• Join our Communities!

  • Twitter Updates

    Error: Twitter did not respond. Please wait a few minutes and refresh this page.

  • Disclaimer:

    The information in this weblog is provided "AS IS" with no warranties, and confers no rights. The opinions and interests expressed on this employee blog are the employees' own and don't necessarily represent EMC's positions, strategies or views. Inappropriate comments will be deleted at the authors discretion.

Archiving To Help Solve BYOD

We have written before about the security, privacy, compliance and legal issues created by the Bring Your Own Device (BYOD) phenomenon.  And if BYOD seems difficult here in the US, it’s far more difficult in the EU with its stronger protection of personal data.  With BYOD, personal information is being mixed with corporate information on an employee-owned device, often with no real corporate oversight, creating all kinds of new problems.

The UK’s Information Commissioner’s office recently published guidance to assist organizations in dealing with BYOD concerns in the EU.  Of course, a main point is that having a clear and effective BYOD policy is a crucial step for any organization.  But one issue, along with its related advice, really caught our attention:

     “If copies of data are stored on many different devices. . . there is an increased risk that personal data will become out-of-date or inaccurate over time … [or] retained for longer than is necessary … [because] it is more difficult to keep track of all copies of the data.  Using devices to connect to a single central repository of data can help mitigate this risk.”   [Emphasis added].

Centralized archives, operating and retaining data according to company policies, serve this purpose.  For example, rather than having email (and attachments) stored on various email servers, in PST files and on devices for every custodian, it should be stored, maintained, accessed (and ultimately deleted) from a single instance email archive.  Each device can serve as a “window” to that centralized content so that it’s accessible as needed, and then deleted.  This avoids creating new instances of each message that are stored and managed for each individual device requiring access to the data.  And this same concept can be applied to documents from file systems, Sharepoint, even records management systems.

Not every organization will have to meet EU (or even EU-style) data requirements.  But centralizing and managing content is a solid best practice that will pay dividends no matter where you are located.

Archiving: The Secret Sauce to IT Transformation (Part 2)

Lady Backup asserts that there is a key enabler in IT transformation that EMC hasn’t paid enough attention to: archiving.
To understand why, let’s look at the 3 key benefits of archiving:
Benefit 1: Archiving increases operational efficiency.
How old are the emails stored in your email system? How frequently are files older than a year accessed in your file servers? How many sites are sat untouched in SharePoint?
Archiving allows you to be smart in how you retain content by storing aged content outside of your production environment. First, this reduces the storage capacity required. But also a lean production environment improves backup and recovery, increases application performance, and eases application maintenance/upgrades.
Benefit 2: Archiving improves end user productivity.
Data growth is not just a challenge for the infrastructure – it is also a challenge for end users to find content.
Take this scenario: you are trying to find a Word document created a year ago. Was it sent to by email? Did you save it to your PC hard drive? Or did you store on a network drive? Or maybe it was uploaded into a SharePoint site? Where do you look first??
Your archive can be the first stop for users to do granular searches for content, saving time hunting around for the file or worse, recreating it because it can’t be found.
Benefit 3: Archiving consistently manages retention policies.
Retention management not only keeps your data volumes under control, but from a corporate governance perspective you can consistently enforce retention policies.
Archiving allows you to consistently and automatically execute policies that meet your company’s policies and/or your regulatory requirements.
Let’s face it – data volumes are challenging a “keep everything forever” mentality.
Next week, we’ll look at considerations for an archiving solution. LB

Viva La Resolution!

Although I strictly avoid New Year’s Resolutions, January is often a good time to think about the year ahead.  Last year at this time I created a wish list hoping that we would all learn more about archiving, machine classification, social media and “the cloud”. 

While those topics remain very important this year, let’s start 2013 by focusing on an umbrella issue — “Information Governance”.  To me, very simply, Information Governance encompasses all of the things that we’ve focused on individually during the last several years in the information world — eDiscovery, archiving, retention policies, defensible deletion, security, records management, privacy, etc.  (Deb Logan of Gartner has a far more thoughtful definition). 

How do you “do” Information Governance?  That’s a very good question and I don’t know that anyone yet has a great answer.  The best thing that we can do, today, is to be better educated on the issues outside of our main focus area so that we can better understand the impact of our own initiatives.  For example, the legal department’s goal of making information more accessible and searchable for eDiscovery may impact privacy and even security concerns.  An IT goal to move email to the public cloud to save money may create compliance and eDiscovery nightmares.  And an initiative to delete “legacy” data could wreak havoc with records management policies.

For now, spend some time learning about what your colleagues are doing in their areas of expertise, across IT, legal, records, compliance, security, etc.  You may find that the big picture quickly becomes much clearer.  

P.S.  Hope to see you at the EMC booth at Legal Tech.  

 

Be Clear Before You Cloud!

Interest in cloud services remains extremely high, with IDC predicting a compound annual growth rate of almost 28%.   Yet “cloud” is a broad term, and when purchasing cloud services it is more important than ever to understand the details of an offering, particularly when considering email archiving.

Cloud archiving offers the opportunity for cost savings and a potential reduction in operational complexity.  But as with any offering, there are risks and downsides that are often ignored during the decision-making process:

–          If the system fails or is down, what are my rights?  In most cases, you will have an Service Level Agreement but the remedy if that SLA is not met is usually minimal.

–          If a regulator needs access to data or if I have an unexpected e-discovery requirement, how can I get the data that I need?  Some clouds will have tools but few companies determine in advance whether those tools are sufficient to meet their needs.

–          If the system is hacked or there is a security breach, what happens?  In most cases, any penalty for stolen or lost data remains with the company that owns the data, and the recourse against the provider is contractually limited.

–          If I find a better solution (or just don’t like this one next year), how can I move to another system?  Migrating your data from a cloud system is generally not an easy or inexpensive task.

For many, a managed service or private cloud may be the right answer.  In this model, the equipment and data center can still be owned by the customer, enabling it to maintain control and access whenever desired.  But with the day-to-day operation of the system managed by a skilled third party, at a set rate, operational costs and even complexity can be sharply reduced.

One size still cannot fit everyone.  So when looking at cloud solutions, make sure to understand all of your company’s requirements (have you talked with legal and compliance?) and get the answers before you decide.  It may save you a rainy day.

Activating Your Information Management Shield

We talk with companies every day about how they can be better at managing their enterprise information.  Good policies, with technology to enable and enforce them, can help insure that records and compliance information are retained for the right amount of time, while also enabling the deletion of stale and useless information which has outlived its retention period.  Good information management processes insure that protected information is stored in the right place, operational efficiencies are enhanced by focusing on useful information and the e-Discovery process is easier and more efficient.

Many organizations know that they should implement information management initiatives, but often have difficulty in providing concrete reasons to the business.  If your organization is looking for more reasons why good information management is valuable, two recent cases provide some great reasons:

  • If you have an information governance policy, it may help you to defeat a claim for sanctions even if data has been deleted; and
  • If you don’t have an information governance policy, and you delete data that was subject to compliance requirements, the lack of a policy can help to establish the bad faith necessary to award sanctions.

Diligence As A Shield

In Danny Lynn Electrical & Plumbing, LLC v. Veolia Es Solid Waste Southeast, Inc., 2012 U.S. Dist. LEXIS 62510 (M.D. Ala. May 4, 2012), the plaintiff requested sanctions for the defendants’ alleged failure to properly implement a litigation hold.  Specifically, the plaintiff claimed that defendants had deleted nine email accounts and kept in place an auto-delete function which removed email from the trash after 10 days.  They also alleged that the defendants improperly sent notifications to employees on legal hold that they should continue to delete email messages to comply with email account size limitations.

The court found it significant that the defendants had deployed an email archive to capture all of its email messages.  (Interestingly, the court did not discuss or make any findings about how the archive had been setup, configured or managed).  In addition, in finding that there was no bad faith (a requirement in the 11th Circuit), the court found it important that defendants “began using a software system that archives all emails”:

The court’s impression is that the defendants have expended great effort to insure that the plaintiffs receive information from both their live and archived email system by providing document review technology and allowing access to its database.  All of these factors added up to the court finding that no sanctions were warranted.

Lack of Diligence Can Be A Final Straw

The flip side to the protection offered by information management can be found in FDIC v. Malik, 2012 U.S. Dist. LEXIS 41178 (E.D.N.Y. Mar. 26, 2012) where the court also considered a spoliation motion for the deletion of emails.  The email messages related to a law firm’s prior representation of a mortgage company.

In determining whether bad faith was present to enable sanctions, the court noted that the subject email messages were required to have been preserved not initially for litigation hold, but under compliance requirements — professional responsibility and ethical rules.  The court found that retention under the compliance requirement was especially important to this case:

A regulation requiring retention of certain documents can establish the preservation obligation necessary for an adverse inference instruction where the party seeking the instruction is ‘a member of the general class of persons that the regulatory agency sought to protect in promulgating the rule.  The court held off on a final decision pending an evidentiary hearing.

Being Proactive With Information Management

We all know that litigation holds are difficult to implement and are almost never perfect.  Sometimes something bad actually does occur– a custodian is inadvertently omitted, a handful of emails are lost.  But more often, nothing bad happens at all.  Still, even in those cases it can be difficult (and time-consuming and expensive) to fight off the other side’s claim that something “must have been lost.”  A good information management policy, with tools and education to enable it, can go a long way towards showing good faith and protecting your organization from harm.

InfoGov Guide to Momentum at EMC World 2011

The Information Governance team is building momentum for EMC World in Las Vegas next week.  There’s an awful lot going on and we thought we’d share some of the highlights with you.

We’ll be located in the Momentum Zone again this year, in the Solutions Pavilion.  We’ll be in the Governance pod, and we’ll be demonstrating our SourceOne Archiving, e-Discovery and Documentum Records Management, and enterprise Governance, Risk, and Compliance (eGRC) solutions.

We’ll also have 20 different presentations during the conference, including sections on Information Governance, with titles like Optimizing Microsoft SharePoint for Information Growth and Governance or From Records Management to Information Governance: How to Successfully Ride the Information WaveThere will be Continue reading

Dantes Inferno

Jim Shook, Senior Legal Consultant—eDiscovery & Compliance EMC Corp

Jim Shook, Senior Legal Consultant—eDiscovery & Compliance EMC Corp

Circles of Sanctions

In customer meetings and speaking engagements, I sometimes relate eDiscovery sanctions to

Dante’s “Inferno” and its nine circles of hell.  The idea is that those who have poor eDiscovery processes and cannot meet their obligations to preserve relevant ESI have a good chance of facing sanctions.  At that point, the only question becomes the level of sanction – in Dante-speak, the circle of hell – on which to land.  Fortunately for most, the determination of the sanction is based in large part on the level of culpability — but as we will see in a few recent cases, the road to, uh, sanctions can be paved with good intentions.

Judges have a wide variety of sanctions available to remedy eDiscovery violations, which typically revolved under the failure to retain relevant ESI.  From least to most harsh sanction, they are:

  • Further discovery
  • Cost-shifting
  • Fines
  • Special jury instructions
  • Preclusion; and
  • Default judgment or dismissal (terminating sanctions)

(Pension Committee v. Banc of America Securities, 2010 WL 18431 (S.D.N.Y. Jan. 15, 2010) at 19-20).  The court has broad discretion in such matters, with the severity of the sanction normally based upon a combination of (1) the prejudice caused to the innocent party and (2) the degree of culpability of the bad actor.  (Victor Stanley v. Creative Pipe (“Victor Stanley II”), No. MJG-06-2662 at 71-72 (D. Md. Sept. 12, 2010); Pension Committee at 19-20).  As Judge Grimm notes in Victor Stanley II, harsh sanctions can result from a low level of culpability where there has been considerable prejudice to the injured party (to remedy the innocent party); and can also be awarded where prejudice is minimal but the culpability is great (to punish the wrongdoer and discourage future bad actors).  (Victor Stanley II at 72).

The Punishment Fits the Crime

In Victor Stanley II, Judge Grimm deals with a party – Mark Pappas, the president of defendant Creative Pipe – who repeatedly deleted ESI in deliberate attempts to frustrate the discovery process.  If you read the incredibly detailed opinion, you will see that this is not your run-of-the mill case where typical mistakes are made because IT did not talk to legal, or the lawyers did not know about much about IT concerns such as backup tapes or destruction policies.  Pappas intentionally and knowingly deleted thousands of files, deleted email while claiming that he was actually preserving the email in the “Delete” folder, and even used programs in an effort to eliminate more ESI (and his trails).  All along, he intentionally misleads the court and the opposing party about the state of discovery in the case and the defendant’s efforts to preserve and collect data.

Ultimately, Judge Grimm has seen enough, and he fashions one of the most interesting — and severe — sanctions that we have seen in eDiscovery caselaw.  Not only is judgment entered against the Defendant on one of the main claims in the case –the default judgment seems to be a fair response to all of the spoliation activities –- but Judge Grimm finds it important to go a step further:

I order that Pappas’s acts of spoliation be treated as contempt of this court, and that as a sanction, he be imprisoned for a period not to exceed two years, unless and until he pays to Plaintiff the attorney’s fees and costs that will be awarded.

Prison – could it be a secret 10th circle?  This punishment is not even on our original list of possible sanctions!  (Technically, this part of the sanction is for contempt of court and not merely a remedy for violating eDiscovery requirements).   Truly, a sanction like this will apply only in the very rarest of circumstances.  However, before you discount the case as just another “shark bite” case, take a look at the next one.

Little Bad Acts Add Up

In interesting contrast to the totally indefensible acts of Victor Stanley II is Harkabi v. Sandisk Corp., 08 Civ 820 (S.D.N.Y. Aug 23, 2010).  In Harkabi, the defendant (ironically a high-tech, electronic data storage company) never intentionally deleted ESI, but it did make several important mistakes:

  • After segregating and then imaging the plaintiffs’ laptops (former employees), employees ultimately lost all of the data before it could be produced;
  • The company deleted relevant email messages during its transition to a new email archive platform (which also occurred after litigation hold began but before production);
  • The company failed to quickly realize these mistakes and – either as a function of that failure or as a separate mistake – failed to promptly inform the plaintiffs and the courts of these issues.  In fact, the plaintiffs were the first to discover that there were problems with defendant’s production, despite defendant’s assertions that it had not reason to believe that there were any problems.

Unlike Victor Stanley II, these problems seem to arise from a lack of attention to detail and possibly a lack of legal and/or IT knowledge.  While the court takes those circumstances into account, it also notes that in-house counsel was noticeably absent at critical junctures of the case, such as:

(1) when the plaintiffs’ original hard drives, which had been physically set aside, were copied onto a retention server;

(2) when those hard drives were later wiped so that the laptops could be re-issued to other employees; and

(3) during the transfer of email into the new archive system – which was particularly troubling because many of those emails should have been on litigation hold – there is no record that legal was involved at all.

Because much of the data was ultimately recoverable, one could argue that these are mostly minor to or moderate-level transgressions (and they certainly are minor in comparison to Victor Stanley II).  But to the court, taken together they show some serious problems and in response, the court leveled appropriately serious sanctions:

  • To address plaintiffs’ costs and the delays in the eDiscovery process, defendants were ordered to pay money sanctions of $150,000; and
  • Perhaps even more important, the court authorized an adverse inference instruction to be issued to the jury when the case is tried, permitting or requiring the jury to assume that Sandisk destroyed evidence that would have helped the plaintiffs to prove their case.

These are serious sanctions.  While the court stopped short of a terminating sanction (the 9th circle), there are few cases that can reasonably survive a strong adverse inference instruction that seems likely to be given here.  Thus, while the sanctions are vastly different on their face from those in Victor Stanley II (particularly in the issue of incarceration), the practical difference on the actual cases may be very similar.

Conclusions

The language of Pension Committee, Victor Stanley II and other important rulings in 2010 are sounding a common theme: that the bench has less tolerance for eDiscovery violations, and is more willing to order appropriate sanctions for violations.  While you may not always be able to avoid procedural issues with your eDiscovery processes, taking a diligent approach and documenting your processes will help you to avoid serious sanctions.