The Bottle is Only Half Full: Email Migration for eDiscovery


Many legal professionals aren’t aware that there is more to defensibly migrating an email archive in response to eDiscovery than simply copying the journaled email store. In a previous blog titled “What I Don’t Know Can Hurt Me; Beware of Indexers Disguised as Archive Migration Tools”, I talked about the eDiscovery issues you can run into when you migrate the email store without reconciling it with the email archive SQL database, i.e. you lose all associated email metadata showing folder structure, read/unread, follow-up reminders, sender and all recipients (including CC and BCC).

There is another issue that responders to an eDiscovery request must be aware of; there can be two potential sources of archived email content in an email archive; the journaled mailbox archive and the individual custodian archived mailboxes. Migrating only the archived journal mailbox versus the individual mailbox archives can put you at legal risk.

Journal mailbox archiving captures each individual message as it flows through the email server and stores it in a “journal mailbox,” which is a big bucket of all emails sent and received from all mailboxes (figure 1). The main benefit of journaling email is that it captures and protects every email sent and received. In the past, journaling was used to ensure compliance with the SEC requirement that all emails, for brokers and traders, be captured and secured for later review. Journaling also ensures that the original email message is captured in an unaltered (original) state. The down side of journaling is that it creates a “flat” archive with none of the metadata generated from within an individual’s mailbox once it has been received (or sent). This means that mailbox folder structure, forwarding, movements from mailbox folder to folder, and the fact that the email was opened, etc., are not captured when journaling email.

Archiving via journaled mailbox


Direct mailbox archiving
 works differently from journaling in that the archive server will access each individual mailbox and archive anything new in that mailbox including new messages, drafts, email movements from folder to folder, etc. The benefit of direct mailbox archiving is that it captures additional content and metadata that could be important during litigation (figure 2). The downside is that this form of mailbox archiving can take much longer to complete.

Direct Mailbox Archiving

To get the best of both worlds, many organizations will enable both types of email archive collection to ensure the capture of all messages in an unaltered state via journaling while also performing a direct mailbox archive once a day to capture the additional content and metadata.

The issue arises when the company or company’s vendor, in response to an eDiscovery request, chooses to migrate only the journaled email archive while certifying to the opposing counsel and court that ALL responsive data was migrated and reviewed (figure 3 – left side). Keep in mind, in legal discovery it is the duty of the responding party to search for, and turn over, all relevant data to opposing counsel. This includes all existing metadata that could be relevant to the case.

This incomplete production of data could trigger charges of incomplete discovery response or spoliation (destruction of evidence) if the archived metadata is lost or corrupted after the original data production.

Migrate Journal & Direct Archives

Organizations migrating email from an archive, in response to an eDiscovery order, should ensure their migration vendor can defensibly migrate and reconcile both the journal and direct mailbox archives (figure 3 – right side).

Archive360 has experience in migrating email archives in response to eDiscovery requests. We defensibly migrate email so charges of incomplete eDiscovery or spoliation do not occur.

Advertisements

Emails considered “abandoned” if older than 180 days


The Electronic Communications Privacy Act – Part 1

Email Privacy

It turns out that those 30 day email retention policies I have been putting down for years may… actually be the best policy.

This may not be a surprise to some of you but the government can access your emails without a warrant by simply providing a statement (or subpoena) that the emails in question are relevant to an on-going federal case – criminal or civil.

This disturbing fact is legally justified through the misnamed Electronic Communications Privacy Act of 1986 otherwise known as 18 U.S.C. § 2510-22.

There are some stipulations to the government gaining access to your email;

    • The email must be stored on a server, or remote storage (not an individual’s computer).This obviously targets Gmail, Outlook.com, Yahoo mail and others but what about corporate email administered by third parties, what about Outlook Web Access, remote workers that VPN into their corporate email servers, PSTs saved on cloud storage…
    • The emails must have already been opened. Does Outlook auto-preview affect the state of “being read”?
    • The emails must be over 180 days old if unopened

The ECPA (remember it was written in 1986) starts with the premise that any email (electronic communication) stored on a server longer than 180 days had to be junk email and abandoned.  In addition, the assumption is that if you opened an email and left it on a “third-party” server for storage you were giving that “third-party” access to your mail and giving up any privacy interest you had which in reality is happening with several well-known email cloud providers (terms and conditions).  In 1986 the expectation was that you would download your emails to your local computer and then either delete it or print out a hard copy for record keeping.  So the rules put in place in 1986 made sense – unopened email less than 180 days old was still in transit and could be secured by the authorities only with a warrant (see below); opened email or mail stored for longer than 180 days was considered non-private or abandoned so the government could access it with a subpoena (an administrated request) – in effect, simply by asking for it.

Warrant versus Subpoena: (from Surveillance Self-Defense Web Site)

To get a warrant, investigators must go to a neutral and detached magistrate and swear to facts demonstrating that they have probable cause to conduct the search or seizure. There is probable cause to search when a truthful affidavit establishes that evidence of a crime will be probably be found in the particular place to be searched. Police suspicions or hunches aren’t enough — probable cause must be based on actual facts that would lead a reasonable person to believe that the police will find evidence of a crime.

In addition to satisfying the Fourth Amendment’s probable cause requirement, search warrants must satisfy the particularity requirement. This means that in order to get a search warrant, the police have to give the judge details about where they are going to search and what kind of evidence they are searching for. If the judge issues the search warrant, it will only authorize the police to search those particular places for those particular things.

Subpoenas are issued under a much lower standard than the probable cause standard used for search warrants. A subpoena can be used so long as there is any reasonable possibility that the materials or testimony sought will produce information relevant to the general subject of the investigation.

Subpoenas can be issued in civil or criminal cases and on behalf of government prosecutors or private litigants; often, subpoenas are merely signed by a government employee, a court clerk, or even a private attorney. In contrast, only the government can get a search warrant.

With all of the news stories about Edward Snowden and the NSA over the last year, this revelation brings up many questions for those of us in the eDiscovery, email archiving and cloud storage businesses.

In future blogs I will discuss these questions and others such as how does this effect “abandoned” email archives.

Visualizing Hawaii: A GC’s Perspective Pt 2


Continued from yesterday…

Scenario #2 (using the same example from yesterday except your email retention policy is now 2 years and you have an Information Governance program that ensures all unstructured data is searchable and actively managed in place)

Its 1:52 pm on the Friday before you leave on a much anticipated 2 week vacation in Hawaii…yada, yada, yada

It’s a letter from the law offices of Lewis, Gonsowski & Tolson informing you that their client, ACME Systems, is suing your company for $225 million for conspiracy to harm ACME’s reputation and future sales by spreading false information about ACME’s newest product line. You’re told that the plaintiff has documentation (an email) from an ABC Systems employee outlining the conspiracy. You also receive a copy of the “smoking gun” email…

——-

From: Ted
Date: June 2, 2012
To: Rick

Re: Acme Systems new solutions

“I would say we need to spread as much miss-information and lies about their solution’s capabilities as possible.  We need to throw up as much FUD as we can when we talk to the analyst community to give us time to get our new application to market.  Maybe we can make up a lie about them stealing their IP from a Chinese company.” 

——-

Should I cancel the vacation? …Not yet

You call the VP of IT and ask her if she has the capability to pull an email from 13 months ago. She tells you she does have all of the emails going back two years but there are literally millions of them and it will take weeks to go through them.

You remember getting a demo from Recommind two weeks ago showing their On Demand Review and Analysis platform with a really neat capability to visualize data relationships. So you call up Recommind and setup a quick job.

IT starts the upload of the email data set to the Recommind Cloud platform.

You call your wife and ask her to delay the vacation until Monday…she’s not happy but it could have been worse.

The next morning (Saturday) you meet your team at the office and sign into the hosted eDiscovery platform and pull up the visualization module and run a search against the uploaded email data set for any mention of ACME Systems. Out of the 2 million emails you get hits on 889 emails.

You then ask the system to graphically show the messages by sender and recipient. You quickly find Ted and Rick and their email and even one from Rick to David… Interesting.

Within the hour you are able to assemble the entire conversation thread:

Email #1

From: CEO
Date: May 29, 2012
To: Sandra; Steve

Subject: Acme Systems new solutions

Please give some thought about what we should do to keep momentum going with our sales force in response to ACME Systems latest release of their new router. I can see our sales force getting discouraged with this new announcement.

Please get back to me with some ideas early next week.

Thanks Greg

Email #2

From: Steve
Date: May 29, 2012
To: Greg; Sandra

Re: Acme Systems new solutions

Greg, I will get with Sandra and others and brainstorm this topic no later than tomorrow and get back to you. Sandra, what times are good for you to get together?

Thanks Steve

 

Email #3

From: Sandra
Date: May 30, 2012
To: Ted

Re: Acme Systems new solutions

Ted, considering ACME’s new router announcement, how do you think we should counter their PR?

Thanks Sandra

 

Email #4

From: Ted
Date: June 1, 2012
To: Sandra; Bob

Re: Acme Systems new solutions

If it wasn’t illegal, I would suggest we need to spread as much misinformation about their new router as possible to the analyst community to create as mush FUD as we can to give us time to get our new solution out. Maybe we can make up a lie about them stealing their IP from a Chinese company.

But obviously that’s illegal (right?). Anyway…I suggest we highlight our current differentiators and produce a roadmap showing how and when we will catch and surpass them.

Regards Ted

 

Email #5

From: Rick
Date: June 1, 2012
To: Ted

Re: Acme Systems new solutions

Ted, I heard you had a funny suggestion for what we should do about ACME’s new router… What did you say?

Thanks Bob

 

Email #6 (The incriminating email)

From: Ted
Date: June 2, 2012
To:  Rick

Re: ACME Systems new solutions

“I would say we need to spread as much miss-information and lies about their solution’s capabilities as possible.  We need to throw up as much FUD as we can when we talk to the analyst community to give us time to get our new application to market.  Maybe we can make up a lie about them stealing their IP from a Chinese company.”

It looks like I will make the flight Monday morning after all…

The moral of the story

Circumstances often dictate the need for additional technical capabilities and experience levels to be acquired – quickly. The combination of rising levels of litigation, skyrocketing volumes of information being stored, tight budgets, short deadlines, resource constraints, and extraordinary legal considerations can put many organizations involved in litigation at a major disadvantage.

The relentless growth of data, especially unstructured data, is swamping many organizations. Employees create and receive large amounts of data daily, a majority of it is email – and most of it is simply kept because employees don’t have the time to spend making a decision on each work document or email whether it rises to the level of a record or important business document that may be needed later. The ability to visualize large data sets provides users the opportunity to get to the heart of the matter quickly instead of looking at thousands of lines of text in a table.

Visualizing Hawaii: A GC’s Perspective or the Case of the Silent Wife


ABC Systems is a mid-size technology company based in the U.S. that designs and manufactures wireless routers…

Its 1:52 pm on the Friday before you leave on a much anticipated 2 week vacation in Hawaii. You’re having difficulty not thinking about what the next two weeks hold. You talk yourself into powering through the 176 emails you received since yesterday when you notice your administrative assistant has put an actual letter on your desk while you were daydreaming…

It’s a letter from the law offices of Lewis, Lewis & Tolson informing you that their client, ACME Systems, is suing your company for $225 million for conspiracy to harm ACME’s reputation and future sales by spreading false information about their newest product line. You’re told that the plaintiff has documentation (an email) from an ABC Systems employee outlining the conspiracy. You also receive a copy of the “smoking gun” email…

————
From: Ted                                                                                                                          

Date: June 2, 2012

To: Rick

Re: ACME Systems new solutions

“I would say we need to spread as much mis-information and lies about their solution’s capabilities as possible.  We need to throw up as much FUD as we can when we talk to the analyst community to give us time to get our new application to market.  Maybe we can make up a lie about them stealing their IP from a Chinese company.”

————

You’ve got to be kidding me! Once this news gets out the stock will be hit, the board will want an explanation and estimate of potential damage to the company reputation, our channel partners will want to have a legal opinion on the sales in the pipeline, the direct sales force will want a document to give to their potential customers, and the CEO will want estimates of merit etc. as soon as possible…There goes the vacation…and probably my marriage.

Scenario #1

Now what do I do now?

  1. Find out who this “Ted” guy is! (Don’t forget “Rick”)
  2. Find out who Ted and Rick reports to and what department they work in
  3. Call the VP of IT and give her a heads up on what you are going to be asking for
  4. Call your outside counsel and alert them as well
  5. Send an email to the VP of IT (and CC outside counsel) asking her to immediately secure Ted and Rick’s email accounts and any email backup tapes
  6. Send an email to Ted and Rick (and CC outside counsel) asking them to actively collect and secure under a litigation hold any documents and email that has anything to do with ABC Systems (strange thing is the email system has no one by the name of TED in it)
  7. Ask the VP of IT to find the original email from Ted to Rick and any other email messages involved in that conversation thread
  8. Get on the phone to the CEO and update him
  9. Call your wife and tell her to cancel the vacation plans

Five minutes after your wife hangs up on you in mid-sentence the VP of IT calls and informs you that the company has a 90 day email retention policy and recycles backup tapes every 6 months…the original emails don’t exist anymore. And by the way, after speaking to the VP of HR she discovered Ted had left the company 8 months ago. The only hope is that Rick kept local copies of his emails. By this time its 5:37 pm and Rick has gone home – with his laptop.

Monday morning Rick is surprised to find several people from legal and IT waiting at his desk when he arrives. It turns out Rick actually archives his email instead of letting the system delete it after 90 days into a PST file. Rick locates his 4.5 GB PST file on his share drive but for some reason it won’t open. Several members from the IT department spend two hours trying to get it open but determine its probably corrupted because its too big (PSTs have this nasty habit of letting the user keep stuffing files into it even though its already too big).

IT sends the PST off to a consultant to see if they can open it. After three weeks and $17,553 you are told it’s completely corrupted and can’t be opened!

During those three weeks you spend $4,300 tracking down Ted who doesn’t remember why he would have written an email like that. He does vaguely remember Jennifer may have been part of that conversation thread. 4.5 hours later combing through Jennifer’s PST, (why does everyone have a PST if we made a point to delete emails after 90 days?) you actually find a forwarded version of the email from Ted…It really does exist!

You determine it will be impossible to assemble the entire conversation thread so after several months of negotiating with ACME Systems Attorneys, you settle for $35 million and an apology printed on the front page of the Wall Street Journal…and your wife stopped talking to you.

Tune in tomorrow to catch up on the further adventures of Ted, Rick, Jennifer, ABC Systems, and the strangely silent wife…

Next Generation Technologies Reduce FOIA Bottlenecks


Federal agencies are under more scrutiny to resolve issues with responding to Freedom of Information Act (FOIA) requests.

The Freedom of Information Act provides for the full disclosure of agency records and information to the public unless that information is exempted under clearly delineated statutory language. In conjunction with FOIA, the Privacy Act serves to safeguard public interest in informational privacy by delineating the duties and responsibilities of federal agencies that collect, store, and disseminate personal information about individuals. The procedures established ensure that the Department of Homeland Security fully satisfies its responsibility to the public to disclose departmental information while simultaneously safeguarding individual privacy.

In February of this year, the House Oversight and Government Reform Committee opened a congressional review of executive branch compliance with the Freedom of Information Act.

The committee sent a six page letter to the Director of Information Policy at the Department of Justice (DOJ), Melanie Ann Pustay. In the letter, the committee questions why, based on a December 2012 survey, 62 of 99 government agencies have not updated their FOIA regulations and processes which was required by Attorney General Eric Holder in a 2009 memorandum. In fact the Attorney General’s own agency have not updated their regulations and processes since 2003.

The committee also pointed out that there are 83,000 FOIA request still outstanding as of the writing of the letter.

In fairness to the federal agencies, responding to a FOIA request can be time-consuming and expensive if technology and processes are not keeping up with increasing demands. Electronic content can be anywhere including email systems, SharePoint servers, file systems, and individual workstations. Because content is spread around and not usually centrally indexed, enterprise wide searches for content do not turn up all potentially responsive content. This means a much more manual, time consuming process to find relevant content is used.

There must be a better way…

New technology can address the collection problem of searching for relevant content across the many storage locations where electronically stored information (ESI) can reside. For example, an enterprise-wide search capability with “connectors” into every data repository, email, SharePoint, file systems, ECM systems, records management systems allows all content to be centrally indexed so that an enterprise wide keyword search will find all instances of content with those keywords present. A more powerful capability to look for is the ability to search on concepts, a far more accurate way to search for specific content. Searching for conceptually comparable content can speed up the collection process and drastically reduce the number of false positives in the results set while finding many more of the keyword deficient but conceptually responsive records. In conjunction with concept search, automated classification/categorization of data can reduce search time and raise accuracy.

The largest cost in responding to a FOIA request is in the review of all potentially relevant ESI found during collection. Another technology that can drastically reduce the problem of having to review thousands, hundreds of thousands or millions of documents for relevancy and privacy currently used by attorneys for eDiscovery is Predictive Coding.

Predictive Coding is the process of applying machine learning and iterative supervised learning technology to automate document coding and prioritize review. This functionality dramatically expedites the actual review process while dramatically improving accuracy and reducing the risk of missing key documents. According to a RAND Institute for Civil Justice report published in 2012, document review cost savings of 80% can be expected using Predictive Coding technology.

With the increasing number of FOIA requests swamping agencies, agencies are hard pressed to catch up to their backlogs. The next generation technologies mentioned above can help agencies reduce their FOIA related costs while decreasing their response time.

Huge French Company Cuts off Nose to Spite Face


Susanna Kim of ABC published an article on November 29th describing how a French company has decided to implement a “Zero Email” policy, a policy banning employees from sending internal emails.

The CEO of Atos, Thierry Breton, (a French information technology company!) has said that only 10 percent of the average 200 emails employees receive per day are useful and 18 percent are spam.  Because of this statistic, he hopes the company can eradicate all internal emails in the next 18 months forcing the company’s 74,000 employees to communicate with each other via instant messaging and other Facebook style interfaces.

This reminds me of the story about an HR VP who was so tired of employees calling her with questions and problems she stopped answering her phone. She had 30 whole minutes of peace… until employees figured out where her office was.

Why not stop all internal phone calls? It would seem to me that internal phone calls would have the same “waste” statistic.  How about this… program your corporate phone system to not allow any calls from one internal number to another and instruct employees that to contact internal employees, they must use Skype. That should solve the problem, right?

Email has become a wildly successful world-wide business productivity tool. To force thousands of employees to abandon it for other types of communications technology doesn’t seem to address the problem. Won’t only 10 percent of employee’s communications using the new communications solutions be useful as well. Is there something magical about the new technology that won’t allow employees to send wasteful communications?

The other problem that arises with this particular strategy is the problem of litigation holds and eDiscovery. Email systems are well known and technology exists to enable organizations to handle email in a legally defensible manner. It seems to me an organizations risk of insufficient eDiscovery and spoliation will rise with a switch to a new communications technology.

The problem is not the technology… its employee’s use of that technology. If 70-90 percent of emails employees send internally is junk, then train the employees on proper etiquette and use policies around the use of email. Train employees to not “reply all” or “BCC” on every email. Audit employee use of the email system and punish those that misuse it.

Running away from one of the most useful business tools ever seems like a gigantic over-reaction.

Litigation Hold in Exchange 2010


Litigation hold (also known as a preservation order and legal hold) all have the same legal meaning; a stipulation requiring an individual or organization to preserve all data that could relate to a anticipated or pending legal action involving the individual or organization. The litigation hold responsibility is one of the biggest liabilities individuals and organizations have in the civil litigation process. If a litigation hold is ignored or insufficiently applied, the Judge will not tolerate excuses and the outcome can be a spoliation or destruction of evidence ruling which in turn can cause an adverse inference order be issued and loss of the case. Several third party eDiscovery applications provide for litigation hold placement on individual items to reduce over saving of non-responsive ESI.

In Exchange 2010, Microsoft suggests placing a custodian’s entire mailbox on litigation hold. In other words specifically putting a custodian’s mailbox on litigation hold ensures an indefinite retention on all content, even the content not relevant to the case at hand, in the user’s mailbox until the mailbox is removed from Legal Hold. This shotgun tactic does ensure all potentially responsive ESI is retained at the time of placement but many attorneys are leery of blindly placing a litigation hold on all content due to the possibility of over retaining ESI that is not responsive to the current case but could be in a future case.

To put a custodian’s mailbox on litigation hold in Exchange 2010, the person making that decision needs to be part of the “Discovery Management” Role in Exchange.  By default there are no approved auditors in the organization, including the Exchange Administrator, which has the right to put a user’s mailbox on litigation hold.  The Exchange Administrator can go into the Exchange Control Panel and give themselves (and others) the right to enable litigation hold for mailboxes.

Another caveat for Exchange 2010 litigation hold is that it could take upwards of 1 hour before a litigation hold takes effect on a given custodian’s mailbox. This is because the policy needs to be enacted on all messages and folders in the mailbox and be replicated through Active Directory. With litigation hold enabled, all messages, regardless of the organization’s retention policy will be retained until released.

Another aspect of placing effective litigation holds in Exchange 2010 is the question of PST files. PSTs are a long running problem area for corporate legal as well as the IT department. The problem is this; PSTs include email, attachments and metadata no longer preset within the Exchange email system. So when an auditor searches a custodian’s mailbox from Exchange 2010 for relevant emails and attachments, they aren’t able to search for any PSTs the custodian has on their local workstation.