Month: June 2011

The Four Factor Test for Employee Expectation of Privacy

Bill Tolson eDiscovery , , , ,

On May 23, in SEC v. Reserve Management Co. Inc.,the U.S. District Court for the Southern District of New York ruled that an employee does not have a reasonable expectation of privacy with respect to communications with a spouse through an employer’s email system. In reaching its decision, the court used the four-part test from In re Asia Global Crossing Ltd to determine if the employee had a reasonable expectation of privacy. A key point in this analysis was the presence and actual notice to employees of an email policy that both forbade personal communications and warned employees of possible disclosure of company-controlled email communications. A write up of this outcome from the National Law Review can be viewed here.

Several cases have afforded protection to employees who may reasonably have expected privacy when using company IT systems. In Asia Global Crossing, the court set forth a four-factor test to assess the reasonableness of an employee’s privacy expectation in personal email transmitted through a corporate email system. The Asia Global Crossing test is composed of four basic questions:

  1. Does the company maintain a policy banning personal content or other objectionable use?
  2. Does the company monitor the use of the employee’s computer or email?
  3. Do third parties have a right of access to the computer or emails?
  4. Did the company notify the employee, or was the employee aware, of the use and monitoring policies?

If all four questions can be answered in the affirmative, then the employee should have no expectation of privacy.

This four factor test has been adopted by a number of courts faced with the task of determining the reasonableness of privacy expectations. As the Reserve Management court pointed out, “the cases in this area tend to be highly fact-specific and the outcomes are largely determined by the particular policy language adopted by the employer.”

Further questions that should be considered when putting one of these policies together:

  • Does the company maintain a policy banning personal content or other objectionable use?
    • Is the policy written down?
    • How often is it updated?
    • Was the policy communicated to employees?
    • How was it communicated?
    • Can employees find it if they want to?
    • Was the policy reviewed by legal staff?
  • Does the company monitor the use of the employee’s computer or email?
    • Did the company explain to the employees that the company and other legal entities has a right to access and review employee email?
    • How was this communicated?
  • Do third parties have a right of access to the computer or emails?
    • Was this explained to all employees
    • How was it communicated to the employees?
  • Did the company notify the employee, or was the employee aware, of the use and monitoring policies?
    • How did the company notify the employees?
    • Does the company audit the policy?
    • Does the company enforce the policy?

Some of the added question detail above highlights intent. Is the company’s intention to not allow personal communications from their employees (usually not) or is the intent to educate the employees as to their lack of privacy if they choose to utilize the corporate email system for personal use?

This review serves to remind organizations of the importance of creating and training employees on well thought out “use policies”. A well thought out and comprehensive use policy that employees are not aware of is in reality, not a policy. Lastly, when creating and adopting these use policies, it is always a good practice to get acknowledgements from all employees as to their understanding of the use policy.

Discovering the public cloud in Outlook

Bill Tolson Cloud Storage, eDiscovery, Technology , , , , , , , , , , ,

In my blog “The coming collision of “free to the public cloud storage and eDiscovery” posted on June 23, I talked about these new free cloud storage options and how they could become a problem in the litigation/eDiscovery process. While researching that blog, I found an interesting capability with Microsoft Outlook and the various cloud storage offerings.

It is called a email folder URL redirect. Microsoft Outlook includes the capability to associate an email folder with a Web page. You can set up this association so that when you select the email folder, the Web page appears or the contents of the folder appear.

This capability can be useful when you want to include internal instructions or news about the organization. Another example would be a redirected folder pushed out to all in the organization announcing a litigation hold and answering questions about the hold, expectations, target content etc.  Although this capability provides the opportunity to create powerful public folder applications, non-approved scripts can be included on the Web page that access the Outlook object model, which exposes users to security risks so users should not be adding redirected email folders without IT’s approval.

So how does this capability, email folder URL redirection, relate to cloud storage? All four of the “free to the public cloud storage” offerings mentioned in the blog include a web page where files can be uploaded, viewed and downloaded. This means, for example, the Amazon Cloud Drive service could be a redirection target for an Outlook email folder.

Use the following steps to create and associate an e-mail folder with a Web view:

  • If you don’t already have a folder list showing in your Outlook front end, click on the View menu, then click Folder List.
  • Create a new folder in the folder list called Amazon Cloud by right clicking on the top most folders where you want to create the Cloud folder under. Then type in the new folder name Amazon Cloud

Figure 1: Create a new email folder called “Amazon Cloud”

  • In the Folder List, right-click the folder that you want to associate with a Web page, and then click Properties on the shortcut menu.
  • In the Property dialog box, click the Home Page tab.
  • In the Address box, type the URL for the Amazon Cloud drive web page.
  • Click to select the Show home page by default for this folder check box if you want the Web view active.

Figure 2: Input the URL address of the Amazon Cloud drive webpage

  • Click OK.

Now, by clicking on the new email folder, you will see the Amazon Cloud drive sigh in webpage.

Figure 3: Access and sign in to your Amazon Cloud drive webpage

Figure 4: You now have full access to your cloud storage from within Outlook

Some things you can now do include being able to open files from within your Amazon Cloud Drive. Once opened, data can be copied and pasted to a new email you might be creating.

Some things you can’t do directly include saving an email attachment directly to your cloud drive, dragging a file in your cloud to an email. For both these capabilities, an interim step is required. Namely coping files to your desktop first.

If that’s the case, is this capability useful? That depends… If you utilize a “free to the public cloud storage” service then you may want a more direct capability to view content in your cloud from within Outlook. This is somewhat of a stretch but you never know.

The main reason I’ve highlighted this capability is to illustrate how difficult the eDiscovery collection and litigation hold processes are getting when custodians have all these different options for storing (hiding) potentially responsive ESI.

How easy is eDiscovery in SharePoint 2010?

Bill Tolson eDiscovery, records retention, Technology , , , , , , , , , ,

There has been nagging questions surrounding SharePoint and its ability to allow complete and effective eDiscovery searches of all potentially responsive content in the repository. The below description is from the Microsoft Enterprise Content Management (ECM) Team Blog.

From the Microsoft blog:=================================================================

Hi everyone, I am Quentin Christensen and I work on document and records management functionality for SharePoint. Electronic discovery (commonly referred to as eDiscovery) is an area we are supporting with new set of capabilities in SharePoint Server 2010. In case you are not familiar with eDiscovery, it is the process of finding, preserving, analyzing and producing content in electronic formats as required by litigation or investigations. eDiscovery is an important concern for all of our customers and given that SharePoint has grown to be an integral part of collaboration, document, and records management for many organizations, we recognize the need to support the eDiscovery process for SharePoint content.

Microsoft Office SharePoint Server 2007 included a hold feature that could be used for eDiscovery, but it was scoped to the Records Center site template. With SharePoint Server 2010 the eDiscovery capabilities have been greatly expanded to provide more functionality and the power to use these features across your entire SharePoint deployment.

In this post, I want to highlight three major improvements in SharePoint that support eDiscovery. You can:

  • Manage holds and conduct eDiscovery searches on any site collection
  • Use SharePoint Server Search or FAST Search for SharePoint out of box to search and process content
  • Automatically copy eDiscovery search results to a separate repository for further analysis

Read on to learn how SharePoint Server 2010 can support your eDiscovery initiatives and provide you with the tools you need to manage holds, identify, and collect SharePoint content.

The eDiscovery Process

The Electronic Discovery Reference Model from EDRM (edrm.net) provides an overview of the different parts of the eDiscovery process:

imageSharePoint Sever 2010 addresses the Information Management, Identification, Preservation and Collection stages. While this blog post will focus mostly on the identification, preservation and collection components, SharePoint provides a rich Information Management platform for Collaboration, Social Computing, Document Management and Records Management.  This means that you can take a proactive approach to eDiscovery by putting a governance framework in place and using appropriate disposition policies to expire content. Managing content and deleting it when it is no longer needed will reduce the amount of content that must be indexed and searched, and collected for eDiscovery.  The result is that eDiscovery costs can be dramatically reduced, changing the problem from finding a needle in a hay stack to finding a needle in a hay bale. Ultimately, the key to achieving legal compliance for eDiscovery obligations is built upon a foundation of robust Information Management.

When an eDiscovery event occurs, such as a receipt of complaint, discovery, or notice of potential legal claim, the identification stage begins. Content that may be subject to eDiscovery must be identified and searches are conducted to find that content. That content needs to be preserved and at some point, the content will be collected.

 

The eDiscovery Features

Hold and eDiscovery

Hold and eDiscovery is a site level feature that can be activated on any site.

imageActivating this feature creates a new category in Site Settings that provides links to Holds and Hold Reports lists. There is also a page to discover and hold content that allows you to search for content and add it to a hold. Once the Hold and eDiscovery feature is activated you can create holds and add to hold any content in the site collection. By default only Site Collection administrators have access to the Hold and eDiscovery pages. To give other users permission, add them to the permissions list for the Hold Reports and Holds lists. This will also give access to the Discover and hold content page.

clip_image005You can manually locate content in SharePoint and add it to a hold, or you can search for content and add the search results to a hold. With the Hold and eDiscovery feature you can create holds in the hold list and then manually add content to the relevant hold by clicking on Compliance Details from the drop down menu for individual items.

imageThen click on the link to Add/Remove from hold.

imageAnd you can select the relevant hold to add to or remove from.

imageBy manually adding an item to hold you will block editing and deletion of that item until it is released from hold. You will notice that the document now has a lock icon showing that it cannot be edited or deleted.

imageEach night a report for each hold is generated by a timer job. If you need a hold report faster you can manually run the Hold Processing and Reporting timer job in Central Administration.

Search and Process

You can manually add items to hold on any site collection, which is great. But that doesn’t help you find the content you don’t already know about. What if you have a large amount of items you want to find and add to a hold? For that you can use the features on the Discover and hold content page, which is a settings page in Site Settings. From this page you can specify a search query and then preview the results. The configured search service (SharePoint Search Server or FAST Search for SharePoint) will automatically be used. You can then select the option to keep items on hold in place so they cannot be edited or deleted, or if you have configured a Content Organizer Send to location in Central Administration you can have content copied to another site and placed on hold. You may want to create a separate records center site for a particular hold to store all content related to that hold. The Content Organizer is a new SharePoint Server 2010 feature based on the Microsoft Office SharePoint Server 2007 Document Router with richer functionality to automatically classify content based on Content Type or metadata properties. Look for a future blog post covering the Content Organizer.

Holding content in place is recommended if you want to leave content in the location is was created with all the rich context that SharePoint provides, while blocking deletion and editing of content. Be aware that this will prevent users from modifying items. If you prefer users to continue editing documents, then use the copy to another location approach.

When searching and processing, the search will by default be scoped to the entire Site Collection and run with elevated permissions so all content can be discovered. The search can be scoped to specific sites and you can also preview search results before adding the results to a hold. Items can be placed on multiple holds and compliance details will show all of the holds that are applied to an item.

imageIn summary, SharePoint Server 2010 contains key features that make it an essential aspect of your eDiscovery strategy. With the new SharePoint Server 2010 capabilities you can easily apply proper retention policies for all content and make it easier to discover content if an eDiscovery event occurs. eDiscovery often prescribes tight deadlines for production. SharePoint 2010 helps you find the right content and deliver it faster.

Quentin Christensen
Program Manager – Document and Records Management
Microsoft

The coming collision of “free to the public cloud storage” and eDiscovery

Bill Tolson Cloud Storage, eDiscovery, Information Management, Technology , , , , , , , , , , , , , , , , , ,

The discovery process is tough, time consuming and expensive. What new problems are corporate attorneys facing now with the availability of “free to the public cloud storage”?

First, what is “free to the public cloud storage”? For the purposes of this blog I will define it as a minimum amount of storage capacity offered by a third party, stored and accessible via the internet made available to the public at no cost (with the hope you purchase more). The cloud storage offerings I’ve already mentioned do not limit the types of files you can upload to these services. Music storage is a prime target for these services but many, like myself, are using them for storage of other types of files such as work files which can be accessed and used with nothing more than a computer and internet connection, anywhere.

Examples of these cloud storage offerings include Dropbox, Amazon Cloud Drive, Apple iCloud, and Microsoft SkyDrive. I looked at the Google Cloud Service but determined it is only useful with Google Docs.

A more detailed comparison of these services can be found here.

The only differences between the four offerings stem from the amount of free capacity available and how you access your files. For example, my Amazon Cloud Drive as seen from my Firefox web interface:

Figure 1: The Amazon Cloud Drive web interface

The advantage to users for these services is the ability to move and store work files that are immediately available to you from anywhere. This means you no longer have to copy files to a USB stick or worse, email work files as an attachment to your personal email account. The disadvantage of these services are corporate information can easily migrate away from the company security and be managed by a third party the company has no agreement with or understanding of in reference to the third party will respond to eDiscovery requests. Also be aware that ESI, even deleted ESI is not easily removed completely. In a previous blog I talked about the Dropbox “feature” of not completely removing ESI when deleted from the application as well as keeping a running audit log of all interactions of the account (all discoverable information). The Amazon Cloud Drive has the same “feature” with deletions.

Figure 2: The deleted items folder in the Amazon Cloud Drive actually keeps the deleted files for some period of time unless they are marked and “Permanently Deleted”

The big question in my mind is how will corporate counsel, employees and opposing counsel address this new potential target for responsive ESI? Take, for example, a company which doesn’t include public cloud storage as a potential litigation hold target, doesn’t ask employees about their use and or doesn’t search through these accounts for responsive ESI…potential spoliation.

For Corporate counsel:

  1. Be aware these types of possible ESI storage locations exist.
  2. Create a use policy addressing these services. Either forbid employees from setting up and using these services from any work location and equipment or if allowed be sure employees acknowledge these accounts can and will be subject to eDiscovery search.
  3. Audit the policy to insure it is being followed.
  4. Enforce the policy if employees are not following it.
  5. Document everything.

For employees:

  1. Understand that if you setup and use these services from employer locations, equipment and with company ESI, all ESI in that account could be subject to eDiscovery review.
  2. If you use these services for work, only use them with company ESI, not personal files.
  3. Be forthcoming with any legal questioning about the existence of these services you use.
  4. Do not download any company ESI from these services to any personal computer, this could potentially open up that personal computer to eDiscovery by corporate counsel

For opposing counsel:

Ask the following questions to the party being discovered

  1. Do any of your employees utilize company sanctioned or non-sanctioned public cloud storage services?
  2. Do you have a use policy which addresses these services?
  3. Does the policy penalize employees for not following this use policy?
  4. Do you audit this use policy?
  5. Have you documented the above?

These services are the obvious path for employees to utilize over the next couple of years to make their lives easier. All involved need to be aware of the eDiscovery implications.

Software bug exposed Dropbox users’ accounts to others

Bill Tolson Cloud Storage, eDiscovery, Technology , , , ,

I posted a blog back on May 16, 2011 about the Dropbox cloud storage service. Yesterday I saw the following headline in the Los Angeles Times; “Software bug exposed Dropbox users’ accounts to others” and thought it would be a timely story to pass on to others that don’t read the LA Times. The point of the story was that accounts of people using Dropbox were accessible to other users during a nearly four hour period last Sunday.

Click on the hyperlink above to read the full story.

Part 2: Finding hidden data and metadata in office documents for eDiscovery

Bill Tolson eDiscovery, Technology , , , , , , , , ,

I ended my last blog with the question; So what and how should a company put in place a process to make sure this type of metadata is removed as a standard process before litigation arises?

Before we answer that question, let’s review the point of the last posting. The point was that Microsoft Office (and other applications) can be a rich source of discoverable information (not just metadata, thanks Leonid) for the plaintiff, especially if the author of the document didn’t take the time to scrub all hidden and personal information before finalizing it. Obviously this unseen data can be a goldmine for the opposing counsel if they know to look for it.

To address this risk, you should get your employees into the habit of “finalizing” documents by running the Microsoft Office “Document Inspector” as well as deleting all previous revisions of the document. To many, this seems like a lot of trouble but in the long run can significantly reduce your eDiscovery risk.

Figure 1: Accessing the “Document Inspector” in Word 2007

The Document Inspector provides a central location for you to examine documents for personal, hidden, or sensitive information. You can then use built-in Document Inspector modules to remove unwanted information more easily. The document inspector can be found by clicking on the “Prepare” topic and then on the “Inspect Document” menu item. The Document Inspector is available the same way in all Microsoft Office applications.

Figure 2: The Document Inspector

As you can see above, the Document Inspector allows you to check for Comments, revisions, versions, annotations, document properties, personal information, custom XML data, headers, footers, watermarks and hidden text. This type of data can be damaging in litigation if the discovered party is not aware of its existence.

Once the Document Inspector is run, you will get an indication of potential threats as seen in the window below:

Figure 3: The Document Inspector will alert you to possible threats

From this point, you can either “remove all” hidden data for each topic searched on or none of it.

But that’s the point right? You can’t remove this data after a litigation hold has been applied so by removing this hidden data as part of a consistent process will remove the risk of having to review and turn over this data in discovery.

The two points to remember is first, this hidden data and metadata could exist in you employee’s potential responsive files which means you better review it before you turn it over and second, there are ways for employees to easily remove it themselves as part of a documented process.

Accessing hidden metadata in Office documents for eDiscovery

Bill Tolson eDiscovery, Technology , , , , , , , , , ,

Microsoft Office and other documents including PowerPoint, Word, and Excel among others can be a rich source of discoverable information for the plaintiff, especially if the author of the document didn’t take the time to scrub all hidden and personal information before finalizing it. Be aware all of this hidden and personal metadata can’t be altered after a litigation hold should have been applied.

Several types of hidden and personal data can and will be saved by default in an Office document if the correct precautions are not taken.  The first point to remember is that Office applications are by default capturing data as the document in question is created, reviewed and revised. Data such as:

  • Comments, revision marks from tracked changes, versions, and ink annotations
  • Document properties and personal information. Document properties, also known as metadata (metadata: Data that describes other data. For example, the words in a document are data; the word count is an example of metadata.), include details about your document such as author, subject, and title. Document properties also include information that is automatically maintained by Office programs, such as the name of the person who most recently saved a document and the date when a document was created. If you used specific features, your document might also contain additional kinds of personally identifiable information (PII) (personally identifiable information (PII): Any information that can be used to identify a person, such as a name, address, e-mail address, government ID, IP address, or any unique identifier associated with PII in another program.), such as e-mail headers, send-for-review information, routing slips, printer paths, and file path information for publishing Web pages.
  • Headers, footers, and watermarks
  • Hidden text including reviewers notes
  • Hidden rows, columns, and worksheets
  • Invisible content PowerPoint presentations and Excel workbooks can contain objects that are not visible because they are formatted as invisible
  • Off-slide content
  • Presentation notes
  • Document server properties. If your document was saved to a location on a document management server, such as a Document Workspace site or a library based on Microsoft Windows SharePoint Services, the document might contain additional document properties or information related to this server location.
  • Custom XML data

In my experience, few companies train their employees to remove this metadata before their documents, spreadsheets and presentations are finalized and distributed. For the attorney asking for ESI, a tell tale sign of spoliation would be the total absence of this hidden data. The attory could do a quick sampling of discovered documents and if the majority of them are “clean” then a discussion with the defendants counsel and possibly Judge would be in order. Unless the defendants could show evidence of employee processes including the regular removal of this type of data as a standard process, a spoliation ruling would be in the cards.

So what and how should a company put in place a process to make sure this type of metadata is removed as a standard process before litigation arises?

My next blog entry will answer this question.