Warning: The contents of this article may make you paranoid about sending e-mails for the rest of your life

“A company with 100 employees sending or receiving the industry average 25 e-mail messages a day produces 625,000 e-mail messages a year, generally unorganized and full of potentially embarrassing or inappropriate comments.... ‘Deleted’ data is not really deleted at all.... The possibility that a deleted file can be restored or retrieved presents a temptation to engage in electronic discovery on a much broader scale than is usually contemplated in conventional paper discovery.”

—from introduction to Guidelines For State Courts Regarding Discovery of Electronically Stored Information, from the Conference of Chief Justices, for guidance to state court systems (www.ncsconline.org)

The “poof” has gone out of much of American business. What’s “poof”? “Poof” represents the disappearance of all visible traces of communications between boss and employee, banker and customer, colleague and colleague, and more. Once upon a time, much communication relied on human memory—fallible, faulty, forgiving human memory—for recall. Increasingly, “poof” has gone “poof.”

Think of your own workday. How many matters that you once settled by a simple walk down the hall for a ten-minute conversation get handled by six e-mails back and forth? How many heated phone calls that would occur, and then be smoothed over, get formalized for posterity in e-mail exchanges stored in at least two companies’ systems? Paper notes can be tossed; e-mail lives on.

“E-mail has become today’s default communication,” says Brenda Sharton, partner, litigation, in the Boston office of Goodwin Procter L.L.P.

When you sent them, did you ever think they might wind up on a front page? In court exhibits? Or worse?

We won’t even get into instant messaging, texting, voicemail, and whatever they invented last week. Nor some of the hidden elements some e-mails may contain, such as cuts, edits, and comments still in the file, and “metadata,” information regarding the history, tracking, and management of the electronic file. All of these are things that the right expert with enough money and motivation may be able to uncover.

Paranoid yet? You should be.

Discovering E-discovery
“It took lawyers a few years to figure out that there’s gold in them thar e-mails,” says attorney and records retention expert John Monta—a. “But today they are making e-mail an issue in lawsuits. If you are involved in lawsuits, you’ll be asked for e-mails.”

Monta—a, vice-president and general counsel for PelliGroup, Inc., Reston, Va., says that attorneys have found e-mail one of the most productive veins to mine during the process of “discovery.” This is the process, early in a lawsuit, when the other side begins asking your side (and vice-versa) for information that may support its case. Monta—a says requests for e-mail are so common, they are incorporated into legal boilerplate.

The potential for damage from e-mail is increasing. “Regulators, like plaintiff’s lawyers, ask first for e-mails, in the belief that they will tell them what’s really going on in an organization,” says Goodwin Procter’s Sharton. “And part of the problem is”—think Blackberries and other PDAs—“the more informal the communications tool, the less that people think before communicating. People just fire stuff off.”

More than one in five employers surveyed has had employee e-mail and instant messages subpoenaed pursuant to a lawsuit or regulatory investigation, according to a 2004 study by the American Management Association and The ePolicy Institute.

“In almost every piece of litigation today,” says Sharton, “it’s an e-mail that turns out to be the most important document in the case.”

To these risks, add another: reputation risk. “You have to stop and think, if you work for a bank, ‘How will this look on the front page?’,” says Sharton.

Rules becoming firmer
As e-mail and its usage have been evolving, so has the law, regulation, and legal rules pertaining to it.

In some industries, and in some sectors of the banking business, requirements for retention of e-mail and other electronic records are very precise and very strict. Monta—a points out that the Securities and Exchange Commission has very stringent rules regarding anything—including e-mail—that could be considered a “client communication.” Banks in SEC-regulated lines of business would be governed, in those lines, by such requirements, at a minimum.

Case law regarding e-mail has been evolving for some time, and some major decisions have been handed down in federal and state courts regarding what, when, how, who, and how much expense can be expected. However, enough time has gone by that formalized rules are developing.

The biggest movement on this front has been in the federal courts. On Dec. 1, 2006, major revisions to the Federal Rules of Civil Procedure, concerning discoverability of e-mail and other electronic records and documents, went into effect. The changes provide a framework for making rulings on discovery requests. (Note that the rules became effective in December not only for new proceedings, but also, to the extent “just and practicable,” all cases pending at that time.)

As these rules begin to become widely applied, this will bring more certainty to the e-discovery process.

However, Monta—a points out that the federal rules are guidance to federal judges, not truly binding on them.

A judge still has the ability to decide, on a case-by-case basis, to diverge from what the federal rules says, according to Monta—a.

Understanding rules’ scope
Goodwin Procter’s Brenda Sharton notes that, in spite of some misunderstandings out there, the new federal rules do not require that companies keep all electronic documents forever.

Even within the rules themselves, there is latitude. Consider this excerpt from revised Rule 26:

“A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. ... If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause....”

A commentary incorporated in the rules points out the gray nature of such decisions:

“It is not possible to define in a rule the different types of technological features that may affect the burdens and costs of accessing electronically stored information. Information systems are designed to provide ready access to information used in regular ongoing activities.

They also may be designed so as to provide ready access to information that is not regularly used. But a system may retain information on sources that are accessible only by incurring substantial burdens or costs.”

Of course, a bank must remember that it could wind up in state court, where the federal rules don’t apply.

Some states have adopted some form of rule to address electronic records, possibly including e-mail, while other rules are in development. In August 2006 the interstate judicial group, the Conference of Chief Justices, released “Guidelines for State Trial Courts Regarding Discovery of Electronically Stored Information,” as a springboard for states to use. This guidance was structured with both the federal rules and American Bar Association standards on civil case discovery.

In addition, while the federal and state rules can serve as guidance to other types of forums, they may not be binding on those venues. Monta—a points out that deliberations before specialized bodies may be subject to their own rules.

Risks of “spoliation”
In the old WWII spy movies, secret agents would always commit a written message to memory and then burn the original. Short of torture or treason, that data was safe inside their heads. But e-mail isn’t nearly so easily “burned.”

“It’s only when you’ve worked with a computer forensics expert that you understand what they mean when they say that nothing is really deleted,” says Sharton. “It never goes away. It can be overwritten, but that doesn’t always happen. You can’t count on it.” Indeed, even if an e-mail that a plaintiff or other party wants is truly no longer anywhere in your organization’s own system, it may exist in another organization’s system.

Partners, vendors, consultants, any number of third parties to a deal or project in litigation may still have CCs of deleted e-mails. And this is not beyond the reach of the lawyers.

“Third-party subpoenas” are quite common, says Monta—a.

Furthermore, the “third party” may not be a third party at all, but an organization’s own employee, if they have been saving e-mails to their local hard drive (or perhaps a personal e-mail account) and retaining them after the corporate e-mail system’s standard deletion dates.

Employee hard drives are part of the corporate system, of course. And an employee’s account on Yahoo or Hotmail is open to discovery if it’s been used for business purposes related to a matter in litigation.

“These accounts are in no way sheltered or protected,” says Monta—a. “They add a wild card to the situation.”

Sharton says any good plaintiff lawyer knows to include personal e-mail accounts in the discovery net.

Deletion and destruction of e-mail records treads into an area of law that is called “spoliation.” Broadly, spoliation in this context means the failure of one side in a proceeding to come forward with evidence—such as paper records, letters, and e-mails—that is in its possession. Spoliation may be “intentional or willful spoliation,” or “negligent spoliation.”

Goodwin Procter’s Sharton makes the point that if a company reasonably anticipates it will be a defendant, but nonetheless intentionally or negligently destroys e-mail, a jury may be allowed by a judge to assume the e-mail was damaging to its case.

The commentary to the new federal rules points out, for instance, that “... a party’s identification of sources of electronically stored information as not reasonably accessible does not relieve the party of its common-law or statutory duties to preserve evidence.” The rules contemplate times when, rather than completely ruling out recovery of information, a court may direct the organization asked for discovery information to perform tests or sampling of data requiring atypical recovery, with the court to weigh costs in light of that experience.

On the other hand, the rules clearly make the point that a company could lose potentially discoverable information without being culpable for that loss; this could be the result of “good-faith operation of an electronic information system.” In other words, overwriting part of a hard drive containing an old record that was “deleted” may not trigger trouble. However, the rules also make clear that once litigation is anticipated or actually started, a “litigation hold” ought to override typical, standard deletion.

Structuring an approach to e-mail
Banks frequently ask what they need to do here. Really definitive blueprints aren’t to be had—the matter isn’t addressed, for instance, in the FFIEC’s IT examination handbook.

“E-discovery has no one-size-fits-all answers,” advises Stephen G. Harvey, partner, litigation, in the Philadelphia office of Pepper Hamilton LLP.

That said, Harvey, who specializes in financial institution litigation, maintains that it is a basic “for every financial institution to prepare an information management plan that is tailored to the institution’s needs. Critical issues to consider include: the institution’s specific needs regarding e-mail and other electronic materials; the specific legal and regulatory requirements regarding preserving documents and electronic materials, which will depend upon the type of financial institution, and which agency regulates it; and the capabilities of the company’s e-mail system.”

Harvey stresses that this challenge is too big for any one department of the bank to take on alone. He believes the effort should include the input of at least the following functional areas: information technology; human resources; legal; compliance; and records management, if it is a separate function. Outside experts’ input may also be warranted.

“This is a balancing act,” warns John Monta—a of PelliGroup. “It’s not a very containable thing.” A bank will have to weigh costs and resource allocation versus ideal plans, ideal storage targets, and more. The more ambitious an approach a bank commits itself to at the outset, the bigger the burden it will represent as time goes by, says Monta—a. However, the less ambitious a bank’s program becomes—the quick-and-dirty of this business is the “30 days and out” plan, Monta—a says—the more likely employees will cheat, opening the bank up to trouble and expense.

And there is judgment, too. Montana points out that the bank may have a 30-day approach, and employees may even be abiding by it. If a plaintiff should convince a judge that, for some reason, a 30-day approach is inadequate given the matter in litigation, then the bank is headed towards significant recovery expenses in spite of having at least addressed the issue.

You can’t keep it all
Yet the other extreme doesn’t serve, says Goodwin Procter’s Brenda Sharton. “Some companies throw up their hands, and decide, ‘We’ll just keep everything’,” says Sharton. She says this is a poor solution, and not just because of all the expense of maintaining and tracking and indexing so much.

Such a strategy will wind up preserving huge amounts of e-mails that could potentially damage a bank’s case, especially with a plaintiff’s attorney who is on a fishing expedition. In addition, the deeper the pool, the more that winds up in the plaintiff’s discovery net. In many cases, attorneys must go through all of the e-mails to ensure that none of it falls into categories of “privileged information” that may not be discoverable. The bank may be getting itself into thousands of hours of attorneys going through e-mails.

“When you create the hay stack,” says PelliGroup’s John Monta—a, “you shouldn’t complain when you have to find the needle in it.”

Having made its judgments, however, a bank has to get on with business. Harvey suggests that once a plan is in place, performance under the bank’s e-mail policies and procedures be audited. It is one thing to mandate an approach, another to know down to one’s toes that everyone in the organization is following it.

The key point to take away from this whole section, the attorneys say, is this: The best e-mail policy you can have is the one that your bank will be able to consistently obey.

One relatively impartial source of guidance for banks investigating this is the nonprofit Sedona Conference (www.thesedonaconference.org).

Assessing tech aids
There are many vendors, and many variations, on technological solutions. Some are simple and straightforward.

GetBack Software, LLC (www.getbacksoft.com) offers a solution that allots every—or certain—employees an “allowance” of e-mail “postage.” Unlike inbox limits, which punish employees who may receive many unasked-for messages, the postage approach rations outbound usage. This helps hold down the size of the company’s e-mail challenge.

Other tech solutions are much more global. IBM FileNet Records Manager is a comprehensive enterprise records management system that can manage records, including, using a special interface, the e-mail system. Among other features, e-mails can be linked to other files concerning each of an organization’s customers.

Vendor offerings, thus, can be impressive, but experts warn against putting all of your faith into any electronic remedies.

“Solutions proposed by vendors may be good in theory, but there are a lot of vendors hawking their wares—not all of them reliable—and institutions need to be very careful,” says Pepper Hamilton’s Steve Harvey. “I would not recommend following the advice of vendors to not retain e-mails, unless it were done in connection with an information management plan and had the signoff of all of the institution’s advisors.”

Low-tech advice
Brenda Sharton says common sense and discipline can also help protect your bank from e-mail hell, plus training and awareness of the issues wrapped up in e-mail.

“If you can remember nothing else,” Sharton advises, “remember to pick up the phone. Don’t send an e-mail unless you are willing to have the president of your company see it.”

Moreover, Sharton suggests putting communication to the “letter test.”

“If you wouldn’t be willing to put your thoughts into a letter, don’t put it into an e-mail,” says Sharton.

Sharton says some major companies have actually barred senior executives from transacting affairs through e-mail. This is extreme, she says. However, if an organization is going to continue to make e-mail part of its communications suite, it behooves management to ensure that policies are in place and rigorously enforced. And that it has an IT team, Sharton says, “that is ready, willing, and able to communicate with outside counsel.” BJ

 
The electronic version of this article available at: http://lb.ec2.nxtbook.com/nxtbooks/sb/ababj0607/index.php?startid=44

 

TrackBack URI for this entry