Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Just days before his inauguration, President Bush was forced to quit using e-mail after lawyers warned him that any future correspondence could be made public. In an e-mail sent to 42 “dear friends,” Bush wrote: “My lawyers tell me all correspondence by e-mail is subject to open record requests. Since I do not want my private conversations looked at by those out to embarrass, the only course of action is not to correspond in cyberspace. This saddens me. I have enjoyed conversing with each of you. � I will miss your ideas and encouragement. So perhaps we will talk by phone.” While White House e-mail is available as part of the public record, it has become increasingly clear that private corporate e-mail often becomes public record, too. Once sent, e-mail messages are virtually impossible to control. For each message sent, multiple copies survive and multiply, and even determined efforts to dispose of them usually fail. This is no small problem, as the New York Times reports that more than 6.1 billion e-mail messages are sent each day. Each of these billions of e-mails is potentially discoverable, that is, available to virtually any legal adversary willing to file a discovery request. Because every copy of a message is discoverable, the costs associated with unmanaged, unprotected e-mail archives are spiraling out of control. For example, shortly before 3Com was to turn over a large body of e-mail to its legal adversaries in a class-action investor lawsuit, the company opted to settle — for $259 million. Even when there are not large settlements involved, the production cost — the expense of retrieving, reading and having lawyers determine the relevant messages and providing them to opposing counsel — typically runs $1 to $2 per e-mail and is often much higher. In a major lawsuit involving millions of messages, this makes answering discovery requests prohibitively expensive — even if that lawsuit is without merit. The 3Com case is hardly unique. The list of companies harmed by old messages is long and growing. Virtually every company faced with civil litigation, including Chevron, Microsoft, Ford, Firestone, Arco, Disney, Texaco, Dow Chemical and AOL, has all faced the enormous costs of old, unmanaged e-mail records, and most have now begun to take steps to deal with the problem. E-MAIL POLICIES The traditional approach to reducing the legal risk associated with old e-mail messages is to create written policies that define the “useful life” of different document types and thereby limit the spread of proprietary information. This is becoming increasingly common: According to a study commissioned by Elron Software, the number of companies with e-mail policies increased to 60 percent in 2000 from 47 percent in 1999. There is also a growing consensus about what such policies should contain. Most experts, such as those from Ernst & Young’s Records Management Services (which provide the following list), suggest that to be effective, e-mail policies must: � Recognize and communicate the need to manage e-mail messages as business records. � Identify and define individual users’ levels of responsibility for managing e-mail records. � Make system use contingent upon acceptance of and compliance with the company’s e-mail policy. � Identify and define the primary purpose for e-mail use and other acceptable or authorized uses of the e-mail system (e.g., none, limited personal use, unlimited personal use). � Provide guidelines for acceptable content (e.g., business-appropriate tone, language and subject) and unacceptable content (e.g., chain mail, jokes, discriminatory material). � Identify and define the process for managing e-mail retention, including technologies used and each user’s role (e.g., determining record value, transferring messages to a records management system, and the use of software that routinely and automatically eliminates electronic messages in accordance with the records management needs of the company). � Establish a process for applying destruction holds to records affected by pending legal action. � State that all messages sent or received using company resources are the property of the company. � State that employees should have no expectation of privacy. � Disclose that messages will be accessed, reviewed and monitored by the company, without notice to the employee, to ensure compliance with policy. � Clearly identify and communicate the repercussions for noncompliance with the policy (e.g., removal of e-mail privileges, fines, suspension, dismissal). To supplement an e-mail policy, companies should also address the following: � Computer resource, web-browser and Internet use policy. � Training and educational resources available to assist users in applying the technology, policy and procedures to messages. � Contact information for individuals who can answer questions regarding the policy. � User procedural documentation (e.g., instructions for transferring record-value messages to a records management system). � Information systems and records management procedural documentation (e.g., backup procedures, destruction hold procedures, encryption key extension procedures, retention schedule updates). While such written policies can greatly reduce the legal exposure associated with old messages, they are not sufficient in themselves. WHERE POLICIES FALL SHORT To effectively reduce legal risk, companies must enforce these policies consistently, automatically and without imposing undue burdens on employees or IT staff. Unfortunately, there have been few or no tools available to do so until now, and that has left companies faced with unpalatable choices. For example, Amazon announced a new internal e-mail policy that said everyone must delete old messages, but they had no tool to enforce this policy. Instead, the company offered everyone who complied a coupon for a latte in the company cafeteria. Rather than use a carrot to entice employees to abide by corporate polices, others are using a stick. The New York Times also had an e-mail and Internet usage policy. But they had no tool to enforce the policy. Without consistent enforcement, such policies provide no protection. So to prove they were serious about their policy, the company fired more than 20 staffers. It is easy to conclude from all this evidence that there is a need for software that can automatically enforce a company’s e-mail policy. POLICY TOOLS A viable software-based policy system must meet a demanding array of legal, technical and end-user requirements. To satisfy the policy requirements, the system must support time- and event-based destruction of old messages. It must allow a company to selectively halt scheduled deletion of messages to respond to preservation orders and discovery requests. It must ensure consistent application and cover all copies of all messages, regardless of where they are stored. It must be compatible with other records management systems, and provide administrators with a central point of control from which they can apply retention rules to different types of records. Technically, the system must involve few or no changes to existing corporate e-mail infrastructure, and be cheap to support. It must provide central control of e-mail policies, account for messages stored offline, and work within existing e-mail clients and across different messaging systems. To satisfy end users, the system must not substantially change the way users read, write or send messages. It must not add delays to sending or receiving messages, and senders must be confident that recipients can read a message without an undue burden. This is a tall order. One way to meet all these requirements is to encrypt each message (or document) with a unique key, access to which is provided via a central server that governs the company-defined terms and conditions under which that key will be shared, stored and eventually destroyed. Stuart E. Rickerson is general counsel to Golden Triangle Ltd., a strategic legal management consulting firm based in San Diego. He was formerly general counsel to Cardiac Pacemakers Inc. and to Keene Corp., and chief litigation counsel for Eli Lilly & Co., and Philip Morris Inc. (All trademarks referred to in this article are the property of the respective companies.)

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.