Businesses Generally Ignoring E-Discovery Rules

Posted by Zonk on Tue Dec 18, 2007 12:03 PM
from the going-to-get-messy dept.
eweekhickins writes "A full year after the institution of new federal e-discovery court rules, only a minority of companies are paying attention. Keeping track of every IM, email, and document for a court order that may never come must seem like a tall order. Researcher Michael Osterman said that only 47 percent of companies have some kind of e-mail retention policy in place. 'I don't think it's difficult to understand the rules,' Osterman told eWEEK. 'I just think that it sometimes takes headline shock to make people move on some things.'"

Related Stories

New Email Rules Effective Friday (193 comments)
An anonymous reader writes "As of today [Friday], certain U.S. companies will need to keep track of all the e-mails, instant messages and other electronic documents generated by their employees, in accordance with new federal rules. In April the Supreme Court began requiring companies and other entities involved in federal litigation to produce 'electronically stored information' as part of the discovery process of a trial." From the article: "Under the new rules, an information technology employee who routinely copies over a backup computer tape could be committing the equivalent of 'virtual shredding,' said Alvin F. Lindsay, a partner at Hogan & Hartson LLP and expert on technology and litigation. 'There are hundreds of "e-discovery vendors" and these businesses raked in approximately $1.6 billion in 2006, [James Wright, director of electronic discovery at Halliburton Co.] said.'"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by sethstorm (512897) * on Tuesday December 18 2007, @12:06PM (#21740250) Homepage
    Time to raise the penalties for violations - and close off any foreign country escape route from this regulation.

    • 'cause I [whitehouse.org] do.

      Cheers,
      W
    • Re: (Score:3, Insightful)

      How about it's a stupid law and is being rightfully ignored? Ya, that's it. It places an undo burden on business, and really, they're being asked to keep evidence which may incriminate them. Might as well ask a rapist to keep detailed records too so they can be subpoenaed.
      • oh to have the burden of the undo! i should be so afflicted...

        undue burdens on the other hand, those are just not cool.
      • while we're at it, maybe I should record all conversations I have too. just in case someone wants to know what I've been saying. you just never know.

        and my brain waves too. just in case some lawyer needs to see if I was thinking impure thoughts over the last year.

        I think we could all accept an implanted recording device in our skulls, don't you?
        • by pavon (30274) on Tuesday December 18 2007, @05:22PM (#21745048)
          This ruling is about what is and isn't considered destruction of evidence in a court case. The only businesses which may be required to retain more data than they already would are those who are being investigated for a crime. There are two parts.

          The first deals with data deleted prior to the start of an investigation. Basically if you have a data retention plan that states how long you keep documents for, and you follow that plan, then you cannot be charged with destruction of evidence. On the other hand if a bunch of documents relevant to an investigation just happen to be deleted in a manner that deviates from your normal behavior, then you can be.

          It doesn't matter what the plan is - it could be that you delete emails from the server immediately after they are downloaded, or you can back them up for eternity, or anything in between - it is entirely up to you. For the sake of CYA, it is a good idea to have this policy documented, and to make sure it is followed closely, but you are not required by law to do so.

          The second part gives judges the ability to require companies to retain data relevant to an investigation that would otherwise be deleted as part of their normal data retention policy. This requires a court order, and is no different from dead-tree requirements. Again, you are not required by law to have a plan in place to do this, however, it is a good idea to think about it so that you aren't scrambling to figure out how to deal with it if you ever are investigated.
  • They just don't care. In fact, I commend them for it.

    Wow, that's a rare sentiment for companies coming from me.
  • Or Maybe (Score:2, Interesting)

    it is a bad law that failed to consider the impact it would have on business to actually implement the requirements.
    • It also constitutes cruel and unusual punishment for those poor paralegals who have to sift through all this crap during discovery.
    • by wsanders (114993) on Tuesday December 18 2007, @12:19PM (#21740394) Homepage
      You inconsiderate clod, it creates nothing but opportunity for lawyers to charge endless fees for e-discovery. Imagine the new volumes of information available for them to charge $500 an hour to sift through! And if they can charge $1.50 per page to make copies of documents, imagine how much they can mark up deleted email recovery services! And the damage awards they can demand from corporation-hating juries for failure to retain data that may or may not have any relevance to the case at hand.

      The opportunities are endless!
    • Exactly.. what is the actual cost of this? What if a company's currently stored documents already reach into hundreds of terabytes? I haven't looked into the law, but what about ISPs, email hosting providers? Does Google need to store every email that has ever been stored on their servers? What about Yahoo, which often removes emails from users' inboxes automatically after a certain amount of time? Heck, what about standard hosting providers -- if someone bypasses your quotas and uploads a terabyte
      • You put forward a persuasive case outlining the shortcomings of requiring email retention. How, then, would you propose that corporate communications with bearing on matters which come to court are given protected status, to ensure that (eg) companies indulging in outrageous deliberate corporate malfeasance - Enron stylee, let's say - can't have a digital shredding party once a month and walk free when the cops arrive? You're not proposing we give up attempting to regulate commerce through commercial law, I
        • You could just stop caring about internal documents and eliminate or change the laws that depend on them. Treat the corporation as a 'black box,' in other words.

          I'm not sure why we should really give a shit about what goes on inside a company. What matters is what it does. If a corporation does something bad, punish it. I don't really care, and I don't think it should matter, whether people in the corporation "knew" what they were doing was bad, and that's mainly what the retention laws are all about. They
          • Re: (Score:3, Insightful)

            I'm not sure why we should really give a shit about what goes on inside a company. What matters is what it does.

            Well IANAL so I can't give you a formal answer to that. However it doesn't take much thought to imagine a scenario where whether or not people inside the company knew certain things or not, and when they knew them, has significance regarding how long people go to jail, how much the company's fined, or whatever. As a random thought experiment, supposing the wing falls off the fancy new Airbus super-jumbo and 800 people end up getting their 15 minutes of fame in the form of charred shreds of flesh hanging fro

    • Or maybe it's not a "law" at all, but rather the Federal Rules of Civil Procedure, which only apply to parties in litigation in Federal court (or at the very most, those who reasonably anticipate they will be in litigation in federal court for a specific matter). Really, I don't see the story here. The new e-discovery rules do not impose onerous requirements on all businesses. They just prevent you from dumping data when you have that "Oh, crap, we're gonna get sued for this" moment.
  • Is the law for all companies or just public corporations? Seems an excessive burden to put on small businesses?
    • I have not read the law and don't know who it pertains to, but if it did pertain to all business large and small, then yes, it is an excessive burden. Having a document repository doesn't just mean a spare hard drive. You have to have security measures (pretty extreme ones if it were my company) in order to maintain a constantly updated archive that doesn't give away your business secrets to the outside world. Especially if you're growing, and more so if you're doing any kind of computer related work.

      Some small
      • Actually it applies not just to all businesses but to all entities that have been sued. Even individuals. Once you are sued or are aware you will be sued, you must retain all relevant material and turn it over during discovery. This isn't new, this has been the rule for the last century or so. What's new is things like e-mail and instant messaging, and companies going "Oh, that was done in IM, we don't keep records of that.". The e-discovery rules are merely the courts going "You knew you were being sued, y

        • The problem is that the law also applies to anyone who might be sued, which is everybody. A shareholder sues you because their stock lost $1 based on some bad decision that you made (like buying an email backup system). When their lawyer asks you for the data that you have already wiped, it's too late to say "I didn't think that anyone would ask about that."
      • That is my point!

        Everyone can be sued, most will be at some time in their life. Hell, even I am in the middle of arbitration at the moment, but it is a minor personal matter. I digress...

        If a small business has to maintain records for everything, each transaction, who made it, etc... and have it backed up regularly, it will cut into productive time. A business of 3 people losing 1 man-hour a week IS SUBSTANTIAL. That's 4 hrs / month and 48 hrs a year on top of an already slim margin. Think of a lo
  • by Bryansix (761547) on Tuesday December 18 2007, @12:16PM (#21740352) Homepage
    The law is burdensome on businesses. Keeping track of email is one thing. Keeping all communication archived is ridiculous. We just came up with a solution to archiving email so we can finally delete some mailboxes off of our Exchange boxes. My co-worker just wanted to purge the boxes and not back them up. I convinced him that even if this law didn't exist the mail may be useful for us in a court case so it would be worth keeping.

    Now we used to use Spector 360 which would satisfy this ridiculously overbroad law. The software is nuts though and opens all kinds of issues like keeping the data secure since it captures all keystrokes and so people may have CC#, SSN or bank account numbers in their database records kept by this program.
    When we moved we stopped using the program.
    • Re: (Score:3, Informative)

      This "law" should not be "overturned." It is not a "law." It is Rules of Civil Procedure for parties in litigation in Federal court. You can read them here [house.gov]. The rule you want is R. 34.

      This post does not constitute legal advice and is not endorsed by Jackson Walker LLP

      • I should also mention that R. 37 has a safe harbor provision. "Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system." If your normal policy is to dump certain stuff at certain times, you won't get smacked unless it looks like you did it in bad faith (e.g., implemented the policy to screw adverse litigants or something)
    • This post evinces a basic misunderstanding of your obligations under this new rule. A company that is not sued or is not reasonably anticipating a lawsuit may have a data retention policy, which is commonly "we destroy all e-mails after ninety days, and we do not keep any backups." Once they are sued or notified of a suit, then they have to suspend that policy and keep the e-mails and electronic documents created by the relevant executives and employees. The company has a problem only if the data destructio
  • the FRCP (Score:5, Informative)

    by theMerovingian (722983) on Tuesday December 18 2007, @12:18PM (#21740372) Journal

    The Federal Rules of Civil Procedure are being grossly mischaracterized here. The main purpose of the changes is to make it so companies can't intentionally obfuscate their data storage in order to either 1) increase the timeline for digital discovery; or 2) increase the costs (especially to the non-business plaintiff) for digital discovery.

    The FRCP are not a set of regulations to govern businesses, it just means that parties with digital information will bear the burden to produce it in the event of a lawsuit. Depending on the frequency with which your company is sued, it may or may not be a good idea to make it faster to access your backups.

    You aren't under an obligation to save all electronic correspondence unless you are in a heavily regulated industry with special rules requiring that. However, anyone who deletes or destroys documents once a court order has been issued is in pretty big trouble if they get caught. This has been true long before the advent of email.

    IMPORTANT NOTE: I am not a lawyer, this is not legal advice, there is no formation of attorney client privilege, this does not serve as an offer to represent you, your family, or anyone you have ever met, consult the advice of a licensed attorney in your jurisdiction before taking any action, the foregoing is for informational and educational purposes only, and any and all warranties inherent in this post whether express or implied are hereby disclaimed.

    • It doesn't so much matter what your policy is, so long as your policy is consistent. If your policy is that e-mails are kept for one week and then deleted, that's ok. What is not ok is if you normally keep e-mails for a year, but then suddenly delete everything older when you get sued. There aren't any overall rules for what your retention has to be, however you can't change your policies to try and avoid handing over data.

      So if your policy is that nothing gets kept, you have no backups, no retention, you
    • This poster is absolutely correct. There is no requirement to retain all your electronic records. See my post "PLEASE help stop the FUD" below.
    • IMPORTANT NOTE: I am not a lawyer, this is not legal advice, there is no formation of attorney client privilege, this does not serve as an offer to represent you, your family, or anyone you have ever met, consult the advice of a licensed attorney in your jurisdiction before taking any action, the foregoing is for informational and educational purposes only, and any and all warranties inherent in this post whether express or implied are hereby disclaimed.

      Awww, c'mon,.. don't spoil it for the kids!

    • Re: (Score:3, Informative)

      I am a lawyer and my practice focuses on eDiscovery. In other words, I translate between lawyers and people who read /.

      Lots of interesting comments in this thread. There is a lot of FUD out there (like that's news). I hardly know where to start.

      First, sophisticated litigants have seen increased costs from eDiscovery compliance, because "Joe Average" lawyer on the other side is getting more sophisticated about these issues. The new eDiscovery rules require companies to make pretty specific disclosures r
  • I suspect that one of the reasons many firms are not complying with this is that the job seems so overwhelming, they don't know where to start. "Old tech" documents were created and saved (or not) under a kind of natural discipline, stemming from the fact that the cost of creating them was obvious and non-trivial. You might make off-the-cuff smart-ass comments at the water cooler or in the lunchroom, but you weren't likely to put them in a memo.

    E-mails and IMs give the illusion of being almost costless

  • Setting up a backup schedule so that you're basically keeping all email is freaking expensive, even when you're only doing incrementals. Tape "rotation"? Forget that. It's tape storage for ever and ever.

    You need drives, and tape storage, and a tape inventory system, and let's not forget a never-ending stream of tapes.
    • Go beyond the storage issue: how do you sift through all that communication to find what you're looking for? Simple searches? Semantic searches? A room full of $8 per hour interns reading every email and IM? Frankly it's impractical.

  • by olddotter (638430) on Tuesday December 18 2007, @12:23PM (#21740448) Homepage
    If they were, their lobbyists would be crawling all over this. The cost of capturing and storing all of the digital communications made by employees is nontrivial. I know of one company just trying to give their lawyers access to query and retain e-mails. That project is a mess. I can't imagine trying to keep instant messaging along with, etc., etc. .....

  • If you want to teach people through headlines, the White House has deleted 10 Million emails and is getting nothing -- not even a slap on the wrist for it.

    They're just teaching through example.

    There's no way you can have a more egregious example of failure to comply with federal document retention laws, or a more important reason to retain the emails, but absolutely no punishment seems to be forthcoming. Neither half of our political party seems to be even pretending to want to do anything about it.

    So wh
  • Thanks, I'll be here all day. ;-)
  • This is my business (Score:5, Informative)

    by gurps_npc (621217) on Tuesday December 18 2007, @12:39PM (#21740634)
    I do e-discovery related document loading and exporting.

    I can tell you the following:

    1. It is a big business.

    2. It is not "pointless".

    3. The reason the laws were passed is that people were intentionally deleting documents or worse LYING and claiming they had deleted it when back ups were clearly present. They lied because of the expense it would take to recover the back-ups. Honestly, was it that hard to have the lawyers talk directly to the tech people, instead of to middlemen that cared more about money than their legal responsibilities?

    4. The law at heart simply states that if you have documents then deleting it BECAUSE of a legal action is illegal.

    5. The law clearly allows you to routinely delete documents, say 1/year, or even every month.

    6. All it really takes to satisfy the law is a commitment to a reasonable data-retention policy. The only businesses that don't or can't comply are

    A. Those that have been giving their IT department short shrift, not providing a reasonable amount of cash for data and back-ups.

    B. Those that don't realize that being SUED or CHARGED with a crime means you have to spend money on the lawsuit. That includes the responsibility of saving and organizing the data you collected.

    • > 4. The law at heart simply states that if you have documents then deleting it BECAUSE of a legal action is illegal.

      Though, wasn't that true before?

      I clearly remember this coming up in a discussion of backup retention policy 5 years ago. Basically what was stated then was that we needed a policy for backup destruction so that we could get rid of backups because if there were ever a legal case, and we didn't have such a policy, then attempting to purge old backups could be seen as trying to destroy evide
  • This kind of archiving would be nigh impossible for some businesses, no matter how heavily regulated. It's partially a matter of resource allocation. I do a nightly backup and a monthly backup for an organization that deals with kids, medical records, and large donations (i.e. heavily scrutinized). 80 percent + of donations must be spent on program services, so I have a limited budget. If something is written and deleted betwixt the monthly backup and the earliest nightly, it's gone. There's no practical w
  • by spiedrazer (555388) on Tuesday December 18 2007, @01:00PM (#21740964) Homepage
    OK everybody, listen up!!

    Despite what the vendors who produce e-mail archiving software may say, there is NO requirement that ANYONE archive all their e-mail/chat/word docs. etc. for potential litigation!!!

    The rules say that, once you know that there is a legal case (or can reasonably expect that an issue may lead to legal action) you can't destroy evidence that could be used in the case. The federal rules actually spend more time outlining all the valid reasons you may have for destroying/deleting old e-mails or other correspondence.

    There are a lot of vendors generating a lot of FUD about this issue, and even more clueless tech writers and glorified corporate publicity rags like eSchool news to perpetuate it. Don't be sucked in!

    Yes, your company/agency should have a retention policy, but that doesn't mean to retain everything! It should spell out how often you delete materials that are no longer deemed necessary. As long as you follow that policy, you are covered if you delete something that comes up later in an un-anticipated legal action! Once you are aware of a legal action, it is your responsibility to identify and secure any documentation in any form that can have bearing on the case.

  • I'm the sysadmin at a law firm in the Chicagoland area, and we've been following these guidelines for a couple years. However, it is quite a hassle, even though we only have 150 employees. We keep tape backups on a rotating 14-day schedule, with End of Month and End of Year retains kept indefinitely - offsite in a fireproof safe, natch. The amount of storage space we need will soon require us to move from LTO-2 to LTO-4 format and buy an even larger safe.

    Most companies may not need to follow these guide
  • Keep any documentation that can potentially help you, delete the stuff that you know could hurt you.

    • Re: (Score:3, Insightful)

      Because people have a certain expectation of privacy in email communications even though they shouldn't if the email account is a work email account. Also, workplaces reading chat is kind of sketchy. My work used to do it. Not anymore.
    • What business I conduct and with whom is proprietary information, and very much private. My client list is worth money to me, and what services I'm performing for those clients is worth even more. It's not public, and it would be worth a good deal to my competition. I might also discuss other things with my business partner, such as future marketing plans. Those are private as well.

      What the government wants is a complete record of everything, in case you might have evidence that could convict you of somethi
    • And businesses are owned, operated and staffed by what?
    • "noidentity" said: Why is this tagged privacy? This applies to businesses, not people.

      That statement is flat-out wrong. The Federal Rules of Civil Procedure apply to parties who are the subject of lawsuits (or third party subpoenas). It's often companies, but they can apply to individuals, too.

      In many of the RIAA lawsuits, defendants have gotten into trouble for deleting information on the computers -- i.e., information which the RIAA contended was evidence that they were illegally sharing files.

      Most lawy
    • Re: (Score:3, Informative)

      You may argue with the law, but if you ignore it you could end up in prison. As could your CIO. Right or wrong, you'd be stupid to ignore it if you're a company that trades in the US.