Feature Article
Email - The Most Dangerous Data in an Organization
by Jason Cherkas
The Federal Rules of Civil Procedure were revised on December 1, 2006, changing how electronically stored information can be exposed during a legal matter. Under the Rules, a party may request that another party produce any electronically stored information, including information stored in any medium. As a result, document retention policies now must place greater emphasis on email retention, and they also need to take into account common work-arounds and the wide use of mobile devices.
The days of worrying only about information stored on company servers are in the past. Company owners and information technology professionals have been forced to take inventory of every electronic document they store, in any format. Document retention policies had to be modified and, in some cases, thrown out and started over. Besides the obvious focus on documents stored on a file server, email is now an important component of a retention policy. Many companies now have email retention policies in place that specify deleting email from the server and client every 30 to 180 days. Backup tapes are overwritten every two to three months so that backups do not outlive the retention window. For some companies this is their entire email retention policy. However, employees have many reasons for wanting to keep email, and so they take creative steps to work around the retention policy. This creativity has made email a ticking time bomb in many organizations.
The most common way of getting around a retention policy is to use a Personal Storage Table, or PST, file in Outlook. A PST is a built-in method of moving data off the email server into a data file located on the user's local disk or on a network share. This accomplishes what the user wants, keeping the email, but it defeats the company's email retention policy. In addition, PST files can be stored anywhere, and IT may not be aware of their existence, leaving the company open to surprises during discovery. We recommend that a company's retention policy specifically prohibit the use of PST files for company email, and that IT enforce the prohibition technically (Outlook's Group Policy settings can block PST creation or growth) and periodically search file servers and workstations for PST files rather than relying on the policy document alone.
I was involved with an internal investigation where an employee was accused of sending harassing emails to another employee. The person who was being harassed ended up leaving the company after no action was taken to stop the emails. Six months later the company was sued for negligence, and IT was called in to recover emails and files that might help with the case. According to company policy, monthly backup tapes were overwritten every three months and former employees' machines were wiped and repurposed after thirty days. The company had only the original complaint and nothing else to help its case. During the discovery process the company found out that the complainant had a copy of all the emails in a PST file that she took with her when she resigned. The company had no choice but to settle out of court for a large amount of money.
Another creative method is saving the actual message file, or converting the message to another format, for safekeeping. A user can simply drag a message from the inbox to the local hard drive, a network shared drive, or an external storage device such as a USB fob or external hard drive. This creates a message file (a .msg file in Outlook) containing the full email headers and the message contents. The Save As function can also be used to save the email in a Word or plain-text format. The header information is lost, but the email contents remain intact. Once saved this way, the message cannot be told apart from ordinary documents by file type alone, because it carries a common extension such as Word or Adobe PDF rather than anything that marks it as email.
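The two work-arounds above (PST files stored wherever the user likes, and individual messages dragged out as .msg files) share a weakness from the investigator's side: a file's name and extension say nothing reliable about what it is. The following added example, which is not from the original article, is one way IT can sweep a file tree for them by content rather than by name. It relies on the fact that every PST file begins with the four-byte magic "!BDN" and carries a format version word at offset 10 (14 or 15 for ANSI, 23 for Unicode, per Microsoft's MS-PST specification), and that Outlook .msg files are OLE compound documents with the standard OLE signature. The sample tree it builds (one properly named PST, one PST renamed to .bak, one .msg, a text file misnamed .pst, and a decoy) is constructed for the example.

```python
"""Find Outlook PST and .msg files on a file tree by content signature, not by name.

Constructed example, not part of the original article. Walks a directory, reads the
first bytes of every file, and reports PSTs (whatever their extension) and .msg files.
"""
import os
import struct
import tempfile
from datetime import datetime, timezone

PST_MAGIC = b"!BDN"                               # dwMagic at offset 0 of a PST header (MS-PST 2.2.2.6)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound document; Outlook .msg files use it
PST_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode"}   # wVer at offset 10 (MS-PST 2.2.2.6)


def classify(path):
    """Return 'pst', 'msg', or None based on the file's leading bytes (extension not trusted)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        return None
    if head.startswith(PST_MAGIC):
        return "pst"
    if path.lower().endswith(".msg") and head.startswith(OLE_MAGIC):
        return "msg"
    return None


def pst_version(path):
    """Return 'ANSI', 'Unicode', or 'unknown' from the header's little-endian wVer field."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    if len(head) < 12 or not head.startswith(PST_MAGIC):
        return "unknown"
    (ver,) = struct.unpack_from("<H", head, 10)
    return PST_VERSIONS.get(ver, "unknown")


def scan(root):
    """Walk root and return one dict per mailbox file found: name, path, kind, format, size, mtime."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = classify(path)
            if kind is None:
                continue
            st = os.stat(path)
            hits.append({
                "name": name,
                "path": path,
                "kind": kind,
                "pst_format": pst_version(path) if kind == "pst" else None,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            })
    return hits


def make_sample_tree(root=None):
    """Build constructed fixtures (a temp dir by default) and return the root path."""
    root = root or tempfile.mkdtemp(prefix="pst-hunt-")
    os.makedirs(root, exist_ok=True)
    header = lambda ver: PST_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", ver) + b"\x00" * 500
    fixtures = {
        "archive.pst": header(23),                  # ordinary Unicode PST
        "budget_2006.bak": header(14),              # ANSI PST hiding behind another extension
        "saved mail.msg": OLE_MAGIC + b"\x00" * 500,  # a single message dragged out of Outlook
        "fake.pst": b"not really a pst file",       # named like a PST but is not one
        "notes.txt": b"nothing to see here",        # decoy that must not match
    }
    for name, data in fixtures.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scan(make_sample_tree()):
        print(f'{hit["kind"]:4} {hit["pst_format"] or "-":8} {hit["size"]:>8} {hit["modified"]} {hit["path"]}')
```

Point it at a mounted file share or a departing user's profile directory instead of the sample tree. It deliberately reports the renamed .bak file and ignores the text file named .pst, which is exactly the behaviour a name-based search (or a user intent on keeping mail) defeats. It does not attempt to recognise messages that were saved as Word or PDF; for those, content indexing of the documents themselves is the only option.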
Mobile devices are now part of most companies' infrastructure. Some companies allow staff to receive email on their personally owned devices. This saves the company money, but it is a cause for concern because who controls the email on the device is debatable. Smartphones that receive company email should therefore be covered by the document retention policy.
Another engagement I was involved in concerned a partner of a small company who used a Windows Mobile device to receive his email. He was asked to meet with the other company owners about a few issues, but he knew he was going to be let go because of some financial wrongdoing that had been discovered by the other partners. Once he entered the meeting, the IT department sent a wipe request to his phone so that company data would be removed while he sat in the meeting. After the meeting the IT department gathered his phone and other company-owned belongings. They were put in a box for safekeeping and forgotten about. However, the IT department did not know that he had turned the phone off before entering the building. The phone never received the wipe request. A few months later a lawsuit was filed by the accused partner, and this box of belongings was handed over to the company's law firm for review. By this time his email history had been deleted from the server, backup tapes had been overwritten, and his computer had been wiped and put back into service. The company lawyers were looking for emails to defend the company and were out of luck until, in the electronic discovery process, the error of not wiping the device was found and the emails were discovered. In this case it worked in the company's favor, but it could just as easily have worked against them had the emails supported the employee's position.
A strong, clear document retention policy is imperative for companies today. To be effective in protecting the company, the policy should cover email retention and mobile devices, and it should anticipate the common ways people get around it. It should also require that the controls actually be verified: a remote wipe, for instance, only takes effect when the device checks in, so a device should not be treated as clean until the wipe has been confirmed. Failing to account for the creative methods people use to save email from automated retention controls can be very costly to a company in the event it becomes involved in litigation.