  • Disclaimer:

    The information in this weblog is provided "AS IS" with no warranties, and confers no rights. The opinions and interests expressed on this employee blog are the employees' own and don't necessarily represent EMC's positions, strategies or views. Inappropriate comments will be deleted at the authors discretion.

Archiving To Help Solve BYOD

We have written before about the security, privacy, compliance and legal issues created by the Bring Your Own Device (BYOD) phenomenon.  And if BYOD seems difficult here in the US, it’s far more difficult in the EU with its stronger protection of personal data.  With BYOD, personal information is being mixed with corporate information on an employee-owned device, often with no real corporate oversight, creating all kinds of new problems.

The UK’s Information Commissioner’s office recently published guidance to assist organizations in dealing with BYOD concerns in the EU.  Of course, a main point is that having a clear and effective BYOD policy is a crucial step for any organization.  But one issue, along with its related advice, really caught our attention:

     “If copies of data are stored on many different devices. . . there is an increased risk that personal data will become out-of-date or inaccurate over time … [or] retained for longer than is necessary … [because] it is more difficult to keep track of all copies of the data.  Using devices to connect to a single central repository of data can help mitigate this risk.”   [Emphasis added].

Centralized archives, operating and retaining data according to company policies, serve this purpose.  For example, rather than having email (and attachments) stored on various email servers, in PST files and on devices for every custodian, it should be stored, maintained, accessed (and ultimately deleted) from a single-instance email archive.  Each device can serve as a “window” to that centralized content so that it’s accessible as needed, and then deleted.  This avoids creating new instances of each message that are stored and managed for each individual device requiring access to the data.  And this same concept can be applied to documents from file systems, SharePoint, even records management systems.

Not every organization will have to meet EU (or even EU-style) data requirements.  But centralizing and managing content is a solid best practice that will pay dividends no matter where you are located.

Activating Your Information Management Shield

We talk with companies every day about how they can be better at managing their enterprise information.  Good policies, with technology to enable and enforce them, can help ensure that records and compliance information are retained for the right amount of time, while also enabling the deletion of stale and useless information which has outlived its retention period.  Good information management processes ensure that protected information is stored in the right place, operational efficiencies are enhanced by focusing on useful information and the e-Discovery process is easier and more efficient.

Many organizations know that they should implement information management initiatives, but often have difficulty in providing concrete reasons to the business.  If your organization is looking for more reasons why good information management is valuable, two recent cases provide some great reasons:

  • If you have an information governance policy, it may help you to defeat a claim for sanctions even if data has been deleted; and
  • If you don’t have an information governance policy, and you delete data that was subject to compliance requirements, the lack of a policy can help to establish the bad faith necessary to award sanctions.

Diligence As A Shield

In Danny Lynn Electrical & Plumbing, LLC v. Veolia Es Solid Waste Southeast, Inc., 2012 U.S. Dist. LEXIS 62510 (M.D. Ala. May 4, 2012), the plaintiff requested sanctions for the defendants’ alleged failure to properly implement a litigation hold.  Specifically, the plaintiff claimed that defendants had deleted nine email accounts and kept in place an auto-delete function which removed email from the trash after 10 days.  They also alleged that the defendants improperly sent notifications to employees on legal hold that they should continue to delete email messages to comply with email account size limitations.

The court found it significant that the defendants had deployed an email archive to capture all of their email messages.  (Interestingly, the court did not discuss or make any findings about how the archive had been set up, configured or managed).  In addition, in finding that there was no bad faith (a requirement in the 11th Circuit), the court found it important that defendants “began using a software system that archives all emails”:

The court’s impression is that the defendants have expended great effort to insure that the plaintiffs receive information from both their live and archived email system by providing document review technology and allowing access to its database.  All of these factors added up to the court finding that no sanctions were warranted.

Lack of Diligence Can Be A Final Straw

The flip side to the protection offered by information management can be found in FDIC v. Malik, 2012 U.S. Dist. LEXIS 41178 (E.D.N.Y. Mar. 26, 2012) where the court also considered a spoliation motion for the deletion of emails.  The email messages related to a law firm’s prior representation of a mortgage company.

In determining whether bad faith was present to enable sanctions, the court noted that the subject email messages were required to have been preserved not initially for litigation hold, but under compliance requirements — professional responsibility and ethical rules.  The court found that retention under the compliance requirement was especially important to this case:

A regulation requiring retention of certain documents can establish the preservation obligation necessary for an adverse inference instruction where the party seeking the instruction is ‘a member of the general class of persons that the regulatory agency sought to protect in promulgating the rule.  The court held off on a final decision pending an evidentiary hearing.

Being Proactive With Information Management

We all know that litigation holds are difficult to implement and are almost never perfect.  Sometimes something bad actually does occur – a custodian is inadvertently omitted, a handful of emails are lost.  But more often, nothing bad happens at all.  Still, even in those cases it can be difficult (and time-consuming and expensive) to fight off the other side’s claim that something “must have been lost.”  A good information management policy, with tools and education to enable it, can go a long way towards showing good faith and protecting your organization from harm.

Getting Legal to Support Your Email Management Project

Electronic Archives are one of the least understood – and yet one of the best – technologies available to the enterprise for improved operations, compliance and eDiscovery.  Yet while most IT professionals are familiar with the benefits of Email Archiving, many see only the operational improvements that an archive can bring.  So when they need to enlist in-house counsel’s assistance to approve the policies for the archive, they often miss the benefits to the legal department, making it more difficult to convince legal to help.  In fact, discussing the benefits of the archive is a critical step.  Many lawyers still misunderstand the purpose of Email Archiving, incorrectly viewing it as a tool to save everything forever – something they are almost always against.

If you’re having difficulty getting legal on board with your archiving project (or if you’re a lawyer and want to better understand how archives can help you), here are three significant areas that are improved with a good email archive deployed as part of an overall Email Management initiative.

Electronic Discovery

Electronic discovery is the process of identifying, holding, collecting, analyzing and producing electronically stored information (“ESI”) to meet the requirements of litigation, investigation or open records / FOIA requests.  Email messages are the most frequent – and arguably the most important – locations for ESI.  Email is also one of the most expensive and risky sources of ESI because most companies do not effectively manage their email.  This often forces enterprises, under the risk of sanctions for deleting data that is relevant to a lawsuit (a penalty known as “spoliation”), to search in virtually unlimited locations for email and then to process and review huge volumes of messages.  Some enterprises have no established process for eDiscovery and are forced to retain backup tapes of email servers and fileshares as a stopgap measure, at enormous risk and expense.  Worse still – some companies simply pretend to meet their obligations through a quick search of a few mailboxes on the email server, knowing that email is stored in other locations they cannot efficiently search, and then cross their fingers to hope for the best.

Almost all of this difficult and risky process can be avoided with an effective Email Archive operating as part of an overall Email Management initiative.  With a good archive, the enterprise’s eDiscovery team can quickly search through just one location for all email, substantially reducing cost and risk.  An effective Email Management program can further cut downstream cost and risk by enabling the defensible deletion of email messages that do not need to be retained.  (If you have not already begun, you will also want to consider how you handle other ESI repositories for eDiscovery).

Compliance

Good compliance programs today include processes related to the company’s electronic information, especially email.  Companies of any size or reach are subject to anti-corruption legislation such as the Foreign Corrupt Practices Act (FCPA) in the US and the UK Bribery Act.  Regulators also place demands on ESI retention and review, in addition to normal records retention requirements.  And regardless of whether we like it, email is a location where many of our records are received and maintained.

A centralized archive for email – with the ability to enforce company-mandated retention policies – can be a big win for compliance. An effective email sampling process can help to ensure compliance with high-risk requirements like the FCPA, UK Bribery Act and even Sarbanes-Oxley.  An archive with user-directed archiving capabilities enables a strong foundation for complying with records management and regulatory retention requirements.  Similarly, with these controls in place, the enterprise can feel more comfortable with deleting expired content, knowing that it’s not subject to any further retention requirements.  And for concerns on privacy and sensitive data, an issue that grows each day, an archive can help to ensure that sensitive data does not leave the company’s firewalls without being encrypted.

Operational

Companies without archives often retain all of their email on their server, and the archive will drive savings through reducing top-tier storage requirements, shrinking backup windows and sizes, and substantially improving the efficiency of the email servers.  Companies with mailbox size quotas have different issues – and with an archive they can quickly move to eliminate local email caches (typically PSTs or NSFs) that are unmanaged, insecure and can lead to disaster in eDiscovery matters.  Users can have virtually unlimited mailbox sizes with no noticeable impact on their day-to-day work – even when working remotely or on an airplane.

Although operational improvements may not be your legal department’s main focus, your lawyers want the company to be more efficient, and helping them to understand these improvements is also an important step.

What’s Next

If your enterprise does not yet have an Email Management initiative, get legal and IT together to talk about the benefits.  You will need help from legal in drafting and authorizing appropriate policies.  (In determining best practices for policies and archiving, your legal counsel might be interested in The Sedona Conference’s guidance on Email Management).  If you have already started, check to make sure that legal fully understands the benefits, has provided appropriate retention policies, is actively part of an efficient eDiscovery process, and that someone is verifying that users are maintaining information subject to regulatory frameworks.

InfoGov Guide to Momentum at EMC World 2011

The Information Governance team is building momentum for EMC World in Las Vegas next week.  There’s an awful lot going on and we thought we’d share some of the highlights with you.

We’ll be located in the Momentum Zone again this year, in the Solutions Pavilion.  We’ll be in the Governance pod, and we’ll be demonstrating our SourceOne Archiving, e-Discovery and Documentum Records Management, and enterprise Governance, Risk, and Compliance (eGRC) solutions.

We’ll also have 20 different presentations during the conference, including sections on Information Governance, with titles like “Optimizing Microsoft SharePoint for Information Growth and Governance” or “From Records Management to Information Governance: How to Successfully Ride the Information Wave”.  There will be

EMC SourceOne…We’ve Come a Long Way, Baby!

It is with great pride that I write this blog.  What’s the news?  EMC is positioned as a “challenger” in the first-ever Enterprise Information Archiving Magic Quadrant published by Gartner, Inc.  This magic quadrant replaces the former “Email Active Archiving” Magic Quadrant, as the last stand-alone email archiving Magic Quadrant was published in 2009.

Here is the magic quadrant graphic from the first Enterprise Information Archiving Magic Quadrant, published by Gartner in October 2010:

As you know, I’ve been active with SourceOne and in delivering the Information Governance message around the world.  I have the opportunity to talk with partners and customers on more than half the continents, and I’ve observed the similarity in their information management challenges.  More importantly, I’ve also seen the consistent and measurable results that customers are reporting from deploying Information Governance technologies –

  • Reducing operational costs
  • Assisting with mail platform upgrades
  • Reducing time and cost of eDiscovery
  • Making it easier to find information

Gartner echoes these drivers in the Enterprise Information Archiving Magic Quadrant.  In fact, I believe that Gartner gives further credibility to our perspective that archiving is foundational technology for Information Governance.    So the nice thing here is that EMC’s Information Governance strategy and our focus on key enabling technologies is in alignment with the major market drivers.  From a customer perspective, that should give you confidence that our product roadmap is designed to address your key challenges around your biggest headaches – email and file servers in particular.  And while you might not be there yet – SharePoint is looming on the horizon.  When you are ready to address SharePoint management challenges, EMC is ready.

To put this magic quadrant in perspective, I think it is worthwhile to look at EMC’s placement in this market space and the challenges we’ve overcome.    Nearly five years ago when I started working in this product group, EMC was a challenger in the email archiving market by multiple analyst viewpoints.  But then EMC started to lose ground in the market to the point where we became clustered with lots of smaller vendors as a niche player.  In hindsight, 2008-2009 was a dark period for us.  We were on the brink of a new product introduction.  The market was moving forward with new feature enhancements, but at EMC we held steady on the need to re-architect the underlying foundation of our archiving product.

Then we launched SourceOne, which raised concerns among customers and analysts that we had a Version 1.0 product.  We disproved the risk, and at this point I’m proud to say that we have more than 600 customers globally for SourceOne Email Management.  And we now have more content archiving types than email on the SourceOne platform.  In order to be considered for the 2010 Enterprise Information Archiving Magic Quadrant, the vendor needed to have email and file server archiving.  EMC offers SourceOne for File Systems and also SourceOne for Microsoft SharePoint on the same underlying architecture as SourceOne Email Management.  So in hindsight, our decision to focus on an architecture revamp first is proving to be the right decision.

Another area where we struggled was with EMC’s e-discovery capabilities.  For this reason, EMC acquired Kazeon in September 2009 and the Kazeon capabilities are now integrated into the SourceOne family.   Since the acquisition, we’ve made the SourceOne archive one of the targets that Kazeon can discover against.  And we have the unique advantage that Kazeon can write to Documentum, allowing us to enforce legal holds with Documentum Records Management.

Understandably, many customers use the Gartner Magic Quadrant to help narrow their vendor selection.  In 2010, EMC is finally back where we believe we belong – as a challenger in the space for enterprise information archiving.   With our focus on execution, I hope next year we’ll see an even better improvement on this axis.  But what I’m really keen to see is how the evolution of our roadmap propels us from Challenger to Leader.

Dantes Inferno

Jim Shook, Senior Legal Consultant—eDiscovery & Compliance EMC Corp

Circles of Sanctions

In customer meetings and speaking engagements, I sometimes relate eDiscovery sanctions to Dante’s “Inferno” and its nine circles of hell.  The idea is that those who have poor eDiscovery processes and cannot meet their obligations to preserve relevant ESI have a good chance of facing sanctions.  At that point, the only question becomes the level of sanction – in Dante-speak, the circle of hell – on which to land.  Fortunately for most, the determination of the sanction is based in large part on the level of culpability – but as we will see in a few recent cases, the road to, uh, sanctions can be paved with good intentions.

Judges have a wide variety of sanctions available to remedy eDiscovery violations, which typically revolve around the failure to retain relevant ESI.  From least to most harsh sanction, they are:

  • Further discovery
  • Cost-shifting
  • Fines
  • Special jury instructions
  • Preclusion; and
  • Default judgment or dismissal (terminating sanctions)

(Pension Committee v. Banc of America Securities, 2010 WL 18431 (S.D.N.Y. Jan. 15, 2010) at 19-20).  The court has broad discretion in such matters, with the severity of the sanction normally based upon a combination of (1) the prejudice caused to the innocent party and (2) the degree of culpability of the bad actor.  (Victor Stanley v. Creative Pipe (“Victor Stanley II”), No. MJG-06-2662 at 71-72 (D. Md. Sept. 12, 2010); Pension Committee at 19-20).  As Judge Grimm notes in Victor Stanley II, harsh sanctions can result from a low level of culpability where there has been considerable prejudice to the injured party (to remedy the innocent party); and can also be awarded where prejudice is minimal but the culpability is great (to punish the wrongdoer and discourage future bad actors).  (Victor Stanley II at 72).

The Punishment Fits the Crime

In Victor Stanley II, Judge Grimm deals with a party – Mark Pappas, the president of defendant Creative Pipe – who repeatedly deleted ESI in deliberate attempts to frustrate the discovery process.  If you read the incredibly detailed opinion, you will see that this is not your run-of-the-mill case where typical mistakes are made because IT did not talk to legal, or the lawyers did not know much about IT concerns such as backup tapes or destruction policies.  Pappas intentionally and knowingly deleted thousands of files, deleted email while claiming that he was actually preserving the email in the “Delete” folder, and even used programs in an effort to eliminate more ESI (and his trails).  All along, he intentionally misleads the court and the opposing party about the state of discovery in the case and the defendant’s efforts to preserve and collect data.

Ultimately, Judge Grimm has seen enough, and he fashions one of the most interesting – and severe – sanctions that we have seen in eDiscovery caselaw.  Not only is judgment entered against the Defendant on one of the main claims in the case – the default judgment seems to be a fair response to all of the spoliation activities – but Judge Grimm finds it important to go a step further:

I order that Pappas’s acts of spoliation be treated as contempt of this court, and that as a sanction, he be imprisoned for a period not to exceed two years, unless and until he pays to Plaintiff the attorney’s fees and costs that will be awarded.

Prison – could it be a secret 10th circle?  This punishment is not even on our original list of possible sanctions!  (Technically, this part of the sanction is for contempt of court and not merely a remedy for violating eDiscovery requirements).   Truly, a sanction like this will apply only in the very rarest of circumstances.  However, before you discount the case as just another “shark bite” case, take a look at the next one.

Little Bad Acts Add Up

In interesting contrast to the totally indefensible acts of Victor Stanley II is Harkabi v. Sandisk Corp., 08 Civ 820 (S.D.N.Y. Aug 23, 2010).  In Harkabi, the defendant (ironically a high-tech, electronic data storage company) never intentionally deleted ESI, but it did make several important mistakes:

  • After segregating and then imaging the plaintiffs’ laptops (former employees), employees ultimately lost all of the data before it could be produced;
  • The company deleted relevant email messages during its transition to a new email archive platform (which also occurred after litigation hold began but before production);
  • The company failed to quickly realize these mistakes and – either as a function of that failure or as a separate mistake – failed to promptly inform the plaintiffs and the courts of these issues.  In fact, the plaintiffs were the first to discover that there were problems with defendant’s production, despite defendant’s assertions that it had no reason to believe that there were any problems.

Unlike Victor Stanley II, these problems seem to arise from a lack of attention to detail and possibly a lack of legal and/or IT knowledge.  While the court takes those circumstances into account, it also notes that in-house counsel was noticeably absent at critical junctures of the case, such as:

(1) when the plaintiffs’ original hard drives, which had been physically set aside, were copied onto a retention server;

(2) when those hard drives were later wiped so that the laptops could be re-issued to other employees; and

(3) during the transfer of email into the new archive system – which was particularly troubling because many of those emails should have been on litigation hold – there is no record that legal was involved at all.

Because much of the data was ultimately recoverable, one could argue that these are mostly minor to moderate-level transgressions (and they certainly are minor in comparison to Victor Stanley II).  But to the court, taken together they show some serious problems and in response, the court leveled appropriately serious sanctions:

  • To address plaintiffs’ costs and the delays in the eDiscovery process, defendants were ordered to pay money sanctions of $150,000; and
  • Perhaps even more important, the court authorized an adverse inference instruction to be issued to the jury when the case is tried, permitting or requiring the jury to assume that Sandisk destroyed evidence that would have helped the plaintiffs to prove their case.

These are serious sanctions.  While the court stopped short of a terminating sanction (the 9th circle), there are few cases that can reasonably survive a strong adverse inference instruction that seems likely to be given here.  Thus, while the sanctions are vastly different on their face from those in Victor Stanley II (particularly in the issue of incarceration), the practical difference on the actual cases may be very similar.

Conclusions

The language of Pension Committee, Victor Stanley II and other important rulings in 2010 is sounding a common theme: that the bench has less tolerance for eDiscovery violations, and is more willing to order appropriate sanctions for violations.  While you may not always be able to avoid procedural issues with your eDiscovery processes, taking a diligent approach and documenting your processes will help you to avoid serious sanctions.

Managing Information Chaos

EMC World 2010 in Boston was alive and vibrant.  There was an excitement and buzz around the show that I think was missing last year, particularly because I think people are feeling more confident.  The economy seems to be on the upswing, which means that budgets and project funding are coming back – even if at a cautious pace.  As we do each year, EMC put on a fantastic show – both socially and from a professional development standpoint.  The show floor was packed, sessions were well attended, and the parties were rocking.  All in all – it was a super event.

For me personally, this was my 5th EMC World.  This year was different for me.  For one, I’m now based in the United Kingdom, so it is a new experience to travel overseas to my home country for our corporate event.  Second, the messaging around the journey to the private cloud is so pervasive and well targeted.  I think across the board EMC has the potential to really truly change the IT dynamics for our customers – and it is exciting to be a part of the revolution.

For my part, I look at how the SourceOne products have relevance to the private cloud.  Since we announced SourceOne last year, we are on a mission to equate SourceOne with Information Governance, which really plays well to a challenge that customers will have across both the public and private cloud. Information Governance is about the technologies and policies to help our customers to understand what and where information is stored.  I see this concept of information visibility and management being even more of a challenge in the journey to the private cloud.  Information might be stored in a combination of onsite and in the cloud, and without proper management of its lifecycle there is great likelihood of information chaos.

It’s more than a question of what’s stored and where – our view is that Information Governance should help you to understand what you have stored, how it should be classified, how it should be managed and who should have access.  In short, it’s the holistic approach to managing your information across its lifecycle so that it continues to feed your customer service, your competitive advantage and your next innovation.  Whatever your industry, information is at the heart of your business.

I talked with many customers across multiple industries, countries and even organizational sizes at EMC World.  The common theme is that information growth has reached the point where it is weighing down production systems and sprawled in such a way that it’s difficult for anyone to find what is relevant.  For that specific reason, we introduced the SourceOne family – to help you rein in your information chaos.  Over the past year we have evolved the SourceOne family from email management to a broader portfolio that includes eDiscovery, SharePoint management and soon to follow other tools to gain control of your unstructured information.

If you have similar challenges with information chaos as well, why not check out what Information Governance can do for you at www.emc.com/sourceonecity.