Data Sovereignty and the GDPR; Do You Know Where Your Data Is?


As more companies move their data to the cloud, the question of data sovereignty is becoming a hotter topic. Data sovereignty is the requirement that digital data is subject to the laws of the country in which it is collected or processed. Many countries require that data collected in a particular country stay in that country. They argue that it is in the government’s interest to protect its citizens’ personal information against any misuse.


The Right to be Forgotten Versus The Need to Backup


A great deal has been written about the GDPR and CCPA privacy laws, both of which include a “right to be forgotten.” The right to be forgotten is an idea that was put into practice in the European Union (EU) in May 2018 with the General Data Privacy Regulation (GDPR).

The New California Privacy Law and Presumed Damages


At the end of June, California’s legislature passed a new privacy law that in effect implements the strongest privacy controls of any state in the U.S. The new law provides a series of new rights to California’s consumers over how their personal data is collected, used, and sold. The new law will come into effect on January 1, 2020; however, on that date California citizens will be able to request all data about them going back 12 months, that is, to January 1, 2019. This means companies will need to ensure they are properly collecting and classifying California resident data starting January 1, 2019.

The Bottle is Only Half Full: Email Migration for eDiscovery


Many legal professionals aren’t aware that there is more to defensibly migrating an email archive in response to eDiscovery than simply copying the journaled email store. In a previous blog titled “What I Don’t Know Can Hurt Me; Beware of Indexers Disguised as Archive Migration Tools”, I talked about the eDiscovery issues you can run into when you migrate the email store without reconciling it with the email archive SQL database, i.e. you lose all associated email metadata showing folder structure, read/unread, follow-up reminders, sender and all recipients (including CC and BCC).

There is another issue that responders to an eDiscovery request must be aware of: there can be two potential sources of archived email content in an email archive, the journaled mailbox archive and the individual custodian archived mailboxes. Migrating only the archived journal mailbox and not the individual mailbox archives can put you at legal risk.

Journal mailbox archiving captures each individual message as it flows through the email server and stores it in a “journal mailbox,” which is a big bucket of all emails sent and received from all mailboxes (figure 1). The main benefit of journaling email is that it captures and protects every email sent and received. In the past, journaling was used to ensure compliance with the SEC requirement that all emails for brokers and traders be captured and secured for later review. Journaling also ensures that the original email message is captured in an unaltered (original) state. The downside of journaling is that it creates a “flat” archive with none of the metadata generated from within an individual’s mailbox once the message has been received (or sent). This means that mailbox folder structure, forwarding, movements from mailbox folder to folder, the fact that the email was opened, and so on are not captured when journaling email.

[Figure 1: Archiving via journaled mailbox]


Direct mailbox archiving works differently from journaling in that the archive server will access each individual mailbox and archive anything new in that mailbox including new messages, drafts, email movements from folder to folder, etc. The benefit of direct mailbox archiving is that it captures additional content and metadata that could be important during litigation (figure 2). The downside is that this form of mailbox archiving can take much longer to complete.

[Figure 2: Direct Mailbox Archiving]

To get the best of both worlds, many organizations will enable both types of email archive collection to ensure the capture of all messages in an unaltered state via journaling while also performing a direct mailbox archive once a day to capture the additional content and metadata.

The issue arises when the company or company’s vendor, in response to an eDiscovery request, chooses to migrate only the journaled email archive while certifying to the opposing counsel and court that ALL responsive data was migrated and reviewed (figure 3 – left side). Keep in mind, in legal discovery it is the duty of the responding party to search for, and turn over, all relevant data to opposing counsel. This includes all existing metadata that could be relevant to the case.

This incomplete production of data could trigger charges of incomplete discovery response or spoliation (destruction of evidence) if the archived metadata is lost or corrupted after the original data production.

[Figure 3: Migrate Journal & Direct Archives]

Organizations migrating email from an archive, in response to an eDiscovery order, should ensure their migration vendor can defensibly migrate and reconcile both the journal and direct mailbox archives (figure 3 – right side).

Archive360 has experience in migrating email archives in response to eDiscovery requests. We defensibly migrate email so charges of incomplete eDiscovery or spoliation do not occur.

The Need for Archiving and FRCP 37(e)


The December 2006 amendments to the Federal Rules of Civil Procedure (FRCP), specifically Rule 37, established that when litigation can be reasonably anticipated, both sides have a duty to immediately stop all alterations and deletions of all potentially relevant content and secure it – also known as a litigation hold and the duty to preserve.

Earlier this year, the Supreme Court approved new amendments to the FRCP which will become effective on December 1, 2015. The new Rule 37(e) reiterates the need to preserve electronically stored information (once litigation can be reasonably anticipated) but also creates a uniform standard for spoliation (destruction of evidence) and so, they hope, will provide greater predictability around the question of loss of ESI during litigation.

The new amended Rule 37(e) allows a court to respond when one party loses electronically stored information (ESI), which then prejudices the other party. Rule 37(e) empowers a court to take reasonable action to cure the prejudice, even if the loss of ESI was inadvertent. The new twist is that the burden of proving prejudice resulting from the missing or lost evidence as a result of willful or intentional misconduct now falls on the innocent party before the most severe sanctions can be imposed, and then only if the prejudice shown cannot be mitigated through other remedies, e.g. additional discovery. To complicate matters further, even in cases when there is no demonstrated prejudice to the opposing party, the court can assume the ESI was unfavorable and enter a default judgment in the case. This means that the judge has wide latitude to respond to parties who don’t take their eDiscovery responsibilities seriously.

The need for information governance and archiving

Many believe the amended Rule 37(e) highlights the need for corporations to get more control of all of their electronic data, not just the data considered a record. Information governance programs, including ongoing content archiving of the types of information most sought after in eDiscovery (namely email and other forms of communication), enable an organization to quickly find all potentially relevant content, secure it under a litigation hold, and begin the review process immediately – knowing the archive is the “copy of record” repository.

Many judges look closely at the steps taken by the responding party when eDiscovery mistakes happen. Judges want to see that reasonable actions were taken and a good-faith intent was present to reduce or stop eDiscovery mishaps, including regularly updated policies, ongoing employee training, and the type of technology purchased. Judges understand that there is no such thing as perfect; mistakes happen, and many times they are inadvertent.

Keeping everything forever is a mistake

Another related eDiscovery problem many companies find themselves facing is having too much data to search and review during eDiscovery. Many companies only manage what they consider to be “business records”, which averages 5% of all corporate data, and leave the other 95% to be managed (or not) by individual employees. This huge unmanaged store of employee data, which is a popular target in discovery, dramatically drives up the cost of eDiscovery, while also driving up the potential for problems occurring during eDiscovery. Defensibly disposing of expired or valueless data will reduce the amount of data that must be pulled into an eDiscovery action, reducing the cost and the risk of problems later.

A centrally managed archive that proactively captures, for example, all communications (email, IM, social communications) and applies retention/disposition policies to all captured content can ensure that expired or valueless data is defensibly disposed of, reducing the size of the overall discovery data set by as much as 60%. Because it’s defensibly disposed of via automation and policy, questions of spoliation cannot be raised.

In fact, archiving your most important (and requested) content provides a great deal more granular data management capability than simply relying on individual employees – so you don’t run afoul of the new FRCP Rule 37(e).