The Bottle is Only Half Full: Email Migration for eDiscovery


Many legal professionals aren’t aware that there is more to defensibly migrating an email archive in response to eDiscovery than simply copying the journaled email store. In a previous blog titled “What I Don’t Know Can Hurt Me; Beware of Indexers Disguised as Archive Migration Tools”, I talked about the eDiscovery issues you can run into when you migrate the email store without reconciling it with the email archive SQL database, i.e. you lose all associated email metadata showing folder structure, read/unread, follow-up reminders, sender and all recipients (including CC and BCC).

There is another issue that responders to an eDiscovery request must be aware of; there can be two potential sources of archived email content in an email archive; the journaled mailbox archive and the individual custodian archived mailboxes. Migrating only the archived journal mailbox versus the individual mailbox archives can put you at legal risk.

Journal mailbox archiving captures each individual message as it flows through the email server and stores it in a “journal mailbox,” which is a big bucket of all emails sent and received from all mailboxes (figure 1). The main benefit of journaling email is that it captures and protects every email sent and received. In the past, journaling was used to ensure compliance with the SEC requirement that all emails, for brokers and traders, be captured and secured for later review. Journaling also ensures that the original email message is captured in an unaltered (original) state. The down side of journaling is that it creates a “flat” archive with none of the metadata generated from within an individual’s mailbox once it has been received (or sent). This means that mailbox folder structure, forwarding, movements from mailbox folder to folder, and the fact that the email was opened, etc., are not captured when journaling email.

Archiving via journaled mailbox


Direct mailbox archiving
 works differently from journaling in that the archive server will access each individual mailbox and archive anything new in that mailbox including new messages, drafts, email movements from folder to folder, etc. The benefit of direct mailbox archiving is that it captures additional content and metadata that could be important during litigation (figure 2). The downside is that this form of mailbox archiving can take much longer to complete.

Direct Mailbox Archiving

To get the best of both worlds, many organizations will enable both types of email archive collection to ensure the capture of all messages in an unaltered state via journaling while also performing a direct mailbox archive once a day to capture the additional content and metadata.

The issue arises when the company or company’s vendor, in response to an eDiscovery request, chooses to migrate only the journaled email archive while certifying to the opposing counsel and court that ALL responsive data was migrated and reviewed (figure 3 – left side). Keep in mind, in legal discovery it is the duty of the responding party to search for, and turn over, all relevant data to opposing counsel. This includes all existing metadata that could be relevant to the case.

This incomplete production of data could trigger charges of incomplete discovery response or spoliation (destruction of evidence) if the archived metadata is lost or corrupted after the original data production.

Migrate Journal & Direct Archives

Organizations migrating email from an archive, in response to an eDiscovery order, should ensure their migration vendor can defensibly migrate and reconcile both the journal and direct mailbox archives (figure 3 – right side).

Archive360 has experience in migrating email archives in response to eDiscovery requests. We defensibly migrate email so charges of incomplete eDiscovery or spoliation do not occur.

Advertisements

The Need for Archiving and FRCP 37(e)


The December 2006 amendments to the Federal Rules of Civil Procedure (FRCP), specifically Rule 37, established when litigation can be reasonably anticipated, the duty of both sides is to immediately stop all alterations and deletions of all potentially relevant content and secure it – also known as a litigation hold and the duty to preserve.

Earlier this year, the Supreme Court approved new amendments to the FRCP which will become effective on December 1, 2015. The new Rule 37(e) reiterates the need to preserve electronically stored information (once litigation can be reasonably anticipated) but also creates a uniform standard for spoliation (destruction of evidence) and so, they hope, will provide greater predictability around the question of loss of ESI during litigation.

The new amended Rule 37(e) allows a court to respond when one party loses electronically stored information (ESI), which then prejudices the other party. Rule 37(e) empowers a court to take reasonable action to cure the prejudice, even if the loss of ESI was inadvertent. The new twist is now the burden to prove prejudice resulting from the missing/lost evidence as a result of willful or intentional misconduct falls on the innocent party before the most severe sanctions can be imposed, and then only if the prejudice shown cannot be mitigated through other remedies, e.g. additional discovery. To complicate matters further, even in cases when there is no demonstrated prejudice to the opposing party, the court can assume the ESI was unfavorable and enter a default judgment in the case. This means that the Judge has wide latitude to respond to parties who don’t take their eDiscovery responsibilities seriously.

The need for information governance and archiving

Many believe the amended Rule 37(e) highlights the need for corporations to get more control of all of their electronic data, not just that data considered a record. Information governance programs including on-going content archiving of those types of information most sought after in eDiscovery, namely email and other forms of communication, enables an organization to quickly find all potentially relevant content, secure it under a litigation hold, and begin the review process immediately – knowing the archive is the “copy of record” repository.

Many Judges look closely at the steps taken by the responding party when eDiscovery mistakes happen. Judges want to see that reasonable actions were taken and a good faith intent was present to reduce or stop eDiscovery mishaps including, regularly updated policies, on-going employee training, and the type of technology purchased. Judges understand that there is no such thing as Perfect; that mistakes happen, and many times it inadvertent.

Keeping everything forever is a mistake

Another related eDiscovery problem many companies find themselves facing is the issue of having too much data to search and review during eDiscovery. Many companies only manage what they consider to be “business records”, which averages 5% of all corporate data,  and leave the other 95% to be managed (or not) by individual employees. This huge unmanaged store of employee data, which is a popular target in discovery, dramatically drives up the cost of eDiscovery, while also driving up the potential of problems occurring during eDiscovery. Defensibly disposing of expired or valueless data will reduce the amount of data that must be pulled into an eDiscovery action reducing the cost and risk of problems later.

A centrally managed archive that proactively captures, for example, all communications (email, IM, social communications) and applies retention/disposition policies to all captured content can insure that expired or valueless data is defensibly disposed of, reducing the size of the overall discovery data set by as much 60%. Because it’s defensibly disposed of via automation and policy, questions of spoliation cannot be raised.

In fact, archiving your most important (and requested) content provides a great deal more granular data management capability then simply relying on individual employees – so you don’t run afoul of the new FRCP Rule 37(e).

The Weak Link in the Information Security Chain…Law Firms


Many law firms are unwittingly setting themselves up to be a prime target for cyber criminals. But it is not the firm’s data that hackers might be looking for – it is the huge volume of client data that law firms handle on a daily basis that make them so appealing for cyber criminals to target.

eDiscovery continues to generate huge, and ever-growing data sets of ESI for law firms to manage. Those data sets are often passed to the client’s law firm for processing, review and production. The end result is law firms are sitting on huge amounts of sensitive client data and if the firm is not diligent about managing it, securing it, and disposing of it at the conclusion of the case.  And absent serious reforms in the Rules of Civil Procedure, these data volumes will only continue to grow.

A 2014 ABA Legal Technology Survey Report found that 14% of law firms experienced a security breach in 2013 which included a lost or stolen computer or smartphone, a cyber-attack, a physical break in of website exploit event. That same survey reported that 45% of respondents had experienced a virus-based technology infection and boutique firms of 2 to 9 attorneys were the most likely to have experienced an infection. Law firms of 10 to 49 attorneys were the most likely to suffer security breaches.

A growing number of clients are demanding their law firms take data security more seriously and are laying down the law – “give us what we want or we will find another law firm that will…” Generally speaking, law firms have never been accused of being technology “early adopters” and while they still don’t need to be, they do need to take client (and firm) data security and management seriously and adopt technology and processes that will both satisfy their client’s rising expectations as well as their cyber insurance providers best practices.

At the end of the day, law firms should ask themselves a basic question: is my law firm prepared and equipped to protect our client’s data and if not, what’s the best strategy for my law firm going forward?

For more detail on this topic, download the Paragon white paper on this subject:

Email Use Policies: The beginning of the end?


A December 2014 National Labor Relations Board (NLRB) decision in reference to the Purple Communications, Inc. case might have started the decline of employer’s rights over how their property and systems can be used by employees.

In the 2007 Guard Publishing decision, the NLRB held that the National Labor Relations Act does not give employees the right to use an employer’s email system for union-related business, i.e., activity not related to the running of the business. Partly because of this decision, employers have regularly created and enforced email use policies that forbid the use of the employer’s email system for anything other than actual company business. This decision was supposedly based on the NLRB’s comparison of an employer’s bulletin board, telephone system, copy machines and PA systems to the employer’s email system. In other words, employees did not have carte blanche to utilize these other systems for non-business-related activities either.

The NLRB Purple Communications decision reversed the 2007 ruling and held that employees do now have the presumptive right to use their employer’s email system for non-work NLRB-protected purposes. But does this decision also reverse the practice of employers restricting the use of the other systems (copy machines, bulletin boards, etc.) to strictly business-related purposes?

There are several points to keep in mind before taking over your employer’s copy machine to print 1,000 garage sale flyers.

  • The 2014 NLRB-Purple Communications decision was limited to email systems only.
  • The 2014 NLRB-Purple Communications decision was limited to actual employees of the company—not family members or anyone else.
  • The 2014 NLRB-Purple Communications decision relates to activities protected by the National Labor Relations Act, i.e., union-related activities only.
  • The NLRB invalidated the prior validity of prohibitions of the non-work use of company physical property such as the previously mentioned copy machines, bulletin boards, and telephone systems.

Another interesting fact from the 2014 case is that the NLRB (re)confirmed an employer’s right to monitor its email system for “legitimate management purposes” and that employees continue to have no expectation of privacy in their use of the employer’s email system. But the NLRB stated that the employer may not increase employee email monitoring during union-organizing campaigns or focus monitoring activities on “protected” conduct or union activists specifically.

Obviously, the NLRB decision was directed specifically to companies with union membership and activities. But this raises the question of the use of employer equipment and systems for non-union-related activities. Will this decision be used to erode employer restrictions on the use of company property in the future?

InfoGov: Productivity Gains Equal Revenue Gains


Information Governance-101

A great deal has been written on lost productivity and the benefits of information governance. The theory being that an information governance program will raise employee productivity thereby saving the organization money. This theory is pretty well accepted based on the common sense realization and market data that information workers spend many hours per week looking for information to do their jobs. One data point comes from a 2013 Wortzmans e-Discovery Feed blog titled “The Business Case for Information Governance – Reduce Lost Productivity! that states employees spend up to nine hours per week (or 1 week per month or 12 weeks per year) looking for information. The first question to consider is how much of that time searching for information could be saved with an effective information governance program?

InfoGov Productivity Savings

Three months out of every year spent looking for information seems a little high… so…

View original post 804 more words

Dark (Data) Clouds on the Horizon


Dark Cloud

There have been many definitions of “Dark Data” over the last couple of years including: unstructured, unclassified, untagged, unmanaged and unknown electronic data that is resident within an organization’s enterprise. Most of these definitions center on unstructured data residing in an enterprise. But with the advent of BYOD and employees use of personal clouds, this definition should be expanded to include any corporate owned data, no matter where it resides.

Dark data, especially dark data stored outside of the company’s infrastructure (and awareness that it even exists) is an obvious liability for eDiscovery response, regulatory compliance, and corporate IP security.

Is BYOC a good idea?

Much has been written on the dangers of “Bring Your Own Device” (BYOD) but little has been written on the dangers of “Bring Your Own Cloud” (BYOC) otherwise known as personal clouds. Employees now have access to free cloud storage from many vendors that give them access to their content no matter where they are. These same personal clouds also provide automatic syncing of desktop folders and the ability to share specific documents or even entire folders. These personal clouds offer a fantastic use model for individuals to upload their personal content for backup, sharing and remote availability. In the absence of any real guidance from employers, employees have also begun to use these personal clouds for both personal and work purposes.

The problem arises when corporate-owned data is moved up to personal clouds without the organization’s approval or awareness. Besides the obvious problem of potential theft of corporate IP, effective eDiscovery and regulatory compliance become impossible. Corporate data residing in personal clouds become “Dark Clouds” to the organization; corporate data residing in repositories outside the organizations infrastructure, management or knowledge.

Dark Clouds and eDiscovery

Organizations have been trying to figure out what to do with huge amounts of dark data within their infrastructure, particularly when anticipating or responding to litigation. Almost everything is potentially discoverable in litigation if it pertains to the case, and searching for and reviewing GBs or TBs of dark data residing in the enterprise can push the cost of eDiscovery up substantially. But imagine the GBs of corporate dark data residing in employee personal clouds that the organization has zero awareness of… Is the organization still responsible to search for it, secure it and produce it? Depending on who you ask, the answer is Yes, No, and “it depends”.

In reality, the correct answer is “it depends”. It will depend on what the organization did to try and stop employee dark clouds from existing. Was a policy prohibiting employee use of personal clouds with corporate data in place; were employees alerted to the policy; did the organization try to audit and enforce the policy; did the organization utilize technology to stop access to personal clouds from within the enterprise, and did the organization use technology to stop the movement of corporate data to personal clouds (content control)?

If the organization can show intent and actions to ensure dark clouds were not available to employees, then the expectation of dark cloud eDiscovery search may not exist. But if dark cloud due diligence was not done and/or documented, all bets are off.

Regulatory Compliance and Dark Clouds

Employee personal clouds can also end up becoming the repository of sensitive data subject to regulatory security and privacy requirements. Personally identifiable information (PII) and personal health information (PHI) under the control of an organization are subject to numerous security and privacy regulations and requirements that if not followed, can trigger costly penalties. But inadvertent exposure can occur as employees move daily work product up to their personal clouds to continue work at home or while traveling. A problem is many employees are not trained on recognizing and handling sensitive information; what is it, what constitutes sensitive information, how should it be secured, and the liabilities to the organization if sensitive information is leaked. The lack of understanding around the lack of security of personal clouds and the devices used to access them are a related problem. Take, for example, a situation where an employee accesses their personal cloud while in a coffee shop on an unsecured Wi-Fi connection. A hacker can simply gain access to your laptop via the unsecured Wi-Fi connection, access your personal cloud folder, and browse your personal cloud through your connection (a password would not be required because most users opt to auto-sign in to their cloud accounts as they connect on-line).

As with the previous eDiscovery discussion, if the organization had taken the required steps to ensure sensitive data could not be leaked (even inadvertently by the employee), they leave themselves open for regulatory fines and more.

Reducing the Risk of Dark Clouds

The only way to stop the risk associated with dark clouds is to stop corporate data from leaving the security of the enterprise in the first place. This outcome is almost impossible to guarantee without adopting draconian measures that most business cultures would rebel against but there are several measures that an organization can employ to at least reduce the risk:

  • First, create a use policy to address what is acceptable and not acceptable behavior when using organization equipment, infrastructure and data.
  • Document all policies and update them regularly.
  • Train employees on all policies – on a regular basis.
  • Regularly audit employee adherence to all policies, and document the audits.
  • Enforce all breaches of the policy.
  • Employee systematic security measures across the enterprise:
    • Don’t allow employee personal devices access to the infrastructure – BYOD
    • Stop employee access to personal clouds – in many cases this can be done systematically via cutting specific port access
    • Employ systematic enterprise access controls
    • Employ enterprise content controls – these are software applications that control access to individual content based on the actual content and the user’s security profile.

Employee dark clouds are a huge liability for organizations and will become more so as attorney’s become more educated on how employees create, use, store and share information. Now days,

Law Firms, HIPAA and the “Minimum Necessary Standard” Rule


TMI blogThe HIPAA Omnibus Rule became effective on March 26, 2013. Covered entities and Business Associates had until September 23, 2013 to become compliant with the entirety of the law including the security rule, the privacy rule and the breach notification rule. Law firms that do business with a HIPAA regulated organization and receive protected health information (PHI) are considered a Business Associate (BA) and subject to all regulations including the security, privacy and breach notification rules. These rules are very prescriptive in nature and can impose additional procedures and additional cost to a law firm.

Under the HIPAA, there is a specific rule covering the use of PHI by both covered entities and Business Associates called the “Minimum Necessary Stand” rule or 45 CFR 164.502(b), 164.514(d). The HIPAA Privacy rule and minimum necessary standard are enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Under this rule, law firms must develop policies and procedures which limit PHI uses, disclosures and requests to those necessary to carry out the organization’s work including:

  • Identification of persons or classes of persons in the workforce who need access to PHI to carry out their duties;
  • For each of those, specification of the category or categories of PHI to which access is needed and any conditions appropriate to such access; and
  • Reasonable efforts to limit access accordingly.

The minimum necessary standard is based on the theory that PHI should not be used or disclosed when it’s not necessary to satisfy a particular job. The minimum necessary standard generally requires law firms to take reasonable steps to limit the use or disclosure of, PHI to the minimum necessary to represent the healthcare client. The Privacy Rule’s requirements for minimum necessary are designed to be flexible enough to accommodate the various circumstances of any covered entity.

The first thing firms should understand is that, as Business Associates subject to HIPAA through their access and use of client data, firms are subject to the Minimum Necessary Standard, which requires that when a HIPAA-covered entity or a business associate (law firm) of a covered entity uses or discloses PHI or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Law firm information governance professionals need to be aware of this rule and build it into their healthcare client related on-boarding processes.