I’ve been fielding quite a few requests for legal holds recently, and I’ve been tracking the storage used by legal holds on our SAN and tape library. Out of curiosity, I started doing research on the average length of a trial, then tabulating the cost of storing the data requested on WORM for that time.
Guess what I’ve found? Some trials last a loooooooong time, and the costs are not insignificant. Now I see why Beth has been ringing the alarm about FRCP.
My company has been very lucky — we have a great risk and legal team as well as solid policy. But people will still sue if you have a business address. The incidental cost of keeping someone’s mailbox around for five years or so while they litigate (then appeal when they lose) is high, but can a company afford not to do so? What happens when you can’t produce an email to back up your side of a dispute? Worse still, what if the other side accuses you of damaging their case by not providing them with the emails they’ve requested?
There’s a “Safe Harbor” clause in the FRCP that absolves companies of responsibility if the company has — and strictly follows — a deletion and retention policy. This protects the company from falling afoul of the regulation, but does my act (as an end user) of deleting an email fall under the “Safe Harbor” clause?
Let me put on my lawyer hat. Okay, it’s on. I’ve seen some precedent that leads me to believe that simply having and following a policy is not enough. Say that, as a network administrator, I have a policy that strictly prohibits viewing pornography on a company network. I can communicate the policy, but if I don’t have measures in place to actively block pornography or follow up on complaints about it, I may leave myself open to suit. Some of you may be thinking, “Why would you have a rule that you can’t look at pornography and not have a content filter in place?” My point exactly: Why have a deletion and retention policy, and allow people to do their own deleting and retaining?
This is going to get very esoteric and confusing (as many of our laws are), but what I took away from this article was this: If you allow me to do something, you may be implicitly approving of the behavior. Not to mention that while the employee viewing the pornography is breaking the rules and doesn’t have a case against me, what about the person walking by their terminal who sees it against their will?
So as it relates to e-discovery, if you allow me to delete my own emails, are you implicitly approving of me disobeying retention and deletion policy?
I started thinking about this a little deeper (which almost always spells trouble) and technically, it seems like I would have to have CDP in place and store every email entering and leaving every mailbox forever to be really covered against every contingency. Suppose I’m an end user, and I delete an incriminating email, but then sue and claim I need the email to prove my case, and that you should have that email available... BUT my mailbox wasn’t backed up before I deleted the message. Are you, the respondent, still in hot water?
Implications abound here. Will SMBs that fall under some form of regulation — SOX, HIPAA, etc. — have to store every email forever? I’d love some readers to weigh in on this. Have any of you out there fought this battle with management? Do you know of any vendors that have products that address this particular issue?
I’m curious as to how deep this particular rabbit hole goes and how many folks have been forced to follow it to its logical end. Is there a crazy playing card there yelling “Off with their heads!!”?