Storage Soup

Mar 6 2008   12:31PM GMT

FRCP looking like a PITW (Pain in the Wallet)

Tory Skyers

I’m not sure how we get all mired in TLAs, but this FRCP is going to be a PITA (pain in the you-know-where), because it’s a four-letter acronym!

I’ve been fielding quite a few requests for legal holds recently, and I’ve been tracking the storage used by legal holds on our SAN and tape library. Out of curiosity, I started doing research on the average length of a trial, then tabulating the cost of storing the data requested on WORM for that time.

Guess what I’ve found? Some trials last a loooooooong time, and the costs are not insignificant. Now I see why Beth has been ringing the alarm about FRCP.

My company has been very lucky — we have a great risk and legal team as well as solid policy. But people will still sue if you have a business address. The incidental cost of keeping someone’s mailbox around for five years or so while they litigate (then appeal when they lose) is high, but can a company afford not to do so? What happens when you can’t produce an email to back up your side of a dispute? Worse still, what if the other side accuses you of damaging their case by not providing them with the emails they’ve requested?

There’s a “Safe Harbor” clause in the FRCP that absolves companies of responsibility if the company has — and strictly follows — a deletion and retention policy. This protects the company from falling afoul of the regulation, but does my act (as an end user) of deleting an email fall under the “Safe Harbor” clause?

Let me put on my lawyer hat. Okay, it’s on. I’ve seen some precedent that leads me to believe that simply having and following a policy is not enough. Say that, as a network administrator, I have a policy that strictly prohibits viewing pornography on a company network. I can communicate the policy, but if I don’t have measures in place to actively block pornography or follow up complaints about it, I may leave myself open to suit. Some of you may be thinking, “Why would you have a rule that you can’t look at pornography and not have a content filter in place?” My point exactly: Why have a deletion and retention policy, and allow people to do their own deleting and retaining?

This is going to get very esoteric and confusing (as many of our laws are), but what I took away from this article was this: If you allow me to do something, you may be implicitly approving of the behavior. Not to mention that while the employee viewing the pornography is breaking the rules and doesn’t have a case against me, what about the person walking by their terminal who sees it against their will?

So as it relates to e-discovery, if you allow me to delete my own emails, are you implicitly approving of me disobeying retention and deletion policy?

I started thinking about this a little deeper (which almost always spells trouble) and technically, it seems like I would have to have CDP in place and store every email entering and leaving every mailbox forever to be really covered against every contingency. Suppose I’m an end-user, and I delete an incriminating email, but then sue and claim I need the email to prove my case, and that you should have that email available... BUT my mailbox wasn’t backed up before I deleted the message. Are you, the respondent, still in hot water?
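To make the preservation question above concrete, here is an added example (mine, not code from the post or from any product mentioned on this page) that models the two designs side by side: a nightly mailbox backup, where a message the user deletes before the job runs leaves no copy anywhere, and a capture-on-ingest journal (the "CDP" idea), where a user delete removes only the mailbox view while a retention schedule and legal holds govern the journal copy and every action lands in an audit log. The class and function names, the five-year retention period, the custodian name and the sample message are all assumptions constructed for the example; it also goes one step past the paragraph by showing that, once the hold is released, the schedule disposes of the message in the ordinary course.

```python
"""Two email-preservation designs modelled side by side: nightly mailbox
backup versus capture-on-ingest journaling with retention and legal holds.
Every message, date and custodian name here is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str  # mailbox owner
    received: date
    body: str


@dataclass
class BackupOnlyStore:
    """Mailboxes are copied by a nightly backup job. A user delete that lands
    before the first backup leaves no copy anywhere: the gap the post asks about."""
    mailboxes: dict = field(default_factory=dict)  # custodian -> {msg_id: Message}
    backups: dict = field(default_factory=dict)    # custodian -> {msg_id: Message}

    def ingest(self, m: Message) -> None:
        self.mailboxes.setdefault(m.custodian, {})[m.msg_id] = m

    def user_delete(self, custodian: str, msg_id: str) -> None:
        self.mailboxes.get(custodian, {}).pop(msg_id, None)

    def nightly_backup(self) -> None:
        for custodian, box in self.mailboxes.items():
            self.backups.setdefault(custodian, {}).update(box)

    def producible(self, custodian: str, msg_id: str) -> bool:
        return (msg_id in self.mailboxes.get(custodian, {})
                or msg_id in self.backups.get(custodian, {}))


@dataclass
class JournalingStore:
    """Every message is copied into an append-only journal at ingest. Users
    delete only from their own mailbox view; the journal copy is removed only
    by the retention schedule, and never while the custodian is under hold.
    Every action is appended to an audit log, so a deletion attempt is
    visible afterwards instead of silently succeeding."""
    retention_days: int
    journal: dict = field(default_factory=dict)    # msg_id -> Message
    mailboxes: dict = field(default_factory=dict)  # custodian -> {msg_id: Message}
    holds: set = field(default_factory=set)        # custodians under legal hold
    audit: list = field(default_factory=list)

    def ingest(self, m: Message) -> None:
        self.journal[m.msg_id] = m
        self.mailboxes.setdefault(m.custodian, {})[m.msg_id] = m

    def user_delete(self, custodian: str, msg_id: str) -> None:
        removed = self.mailboxes.get(custodian, {}).pop(msg_id, None)
        self.audit.append(("user_delete", custodian, msg_id, removed is not None))

    def place_hold(self, custodian: str) -> None:
        self.holds.add(custodian)
        self.audit.append(("hold_placed", custodian))

    def release_hold(self, custodian: str) -> None:
        self.holds.discard(custodian)
        self.audit.append(("hold_released", custodian))

    def apply_retention(self, today: date) -> list:
        """Purge journal copies older than the schedule, skipping held custodians.
        Returns the purged ids so the run can be reconciled against the log."""
        purged = []
        for msg_id, m in list(self.journal.items()):
            expired = (today - m.received).days > self.retention_days
            if expired and m.custodian not in self.holds:
                del self.journal[msg_id]
                purged.append(msg_id)
        self.audit.append(("retention_run", today.isoformat(), tuple(purged)))
        return purged

    def producible(self, msg_id: str) -> bool:
        return msg_id in self.journal


def scenario() -> dict:
    """The post's worst case: the user deletes a message before the nightly
    backup runs, and a hold is placed later. Returns what each design can produce."""
    day0 = date(2008, 3, 6)
    msg = Message("msg-1", "alice", day0, "constructed sample message")

    backup = BackupOnlyStore()
    backup.ingest(msg)
    backup.user_delete("alice", "msg-1")   # lands before the backup job
    backup.nightly_backup()

    journal = JournalingStore(retention_days=5 * 365)  # assumed schedule
    journal.ingest(msg)
    journal.user_delete("alice", "msg-1")  # removes only the mailbox view
    journal.place_hold("alice")
    six_years_on = day0 + timedelta(days=6 * 365)
    journal.apply_retention(six_years_on)  # hold suspends expiry
    held = journal.producible("msg-1")
    journal.release_hold("alice")
    journal.apply_retention(six_years_on)  # now disposed of per schedule
    after_release = journal.producible("msg-1")

    return {
        "backup_only": backup.producible("alice", "msg-1"),
        "journal_under_hold": held,
        "journal_after_release": after_release,
        "deletion_logged": ("user_delete", "alice", "msg-1", True) in journal.audit,
    }


if __name__ == "__main__":
    print(scenario())
```

The backup-only store cannot produce the message at all, the journaling store produces it for as long as the hold stands and disposes of it on schedule once the hold is lifted, and the audit log records the user's deletion attempt, which is what separates a policy that is merely communicated from one that is enforced.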

Implications abound here. Will SMBs that fall under some form of regulation — SOX, HIPAA, etc. — have to store every email forever? I’d love some readers to weigh in on this. Have any of you out there fought this battle with management? Do you know of any vendors that have products that address this particular issue?

I’m curious as to how deep this particular rabbit hole goes and how many folks have been forced to follow it to its logical end. Is there a crazy playing card there yelling “Off with their heads!!”?

8 Comments on this Post

  • There is a source of help and support for IT professionals who are now beset by requests for legal holds. The area of litigation is one where the worlds of two professional groups coincide. Records and Information Managers and IT professionals are often both involved in: (1) helping their firms avoid discovery problems when litigation arises, and (2) in administering legal holds when discovery requests are initiated. I can't provide the author here a complete course in how to establish records retention schedules for electronic records. However, if such retention schedules were in place... the frantic, costly and difficult effort to establish legal holds, and to produce electronic records required in e-discovery could be dealt with effectively. For those IT professionals who read these comments, I recommend that they - or their peers - learn more about the field of Records Management (yes, it fully encompasses records generated, managed and stored in electronic form). One of the best ways in which to do that is to join ARMA International, or to learn more through the Association's education and training sessions. The web site for ARMA International is: http://www.arma.org Douglas P. Allen, CRM, CDIA+
  • Tory, take a deeeeeeep breath. Let it out. Feel better? Your panic is real, but unrealistic. First of all, the FRCP apply only to litigation that ends up in Federal court. Some states are adopting these rules, or variations on them, because they make the rules of engagement between opposing attorneys a bit more even. They aren't perfect by any means. Secondly, there is nothing in there that says, "keep everything" or "get rid of everything", implied or otherwise. I would suggest that many IT folks are having similar panic attacks to what you are experiencing. Third, get your legal staff to put together a retention policy for your organization. That means either hiring a records manager or engaging a records management consultant. Records managers have been setting retention policies for years and we have a pretty good sense of what works for an organization. To make you feel a little better, think about snail mail. Remember postal letters? Do you retain every piece of mail that you get? Of course not. You toss out the junk mail and keep the few pieces that you need. Email and electronic records work the same way. Toss the junk and keep the items that have value to the company. While I think we would all like some magic software that would make that decision and retain the records of the organization, most of us are stuck relying on the end user to do the right thing. You provide guidance within a policy structure and verify that they are doing what they are supposed to do. At the end of the day, it is going to be the end user who has to account for his or her decisions. All that said, you will still get sued and someone will still want you to hold electronic records -- and that will be costly. And it will be problematic when subsequent litigation hits some of the same data and you have to figure out what needs to continue on hold and what can be tossed.
    So I would focus my attention on building a good approach to e-discovery collection and preservation, particularly focusing on finding out all the places that people squirrel away data. You'll also want to create a data map of your organization so that your attorneys will be able to explain where and how electronic records are being maintained. You'll also need to educate your legal staff about what makes good sense and what doesn't. They are in as much of a panic as many IT people. Some of them don't "get" IT stuff and some think they do and have no clue (witness the lawyer who wanted my staff to create 170 forensic images of HDDs -- by the next morning). You'll need to think about what makes sense and ask the lawyers questions when they require you to do something that seems stupid. Get to know people who do e-discovery and forensics. Get some vendors under contract. You may find it more cost-effective for your company to retain an outside firm to manage records needed for e-discovery, as well as having them collect it. There is an analysis for you to do there. If you have enough litigation, hiring someone in house may be cheaper, although the big issue tends to be finding a place to store what is required. Get your legal staff to roll out a retention policy and enforce it, but don't let trying to be perfect stand in the way of being good.
  • So does this mean that you also have to check my briefcase at the door to ensure I'm not bringing in a copy of Playboy? Or have we let print and electronic media become subject to totally different rules?
  • Interesting viewpoint, but not exactly accurate information. The current FRCP was out for public comment originally in 2005, and there were many opportunities for people to weigh in on the proposed changes. In fact the proposed changes were amended a few times prior to being finalized (in April 2006) and they eventually went into effect in December of 2006. So, here we are 14 months later, and people are still complaining about what is a severely simplified manner of producing ESI in the event of a discovery action. As the author correctly mentions, there is a Safe Harbor provision. Not only does this provision limit the volume of data subject to combing through in the event of a legal action, it is based on sound business practices. It has been proven for decades that organizations which have a Records Management policy, supported by a well-crafted, industry and location specific records retention schedule are able to minimize costs and improve operating efficiencies. And yes, if you don't have one, it takes time to develop one, but it's money well spent. Business Process Analysis and Management is a cornerstone to efficient and effective operations, and at the heart of this is establishing policies and procedures for the generation and management of information assets. This is the forte of Professional Records and Information Managers (RIMs), many of whom are members of ARMA, the Association of Records Managers and Administrators (www.arma.org). ARMA has been at the heart of this critical function for over 50 years, offering training and education to its members, ensuring that there will always be RIM Professionals trained and ready to provide the services necessary to improve on information management business practices. Of great concern to those of us in the Profession is the frequent publication of misinformation when it comes to the complexity and extreme measures required to achieve compliance with legislation such as Sarbanes-Oxley, HIPAA, and the FRCP.
    Even more disconcerting are statements like those in this article, indicating that the only way to comply is to keep everything forever. Nothing could be farther from the truth. A well crafted records retention schedule establishes the minimum legal required retention period for information to comply with regulations, statutes, and laws impacting an organization. Additionally, it takes into account the potential business need for information that may exceed those periods, and after a careful evaluation of the potential risk extended retention may place an organization at, determines how long information should be retained. It also takes into account any known or potential legal actions an organization may be involved in and ensures legal holds are placed on the destruction of any information that may be impacted by those actions. By doing this, an organization can minimize the volume of information that it retains, reducing costs for management of unnecessary information by ONLY managing what meets the organization's definition of a "record", and only retaining it for the required time. Other information that is defined as non-record, or has met its assigned retention, can be destroyed in the course of normal business. In the long run, the information that truly is an asset to an organization will be readily available to support decisions, use for research or reference, and defend an organization's position in the event of a legal action... THAT is what Records and Information Management is all about. Larry Medina Danville, CA RIM Professional since 1972
  • Thanks for the comments and the information. I'm both breathing easier and a little more worried at the same time. First the worry: two of the comments mention "Records Managers" and they all mention policy (even around Playboy! ;-D). My worry is again simply, if I have a retention policy, should I be allowing end users to manage their mailboxes? Meaning if I have a retention policy in place and a records manager doing their job well, by definition end users would lose the ability to delete their email? The other thing is I don't want us to lose sight of the issue I have w/ this whole thing: The cost of storage! I'm still on the hook to pay for all this stuff (including the Records Mgr position), and out of this conversation I am seriously questioning whether the cost surrounding "legal hold storage" belongs on the budget as an IT storage line item or an IT security line item. *Legal hat again* Precedent, something lawyers live and die by in the court room. How much precedent has there been surrounding FRCP, and has anyone really tested the Safe Harbor clause yet? Thanks again for your comments guys, it really did help clarify some of these issues in my mind.
  • Very interesting post Tory – you bring up a lot of excellent points. You’re certainly not alone in your confusion around FRCP and how to best comply with the regulations. In my role as product manager for Fortiva, an on-demand email archiving provider, I talk to IT professionals on a regular basis that are struggling with similar issues. In answer to your first question, No, the “Safe Harbour” clause does not protect an organization if an end-user is allowed to delete a relevant email after a litigation hold is put in place (even if a policy was in place and was well-communicated to the employee). The deletion of that email (whether intentional or accidental) can be considered spoliation of evidence (which carries serious penalties). So, you are absolutely correct that “simply having and following a policy is not enough” – the policy must be enforced to meet the FRCP requirements. And to your second question, yes, the technology exists to address the concerns you raise. An email archive with litigation readiness features (litigation hold, no end-user deletion, automatic policy enforcement and e-discovery search capabilities) is a cost-effective way to meet FRCP requirements for a litigation hold, while making the e-discovery process much faster and easier. Many archives (Fortiva included) also offer additional benefits for IT, including reducing the burden on the Exchange store and providing real-time, browser-based search of the archive for legal (so IT doesn’t have to spend days and weeks retrieving and searching through data). I wrote a more in-depth response to your post on the Fortiva blog, http://blog.fortiva.com. Thanks again for raising some very valid concerns that are causing a great deal of confusion for a lot of people.
  • Here's the direct link to my response in case you're interested: http://blog.fortiva.com/fortivablog/2008/03/litigation-hold.html.
  • I just read through Rick's response to both the blog and some of the comments and I'm pleased that vendors out there are addressing this in a cost effective manner. One thing in his response (and a conversation w/ one of my friends known to shoot holes in my theories) that gives me pause is the whole idea around user deletion. If I decided to delete a file or email that is part of a litigation hold, how does anyone know I've deleted it? Curtis Preston talked about "true CDP" in a session a few years back at Storage Decisions and what true CDP meant both to the user and to the requirements for storage, policy, etc., and I've mused about multi-terabyte hard drives, and why on earth would someone need one. I think I've just found the need. This is a logical game of Twister I've been playing in my head and the great comments here have prompted me to schedule time w/ our legal, risk management and security teams again.
