Cloud Storage is not as secure as local storage…Really?


A December 13th posting in the Harvard Business Review Blog titled “Cloud Computing? Not So Fast — Unintended Consequences of Recent Disclosures” seemed to conclude that cloud computing/cloud storage was inherently less secure than traditional local or on-premise storage of sensitive records. The blog entry tried to cite a couple of recent cases to prove the point. One example used was the WikiLeaks revelations. The implication was that this massive amount of leaked information was (more easily) leaked because it was “stored in the cloud” versus somewhere else…such as an organization’s NAS or SAN.

The implication of the blog posting is inaccurate in that it assumes the top secret federal government controlled files were stored in a third party’s data center with little or no security, and that this was why army private Bradley Manning was able to easily steal such a huge cache of files/records.

I don’t know for a fact, but my guess would be that this data was held within the federal government infrastructure and was not being stored at a third party data center. But even if the data was held at a third party facility, security of the data is key.

There are several definitions of cloud storage, but the one most referenced is: cloud storage is storage accessed over a network (internal or external) via Web Services APIs. To many in the business world, cloud storage is a service which allows an organization to store electronic files/records in a third party remote location. Organizations will look at this service for a couple of reasons; first, it may be less expensive than purchasing and maintaining their own local storage resources. The second reason is increased security; sensitive data can be better protected from employee leaks etc.

The misused WikiLeaks example aside, it may be the author doesn’t fully understand the technology involved in on-premise storage versus cloud storage. In my experience, most organizations don’t protect the data their employees store locally with encryption or other safeguards. Many of the cloud storage providers encrypt data being stored to a cloud repository as it arrives at the storage facility. A couple of providers encrypt it before it leaves the customer’s location; and of course the encryption key is known only to the owner of the data, not the storage provider.
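As an added illustration of the second approach described above (client-side encryption, key held only by the data owner), and not code from this post or from any provider it mentions: a Go sketch in which the customer encrypts each record with AES-256-GCM under a key generated locally, hands only the ciphertext to a stand-in storage service, and confirms on download that a modified blob, or a blob moved to a different object name, is rejected. The object names, the sample record and the map standing in for the provider are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds AES-256-GCM from the owner's key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record on the customer side, before upload. The object
// name is bound as associated data so a blob copied to a different name
// will not decrypt. Layout of the stored blob: nonce || ciphertext || tag.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, []byte(name))...), nil
}

// Open decrypts a downloaded blob; any change to it, or the wrong object
// name, makes the GCM tag check fail and returns an error.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(name))
}

// Demo runs the exchange end to end and returns the first check that fails.
func Demo() error {
	key := make([]byte, 32) // 256-bit key made on the customer side; never uploaded
	if _, err := rand.Read(key); err != nil {
		return err
	}
	record := []byte("constructed sample record: account 0000-1111-2222")
	provider := map[string][]byte{} // stand-in for the storage service: blobs only, no key
	blob, err := Seal(key, "hr/record-1", record)
	if err != nil {
		return err
	}
	provider["hr/record-1"] = blob

	stored := provider["hr/record-1"]
	if bytes.Contains(stored, []byte("0000-1111-2222")) {
		return errors.New("provider-side copy exposes the record")
	}
	back, err := Open(key, "hr/record-1", stored)
	if err != nil || !bytes.Equal(back, record) {
		return errors.New("owner could not recover the record")
	}
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored blob
	if _, err := Open(key, "hr/record-1", tampered); err == nil {
		return errors.New("modified blob was accepted")
	}
	if _, err := Open(key, "hr/record-2", stored); err == nil {
		return errors.New("blob accepted under a different object name")
	}
	return nil
}

func main() {
	if err := Demo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("client-side encryption round trip OK")
}
```

Server-side encryption "as it arrives" protects the disks but not against the provider itself; here the service never holds anything it could decrypt.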

Top tier cloud storage providers store their customers’ encrypted data in class 4/5 secure underground data centers. Many Fortune 100 companies believe this type of storage is higher quality than letting their employees store sensitive data locally…

Beware: Your Facebook Posts Could End Up in Court


Social networking posters beware…your Facebook and other social media accounts may be seen by more than just your friends; in fact, what you post and tweet could become court evidence.

But many of us don’t consider these implications when tweeting and posting. Current employers, potential employers and, yes, even attorneys review social networking sites for information on workers, job candidates and litigants.

Individuals as well as organizations need to carefully consider what they post to these sites. In the personal injury case of McMillen v. Hummingbird Speedway, Inc., No. 113-2010 CD (C.P. Jefferson, Sept. 9, 2010), Hummingbird Speedway, Inc. sought access to plaintiff’s social network accounts, requesting an eDiscovery production of his usernames, log-ins and passwords.

Plaintiff objected, arguing that the information on those sites was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days. Additionally, the court ordered that plaintiff should not take steps to delete or alter the existing information on his social network accounts. The court said:

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.  In so holding, the court also noted the possibility that communications could be disclosed by friends of the account holder with whom the communications were shared.

Organizations need to establish and enforce employee social media policies to lower their risk and better protect their brand. Check out this related blog titled “Companies Need a Social Media Policy” for suggestions on establishing a corporate social media policy. And for all of us posters, bloggers and tweeters, be careful what you say; otherwise, it could be read back to you by an employer or judge.

Are Custodial Self-Discovery and Preserving ESI in place a good idea?


A majority of organizations still rely on the practice of instructing custodians to search for and protect potentially responsive ESI locally, or “preserve it in place”. In its 7th Annual Litigation Trends Survey, Fulbright & Jaworski reported that 55% of responding companies still rely on custodians to identify and preserve their own information as the method used most frequently to preserve potentially relevant information in litigation or an investigation.

Custodial self-discovery and “preservation in place” are potentially risky because, especially with larger numbers of custodians, the risk of incomplete collection, inadvertent deletion/spoliation, and metadata corruption is greatly increased. Legal supervision of the collection process is impossible, leading to inadequate defensibility of the litigation hold and eDiscovery process.

In a 2008 Kahn Consulting survey on employee understanding of eDiscovery responsibilities, only 22% of respondents said they had a good understanding of their responsibilities for retaining ESI for discovery. Only 16% said they had a good understanding of their responsibilities when responding to a litigation hold. These statistics blatantly highlight the risk of custodial self-discovery and preservation in place.

The courts are now holding litigants to a higher standard. In a recent case, Roffe v. Eagle Rock Energy GP, et al., C.A. No. 5258-VCL (Del. Ch. Apr. 8, 2010), the Judge was surprised at the custodial self discovery practice one attorney was relying on:

The Judge asks:

Am I correct that you have been relying on what they [the defendants]  self-selected to put in their transaction files, in terms of what you obtained and produced?

The defense attorney answers:

That’s correct, your Honor. I was told that they uniformly would put all of their Eagle Rock e-mails into that folder. I have not checked, and I don’t know whether that is true or whether that is accurate. I believe they are telling the truth, but I don’t know if that is accurate.

The Judge immediately responds to the defense attorney:

Then here is my ruling. This is not satisfactory. From what you have described to me, you are not doing what you should be doing. First of all, you do not rely on a defendant to search their own e-mail system. Okay? There needs to be a lawyer who goes and makes sure the collection is done properly. So both as to the two directors who already have produced — we don’t rely on people who are defendants to decide what documents are responsive, at least not in this Court. And you certainly need to put somebody on a plane to go out and see Mr. Smith.

In this exchange, the Judge clearly states: “we don’t rely on people who are defendants to decide what documents are responsive.” Custodial self-discovery is like the wolf guarding the chicken coop.

Relying on litigants to find, protect and eventually turn over potentially responsive ESI can be problematic. Most of them will attempt to do what’s right, to the best of their understanding (less than 23% have a good understanding). Those few who could have something to hide may find ways to do a subpar job in the discovery process. If I am the opposing counsel, I am going to want to know if self-discovery was relied on.

New York lawmakers propose legislation to enforce archiving for governor’s emails


“A recent proposal will mandate the current and future governors of New York to use an email archiving solution that will offer permanent access to important documents, the Times Union reports.

The most recent proposal marks the second-consecutive year New York lawmakers have passed legislation that creates more strict regulations forcing governors to submit emails to state archives. The bill’s proponents have stressed the historical benefits of integrating a government email archiving solution.

“Without documentation from successive governors’ administrations, the history of New York state is, and will remain, incomplete,” said Camille Jobin-Davis, assistant director of the state Committee on Open Government, in a memo in support of the bill, the news provider reports.

Lawmakers have been pushing for improved documentation of state government emails for the past year in an effort to fill a current void in the state’s information management requirements. Jobin-Davis criticized the state’s current email regulations and said they provide “minimal” guidance by allowing governments to freely destroy emails.”

The entire article can be read here.

Email archiving has become an important tool to ensure transparency among government agencies. Citizens want to be able to have access to all areas of how their government is run. Email archiving ensures government agencies, including governors, are making their records available for review.

Effective Records Management Greatly Benefits the Legal Dept for eDiscovery


Many (but not all) corporate legal types consider ESI retention management to be the legal hold process. Not a bad thought, but it really falls short of a true corporate definition of the term. To records managers, ESI retention management refers to the systematic retention and disposition of the organization’s electronic business records, whether for the day to day running of the business, regulatory compliance or litigation support. And in this case I believe the records managers are right.

ESI retention management, also known as records management, needs to be better understood by corporate legal because the proper management and deletion of electronic business records has a direct relationship to the corporate legal department for both legal holds and eDiscovery.

A properly managed ESI records management system allows legal to quickly find and place on legal hold all archived potentially responsive electronically stored information, thereby reducing the risk of spoliation (destruction of evidence). A centralized ESI management system will also act as an ongoing collection point so that when eDiscovery starts, the collection phase is already taken care of for that ESI already under management. Because the archive acts as an ongoing collection point, the legal department can quickly search the ESI archive for responsive ESI and begin their culling and review responsibilities almost immediately, without the need to spend days or weeks trying to find/collect potentially responsive ESI.

Training Employees Before they Hit the SEND Key


Time and time again we see news stories and legal case write-ups where it has become obvious employees still have no idea that an email is not a private communication. I find most employees, even corporate legal department types, still consider an email to be like a verbal conversation in a parking lot; once it’s ended, it doesn’t exist anymore (unless it was recorded).

A recent example came from the Goldman Sachs Congressional hearings where the following exchange took place:

US Senator Carl Levin: “And when you heard that your employees, in these e-mails, when looking at these deals, said God, what a shitty deal, God what a piece of crap – when you hear your own employees or read about those in the e-mails, do you feel anything?”

David Viniar, chief financial officer, Goldman Sachs: “I think that’s very unfortunate to have on e-mail.”

This is a prime example of a probably very smart guy who never considered that specific content in that email would ever show up in a blog, much less on the front page of the Wall Street Journal. This problem of unguarded content in emails has become a major liability for many companies and organizations. Another example is the recent flap over the emails between various researchers at various universities around the global warming question.

Organizations are doing themselves a huge disservice by not training their employees on proper email use and the implications of not following it. I am not addressing the “right” or “wrong” questions about these two specific examples, just the fact that very smart people continuously ignore the consequences of questionable emails.

So what can organizations do to protect themselves from this kind of liability? Well there are two steps that you can take to drastically reduce your liabilities around smoking gun emails. First, train all employees (not just once but at least annually) on your email use policy (hopefully you have one that addresses this kind of behavior). But also just as important is to educate them on the consequences of inappropriate email usage. Explain to them the eDiscovery process and what that means for email. Government agencies as well as attorneys regularly ask for and get emails from organizations in litigation or agency subpoena.

Also educate them on the email technology. I can’t count how many times I have had CEOs and CIOs, all the way down the line to line workers, explain to me that when they delete an email from their email box, it’s really gone. Show them why that’s not the case with a couple of the hundreds of case examples where company employees believed the same thing, and what happened.

The second step is to put technology in place that helps you zero in on this type of behavior before it ends up in court and on the front page. Many organizations will think this is “big brotherish” and not fitting with their organization’s culture. I disagree with this reasoning…Putting protections in place to ensure proper business behavior is a common sense measure to reduce your legal liabilities. Install an email archiving system so that email is secured for some period of time via retention policies, and also have content monitoring capability to be able to monitor, in real time, occurrences of content/behavior your organization has deemed out of bounds. Along with this technology, be sure to explain (repeatedly) to each and every employee that all of their emails are being captured for a period of time and that some are actually being monitored for content. I guarantee you that your employees will be overly careful what they put in emails going forward.

Adequately Securing ESI


The law firm of Gibson Dunn has just published their mid-year Electronic Discovery and Information Law Update and pointed out some interesting trends. The report can be viewed here.

From the Gibson Dunn report:

Of the 103 opinions Gibson Dunn analyzed, litigants sought sanctions in 30% (or 31)–compared to 42% in all of 2009–and received sanctions in 68% of those cases (or 21)–compared to 70% in all of 2009.

Courts have continued to impose monetary sanctions on outside counsel for failing to adequately supervise a client’s collection and preservation of electronically stored information (“ESI”). In re A&M Florida Properties, the court sanctioned both the client and its outside attorney, noting that although neither had acted in bad faith, sanctions were appropriate because outside counsel “simply did not understand the technical depths to which electronic discovery can sometimes go.”

Similarly, in Wilson v. Thorn Energy, LLC, No. 08 Civ. 9009 (FM), 2010 WL 1712236 (S.D.N.Y. Mar. 15, 2010) (Maas, Mag. J.), the court imposed an adverse inference sanction for gross negligence where the defendants had lost all data relevant to a large transaction when a USB drive was erased.  Id. at *3.  The Wilson decision declined to apply the protections of Federal Rule of Civil Procedure 37(e), which provides a “safe harbor” “for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system,” as the erasure occurred outside of any routine document management procedures.  Id.

Based on these findings, sanctions for eDiscovery failures are still rising and the courts are holding outside counsel responsible for the discovery practices of their clients.

The Wilson v. Thorn Energy case is interesting for the fact that the responsive data in question was stored entirely on a “USB Thumb drive” with no backup. This brings up the question: what is an acceptable procedure for securing responsive or potentially responsive ESI? Is dumping it to a legal department share drive enough? How about storing it solely on a backup tape? How about putting it on an attorney’s laptop hard disk? The main question that I will address in the next blog post is: what do you need to do to ensure the ESI will be available later on?

Custodial Self-Discovery and Common Sense


The eDiscoveryJournal recently ran an article about desktop collection for eDiscovery and mentioned the case of Roffe v. Eagle Rock, a case involving custodial self-discovery and expectations from the Judge. The transcript of the conversation between the Judge and both parties to the case can be seen here.

This transcript is interesting in that the judge clearly explains his (and most judges’) expectations of the discovery process, especially in dealing with custodians’ email accounts and personal computers. In the exchange, one of the defendant’s attorneys explains that he has received some potentially responsive emails from the defendants and is still waiting for some more. To clarify, the Judge asks:

Am I correct that you have been relying on, for the other two committee members, what they self-selected to put in their transaction files, in terms of what you obtained and produced?

The defense attorney answers:

That’s correct, your Honor. I was told that they uniformly would put all of their Eagle Rock e-mails into that folder. I have not checked, and I don’t know whether that is true or whether that is accurate. I believe they are telling the truth, but I don’t know if that is accurate.

In the defense attorney’s answer it becomes obvious that he is relying on the defendants to find and turn over all responsive emails to him, and that he has not done any supervisory direction or auditing of the discovery process.

The Judge immediately responds to the defense attorney:

Then here is my ruling. This is not satisfactory. From what you have described to me, you are not doing what you should be doing. First of all, you do not rely on a defendant to search their own e-mail system. Okay? There needs to be a lawyer who goes and makes sure the collection is done properly. So both as to the two directors who already have produced — we don’t rely on people who are defendants to decide what documents are responsive, at least not in this Court. And you certainly need to put somebody on a plane to go out and see Mr. Smith.

So the question for me would be, one, how fast can you do this right? And that means not only the e-mails from Mr. Smith. As I say, somebody should have been on a plane a long time ago to go through his e-mails. And if he chose to use his personal computer, well, that was his bad choice. All right? And if he has it mixed in other stuff that he gets, 150 e-mails a day, or whatever, that was his bad choice. That makes it all the more essential that a lawyer get on a plane, and go and sit down with Mr. Smith, and go through his e-mail and make sure that what is produced is — what is responsive is appropriately produced. And whoever it is better check his auto-delete settings, and they had better find out if these things have been auto-deleting every 30 days or 60 days or 90 days, and they better think through, as somebody properly should have done, whether there needs to be some type of, again, image and forensic check, to make sure that something hasn’t been lost in what sounds to me to be a lackadaisical, unsatisfactory process.

In this exchange, the Judge clearly states: “we don’t rely on people who are defendants to decide what documents are responsive.” Custodial self-discovery is like the wolf guarding the chicken coop. So for large matters with many custodians with potentially responsive ESI, what can an organization do?

First, the defense attorney should be overseeing the discovery process to ensure it is accomplished correctly. In most courts, the attorney has to certify that the discovery process was done correctly and what attorney wants to do that if they didn’t really manage it?

Second, relying on defendants to find and turn over potentially responsive ESI can be problematic. Most of them will attempt to do what’s right, to the best of their understanding. Those few who could have something to hide may find ways to do a subpar job in the discovery process. If I am the opposing counsel, I am going to want to know if self-discovery was relied on. There are a couple of ways to accomplish a custodian-centric discovery. You can image all custodians’ workstations, etc., and filter the images for responsive ESI. You can conduct one-on-one interviews with custodians and run search applications on their workstations. Both of these processes are expensive and time consuming.

Companies Need a Social Media Policy


Reuters had an interesting article on social media policies on June 28 at:

http://uk.reuters.com/article/idUKLNE65R01920100628

The article pointed out that trying to stop employees from participating in the social media revolution is near impossible and is not the right strategy in any case. The article advocated giving employees some ground rules (via written policy) about what can be written, and always conducting themselves in a “professional” manner.

In a perfect world…I would agree, but this assumes employees will follow your “general” policies.

The corporate brand is one of the most valuable assets the company owns, with years of investment of money, time and goodwill. To simply give that over to any employee could be disastrous. Let’s look at the problem from the lawyer’s point of view. Your attorney needs to protect the company from possible litigation and costly eDiscovery requirements wherever possible. Corporate social media needs to be managed just like any other marketing program.

All the social media venues I am aware of in one way or another record and display thoughts, pictures, links etc. for some period of time, sometimes forever. The fact to keep in mind is that if you put it in writing, it’s permanent and is out of your direct control from then on. Now, the first question you need to address is “is social media content discoverable (in the legal sense)?” Depending on the case and relevancy of the content, the answer is of course! So do you want any employee “speaking” for the company? If your policy is that you allow any employee to use corporate social media accounts or allow those employees to refer to the company in any way, then they could be seen as representing the company. Most successful companies I have worked for in the past have very specific rules around, for example, speaking to the media without prior approval or training. Why would an organization diverge from that strategy?

I know you can’t control what employees do away from work but companies do have a right to control their brand and that includes how they are represented on social media sites. For that reason, every organization should develop, implement and enforce a corporate-wide social media policy for all employees (because if you don’t enforce it, then do you really have a policy?).

Aspects of a corporate social media policy should include:

  1. A policy author with contact information in case employees have questions
  2. An effective date
  3. A definition of what social media is
  4. A description as to why this policy is being developed (for legal defense, brand protection etc)
  5. A description of what social media sites the company officially participates in
  6. A listing of those employees approved to participate on those sites
    1. The fact that any and all approved social media participations will be done only from corporate infrastructure (this is to protect approved employees from discovery of their personal computers)
    2. A description of topics approved to be used
    3. A description of those topics not approved to be used
    4. A description of any approval authority process
    5. A description of what will happen to the employee if they don’t follow the approved process
  7. A direct statement that unapproved employees that mention the company, company business, other employees, company customers etc. in any social media venue will be punished in the following manner…
  8. A description of how these policies will be audited and enforced

Once the policy is developed, it needs to be communicated to all employees on a regular basis and updated by a legal representative on an annual basis.

A side point is, for legal reasons, you should be archiving all approved social media participations much like many companies now archive their email and instant message content.

This type of policy will seem rather draconian to most employees, but in reality the organization needs to protect the brand and always have a proactive strategy toward potential litigation.

Putting some real teeth in eDiscovery sanctions will drive effective information management


Ok, I know there is push back from the legal industry in reference to the problem of the cost of discovery. Yes, companies create, use, receive and delete huge amounts of electronic information on a daily basis, and it is unreasonable to expect an organization to have enough of a handle on this moving target to be able to place an effective legal hold quickly and provide all responsive information in response to an eDiscovery request. But come on… organizations live and die by their information, especially electronic information, and if an organization doesn’t have enough of a handle on their data to be able to place a legal hold on select data, then, I’m sorry, they have other problems.

It all comes down to effective information management. Why is it unreasonable for a Judge to expect a company knows what data it has at any point in time and can find it when it needs to?

I understand the proportionality doctrine argument, and it makes sense. If proportionality did not exist, a plaintiff’s counsel could win every case just based on how they construct their discovery request.

Many businesses in the United States have long given employees total control of the company records, with a few exceptions, with little or no central control or even knowledge that the information exists and how it pertains to the business. This does not seem the best business decision for the long run.

Maybe eDiscovery can serve as the impetus to nudge companies to start taking information management seriously. If Judges start imposing even larger penalties and fines for what amounts to eDiscovery failings because of ineffective or no information management policies in an organization, then we may see a corporate change of attitude.

In a recent LTN Law Technology News article, e-discovery analyst Barry Murphy of Murphy Insights noted that very few sanctions for e-discovery have had any real teeth, and the few that have involved large dollar amounts have been overturned. In some cases, e-discovery snafus have led to negative inferences that almost certainly impacted the outcome, but he says even those rulings seem to have had little impact. “The sanctions we’re seeing are too small to register with many people, and while negative inferences may lead to a bad outcome, the impact is not always obvious,” says Murphy. “Once we see a sanction for many millions of dollars because of a failure to preserve electronic evidence, the point will be clearer.”

Let me offer some common sense suggestions around information management and eDiscovery:

  1. Have regularly updated and tested records retention policies
  2. Get rid of data your business no longer needs
  3. Really know what electronically stored information (ESI) you have and don’t have
  4. Be ready to find it quickly
  5. If you are a big enough organization, have tools on hand to help in the searches
  6. Have a tested litigation hold process. Be able to stop records deletions based on content, employee, date etc. quickly
  7. Have a tested eDiscovery process

Too many organizations are willing to risk the consequences: “It’s never happened to me before.” If you manage your ESI effectively, then discovery response should not be a problem.