Employees Using Personal Email Accounts to Send Large Files

In a recent survey conducted by Osterman Research, it was revealed that 82 percent of employees use their personal email accounts to send large work-related files when an email attachment exceeds the size limit imposed by IT.

Is this a problem?…YES

Lets say your company is involved in civil litigation and has received interrogatories (written questions as part of the discovery process) from opposing counsel. One of the questions could be; “Has any of your employees or contractors ever sent business related emails or attachments to another party using their personal email account?” According to the Osterman data, 82% of your employees will answer yes to that question.

Why is this a problem?

First, your eDiscovery process including legal hold requirements will have to include searching your employees personal email accounts, if they give you permission. In my opinion, that doesn’t relieve you of the responsibility of protecting those responsive emails.

Second, eventually your employees are going to face the possibility of attorneys reading their personal emails and attachments from within their personal email accounts. There are few employees that will think this possibility is a good thing.

So how do you remove or at least lower this possibility?

First, create written email use policies that forbid employees from ever accessing their personal email accounts at work from employer provided equipment.

Second, Include in the above mentioned policy that company related records are never to be sent or received from personal email accounts.

Third, explain to employees that if they violate the policy, they could be fired.

Forth, explain that if they were to violate the policy, attorneys, including opposing counsel may be reading their personal emails in discovery some day.

Fifth, create a way within your infrastructure to send and receive large files so employees don’t have to fall back to using their personal email accounts to send or receive large business related files.

10 Clues Corporate Counsel Should Take to Heart about eDiscovery

The following content was inspired by an article in Law Technology News in Oct 2009 by Tom O’Connor titled “Top 10 EDD Tips for General Counsel”.

  1. Read the Rules: Read the Federal Rules of Civil Procedure or at least the amendments passed in December of 2006. For most of you, the days of farming out all discovery preparation is quickly disappearing. You are going to be responsible to not lose the case against you in the first couple of weeks by screwing up the discovery process. Come on…you made it through law school and read (?) all those books as well as you probably have suffered through your share of mind numbing IP applications. The FRCP is not as bad as that. I also recommend taking a look at the Electronic Discovery Reference Model (EDRM), a great site for in-depth learning of the eDiscovery process.
  2. Learn from Others: Case decisions are a great place to learn what others assumed or tied and didn’t work. They are also a great place to determine Judge’s opinions and judicial thinking. There are many great blogs and websites. The one site I look at every day is Electronic Discovery Law which consistently has great write ups and analysis on current and past cases. I have been constantly amazed over the years to see how little corporate counsels pay attention to current legal actions. If nothing else, some of these decisions have a great deal of humorous revelations in them and will give you a chance to make fun of others. Another great organization to look at for information and leadership in the discovery process is the Sedona Conference organization.
  3. Understand the Terms: No, eDiscovery is not an electronic dating service; early case assessment (ECA) is not a process to determine if a case of wine in your basement has gained in value and “PST” is not a juvenile texting shortcut for “Please Stop Texting”. Knowing the legal terms is expected, generally knowing technical terms such as “Giga Byte” and “Thumb Drive” will be helpful and just might impress the Judge.
  4. Understand Where the Corporate ESI Could be Stored: Understanding all the places ESI could exist is the first step in lowering your risk in litigation. After you understand where all the ESI could exist, and it could be thousands of places that have little or no central control, limit the number of locations that ESI can be stored. This will lower your cost of collection a huge amount.
  5. Talk to your IT department: Take the key individuals in your IT department out once in a while, maybe to your club. This will impress the propeller heads enough so that the next time you incorrectly reverse sync your Blackberry and blow all your contacts out of your outlook, they might actually fix it quickly. You might also learn some other stuff that would be helpful like the fact that they are keeping backup tapes around for years (if you don’t know why this is a problem, you didn’t take the prerequisite to this class).
  6. Acknowledge (and work with) your Records Managers: They’re not bad people, just misunderstood. I have heard Records Managers often referred to as “Blue Hairs”. This is an obvious reference to the stereotype that all records managers are “mature” women. I won’t lie to you; this is sometimes true in certain industries but not everywhere. The Records Management department can be an important ally in your understanding of eDiscovery problems and ways to fix those problems. They are also important in the next clue.
  7. Create a Usable Records Management Policy and Schedule: I walked into a large company several years ago on a consulting engagement and asked them for their records retention schedule. After about a day and a half I was given a 212 page document that was full of record types and retention periods, all in 8 point type. When I asked them if they really thought every employee actually followed this schedule, they answered “absolutely” and they met it. After interviewing 40 or so employees I found that 34 on them didn’t know the company had a retention schedule and the other 6 employees just regularly kept everything for ever. Having a records retention policy and schedule is the first step in controlling your ESI. The idea is to manage and control it; not keep everything forever. A word of caution; a retention schedule that is not enforced is worse than not having one at all.
  8. Create a Litigation Hold Policy and Test It: Creating a litigation hold policy before you experience litigation should not be a revelation to anyone even though I know for a fact it is for many.  It just makes sense that being able to effectively stop the destruction of potentially responsive ESI would lower your risk of spoliation. A common sense next step would be to test it. A litigation hold policy that doesn’t work will not usually impress the Judge.
  9. Train Your Employees: Train your employees on the records retention policy and schedule as well as the litigation hold policy. Remember the example above in the “Create a Usable Records Retention Policy and Schedule” topic. Having a policy and not telling your employees about it will not get you an invitation to the next Mensa gathering. Employees should be trained regularly and asked to sign a document that says they understand the training.
  10. Automate Where You Can: The bigger your organization, the harder it will be to do things manually. I know “archive” is a dirty word to most legal types but the term archive does not mean save everything for ever. It is a way to manage your ESI so that it is eventually deleted. Put ESI management systems in place that will help you meet your legal, regulatory and business requirements.

Do we need an addition to the EDRM?

The Electronic Discovery Reference Model is a great reference model showing all the general steps/processes around eDiscovery. There has obviously been a great deal of thought and work put behind it with fantastic results but does it cover everything that corporate legal departments want?

The reason I bring this up is I often run across companies that comment on the EDRM mostly because it doesn’t really reflect their processes. I don’t think it was met to be specific and probably couldn’t have been. Organizations have their own processes they have developed and are use to and it would be nearly impossible to take them all into consideration.

An addition I would like to see in the EDRM is a costing component. What processes, for example, incur the highest costs and how could those costs be better controlled. Again, I don’t believe it was in the EDRM’s target to answer those kinds of questions but wouldn’t those answers be great?

Eight Tenets for Building Effective Records Retention Policies

Corporate records retention policies for many companies are afterthoughts with little understanding of how the company truly uses its documents/records/ESI. In my experience, many companies leave the decision of whether to keep records and for how long to their employees. This strategy is dangerous and costly when litigation is potentially possible. Allowing your employees total control over records and ESI drives the cost of eDiscovery up because you greatly multiple the number of possible storage ares you must check for responsive records. It also increases the risk of spoliation when a litigation hold is required.

So to lower your cost and risk during eDiscovery, creating and enforcing effective records retention policies is a great first step to take.

Building effective records retention policies for eDiscovery preparedness, storage management, regulatory requirements etc. is not an exercise that should be done by a single individual or department. Put a cross departmental team together to fully understand how your organization uses and discards records.

The Eight Tenets:

  1. Understand any and all regulatory retention requirements you may have. Every organization will have federal or state retention requirements. The most obvious is the HR related regulations.
  2. Understand how and why your employees use data. You don’t want to create policies that make employees less productive or take away their ability to use and reference the data the need for their jobs.
  3. Create a common sense retention schedule. Don’t create an overly complex schedule that employees will quickly find ways to work around or ignore. Keep in mind the 5 second rule: If it take employees more than 5 seconds to decide how long to keep a record/document, they will almost always choose the longest retention period available.
  4. Build in a ESI litigation hold process…and test it.
  5. Train your employees on the new policies and insure they understand why the policies were created.
  6. Enforce the retention policies with audits and punishments if not followed. This step is important in litigation to be able to show the Judge of your “good faith intent” to insure ESI is not recklessly destroyed.
  7. Insure the language of the poplicy stands up to scutinity in the event of litigation by having your external counsel review the policies annually.
  8. And lastly, document everything you have done.

Depending on the size and complexity of your infrastructure, an ESI archive may be appropriate.


Its time to address this expectation from records managers that all records are created equal…They’re not.

How many pieces of paper a day does the average employee create or receive? For me its zero. Now, how many electronic documents, spreadsheets, email, attachments, instant messages, etc. does the average employee create or receive per day? In my case its hundreds of objects and 30-100 MB per day.

I work with customers all the time that try to use a very detailed retention schedule they created for hardcopy documents with their electronic records. They instruct their employees to classify each email etc. based on the retention schedule with little thought given to how long this directive will take each employee. They throw the policy over the fence and because few openly refuse to use it, assume it is working.

In records management we have a 5 second rule: if it takes an employee more than 5 seconds to classify a document, they will either attach the longest retetion period to it or delete it immediatly. I worked with a large bank that had a 290 page retention schedule that employees were suppose to consult for every record including emails. Every employy I interviewed either didn’t know the schedule existed or they classified everything as infinite retention period. Hardly a usefule system.

Companies not under a federal or state regulatory retentio requirements need to get a little more realistic about electronic record retention policies. Usually “high water mark” retention policies are the way to go. Assign retention based on department or function such as “2 years” for everyone on Finance. Many companies spend way to much time and expense trying to not keep the “lets go to lunch” types of emails for example. Why not keep them, they take up little room and are not detremental.

Lets just get more realistic about records management.

Rumored to be courtroom testimony

Attorney: Did you check for his blood pressure?

Doctor: No

Attorney: So, then is it possible that the patient was alive when you began the autopsy?

Doctor: No

Attorney: How can you be sure doctor?

Doctor: Because his brain was sitting on my desk in a jar

Attorney: But could the patient have still been alive nevertheless?

Doctor: It is possible that he could have been alive and practicing law somewhere

Litigation Holds and Lessons Learned

Bow Tie Law’s Blog recently had an interesting piece on litigation holds titled “The Holding Pattern: Lessons Learned on Litigation Holds” where insufficient notices or notices crated in bad faith can jeopardize a case because of the possibility of spoliation of ESI.

I have run across this same problem with past customers that didn’t take the litigation hold responsibility seriously. I worked with a customer whose litigation hold process was to send an email out to all 40,000 employees in 60 different countries telling them to stop deleting emails with specific content.

There was no consideration given to employees in other countries being able to read and understand English nor any follow up to make sure they had understood and acknowledge their responsibility. The GC’s opinion was: “I’ve let the employees know; now it’s their problem”. Obviously that doesn’t fly now.

So what is an easier, less risky way of applying litigation holds? The most straight forward way is to do it centrally and not rely on employees to understand and do it properly. A centrally managed ESI archive gives the legal department the ability to find the potentially responsive ESI and apply a litigation hold within minutes. This will also greatly reduce your risk of spoliation.

This also means all responsive ESI is available to be searched and placed on litigation hold. So you don’t have to hope employees understand and react properly to your litigation hold request…you simply do it centrally.

Manual Litigation Holds are Risky

In the case Pinstripe, Inc. v. Manpower, Inc., 2009 WL 2252131 (N.D. Okla. July 29, 2009), the defendant ran afoul of the litigation hold requirement by relying on a manual form of placing litigation holds, e.g. send litigation hold notices out to affected custodians.

The risk in this process is that 1. you have to send the notice out to all potentially affected custodians and 2. you have to be sure they read and understand the notice.

Many companies lose litigation before it really starts because they can’t effectively stop deletions of potentially responsive ESI.

The only way to insure you can stop ESI deletions when the litigation hold requirement is triggered is to take the management of ESI away from the individual custodians and centrally control it via an archive that captures and secures everything for some period of time.

With this strategy, the ESI can be managed and secured centrally which also allows for instantaneous placement of litigations holds on all potentially responsive ESI.

The key here is to use an ESI archiving system that captures a full ESI data set meaning for example not just email messages but also their attachments, calendar entries, task lists, contacts and attributes.

Also, for those of you that have SharePoint systems, be aware that SharePoint manages many more data type than just a record or document. Make sure you can capture and hold anything the eDiscovery request could ask for in a given ESI system.