Computer Law & Security Report 24 (2008) 176–180
available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Regulation of email
Archiving and storing e-mails – The legal and practical issues
Stephen Mason
St Paul’s Chambers, UK
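1 E-mail, networks and the Internet: a concise guide to compliance with the law (xpl publications, 6th edn, 2006).
2 The Companies (Registrar, Languages and Trading Disclosures) Regulations 2006 Statutory Instrument 2006 No. 3429.
0267-3649/$ – see front matter © 2007 Stephen Mason. Published by Elsevier Ltd. All rights reserved.
doi:10.1016/j.clsr.2007.09.004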
Abstract
This article will outline the problems faced by one company in relation to the destruction
of e-mail communications in a recent case in the United States, and then set out some of
the legal and practical issues that lawyers and their clients should consider if they have
reached the conclusion that they ought to buy one of the products that began to appear
on the market from 2000 that help with the storage of e-mails in particular, although the
issue is wider than just e-mail communications.
© 2007 Stephen Mason. Published by Elsevier Ltd. All rights reserved.
The disclosure or discovery phase of litigation in modern
times tends to concentrate on the abundance of evidence
available by way of e-mail communications, and there have
been a number of high profile cases in the United States of
America in particular that have illustrated the problems
a party can face if it transpires that e-mail communications
have been deleted or entire archives of back-up tapes have
been destroyed or overwritten. For years, the author has
been advising organizations that deleting or overwriting e-
mail back-up tapes is one of the most foolish activities that
can be carried out with e-mails, yet such advice is regularly ig-
nored at best, or the legal reasons are challenged as being an
incorrect statement of the law1: that is, until the company sec-
retary or legal director is called before a judge to explain why
they failed to preserve e-mails within the organization. The
usual response by senior management to this issue is to
assume that the IT department are responsible for retaining
e-mail communications. However, the IT department have
no such responsibility. The IT department are, at best, only
the custodians of the records created by the organization: in
a commercial organization, it is the company secretary who
carries the legal responsibility for the preservation of business
records, yet few company secretaries understand this duty.
1. Why e-mails must be preserved
People in senior positions and at board level regularly fail to
appreciate that an e-mail (for e-mail, include Instant Message)
can fall into one or more categories, each of which will have to
be retained for the length of time determined by law:
(a) An e-mail discussing official business between employees
internally is an internal memorandum.
(b) A similar e-mail sent out to a third party relating to official
business is an external communication, and should be
treated as official stationery, by being sent with the same
corporate information required by law that is contained
on the stationery.2
(c) An extension of a telephone conversation, confirming
something, for instance, is a note to be added to a file,
whether it is sent to people within the organization or to
external addressees, or a mix of internal and external
addressees.
(d) A note to a friend to say you enjoyed the party last night is
an item of private correspondence using the organiza-
tion’s resources. The use of e-mail for this purpose may
or may not be authorized by the organization.
The types of document that have to be retained, and how
long they need to be retained for, will partly depend on the na-
ture of the business conducted by the organization. Some doc-
uments created during the course of a business are common
to all organizations, whether public or private, and provisions
are made in the relevant legislation for the retention of such
documents. Further, public finance initiatives often have con-
tracts that require the organization to retain all documents for
the length of the contract (sometimes 30 years) plus seven
years after the contract expires. In essence, document reten-
tion periods are set against different criteria: retention periods
prescribed by law, rules issued by regulatory bodies and in-
dustry best practice.
2. The failure to preserve e-mails
The case of In re Intel Corporation Microprocessor Antitrust Litiga-
tion3 is a classic example of the failure of an organization to
have a proper policy in place dealing with the retention of
e-mail communications. In the antitrust litigation between
Intel Corporation (Intel) and Advanced Micro Devices, Inc
(AMD), it transpired that Intel was not in a position to provide
copies of e-mails during the discovery phase of the litigation,
because large volumes of e-mails had not been preserved. A
status conference took place on 5 March 2007, and in prepara-
tion for the hearing, Richard L. Horwitz sent a letter on behalf
of Intel to U.S. District Court Judge Joseph Farnan Jr, explaining
the issues faced by the company.4 In his order dated 5 March
2007, U.S. District Court Frederick L. Cottrell, III set out the
problem in broad terms5:
Since the last status conference, there have been troubling devel-
opments in this case. Through what appears to be a combination
of gross communication failures, an ill conceived plan of docu-
ment retention and lackluster oversight by outside counsel, Intel
has apparently allowed evidence to be destroyed. Though all the
facts are not in, potentially massive amounts of email correspon-
dence generated and received by Intel executives and employees
since the filing of the lawsuit may be irretrievably lost, as may
other relevant electronic documents. The damage does not appear
confined to low-level or marginally important witnesses; to the
contrary, Intel executives at the highest level failed to receive or
to heed instructions essential for the preservation of their records,
and Intel and its counsel failed to institute and police a reliable
backup system as a failsafe against human error.
3 There are a substantial number of references to this case, and the reader is advised to consult a legal database, such as Westlaw, should they wish to follow this case more fully.
4 Case 1:05-cv-00441-JJF Document 293 Filed 03/05/2007.
5 MDL Docket No. 05-1717-JJF, Civil Action No. 05-441-JJF, US District Court (Delaware), pp. 1–2.
Intel has not yet fully assessed the magnitude of its problem,
but what it has disclosed thus far demonstrates systemic
evidence preservation breaches of troubling breadth and depth.
Under the best of circumstances, Intel is a company that shuns
creating a record of what goes on within its walls. When not
under a litigation cloud, Intel automatically purges all e-mail
sent or received by its employees every thirty-five days (or in
the case of senior executives, every forty-five to sixty days).
What backups are made are immediately overwritten the very
next cycle.
Disturbingly, even after it was sued, Intel allowed this periodic
destruction of its records to continue. In a half-hearted attempt
at preservation, Intel instead imposed an “honor system” on selected
employees, who were asked voluntarily to identify and
move relevant materials to off-network storage on their personal
computers. Intel also was supposed to create and retain weekly
backups to deal with the inevitable lapses that infect a user-
driven preservation system.
The learned judge then recited the problems that were un-
covered at pages 2–3:
Everything that could have gone wrong did go wrong. As discussed
in greater detail in the balance of this memorandum, until
two weeks ago, Intel failed to deliver any retention instructions to
more than one-third of its 1,027 “custodians,” who by definition
are employees possessing “appreciable quantities” of “non-duplicative”
evidence. The two-thirds who were placed on retention
received faulty instructions that failed to admonish them,
among other things, to save “Sent” e-mail. Other instructions
were not clearly conveyed and compliance only cavalierly monitored,
with the result that over half of custodians preserved incorrectly,
including some of Intel’s highest ranking executives who
mistakenly thought “IT” would discharge their preservation obligations
for them. Intel’s thirty-five day e-mail “grim reaper”
has relegated to the electronic dust bin the messages and attachments
that custodians failed to segregate and move off-line, and
for as many of half of Intel’s custodians, the back-up systems that
were supposed to prevent against this type of loss were never
even turned on.
In summary, Intel failed in the following ways, as set out by
the learned judge on page 5:
Intel chose to adopt and rely on a highly-risky system of document
preservation. Although it has provided ever-changing descriptions
of both its “normal” practices and its retention
system, from that AMD can tell, Intel’s preservation strategy:
• Allowed the continued, automatic purge on a 35-day (or longer)
schedule of all e-mail communications to, from and within the
company;
• Relied exclusively on a move-it-or-lose-it “honor system” that required
individual custodians to correctly identify, segregate and
proactively move relevant evidence to media on their local computers
before that data was destroyed by a network purge;
• Backstopped this “honor system” beginning in October 2005 with
a weekly back-up of e-mail that required Intel’s IT personnel to
identify and correctly migrate custodians’ data to dedicated
e-mail servers subject to the backup.
As noted above, this “honor system” was defeated by a combination
of apparently erroneous, unclear or incomplete “litigation
hold” instructions, lack of adequate monitoring to ensure those
instructions were understood and followed, and a wholesale failure
timely to deliver any preservation instructions to a third of the
employee-custodians Intel itself identified.
As a result of this hearing, AMD made an application, at
page 8, that was accepted by the learned judge:
AMD therefore proposes that Intel be required with all deliberate
speed, but no later than March 21, 2007, to provide the Special
Master and the parties with a complete accounting of its preser-
vation problems, a custodian-by-custodian tally of issues and
identification of data that appears to have been lost, and an in-
ventory of backup tapes that exist and can be successfully re-
stored. With the participation of AMD and the Class Plaintiffs,
the Special Master should be authorized to investigate Intel’s cul-
pability and to fashion an appropriate action plan and remedia-
tion order. This process should include Intel proposing or the
Special Master imposing changes to Intel’s preservation methods
that will prevent further loss of evidence. In addition, the Court
should schedule a further status conference six to eight weeks
from now to consider the Special Master’s recommendations or,
at minimum, to be briefed on status.
A status conference was subsequently held on 7 March
2007 before The Honourable Vincent J. Poppiti,6 in which the
practical issues were discussed about how the discovery exer-
cise has to continue. It was also agreed to appoint a neutral
third party to be retained by the court to help the court deter-
mine the resolution of any future disputes of a technical na-
ture between the parties. In addition, Intel indicated, both in
the letter sent by Richard L. Horwitz before the hearing and
during the course of the hearing, that it intended to buy an
e-mail archiving system from a vendor with the intention of
preventing the loss of e-mail correspondence in the future.
The remaining part of this article considers some of the le-
gal and practical issues that a lawyer should be aware of when
offering advice to a client in deciding to buy such a solution. It
will not escape the notice of the reader that the issues set out
below will apply to a law firm that also decides to buy a similar
system for their own use.
3. The integrity of e-mails and insurance cover
It is widely appreciated that the content of e-mails can be edi-
ted, partly deleted, and the names of the people to whom it
was addressed and sent to, removed when they are sent on
in the form of a ‘forward’ or when replying. In this respect,
the original e-mail, unless retained, is being altered. However,
providing the original e-mail is retained, then the edited ver-
sion does not affect the integrity of the original. However,
the author has had cause to advise on issues in connection
6 MDL Docket No. 05-1717-JJF, Civil Action Nos. 05-441-JJF and 05-485-JJF, transcript of conference by Gail Inghram Verbano, shorthand reporter, www.corbettreporting.com.
with the filing of e-mails on electronic document manage-
ment systems. Some organizations require all relevant e-
mail correspondence in relation to a particular job or client
matter to be manually copied into a document management
system. However, where an e-mail does not contain a suitable
file reference in the subject field, for example, it is invariably
the practice of employees to amend the subject field to include
such a reference before the e-mail is placed into the document
management system. If this occurs, the e-mail has been al-
tered, and in many instances, the original e-mail as received
might be deleted from the e-mail system. Naturally, the con-
tent of the e-mail can also be altered by the employee before
adding it to the document management system.
It should be noted that, from the perspective of profes-
sional indemnity cover as well as any other relevant insurance
cover, it is important to ensure that if an e-mail is copied into
a document management system, that the e-mail (or any
other form of electronic document for that matter) is the orig-
inal, and it is stored in such a manner that it can be demon-
strated that it has not been tampered with. Should it be
possible to alter any electronic document before it is added
to the document management system, and should it also be
possible to alter any document once it is placed in the docu-
ment management system, doubt could be cast upon the in-
tegrity of the documents held in the system, which means
the integrity of such documents may be open to challenge in
legal proceedings, and any insurance cover may be invalid.
4. E-mail ‘solutions’
The solutions on the market differ in the way they are
designed. The design of the software affects the way e-mails
are stored. In addition, some products have audit or manage-
ment trails. Whilst some products provide for pure storage,
others have been designed to enable the organization to com-
ply with legal and regulatory requirements. In addition, some
products are now very clever and have the potential to be very
useful to the better running of the business. For instance,
some products do not distinguish between different types of
digital object, so an e-mail, for instance, does not need to be
treated in a different way to any other document in digital
form. Dedicated e-mail archiving or storage is rapidly being
overtaken by more complex methods of storing and archiving
digital documents, whatever form the document takes. In ad-
dition, some of the search engines used to find documents are
very effective, and are capable of enabling the user to obtain
significant benefits in searching for and locating relevant doc-
uments. For instance, search engines can now conduct highly
selective searches, and can then find links in the chain of re-
lated documents in digital format, regardless of the native for-
mat of the document. Hence a user can search for a particular
e-mail, then continue the search to find every other document
in electronic format that directly relates to the subject matter
of the e-mail, whether a letter, report, image or instant
message.
Invariably, any given solution will not be suitable for every
organization, and many organizations will have such complex
requirements, that additional analysis will be required for
more complex infrastructures.
4.1. The journalling facility
One point should be made in relation to the facility provided
by Microsoft for journalling in Exchange. When an e-mail is
sent or received, a copy goes direct to the journal mailbox.
However, there are a number of issues that illustrate how
vulnerable this facility can be. Some are IT management con-
cerns, whilst others have legal ramifications.
4.1.1. Managing the problem
It tends to be impractical to leave all the e-mail messages in
the journal mailbox for the following reasons:
(a) The Microsoft Exchange server message store may con-
tinue to increase in size over time, which can cause the
server to get progressively slower if it keeps each message
store as a flat file. As a corollary to the increase in data, the
time taken to backup the server will also increase. The cu-
mulative effect of progressively increasing volumes of data
will, in turn, affect the time it takes the IT department to
restore a system from a back-up tape.
(b) The sheer volume of e-mails stored in the journal makes
a search more difficult, especially because none of the e-
mails are indexed.
(c) Large numbers of e-mails may be in the journal mailbox
that should be stored elsewhere, such as e-mails that
have to be retained for long periods, as set out in the doc-
ument retention and disposal policy. In addition, it may
not be appropriate to have every e-mail stored in the jour-
nalling mailbox, as it is difficult to search, too big and lacks
the basic auditing requirements set out below.
4.1.2. The legal perspective
A significant weakness with some versions of the journalling facility
is the ability of an administrator to switch the facility off or
delete the entire database. Further issues include the following:
(a) The time and date stamp facility is not protected to pre-
vent the time and date from being altered.
(b) E-mails can be viewed in clear text without leaving an
evidential trail.
(c) A copy of the entire journal can be taken without leaving
an audit or management trail.
As a result of these weaknesses, it is possible for a person
to log into the journal mailbox, extract e-mails, alter their con-
tent and then save them back to the mailbox without their ac-
tions being preserved in an inviolable audit trail. Where the
Microsoft Exchange server logs this activity, the person could
then go to the server and delete the entire log file, thus remov-
ing any evidence of the action.
5. Points to consider when deciding about buying a software product
If a technical solution is to provide for a degree of certainty in
ensuring e-mail correspondence is retained in such a way as
to prevent employees from deleting correspondence, it is nec-
essary to consider some of the points set out below. Although
these features are directed towards e-mail, nevertheless the
same principles apply to any other form of communication
held in digital format:
(a) Prevent employees from meddling with data or logs either
entirely or at least in a way that can be detected once they
have been stored.
(b) Prevent the administrator from having access to communications
without an audit or management trail of their actions
being immediately apparent on an inspection of the system
(this protects the administrator and the organization).
(c) As a corollary to the two previous points, it would be useful
if a record is made in the audit or management trail every
time a communication is recovered and opened during an
investigation, which in turn provides details of each per-
son who undertakes this activity; this requires the logs to
be able to record metadata about who has obtained access
to the data. Such a function can help to demonstrate the
organization is abiding by the provisions of the Data Pro-
tection Act 1998.
(d) Archive each relevant communication securely in real
time (or as near to real time as possible), including all
forms of metadata, not just selected forms of metadata.
If e-mails are not archived in real time, but every hour,
say, then an astute employee can delete an e-mail in the
knowledge that the deleted e-mail will not be archived. If
only one form of metadata is retained, the evidential value
of the e-mail will be very light.
(e) Ideally, do not archive every communication received for
the same length of time, because many e-mails and
instant messages may not need storing (such as private
e-mails or those that contain comments that do not need
to be retained for a business reason).
(f) Create a policy that applies at the organizational level that
prevents individuals making independent decisions about
the retention and disposal of e-mails in their mail account,
if on the organization’s system, or in their personal computer,
if they are permitted to use their home computer.
Ideally, people at the highest and most suitable levels
within the organization should set the appropriate reten-
tion dates. Policies are required to set out how long the
communication will be stored for; where it will be stored
(on-line or off-line); how many copies will be retained, on
what type of media, and with what attendant levels of con-
fidentiality protection (such as encryption). Whenever the
organization decides to change a policy affecting the life
cycles of a category of networked communication, it is im-
portant to ensure an audit or management trail is created
to document the change.
(g) Search quickly and effectively for data to comply with re-
quests and duties under the Data Protection Act 1998 and
Freedom of Information Act 2000.
(h) The encryption of all e-mails that are archived, which can
help the organization comply with the requirements of
Principle 7 of the Data Protection Act 1998, and the detec-
tion of administrators viewing the content of networked
communications by virtue of their use of decryption capa-
bilities. It should also be noted that encryption is not
a safeguard against destruction. Logs of all administrative
manipulation of the archives should be produced and
retained, preferably in a format that cannot be altered.
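
An added example (not from the article or from any vendor's product) of one way the integrity concern in section 3 and the audit-trail requirements in points (a) to (c) and (h) can be met: each message is stored byte for byte under its SHA-256 digest, and every ingest or open is appended to a hash-chained log. The class, method and field names, the sample message, the file reference and the practice of copying the latest chain hash to separate write-once storage are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # starting value for the audit chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EmailArchive:
    """Keeps each message exactly as received and chains every action into a log."""

    def __init__(self):
        self.store = {}  # digest -> raw message bytes
        self.log = []    # each entry: {"record": {...}, "hash": "..."}

    def _chain(self, prev_hash: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True).encode()
        return sha256_hex(prev_hash.encode() + body)

    def head(self) -> str:
        """Latest chain hash; copy it to storage the administrator cannot rewrite."""
        return self.log[-1]["hash"] if self.log else GENESIS

    def _append(self, actor: str, action: str, digest: str, when: str) -> None:
        record = {"seq": len(self.log), "actor": actor, "action": action,
                  "digest": digest, "when": when}
        self.log.append({"record": record, "hash": self._chain(self.head(), record)})

    def ingest(self, raw: bytes, actor: str, when: str) -> str:
        digest = sha256_hex(raw)
        self.store.setdefault(digest, raw)
        self._append(actor, "ingest", digest, when)
        return digest

    def open(self, digest: str, actor: str, when: str) -> bytes:
        # Reading is logged before the content is released (points (b) and (c)).
        self._append(actor, "open", digest, when)
        return self.store[digest]

    def verify(self, trusted_head: str) -> list:
        """Return a list of detected problems; an empty list means intact."""
        problems = []
        prev = GENESIS
        for i, entry in enumerate(self.log):
            rec = entry["record"]
            if rec["seq"] != i or self._chain(prev, rec) != entry["hash"]:
                problems.append(f"audit entry {i} altered")
            prev = entry["hash"]
        if prev != trusted_head:
            problems.append("audit log does not end at the trusted head")
        for digest, raw in self.store.items():
            if sha256_hex(raw) != digest:
                problems.append(f"stored message {digest[:12]} altered")
        return problems


# Constructed sample message (not from the article).
ORIGINAL = (b"From: client@example.com\r\nTo: adviser@example.com\r\n"
            b"Subject: Draft agreement\r\n"
            b"Date: Mon, 05 Mar 2007 09:00:00 +0000\r\n"
            b"\r\nPlease confirm the revised terms.\r\n")


def demo() -> dict:
    archive = EmailArchive()
    digest = archive.ingest(ORIGINAL, "gateway", "2007-03-05T09:00:01Z")
    archive.open(digest, "admin", "2007-03-06T14:30:00Z")
    head = archive.head()  # assumed to be written to write-once media
    clean = archive.verify(head)
    # Section 3: the subject field is amended before filing in the DMS.
    filed = ORIGINAL.replace(b"Subject: Draft", b"Subject: [Matter 1234] Draft")
    dms_copy_is_original = sha256_hex(filed) == digest
    # Section 4.1.2: content altered in place and the record of reading removed.
    archive.store[digest] = ORIGINAL.replace(b"revised", b"original")
    archive.log.pop()
    return {"clean": clean, "dms_copy_is_original": dms_copy_is_original,
            "after_tampering": archive.verify(head)}
```

The chain only proves integrity against someone who cannot also rewrite the saved head value, which is why that value has to live outside the reach of the archive's administrator.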
Further points to consider when buying a solution include
the following:
(a) Where encryption is used in a product, it is necessary to es-
tablish: which algorithm is used in the product, whether
a royalty is to be paid for its use, whether it has been cracked
(and if so, what computational effort was required to crack
it); how the keys are computed; whether the vendor uses
a single key for every customer, or creates a unique key
for each product sold; what the vendor’s key management
policy is for any keys that have been assigned by them for
the use of the buyer, and what security arrangements are
in place to provide for the security of those keys.
(b) Verify whether the product is a stand-alone product that
only needs servicing by the client’s own personnel, or
whether the product requires constant monitoring by the
vendor. If the product requires constant monitoring by
the vendor, it is necessary to determine whether the ven-
dor’s employees need to monitor the product remotely
(which is linked to data protection and confidentiality is-
sues), or whether the vendor requires to visit the client’s
premises to undertake the work.
(c) Where a product must be monitored by the vendor, con-
sider establishing: the country in which the employees
are located; what level of access the vendor’s employees
will have to the client’s system (for instance, the ability
to see the log files; or to read communications; or to obtain
access to the entire system as root authority); what written
guarantees are offered, if any, and if necessary, copies of
relevant documents to demonstrate the vendor’s em-
ployees have been positively vetted and they are in turn
monitored at all times; also, consider whether it is neces-
sary to require the vendor to provide a warranty that
such checks have been carried out; consider requesting
the vendor to obtain and maintain sufficient insurance in
place to cover any losses the client may suffer either
because, as a result of the vendor’s actions, the client’s
system collapses, or personal data is exposed, contrary to
the client’s obligations under the Data Protection Act 1998.
6. Proving a negative
Finally, a word of warning: beware vendors that assert that
they can prove your client did not receive a particular e-mail
or instant message. No matter how good the product on offer,
problems will always occur to your client’s communications
system, even if the product works perfectly and never fails.
All systems stop working for a number of reasons, even if
the rate of malfunction is very low. As a result, the client
will inevitably lose traffic. In such circumstances, there is
no categorical assurance that anybody can make that it can
be proven that they did not receive a particular communica-
tion. In a legal context, any assertion that is made about the
degree of certainty that every communication has been re-
ceived, will quickly meet with some simple cross-examination
that will rapidly establish that such an assertion cannot be
correct.
The issue is not really about proving a negative, but a ques-
tion of establishing working protocols around when to take
action in relation to e-mail correspondence. For instance, if
a series of e-mails are exchanged between two parties with
a view to entering a contract, and one vital e-mail has not
been received by one of the parties, it will rapidly become ap-
parent to the other party, who can then establish, by other
means, what has gone wrong. To rely on proving a negative,
that the organization did not receive an e-mail or instant mes-
sage, demonstrates a lack of awareness about the risks inher-
ent in the infrastructure. A number of scenarios demonstrate
the difficulties, as illustrated below (the suggestions are not
meant to be exhaustive).
(a) Where the communication was received, the recipient
may choose to do nothing, not even reply, or the recipient
may delete it, with or without reading it or taking any ac-
tion; alternatively, the recipient may not see it for a pro-
longed period of time because they are away; further, the
message may have gone into a spam filter, and was
ignored, or the message may go into a spam filter and be
deleted.
(b) A communication may not be received for a number of rea-
sons, such as the system was not working, or the system
was working, but the product failed; it might be that the In-
ternet service provider stopped sending communications
because of a failure, or simply that the communication
was lost as it was transferred across the Internet.
Even if a party can prove they did not receive an e-mail
(which in itself may be a difficult task), if the correspondence
in question is relevant to a dispute, then the surrounding ev-
idence of previous correspondence, telephone conversations
and a range of other evidence will probably act to resolve
most problems that occur. There will be occasions that it
will be useful to find an important missing e-mail, especially
if it was deleted accidentally, or deleted because it was not
thought to be of any value at the time it was discarded.
Intel have discovered that the expense of recovering
e-mails that were not saved or deleted, for whatever reason,
can be considerable when legal action is under way – that is
why they have, in all probability, decided to consider buying
a product that may act to resolve this issue in the future.
Stephen Mason, Report Correspondent, Barrister.