Legal Considerations for E-mail Archiving

Why implementing an effective e-mail archiving solution can help reduce legal risk

Written by: Quest Software, Inc.

Executive Summary
Copyright Quest Software, Inc. 2007. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY

The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS

All trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: info@quest.com
U.S. and Canada: 949.754.8000

Please refer to our Web site for regional and international office information.

Updated May, 2007
ABSTRACT

This document helps explain why implementing an effective e-mail archiving solution can help reduce legal risk even if an organization has yet to decide what sort of e-mail retention and disposal policies are appropriate for them.
DISCLAIMER

This document is not intended to provide legal advice. Quest recommends professional legal advice is sought before considering or implementing any of the information in this document. Quest is not responsible for any loss or damage which may be caused as a result of using information provided in this document.
CONTENTS

ABSTRACT
DISCLAIMER
CONTENTS
INTRODUCTION
LEGAL CONSIDERATIONS FOR MANAGING E-MAIL
    WHAT E-MAIL SHOULD BE KEPT?
    ARE DELETED MESSAGES REALLY DELETED?
    HOW BAD CAN IT BE?
    YOU'RE PROBABLY KEEPING ALL YOUR E-MAIL ANYWAY
    PSTS ARE LANDMINES
UNDERSTANDING HOW E-MAIL ARCHIVING CAN HELP
    TAKE CONTROL OF E-MAIL
    MANAGING RETENTION
SUMMARY
ABOUT QUEST SOFTWARE, INC.
    CONTACTING QUEST SOFTWARE
    CONTACTING QUEST SUPPORT
INTRODUCTION

Recent litigation and legislation have combined to raise the profile of e-mail and to impose burdens on organizations of most sizes, in most industries. As illustrated in Table 1 below, high-profile cases involving institutions such as Morgan Stanley, Bank of America, Philip Morris and JP Morgan have resulted in multi-million dollar fines, setting the stage for enforced e-mail management.

| Offending Company | Case | Penalty | Judgment |
|---|---|---|---|
| Morgan Stanley | Coleman Holdings v. Morgan Stanley (2005) | $1.45B | Failure to produce e-mail evidence |
| Bank of America | SEC Settlement (2004) | $10M | Failure to produce e-mail evidence |
| Philip Morris | United States v. Philip Morris USA Inc. (2004) | $2.75M | Spoliation (deletion of 60-day old e-mail for 2 years) |
| J.P. Morgan | SEC, NASD, NYSE Settlement (2005) | $2.1M | Spoliation of e-mail |

Table 1. Examples of violations in e-mail retention.

But despite the potential penalties, organizations affected by the myriad of legislation are struggling to determine how to address their compliance requirements, with everything from not doing anything with e-mail to not dealing with it properly.

Implementing an e-mail archiving system helps organizations address compliance requirements by ensuring there are mechanisms in place to capture and locate e-mail information. Often, in addition to helping with compliance requirements, these systems have operational benefits, such as reducing overall e-mail storage requirements and centralizing the control of the e-mail system to improve performance and realize better use of limited resources.

But once a system is implemented, organizations also need to ensure that the policies controlling the e-mail archiving solution meet the requirements of the business. In many cases, though, organizations have been so daunted by the many options available to them that they have either done nothing and delayed deployment of a solution, or not purchased a solution at all.

This technical brief helps explain why implementing an effective e-mail archiving solution can help reduce legal risk even if an organization has yet to decide what sort of e-mail retention and disposal policies are appropriate for them.
LEGAL CONSIDERATIONS FOR MANAGING E-MAIL

From a legal perspective, e-mail is fraught with risk, and many legal departments would prefer e-mail was not used at all. However, the reality is that e-mail is now the predominant form of business communication, and while e-mail is simple to use, its ramifications for business are significant. Additionally, the hesitancy of the legal department to agree to, or implement, an e-mail archiving system can have a detrimental effect on other parts of the business that want to take advantage of the operational benefits these systems provide.

A number of companies have delayed deploying an e-mail archiving solution because they believe that until they have formulated appropriate policies, keeping e-mail in an archive will expose them to increased risk.

In an ideal situation, a business would retain all e-mails that are beneficial and dispose of those that are harmful, within the bounds of the law. There are a number of reasons why this seemingly simple requirement is virtually impossible to achieve.

What e-mail should be kept?

E-mails are context poor, in that it is often very difficult to decide the importance of an e-mail based purely on its content. Furthermore, many e-mails contain office banter and important information. Events often determine the importance of an e-mail, and so an e-mail that may have been deemed to have no value can take on a whole new meaning in the context of an event such as a sexual harassment case.

Individuals can't be expected to classify e-mails as to their importance, not just because of the above but also because the typical volume of e-mail makes this impractical. No one would keep an e-mail that was damaging to them even if it was important to their organization.

Are deleted messages really deleted?

Like a fax machine transaction, there is always more than one e-mail: the sender's copy, and the copy held by anyone who receives the message.
E-mail exists in people's sent items folders and in multiple inboxes, both internally and externally. Completely deleting an e-mail is often impossible. Even if you manage to delete it within your organization, it could exist outside of your corporate boundaries. This is further complicated by the use of offline stores or personal stores, where an e-mail is no longer contained in the corporate mail system but exists on a local computer drive that is effectively beyond the control of an organization's IT department. All of these repositories could be searched as part of a legal discovery exercise, even though it is a complex and expensive process.

How bad can it be?

In the event of litigation where e-mail is involved (which is most litigation), it is vital to know what the potential exposure is to the organization. If you can't search and discover across your own e-mail repository, how can you formulate a strategy to deal with the situation?

Modern e-mail platforms are optimized to send and receive e-mail. However, they lack the ability to effectively search and manage the data they contain and, as previously mentioned, e-mail data is often stored outside of the e-mail system. The defense of not having the systems in place to search e-mail is no longer an acceptable reason to not produce e-mail in a timely manner.

For example, in early 2007 Intel said it may have lost e-mail correspondence relevant to an antitrust lawsuit brought by rival Advanced Micro Devices (AMD). The company's document-retention program, which was used around the time of the AMD suit, possibly did not preserve potentially relevant messages. AMD accused Intel of apparently allowing the destruction of evidence.

You're probably keeping all your e-mail anyway

Most organizations will find that, regardless of any formal retention and disposal policies, end users retain almost all of their e-mail messages. Usually these messages are kept in the personal stores mentioned earlier. End users retain most of their e-mails because they believe they have to in order to perform their jobs, or in some cases they do so for personal protection. Remember: e-mail is now the most widely used form of business communication. As a result, organizations will unwittingly be keeping significantly more e-mail than they know about or control, increasing the likelihood of non-compliance.

Most organizations force people to keep their e-mail outside of the corporate mail system

E-mail systems are not designed to store e-mail long-term and so most organizations have e-mail quotas whereby users are limited to a certain size of store in the e-mail system. When a quota is reached or exceeded a user is forced to delete e-mails to reduce storage before they can send or receive new messages. To avoid being interrupted by these messages, users either move e-mail to a personal store and/or randomly delete e-mail (usually starting with the largest ones) to get below their quota limit.
This has two serious implications:

- Once e-mail is outside of the corporate e-mail system, it is no longer in corporate control, and this presents a serious risk because it exists but cannot easily be searched and accessed by the organization.
- If users are randomly deleting e-mail to stay under their quota, the risk to the organization increases. Not only are the deleted e-mails of potential business value, they may also be important from a compliance perspective.

Organizations need a way of ensuring the right information is retained, and that the organization, not end users, manages this.

PSTs Are Landmines

Some organizations work to limit e-mail-based liability by aggressively deleting e-mail out of the mail server, believing that if it does not exist it cannot be discovered. These same organizations often do not have an effective means of controlling, deleting, or retaining e-mail messages that reside in personal stores.

Because e-mail that exists in personal stores is certainly discoverable and open to subpoena, yet is mostly invisible to the organization as it is neither centrally stored nor managed, PSTs are essentially legal landmines that undermine an organization's effort to decrease liability. Only through the collection and proactive management of all these personal stores and all other e-mail data can an organization be prepared to deal with the e-mail-related legal issues that are bound to arise.
UNDERSTANDING HOW E-MAIL ARCHIVING CAN HELP

In this situation, the risk is not keeping all of your e-mail messages; it's not knowing what you have, nor being able to manage it.

E-mail archiving solutions have been designed to help organizations control and manage their e-mail, not only helping them to address their compliance requirements, but also reducing overall e-mail storage utilization, assisting with mailbox management and increasing the performance of the mission-critical e-mail server.

Often, the needs of the wider organization are considered less significant than those of the legal team, who understandably need to understand the pros and cons of implementing such systems, and make recommendations accordingly. Regardless of the size of the company, or the industry in which it operates, understanding these issues can be a challenge. As a result, the implementation of such a system often stalls.

The question the lawyers want answered is: Why should we implement an e-mail archiving solution if we haven't formulated retention and disposal policies?

There are several rational reasons why implementation is important, and the factors identified in the previous section can be addressed.

Take Control of E-mail

One of the primary objectives of any e-mail archiving project must be to gain some level of control over the e-mail in your organization. In this case, control doesn't only mean being able to manage the new messages being sent and received, but also includes all of the other e-mail which is stored across the organization in file shares, on local hard disks, in Microsoft Outlook personal store (PST) files, etc.

Retention and disposal policies are worthless if they cannot be effectively applied and managed, and if e-mail is stored in disparate locations it is impossible to apply such policies. An effective archiving solution can import all the e-mail from personal stores and the corporate e-mail system, regardless of where this data is located.

E-mail also needs to be managed on an ongoing basis. Even once it's been collected, it is important that users are either no longer able to, or no longer need to, keep e-mail in personal stores. Given that users need access to old e-mails in order to perform their jobs, their e-mail quota needs to be effectively removed. Quest Archive Manager provides two powerful features to address this issue: the ability for end users to search their e-mail, and the ability to manage the size of the originating message store.

End users can have direct and secure access to their archived e-mail, and can use the powerful search tools to quickly locate the information they need. Figure 1 below depicts the standard web-based search screen that Archive Manager provides, including the results of a sample search. Messages can be opened directly from this results grid.

Figure 1: Archive Manager Search Screen

Archive Manager can also help manage the corporate e-mail store so users can effectively have an unlimited e-mail quota without putting the corporate e-mail system at risk, and in doing so maintains access to the e-mail for end users, including those who access e-mail using Microsoft Outlook. Reducing the size of the store also improves the performance of the store, and reduces the amount of data that needs to be backed up.

Once all e-mails are centrally captured and managed, retention and disposal policies (once formulated) can be applied retrospectively. It is expected that an organization will evolve its policies over time to keep pace with changing business and legislative requirements.

Managing Retention

Retention allows organizations to determine how long to keep e-mail messages, at both a global and a partial level. Once the retention period has passed, the e-mail messages are removed from the archive.

Laws and regulations specify that, for some industries, e-mail messages must be kept for a specific period of time, in some cases ranging from one year to 10+ years. The retention policies, and the rules which are implemented to support those policies, must be sufficiently precise in order to increase the likelihood of compliance.

As this is an emerging area, there are few examples of organizations being fined for mismanaging their retention rules; the e-mail-related cases that have occurred have been related to not keeping e-mail in the first place.

By ensuring the e-mail messages are kept, and that appropriate classifications are used, organizations can use Archive Manager's flexible retention policies to control the retention and disposal of e-mail. Figure 2 below shows how organizations can create flexible retention policies to suit their specific needs.

Figure 2: Archive Manager Retention Policy Editor
SUMMARY

Most organizations now have to comply with laws and regulations relating to e-mail and how it is managed. The penalties for non-compliance are significant, and for that reason e-mail archiving solutions are being adopted to help organizations address their compliance requirements.

By relying on the status quo and not implementing a solution, organizations are exposing themselves to unnecessary risk and effort, as their e-mail data will not be controlled, managed or able to be located in a timely way.

Implementing an e-mail archiving system ensures organizations gain control of their e-mail data and, in conjunction with appropriate people, processes and technologies, can significantly increase the likelihood of compliance being achieved. Organizations will also gain the operational benefits such systems deliver.

Quest Archive Manager enables e-mail to become a true asset for the organization by capturing, indexing, and storing messaging data for mailbox management, compliance, and knowledge sharing.
ABOUT QUEST SOFTWARE, INC.

Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and Windows infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 50,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows Management solutions simplify, automate and secure Active Directory, Exchange and Windows, as well as integrate Unix and Linux into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)
E-mail: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656 USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com

From SupportLink, you can do the following:

- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/global Support Guide.pdf