at Twitter.com. However, native Twitter does not appear to support email as much as FB does. Instead, Twitter supports SMS*. SMS is normally associated with cell phones.
Twitter's support for SMS gives me ideas for simple record-keeping. It is relatively easy to integrate SMS with email for the purpose of capturing messages in an e-mail account. I offer some simple examples here. I'll bet even better ways exist.
For some professionals, the easiest way to submit a tweet* to Twitter via SMS, while also saving a copy in a business email account, is with a cell phone. Many cell phone services such as Sprint allow the user to send an SMS message to a mobile number (such as the mobile number that Twitter supports) and, at the same time, to an e-mail address. Accordingly, a user could use SMS on his Sprint phone to send a tweet to Twitter, with a copy to his business e-mail account, where it can be archived like all his other email.
In the alternative, the professional can subscribe to a paid service like ipipi.com to act as a gateway between email and SMS.
If the professional uses Microsoft Outlook for e-mail, she could exchange SMS message from her email client using the Outlook Mobile Service. The service works via an SMS account with a provider like your cell phone carrier, and thus might involve special charges. Using the Outlook Mobile Service, the user could send an SMS tweet to Twitter, and her Outlook account would keep a record just as it normally would keep a record of an outgoing email.
Here is a screenshot of a tweet sent from a Sprint phone.
What do you think of these ideas, Gentle Reader?
Update: Apparently there is a twitter gadget for gmail that will store your tweets in gmail so they can be archived like email.
Another update: Apparently Twitter, and search engines that search Twitter, lose much of the tweet conversation quickly. Although Twitter keeps tweets indefinitely, it is unable to search for features like hashtags, which organize ongoing conversations, such as #iranelection. Similarly, LinkedIn seems not to display public conversations more than a couple of weeks.
Third update: The Broward County Sheriff's Department has created its own Twitter-like service, called CyberVisor, to broadcast messages about crimes and emergencies as they develop. Presumably the Sheriff's Department can control and record this service better than something on Twitter.
* What is Twitter? Twitter is a popular social media service that allows users to broadcast and read short messages. The little messages are normally stored on Twitter’s web site (in the form of a so-called micro-blog), and are often transmitted to other places such as cell phones and widgets on other web pages.
* What is SMS? SMS means short message service. It is best known as the standard for exchanging text messages among cellular and mobile phones.
* What is a tweet? A tweet is a short text message, no more than 140 characters, broadcast or micro-blogged from a user's account in Twitter.
Summit Title: "E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy"
Announcement: We have cancelled this conference. We are evaluating whether to revive it at different place, time and/or format. If readers or potential partners/sponsors have any ideas, please contact Ben Wright. Many thanks to the speakers who agreed to support this summit.
Former date and place: September 27-28, 2010, Las Vegas
Summit Description: Almost unheard of ten years ago, electronic discovery is today chewing up IT resources – equipment, services and staff time. Recognizing that many electronic records such as e-mail, spreadsheets and text messages might some day be demanded in a lawsuit or freedom-of-information request, what policy should your enterprise adopt for retaining and destroying electronic records? Although it is foolhardy to keep everything forever, numerous, recent court cases have punished organizations for failing to retain data, or for failing to find and disclose it in a timely, responsive manner. This summit [conference] draws from the wisdom of diverse experts and end-users, including case studies, to address:
- the process for setting workable policy,
- techniques for managing storage and service costs,
- confidentiality, security and other tradeoffs between in-house and cloud storage,
- ever-improving methods for searching and culling vast troves of records,
- real-world experiences on the interplay between lawyers and IT professionals,
- protocol for access to records for internal investigations,
- international issues, including non-US privacy laws.
Given that law and technology are simultaneously undergoing rapid change, the summit assesses what the future may hold for e-records management policy, products, services and legal expectations.
We are looking for sponsors and suggestions! If you wish to exhibit or offer an idea, then please:
- leave a comment below; or
- call me at 1.214.403.6642; or
- email ben underscore wright at compuserve dot com (put "BLOG" in subject line).
Update: We are proud to announce these confirmed speakers:
- Steven Broberg and Shawn Malone of the Records Management Department of Travis County, in Austin, Texas
- Jorge Rey, Director of Information Security and Compliance, Kaufman, Rossin & Co., P.A. (policy development case study)
- Kevin Bong, Director of Corporate Security, Johnson Financial Group (end-user policy case study)
- Sonian, Inc. (cloud email archiving)
- Alex Blumrosen (American attorney practicing in Paris, France)
- Greg Smith, Messaging Architects
- Vivien Osamiluyi, Internal Auditor, Legg Mason
- CrowdFlower will demonstrate crowdsourcing as a tool for assessing large quantities of documents in an official investigation, such as a lawsuit or government inquiry
- Michael Osterman of Osterman Research
- Brian W. Foster, Access Sciences Corporation
- Kevin Larson - Qualcomm, Inc (end user enterprise)
- Digital Reef
- Jesse Wilkins - Access Sciences Corporation
- Jim Balter - University of Miami
Twitter hashtag for the Summit: #sanspolicy
Summit Agenda
[Tentative as of July 21, 2010 - Subject to Revision.]
[Not yet approved by Speakers.]
September 27 – 28, 2010
Las Vegas, NV
Title: "E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy"
The mission of this Summit is to stimulate discussion and debate as a tool for learning. Each session will allow ample time for interaction among participants.
DAY ONE Monday, September 27
9:00-9:40: Welcome and Introduction
Speaker: Benjamin Wright, Summit Chairman
Title: Resolving the conflict in electronic records retention policy setting.
Abstract: The quantities of electronic records are skyrocketing, and courts are expecting better retention of them. How do we reconcile these developments with traditional records management practices? What to expect in this Summit. Mr. Wright will query participants to bring their issues and experiences to light.
Throughout the Summit, Mr. Wright will attempt to summarize and stimulate discussion around major points that emerge from the sessions.
9:50 – 10:50
Title: Records Managers – Travis County, Texas – Confront E-mail
Speakers: Steven Broberg and Shawn Malone, Records Department, Travis County, Texas.
Abstract: Professional records managers will articulate the considerable challenges they have encountered in trying to square legal expectations with the realities of email in a complex enterprise having 4500 email users.
10:50 – 11:10 Break
11:10 - 12:15
Session Title: Experts on Record Retention Policies
Speaker: Access Sciences Corporation - Brian W. Foster (former Director of eDiscovery at one of the top five global oil companies) and Jesse Wilkins
Session description to be determined.
Lunch 12:15 – 1:30
1:30 – 2:20
Session Title: Finding Email Records in the Real World
Speaker: Greg Smith, Messaging Architects
Abstract: Practical e-discovery experience – the proliferation of email records throughout an enterprise, including in unexpected places. Stories from the trenches.
2:20 – 2:40 Break
2:40 – 3:55
Session Title: User Panel
Abstract: All enterprises wrestle with how to set policy for the retention of electronic records in a changing environment. Hearing the experiences of diverse user enterprises can paint a more realistic picture of what is possible and what should be expected for well-crafted policy.
Panel Members:
Internal Auditor: Vivien Osamiluyi, Legg Mason
Kevin Bong - Johnson Financial Group
Kevin Larson - Qualcomm, Inc (end user enterprise) - How do security issues influence policy on electronic records retention? Podcast about Kevin's presentation: Download Sans_intro_klarson
- Jim Balter - University of Miami
Steven Broberg and Shawn Malone, Records Department, Travis County, Texas
4:00 – 5:00
Session Title: e-Discovery's Influence on Email Record Retention Policy
Speakers: Digital Reef - Steve Akers (Founder and CTO) and Digital Reef's Customer, James Bandes
Abstract: What are practical experiences with e-discovery telling us about how to write and implement e-record retention policies?
DAY TWO Tuesday, September 28
9:00 – 10:00
Session Title: European Experience
Speaker: Attorney Alexander Blumrosen, Bernard-Hertz-Béjot - Paris, France
Abstract: In lawsuits and investigations, privacy issues can loom larger outside the US. How are these issues influencing e-Discovery and the development of e-records policy in Europe?
10:05 – 11:00
Session Title: Drawing Practical Lessons
Speaker: Benjamin Wright, Summit Chairman
Abstract: What are the larger implications of the stories from day 1? How can these be combined with the lessons today to write a take-home list of principles and guidelines? Mr. Wright will lead the group in compiling that list, starting now and running through the rest of the day.
11:00 – 11:20 Break
11:20 – 12:15
Session Title: The Future of Electronic Records Policy and Technology
Speaker: Michael Osterman, Osterman Research
Abstract: What are the big trends in records management and e-discovery and how are organizations not keeping pace from a policy perspective with regard to records management, social media management, or managing data for regulatory or legal compliance? How is technology changing and what is the role of technology vis-à-vis things like employee training and establishment of corporate policies? What can we expect two years, five years from now? How should enterprises prepare for the future from both a technology and non-technology perspective?
12:15 – 1:30 Lunch
1:30 - 2:30
Session Title: e-Mail & Electronic Records Disposal Policy Case Study
Abstract: In this case study, an accounting firm helped an organization save costs by implementing a policy that reduced the quantity of electronic records and emails retained. During this session, ample time will be available for all Summit participants ask questions, make comments and debate.
2:30 – 2:50 Break
2:50 – 3:40
Session Title: Cloud Storage of Records
Speaker: Sonian, Inc. and End-User Customer
Abstract: What are the true costs for storing enterprise email in the cloud? As a practical matter, can the enterprise be assured that those records will be secure and will be retrievable many years in the future? Will privacy and confidentiality issues limit the use of cloud services for the storage of critical business archives? Can these issues be addressed with contracts, technical controls and other procedures?
3:45 - 4:15
Session Title: TBA
Speaker: TBA
4:20 – 5:00
MUST SEE HIGHLIGHT OF THIS SUMMIT!
Session Title: Crowdsourcing Demonstration
Speaker: CrowdFlower
Abstract: In modern lawsuits and investigations, the massive volumes of electronic records is daunting. How do we make sense of all these records? Crowdsourcing may be one effective tool, where a swarm, an army, of virtual workers is employed to review and analyze records. CrowdFlower will present a pioneering demonstration of this concept, live at the Summit. Don't miss this unprecedented learning experience. Download Media alert SANS-CrowdFlower
Freedom of Information Act requests will eventually motivate governments will publish on the web large portions of their official records, including the emails and text messages of officials and administrators. Federal, state and local governments are being swamped with FOIA requests for email records of officials like county commissioners.
As more and more of these records are released to the public, people publish them on the web. AnnArbor.com, a news organization, has assembled and published more than 2700 pages of emails of the city council members for the municipality of Ann Arbor, Michigan. The records cover messages exchanged among members during the council's public meetings. The municipality had released the e-mail records, piecemeal, on paper in response to numerous FOIA demands over time. The news outlet then gathered them from the various requesters, scanned them into digital form, organized them and published them on the web. As a consequence government became more transparent in that city.
As technology advances, and as populist activists make more use of FOIA, it will become easier and more common to find and assemble records like these on the open Web. Ever-greater transparency in public administration is an inexorable force in the 21st century.
Wise government leaders will embrace radical transparency. Instead of dribbling records out in small units, they will jump straight to the endgame and publish an ever-growing swath of their internal records and communications directly on the web and make them easily searchable.
Meanwhile many politicians and managers will live in denial and fail to understand how technology is changing society. The Ann Arbor city council, for instance, explicitly decided in October not to publish on the web a database of emails similar to the one that annarbor.com compiled and published.
Recent Comments