IT Compliance Institute, March 21, 2006:
Trends and Technologies
Loss, Litigation, and Hype: The E-mail Retention Enigma
What if a judge demanded all of your archived e-mails from June 21, 2003? Think carefully before you answer. Vendors say you must retain e-messages, but companies will lie to avoid handing over old mail; and judges might fine you whether you do or don't. What's a company to do?
By Mathew Schwartz
Morgan Stanley’s record-breaking $15 million settlement with the Securities and Exchange Commission (SEC) over improper e-mail retention practices begs the question: are other organizations prepared to deal with regulators’ and courts’ requests for their electronic communications?
Last month Morgan Stanley disclosed its offer to settle an SEC investigation into its improper email-archiving practices. Between 2001 and 2004 the firm overwrote a substantial number of e-mails it was required to retain—a business decision that ultimately cost the company $15 million in fines.
Morgan Stanley’s faux pas begs this question: should companies employ dedicated message-retention software to more effectively archive electronic communications?
Although many vendors say such tools are essential to comply with future requests by regulators or courts, compliance practitioners are reserving judgment.
According to one messaging manager at a Fortune 1000 company, “E-mail archiving product vendors tend to exaggerate the immediate need for compliance with all kinds of legislation and regulations.” Preferring to remain anonymous to avoid “lengthy interactions” with in-house PR, the manager comments in a Ferris Research newsletter, “Often this [exaggeration] is done to alarm IT staff, who normally are not well qualified to assess the meaning and the impact of such laws and regulations.”
Ferris Research analyst David Via concludes that IT managers should consult with in-house counsel, external counsel, auditors, and business consultants about their regulatory liability and burden before investing in message storage solutions.
If this advice seems overly broad, it’s because there are few hard-and-fast rules for e-mail and instant message archiving. Of course, as the Morgan Stanley settlement highlights, companies covered by SEC regulations are a notable exception. Many public companies must retain electronic communications in an easily accessible manner for at least two years, and often much longer.
For most companies, however, “The question of what they’re going to do and when they’re going to do it varies by industry and risk,” observes Via. But make no mistake: doing something is on the agenda. “Most organizations are going to address e-mail as business records and manage it as business content. It’s just a question of how quickly they’re going to address it.”
Legal Discovery Response: How Fast is Fast Enough?
Beyond regulations, some organizations worry about complying with electronic discovery (e-discovery) requests, such as court orders to produce copies of internal messages and files relevant to a lawsuit. Just how great a threat is a company’s inability to comply deftly and quickly with such requests?
To find out, the authors of “Electronic Discovery Sanctions in the Twenty-First Century,” published in Michigan Telecommunications and Technology Law Review, analyzed all 45 federal and 21 state cases occurring between 2000 and 2004 that included written opinions on e-discovery sanctions. According to the authors, “Courts granted [requests for] sanctions 65 percent of the time, with defendants being sanctioned four times (81 percent) as often as plaintiffs. The sanctioned behavior most often involved the non-production, i.e., destruction of electronic documents (84 percent), rather than a delay in production (16 percent).”
The study’s authors note e-discovery deadlines aren’t arbitrary, but rather negotiated by all parties in advance, and that any delays often signal bigger problems. “When parties were sanctioned for delay, the late production was sometimes coupled with some form of deception or misrepresentation to the court, such as the fabrication of evidence or falsely claiming that documents did not exist (43 percent).”
In other words, if you agree to e-discovery deadlines, you should meet them. Previous e-discovery cases show that an inability to deliver requested messages—notwithstanding any “backup tapes ate my e-mails” excuses—tends to end predictably: judges rule against you.
How to Lose in Court
Such advice isn’t news for financial services firms. For example, Morgan Stanley was previously in the news in March 2005, when a judge ruled against it for failure to produce e-mails relating to accounting fraud at its client, Sunbeam, which had been part of a $1.5 billion merger with Coleman. A jury subsequently awarded the plaintiff $1.57 billion. Morgan Stanley appealed and notes it expects to put $360 million toward defending the case and subsequent appeals.
In another case, PricewaterhouseCoopers (PwC) was sued for improper audits of Telxon, a wholly owned subsidiary of Symbol Technologies. During the trial, PwC was only able to produce requested messages after suspicious delays. This led the judge to issue a default ruling against PwC, citing its apparent “willfulness, bad faith, or fault.” Some of the delayed messages appeared to have been altered, leading the judge to suggest the firm and/or its lawyers had “engaged in deliberate fraud.”
The judge recommended PwC pay a fine of $345 million. The company eventually settled with Symbol for $18 million and ended a class-action lawsuit by Telxon’s investors by settling for $37 million.
Message Retention as Good Business Practice
The Morgan Stanley and PwC examples go beyond compliance and legal-discovery issues to questions of proper business practices—which, of course, regulations and lawsuits are often meant to enforce. Yet, that’s exactly why more companies are choosing to adopt messaging-management technology: “They realize it’s good business practice,” says Ferris’s Via. Indeed, he forecasts strong growth in the archiving and message-retention market, which includes both auditors and lawyers who offer the related business advice and products to meet those needs. (For vendors, he says EMC, Symantec, and Zantaz lead the pack.)
Message-archiving technology promotes good business practices for a variety of reasons. For starters, message retention can help organizations stop improper internal practices before a plaintiff finds them through legal discovery, says Via. “For me the value of archiving and search tools isn’t for when you get into a discovery situation, but for you actually knowing what’s happening in your organization, because the worst situation is that in discovery, the plaintiff ends up discovering something you didn’t know you had.”
Indeed, a plaintiff may already know something a defendant doesn’t. “E-mail always has two sides to it—the ‘from’ and the ‘to’—and in many cases the e-mail was sent to somebody outside,” notes Nick Mehta, senior director of product management for Symantec’s Enterprise Vault. “So many times, if the company can’t produce an e-mail but the plaintiff can produce it, it leads you to ask, ‘What are all the other e-mails the company can’t produce?’”
Sometimes, message deletion is unintentional or due to sloppy organization. Yet when courts issue hold orders on electronic communications, companies need to comply. According to a recent study from The Association for Information Management International (ARMA) and the Association for Information and Image Management International (AIIM), 43 percent of companies “do not have a formal system for records hold orders in place.” Archiving software can ensure needed messages aren’t deleted.
Beyond retaining messages, archiving tools also let organizations verify they’re only providing what’s actually been requested. “The value of these tools is to avoid accidentally shooting yourself in the foot,” says Via. “Less is more in a discovery request.”
Of course, many companies wouldn’t get into trouble if only their employees hadn’t written something down. Might it be possible to change their behavior? “I’ve long told people, ‘Don’t put anything in an e-mail you wouldn’t be comfortable seeing on the front page of USA Today,’” says Via. “But it continues to happen. The medium is so seductive in the way it makes you think of being informal.”
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.