Proposed Federal Rules On E-Document Destruction 147
runner345 writes "The Federal Advisory Committee on Civil Procedure is evaluating a series of 'e-discovery' rules that will change the way litigation handles electronically stored information for the federal courts. Included in this is proposed Fed. R. Civ. P. 37 which would exempt parties from sanctions for electronic evidence destroyed in a 'routine operation of the party's electronic information system.' Microsoft and other technology heavy-hitters have strongly backed this safe harbor because it judicially validates electronic document retention policies (perhaps the most effective Orwellian misnomer for outright document destruction). If you thought it was hard to get incriminating documents from the tech industry now, think about what this rule will do to a plaintiff's chances. You can get the proposed rule here (when their site works) and read what Microsoft and Intel have to say about it here. You can also read my law school thesis on the topic (still only in draft)."
Simple! (Score:4, Funny)
Re:Simple! (Score:5, Funny)
Install Windows, place on hard drive, give an open internet connection three days to install candy inside.
Re:Simple! (Score:2)
Give machine to any typical clueless user. Tell them to go on the Internet without protection (just IE, no firewall, et cetera). Watch the fun begin.
Re:Simple! (Score:2)
Click-of-death zip disks work well too.
Re:Simple! (Score:1, Funny)
Well, it was already defective, can't hurt to try... WHACK... I slammed it down from about 4 inch / 10 cm above the table. Not dropped, but with my hand accelerating the drive towards the table.
Now the drive works fine. I don't use it for anything critical, because I don't trust it, and who k
Re:Simple! (Score:2)
Re:Simple! (Score:2)
Re:Simple! (Score:2)
Keep in mind that this works both ways. Websites that want to protect user data from subpoenas could have a very limited document retention policy that allows them to delete logs daily and not get in trouble. Of course they should document this policy in the event of a subpoena.
Not necessarily bad (Score:1)
Re:Amen (Score:2, Interesting)
Yeah, this one is funny.
---
"Reasonably Accessible" The term often means information that the party itself routienely accesses or uses or that is easily located and retrieved. By contrast, information stores only for disaster recovery is generally expensive to restore and is disorganized.
---
That's pretty damn accurate in a lot of companies!
Whats new (Score:1)
Re:Whats new (Score:2)
As long as a company has a policy abo
Re:Whats new (Score:1)
document rentention policies (Score:5, Insightful)
The submitter makes it sound like it's horrible for the plaintiff, but would we really want to live in a world where we have to keep every single file forever? I think not.
Re:document rentention policies (Score:1)
Think of all the lawsuits that would result
Re:document rentention policies (Score:5, Interesting)
Do we really want to live in a world where there is no such thing as electronic evidence, since anyone can just say, "oops, it got deleted in the routine operations of my business... last night." I think not. See Burst v. Microsoft.
Re:document rentention policies (Score:2)
What this says is that if a firm has a document retention policy for carrying some documents three years, some five, some seven, etc., it's likely to be legitimized and companies don't need to spend inordinate amounts of money keeping, say, automated notices forever. This says nothing to the effect that companies can't be punished for poor document retention policies, such as one in which executive communications are deleted monthly.
Re:document rentention policies (Score:2, Insightful)
The point is that Microsoft claimed they didn't keep the files and messages for the Burst case (a strange 18-month "black hole" in their email records) after claiming in another case that they kept everything. This self-incrimination is the only thing that managed to help Burst.
Re:document rentention policies (Score:2)
Re:document rentention policies (Score:4, Insightful)
Re:document rentention policies (Score:2)
Sure they can say that, but will the courts believe them? Judges are not all stupid.
Re:document rentention policies (Score:2)
law, particularly those portions that require
them to retain electronic evidence that can be
used against them later. Between MSFT's legal
shennanigans in their lawsuit with Burst, this
new regulation, as well as the new DRM initiatives
from MSFT (Palladium & patented XML), corporations
(and their legislative stooges) will effectively
have eliminated this threat to their malfeasance.
A whistleblower cannot "blow the whistle" if he
or she will not have the capabilit
Re:document rentention policies (Score:5, Interesting)
All that currently happens is that companies avoid putting anything potentially incriminating in writing. "Call me about this," the email says. So companies spend huge amounts of money ensuring "compliance" with retention laws, plus they are unable to get all the efficiency out of communications technologies that are possible because they still end up having the important conversations in person, and we still can't prove anything in court. What's next? Require companies to record and save all phone calls? The ultimate step will be when we don't allow people to have off-record conversations:
CEO: "What do you think, Phil?"
CFO: "I don't think the [FLUUUUUUUSSSSSHHHHH] shareholders will suspect a [ZIIIIP!] thing."
Retention requirements are a huge ball-and-chain for companies without fully addressing the problem they are intended to solve.
Re:document rentention policies (Score:2)
Voicemail is discoverable. And because of the way it's stored, it's an "electronic document" within most definitions.
Saner preservation plans/orders are specifying that voicemail need not be preserved. Less sane plaintiffs are trying to force people to save (and review and produce) voicemails. And yes, it costs a heck of a lot of money to do.
Re:document rentention policies (Score:2)
I already do, more or less. I have email dating back a decade, and archived backups and as many things as possible kept under CVS to give acess to old versions.
So far as I can see, given the current cost of storage, keeping things is all win. The only reason that wouldn't be so would be if someone knows they have something to hide.
Re:document rentention policies (Score:2)
Also, is a POP3 equipped mail server that deletes mail off the main server even legal?
Re:document rentention policies (Score:2)
But, surely, it simply scales linearly. One person doesn't create exponentially more data just because they work in a company with 10,000 others rather than 10. They still only have 10 fingers and the same typing speed.
The cost of storage for the email and report etc. output of one person for a year is trivial compared to their sallary, tax, benefits, providing them
Re:document rentention policies (Score:1)
Re:document rentention policies (Score:2)
Well, as the doctor in the joke says, don't do that then. The issue was retention, not copying everything across your network every night. Leave it where it is. Don't even need to back it up, if it gets eliminated by a disk crash after 5 years, ho-hum, no one gets put in jail when their paper records are destroyed by fire, unless they are holding the match.
In any case, by definition you are already shipping all
Re:document rentention policies (Score:1)
Re:document rentention policies (Score:2)
But when you have a shitload of data being created, you are clearly a big operation with a shitload of resources.
Aren't we talking about the same volume of data per day as would be added to the backups? Tapping that off into an archive isn't going to involve a volume of data which isn't already being handled. So it comes down to cost of the actual archive storage, which is going to be cheaper
Re:document rentention policies (Score:3, Informative)
No, you gotta count the number of connections. Businesses have a lot more e-mail then your average person. Not to mention the automatic stuff sent by programs and systems. Throw in the attachments and other fun things and you get a nightmare. The cost isn't trivial and it adds to the administrative overhead. Adding a sudden need to do proper backup (and offsite storage) of what should be transient.
I understand it for certain industries (I used to work in Clinic
Re:document rentention policies (Score:2)
Nothing personal against you Caley, but any type of intrusive laws such as what we're discussing here are the opposite of freedom, and need to be called out as such whenever they're seen.
If you want to keep everything, that's your business. However, you should evaluate your motives. Keeping everything for the express pu
Re:document rentention policies (Score:2)
If you read what I wrote, rather than what you would like to read to have a straw man to shoot at, you'll se I said nothing like that.
What I said was, in paraphrase ``only the guilty are subject to a significant cost in keeping everything''. Nothing about hiding anything. There are indeed perfectly good reasons for hiding things, consider the story last week about the anarchist site whose brain-dead admin had his logs confiscated when half a brain cell would hav
some of us do, you insensitive clod! (Score:5, Informative)
Re:some of us do, you insensitive clod! (Score:2)
Now, many companies do hold onto their data for that long and longer for a variety of business reasons, but they do not have to do so. Some reasons for voluntarily holding onto their data might be:
1. The ability to use the data in R&D for other compounds.
2. The ability to use the data as a basis for comparison for other compounds.
3. The ability to use the da
Re:some of us do, you insensitive clod! (Score:2)
Re:some of us do, you insensitive clod! (Score:2)
That computer systems need to be validated is a clear requirement of the Barr decision and 21CFR11 - no argument there. That they need to have audit trails is also reasonable based on Part 11 as well as comparable standards for paper-based data.
All I really want to know is where the retention period is specified for this data. I won't claim to be an expert on the GCP side of the business, but there is certainly no requirement in the GMP side to hold data for decad
hell, you're right! (Score:2)
i'm not saying big pharma's blameless for everything, but someone's got to research and make the drugs you use. unless the only drug you're smoking is crack...
Re:some of us do, you insensitive clod! (Score:2)
Re:document rentention policies (Score:2)
Incidentally the 7 year rule was because that's how long a 9-track tape reel was supposed to last before magnetic print-through would manifest on the old media. Anyone looking for an update on this, or will this be another business standard that lasts forever based on obsole
Re:document rentention policies (Score:2)
Remember how IBM vs. The BUNCH was resolved? Litigation had gone into critical mass (i.e. the collection of suits and countersuits would complete three minutes after the heat-death
How long (Score:3, Interesting)
What if your regular clean up procedures begin just after you've gotten wind of a warrent or other legal issue?
Im sure there are provisions and details about these situations ( IANAL and i dont speak legalese) Can anyone with more knowledge elaborate on exactly what this all means?
Re:How long (Score:3, Insightful)
Re:How long (Score:1, Informative)
Sorry IBM (Score:2, Redundant)
Routine Operation? (Score:1)
What is a routine operation - how do you define this? I assume we're talking about scheduled backups but could this be a possible loophole or is it defined in some cunning way in the actual proposal?
Re:Routine Operation? (Score:1)
I agree with this legislation (Score:5, Interesting)
"Don't retain anything incriminating".
I'm glad to see, government is catching up, with trends set by industry leaders like myself !!
God Bless America.
God Bless Corporate Malfesence.
Death to document retaining, Commie Linux Users!
Also, it's worth noting.
We've always been at war, with East Asia !
[Seriously folks]
Am I the only one who thinks that government should be requiring companies to move the *other* way?
Ie, retain, *everything*... absolutely *everything*, why should email/*doc* be an acceptable domain, where, one can simply erase data under dubious circumstances ?
Because corporation (x) wants it that way ?
[Aside]
Corporations are too powerful now.
Increasingly, law is coming to reflect the interests of Corporations, instead of the interests of countries citizens.
It's not so absurd to suggest, that.. eventually, the little guy will revolt.
Think the French revolution, think the American revolution...
Eventually, when the little guy gets done taking enough crap from those on top... the little guy gives the other the boot.
In this light, Bill Gates is the King of France.
"Let them eat Patent-Cake".. etc.
Re:I agree with this legislation (Score:3, Informative)
*Everything* is a lot. Do you want every revision of your swap file to be backed up?
On the other hand, every email you send does seem like a reasonable requirement. But what if your email contains a URL. Should you be required to back up that version of the web page?
Re:I agree with this legislation (Score:2)
No, silly person.
That's why we have Google.
Re:I agree with this legislation (Score:2)
If it's YOUR OWN web server, though, it's a different analysis.
Also, if you have cached a copy of the web page (say in your individual browser cache, or if your company has a caching proxy server), there is arguably a duty to preserve that cached copy.
Oops, you overwrote your cache through routine web browsing?
Re:I agree with this legislation (Score:2)
This doesn't sound very practical to me. The people who know what's in the cache won't know which items in it are mentioned in email messages like this one: "Hey, you see what Enron did in that story on news.com.com today? We did the same thing!" So should they back up everything in the whole cache?
Re:I agree with this legislation (Score:3, Informative)
Um, have you ever heard of a little piece of legislation called Sarbanes-Oxley? Yeah, you might want to check that out before you start assuming you're on a one-man crusade. Corporate ecords retention requirements have only increased over the past 10 years.
"Ie, retain, *everything*... absolutely *everything*, why should email/*doc* be an acceptable domain, where, one can simply erase data under dubious c
Re:I agree with this legislation (Score:1, Insightful)
Maybe if corporations would climb out of the gutter for a few years, people would stop ranting about things like this, but no, Enron, Worldcom, KBR... and these are just the recent ones, its not like corporate scum is a new invention. It just never stops, does it? An endless cycle of greed and taking advantage of everyone within arm's reach for the almighty holy dollar.
Maybe if apologists like you would shut up and think about the image corporations have for about 3 second
Re:I agree with this legislation (Score:2)
And don't governments fail to "pretend to be good, they flagrantly disobey laws and get away with it" too? They do, and in part for that reason, socialism failed; the Berlin Wall fell, Soviet Russia collapsed, and every significant genuinely-socialist nation (former Soviet Russia, China, India, Vietnam, Nazi Germany) is no longer fully-socialist, havin
Re:I agree with this legislation (Score:2)
1) There are tens of thousands of incorporated companies in the USA. If you include sole-proprietor LLCs, which share certain liability features of corporations but not the management structre (they're essentially traditional small business with a liabili
Re:I agree with this legislation (Score:2)
Thesis (Score:3, Funny)
1. Post unfinished thesis on slashdot for us to review
2. Incorporate feedback from users who read it
3. Profit!!!
Only problem is.... I dont think anyone is going to want to read it, especially not on a monday morning
Re:Thesis (Score:1)
better still... (Score:2)
Excellent (Score:3, Insightful)
the miracle of encryption... (Score:2, Insightful)
Re:the miracle of encryption... (Score:2, Informative)
Re:the miracle of encryption... (Score:2)
Re:the miracle of encryption... (Score:2)
routine, huh? (Score:5, Funny)
So I suppose the following is perfectly acceptable:
30 0 * * * rm -rf
i see nothing wrong with this proposed rule (Score:5, Insightful)
When we move to an electronic imaging system, everything will probably fit on to a couple of high-capacity disks. In 7 years, the cost of that amount of storage is probably going to be negligible, so there's no technical reason we couldn't keep things forever. But I'm still going to configure the document management system to toss anything older than 7 years. Why? Because 7 year old information is not useful. The only reason it's there is because of state/federal rules of evidence that require me to keep it around. It's only useful to someone who's suing me, and when those 7 years are up I'm glad to get rid of it.
One of the things that keeps people from modernizing their filing systems is the fear of losing this "protection," of being able to throw away old information. There's a fear that if you go electronic, it's always going to be "out there" somewhere and potentially a legal threat to you, even if you've done nothing (intentionally) wrong.
I for one support this rule. And if it seems like a good idea for our small company, imagine how it would seem if you're, say, Citibank.
This rule is obviously not designed to support policies of "oh, we're getting sued, so I'm going to throw out this particular subset of information related to the lawsuit and try to claim it's a standard practice," because any attorney worth the price of his suit would get me thrown in jail for destroying evidence.
7 Years vs 45 Days (Score:1, Interesting)
Re:i see nothing wrong with this proposed rule (Score:2)
Reading some of the actuall testamony put out there, some good points show up. If a company can say "you have automated backup tapes from 2000, and one one of them you may have *whatever* piece of information, so I want it." You have no idea which tape it may be on, so you go through your massive pile trying to find it. If you're a small, but data intense, company
Re:i see nothing wrong with this proposed rule (Score:2)
Re:i see nothing wrong with this proposed rule (Score:2)
And yes, HIPAA does permit a reasonable charge to provide a copy of records. Don't bitch to me, bitch to your congresscritter.
Establish retention/destruction policies first... (Score:3, Interesting)
[IANAL but have researched this issue to some extent. No statements I make should be construed as legal advice.]
Organizations should establish data retention and destruction policies and follow them consistently.
Suppose an organization has a policy that states that a) all email older than N days will be purged from the server and b) all email must remain on the server (i.e. no local storage of messages). Another party initiates legal action based on an email sent on $DATE and the discovery process begins. If the order comes through on the (N+1) day for the organization to produce its email, the organization will be in the clear because it followed its own already-established policy. However, if the order comes in on the (N-1) day and the organization purges older email early, it [the org.] will be in hot water.
However, the organization must be sure that it includes all sources of this information. Does the site backup/restore policy parallel the 90-day destruction rule? Many sites pull a set of tapes/media from the rotation once a month or so and put it aside for archival purposes. If the site policy is to destroy email but the backup tapes are available...
IIRC this was a serious mistake on the parts of Enron and Arthur Andersen: they had no such destruction policies in place and began deleting sensitive items only after they knew proceedings were about to begin.
Too Much STUFF! (Score:5, Insightful)
Bah.
Re:Too Much STUFF! (Score:2)
"Multi-gigabyte" sounds like a lot, but it's only a couple of DVDs.
Instead of deleting, you could just as easily back it up and file the DVD, hard disk, or whatever. Should be able to
Re:Too Much STUFF! (Score:2)
Re:Too Much STUFF! (Score:2)
You're not creating 3 TB of data a week. (Not of email, anyway.) As I said, archive what you'd delete. I know, you want us to put key loggers on everyone's computers and archive those forever.
Calm down.
we have mailboxes in excess of 13GB, and that's just the stuff they wanted to keep!
How long did it take them to accumulate this? I didn't say
Re:Too Much STUFF! (Score:2)
I wish (Score:1)
Yea I know, I should have done xyz. But I've lost soooo many CD's, floppy disks, zip disks, jazz disks... the occassional dead hard drive, and then there were those two times I accidentally deleted the wrong partition. Oh how I cried. (admit it, you've been there too)
Anyway, back ontopic: Do you realize just how much volume a cubic meter is?
~187,5
Re:Too Much STUFF! (Score:2)
I set up a daily backup of our entire accounting systeytem. HAd to restore or refer to them a few times, so I know, soemthng. Maybe not "Enterprise clas terabytes", but the principle is the same.
You're storing 20 mb in your 10 year history of e-mail? I get five times that much in less than a month in only one of the five accounts
It's humanly impossible to either read or write 100 MB of
There are Already Policies in Place (Score:1)
Re:There are Already Policies in Place (Score:1)
Those are few and far between. Insurance companies are an exception and are highly regulated because 1) they're basically an arm of the state and 2) they're legalized gambling.
Submitter has no idea what he's talking about (Score:4, Insightful)
Abuse of American electronic discovery rules is getting worse every year. Defragment your disk? That's a sanction. Copy files from an old computer to a new one? That's a sanction.
Seriously, the legal rules need to realize that asking for documents not normally accessible is extremely expensive and opens up possibilities for extortion. ("Looks like it will cost you three million dollars to restore and examine these tapes... Why don't we just settle the case for two?") Everything the Microsoft attorney said is true.
The judges know this, the attorneys know this, the companies know this. The submitter needs to get out in the real world and get his head out of his ass. There's not even an ideological basis for thinking the way he does. It's not like poor people benefit from these rules (who Democrats like to protect) or self-made rich people (who Republicans like to protect).
Re:Submitter has no idea what he's talking about (Score:1)
Re:Submitter has no idea what he's talking about (Score:2)
Perhaps, according to your point of view, the judge doesn't "know this" quite as well as you'd like.
Right now, the default is highly burdensome for the producing/preserving party.
The proposed "safe harbor" says you can't be reckless. If you, as the plaintiff, want something more, you can take it to the court, who can assess the burden of complying with the preservation request against the potential benefit to yo
Re:Submitter has no idea what he's talking about (Score:2)
Not nearly as cheap as corporate budgets.
I'm always amused to get emails from our Exchange server about how I'm over-quota, when gmail is offering 20x as much space to anybody who cares to sign up for free.
Corporations should simply create a forensic image before reimaging PCs. This could be done in a networked fashion to a central file server. In theory whatever script they use to do the imaging could probably take care of it.
Arguabl
Notice from Legal (Score:5, Funny)
Inbox: 41559 messages (41551 read, 8 unread)
Saved-messages: 4154854884569842455 messages
You are usuing 12090% of storage capacity.
Re:Notice from Legal (Score:1)
Discovery in federal suits (Score:1, Insightful)
This rule change simply means that: if a party in a lawsuit doesn't disclose something electronic, because it was erased, because that's normally ho
I don't this that this is bad at all (Score:2)
Re:I don't this that this is bad at all (Score:1)
These aren't people, they're corporations. And if they expect to continue being corporations, they'll abide by the minimum civil standards imposed by the nation-state that recognizes them as such.
Of course Microsoft supports it! (Score:2)
Knee jerk! (Score:2)
Deleteing anything under human control (rather than as part of an automated sweep) is obviously not routine and sanctionable. Said sanctions to increase to the level of criminal with Sarbannes-Oxley. I fully expect SOx prosecutions from civil discovery. Who else is going to look?
Context of the proposed rule: what's required now (Score:5, Informative)
First, if you destroy evidence after the lawsuit gets filed (or when you enter the grey zone of when you "reasonably anticipate litigation"), you have just committed spoliation of evidence. While this makes intuitive sense - the rule prohibits a defendant from having a "shredding party" the day after a lawsuit gets filed - it becomes problematic as definitions of what constitutes "evidence" expand.
Active emails? Check. Files on network servers? Check.
Backup tapes from last night's cycle? OOPS. Yes, several court decisions
Updating databases that might result in some data (i.e., last accessed, last modified) being modified? Uhoh, better take a snapshot of that database.
Are your server logs at issue? Uhoh, better suspend rotation of your server logs.
Hey, when you TURN ON your desktop, aren't you overwriting some cache space and slack space, that might make recovery of deleted files impossible? Guess what? If the other side wants to do a forensic examination of your machines, you can't even continue using them without taking a bit-by-bit image.
And by the way -- if you miss any bit of this data, you get sanctioned. Monetary sanctions, or an adverse inference ("we don't know what was on that tape that was destroyed, but you can ASSUME it was bad!"), or even a default judgment. Yes, electronic discovery can turn into a game of "gotcha".
Think how expensive this is for a small shop with just a handful of machines. And then think what's involved for a nationwide company with, say, 80 far-flung locations and company databases.
See the problem?
The "safe harbor" to Rule 37 says that you don't sanctioned for failure to preserve information lost from ROUTINE operation of a system UNLESS THE LOSS WAS INTENTIONAL OR RECKLESS. The "reckless" hole is very large, admittedly. But the rule attempts to bring some sanity to some of the broad-reaching data preservation games being played today.
Also, note that a court can order a party to take steps above and beyond what the proposed Rule 37 requires.
I am from tech industry (Score:3, Interesting)
Check the actual testimony. (Score:2, Informative)
Found in the Microsoft testimony:
"One of the better comments I think that was submitted to you was from somebody who does a lot of employment class action litigation. And she expressed that very concern. She also cited a few statutes, like Title 7 and maybe the Wage and Hours Act in the employment area, that very specifically tell companies what they must keep and what they must not.
And I bet those statutes also provide penalties if the
Combine this with treacherous computing... (Score:3, Informative)
A quick review for those not familar with "trusted" computing. The hardware uses digital signatures to enforce running an approved BIOS only, which in turn enforces running an approved OS, which in turn will only run approved applications. Documents are encrypted, and the approved applications can phone home to determine whether you are allowed to read a document. If the document is on a delete list, it is immediately erased. Microsoft Media Player already implements this system - except for the hardware enforcement. Microsoft Office is next. Evil Media companies, and Microsoft, want to make the hardware enforcement required by law on all computing devices.
In the not too distant future, having obtained a copy of an incriminating document, you could keep it stored on a banned Linux system running on illegal hacked hardware, and given Microsoft's expertise with security, probably crack the encryption in a reasonable amount of time due to some stupid design flaw (e.g. random seed for session key is derived from Document time stamp). However, the resulting evidence would not be admissable in court. So stock up on tin foil hats.
Re:Call me stupid but... (Score:2)
Okay ... you're stupid.
"Electronic documents" could also be the server logs showing you surfing those gay porno sites, as well as all those ethnic/sexist jokes you posted/received.
Then there's the backups of the backups of the backups problem.
And the time and manpower necessar
Re:Call me stupid but... (Score:1)
Re:Call me stupid but... (Score:1)