The disappearance of thousands of White House e-mails bruised the Bush administration’s credibility this spring and gave the media and Democrats in Congress plenty of reasons to suspect negligence, abuse, or wrongdoing. But the episode was more than grist for investigative reporters, bloggers, and political junkies. It offered key lessons for executives and in-house lawyers at any large company, organization, or government agency. But to find those lessons, we must strip the story of its political trappings and see it for what it was: a colossal records management failure not unlike those that take place at companies on a regular basis.
What happened? In an attempt to comply with a federal law prohibiting the use by federal employees of government resources for partisan activities, the White House allowed as many as 60 officials to rely on a Republican National Committee e-mail system and RNC-issued computers for political matters. At the same time, those officials were to rely on the White House e-mail system and computers for official government business to ensure preservation of records as required by the Presidential Records Act. But some of the White House officials used the RNC e-mail accounts and computers for official business, such as communicating with the Justice Department about the firing of U.S. attorneys. As a result, a treasure trove of correspondence was reportedly purged by the RNC due to its policy at the time of deleting e-mails more than 30 days old.
Separately, according to a report by the watchdog group Citizens for Responsibility and Ethics in Washington, 5 million e-mails created between March 2003 and October 2005 were “lost” from White House servers, a claim that has conspicuously not been disputed. CREW attributes the missing e-mails to the Bush administration’s decision to discontinue use of the Clinton administration’s automated archiving system and the subsequent failure to replace it with an adequate substitute.
(Last week, Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) said the White House had told him some lost e-mails had been recovered.)
These two White House failures, the failure to control staffers’ modes of communicating and the failure to archive important correspondence, are mirrored in countless organizations across the country. Though the White House e-mail debacle’s provenance was governmental, the technologies, policies, and practices that allowed it to happen are prevalent in the private sector. Over time, many organizations will eventually pay for records management laxity in courts of law, the court of public opinion, and business relations. The loss of White House e-mail can be attributed to three essential factors: the lack of a clear computer usage policy, a weak records retention policy, and a failure to comply with and enforce those policies that were in place. These mistakes are particularly instructive for organizations attempting to regulate employee communication and preserve valuable business records and electronically stored assets.
COMPUTER USAGE
According to media reports, the Bush White House did have a policy in place that prohibited staffers from using the RNC e-mail accounts for government business. Yet staffers violated the policy. It’s hard to tell whether they were confused about the rules or willfully violating them. We can say, however, that the line between appropriate and inappropriate communications is not always a stark one, and employees cross it every day. In just about every office in Washington, including the West Wing, employees are mixing official business with unofficial business. In corporate America, executives may, within a single hour, compose a quarterly report, order opera tickets, and e-mail family members.
Without clear policies regulating this behavior, intentionally or unintentionally, computer users will increase the likelihood of security breaches, theft of business assets, and other records management failures. Of course, people will always violate vague computer usage policies, as they are rarely, if ever, reminded of these policies. Organizations should thus develop highly detailed computer usage policies that clearly explain what users can and cannot do with all the computing devices at their disposal. Such policies should address Internet use, e-mail, and instant messaging. They should address the use of BlackBerrys, laptops, and other devices: when they can be taken out of the office, what may or may not be stored in them, what information can be transmitted from the devices, and how the information should and should not be sent. The policy should also stipulate whether employees can access home computers from office computers and vice versa, and whether employees are permitted to transmit the organization’s files from an office computer to a personal computer or a personal e-mail account operated by a service provider such as Yahoo.
The risk of ignoring computer usage policies has been illustrated by recent data security breaches that have featured missing or stolen laptops containing unencrypted consumer information. The routine is now familiar: a laptop belonging to Corporation X goes missing, the company announces that, as a result, thousands of citizens are at risk of identity theft, the media slams the company, and Congress grumbles on cue about the need for data security regulation. The lesson is clear: The use of mobile data storage, be it in the form of memory keys, BlackBerrys, or CDs, imposes on organizations the responsibility to regulate internally how information is accessed and used, as well as what information is taken where, by whom, and in what form (encrypted versus unencrypted).
Most companies and organizations have implemented records retention policies. The White House certainly did. Clearly, living up to policies is more difficult than writing them. Probably the most common mistakes in records retention are failing to clarify what must be saved and how, failing to implement procedures that effectively preserve business records, and failing to provide adequate information safeguards and destruction methods. Companies that err in this regard will face greater difficulty and cost in managing, locating, and storing their data, and in responding to discovery requests if litigation arises. They also stand to lose valuable assets. Documents containing intellectual property, customer or contact lists, or work product may be purged by automatic deletions, simply get lost in a burgeoning sea of data on corporate servers, or even be stolen. Even where corporate records retention policies are sound, retained records may nevertheless remain accessible to employees and subject to purposeful or inadvertent manipulation. If the time stamp on archived records can be changed, for instance, the integrity of those records cannot be guaranteed. The very possibility of manipulation can cast doubt over documents produced in the context of litigation or governmental investigations. Records of questionable authenticity may be impeached by opposing counsel or precluded from use as evidence altogether. To prevent mishaps, companies should ensure that records retention policies reflect organizational responsibilities and needs. The White House shoulders the burden of archiving correspondence relating to official government business. Corporations face the more complex challenges of complying with regulations, meeting shifting business needs, and anticipating discovery requests. In-house counsel can play a helpful role in making sure policies and procedures are in fact meeting all these demands. 
Corporations should also be wary of how third-party service providers manage records. As the White House e-mail fiasco illustrated, what service providers do or don’t do with your documents can come back to haunt you. In this case, the outside party was the RNC, which provided staffers with e-mail accounts and equipment. In the private sector, employees may interface with free e-mail systems such as Yahoo or outsourced business applications run by companies such as IBM. To head off trouble before it arises, companies should consider explicitly prohibiting the use of external e-mail and IM services such as Yahoo or MSN for conducting business communications. Although convenient, communications over such services are difficult to preserve and manage and can expose companies to new security risks. As a general rule, these risks outweigh the services’ benefits. Secondly, with respect to paid outsourced services, a company should insist that the vendor’s outsourcing contract contain records retention provisions that conform to the current company policy. The contract should also stipulate what the company and its service provider will do when the threat of litigation arises or when a litigation hold must be deployed. If a vendor in possession of company records cannot or will not retrieve records in response to a discovery request made upon the company, the company could be hit with economic sanctions or adverse jury instructions. Companies can also lose cases or be forced into unfavorable settlements for failing to locate records that would have exonerated them. To be effective, computer usage and records management policies should be driven from the executive level on down. If relegated to staff members, such policies are more likely to be violated or ignored. To implement the policies, companies should empower a team composed of business, technical, and legal experts, and they should devote sufficient time and money to train the work force about compliance. 
Once up and operating, the policies and procedures should be subject to ongoing maintenance and auditing to ensure they satisfy the organization’s need. For the White House and the federal government as a whole, records management touches on the ability of civil servants to fulfill their duty to the American people and American history. The missing White House e-mails, if never recovered, represent a serious gap in presidential records and our collective historical memory. For companies, the consequences of bad records management are also dire, especially for organizations that are at high risk of litigation and that rely heavily on electronically stored assets. Such companies can take heed of the records management failure on Pennsylvania Avenue by strengthening internal policies and getting serious about compliance.
William McComas, a partner at Shapiro Sher Guinot & Sandler in Maryland and Washington, D.C., concentrates on business and technology law. Joseph E. Sandler is a partner at Sandler, Reiff & Young, a D.C. firm concentrating on election law, campaign finance, government ethics, and nonprofit organizations. Sandler also serves as outside general counsel for the Democratic National Committee. The views expressed here are those of the authors and do not necessarily reflect the views of their firms or their clients.
