Psystar Case Reveals Poor Email Archiving At Apple

Posted by timothy on Sun Nov 23, 2008 09:03 PM
from the let-me-check-the-round-file dept.
Ian Lamont writes "Buried in the court filings of the recently concluded Psystar antitrust suit against Apple is a document that discussed Apple's corporate policy regarding employee email. Apparently, Apple has no company-wide policy for archiving, saving, or deleting email. This could potentially run afoul of e-discovery requirements, which have tripped up other companies that have been unable to produce emails and other electronic files in court. A lawyer quoted in the article (but not involved in the case) called Apple's retention policy 'negligent.' However, the issue did not help Psystar's lawsuit against Apple — a judge dismissed the case earlier this week."

Related Stories

[+] Psystar Antitrust Claim Against Apple Dismissed 256 comments
CNet has a report that a federal judge has dismissed Psystar's antitrust suit against Apple. Observers had said that the counter-suit embodied the Mac clone-maker's best chance of prevailing and staying in business. We've been following Psystar and the dueling lawsuits since the beginning.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • From TFA:

    ...the basic legal requirements surrounding email and document retention to The Standard. "If litigation is anticipated, the party has a duty to preserve potentially relevant documents"

    The thing here is that litigation is always anticipated at Apple - if they're not currently suing someone, it's because they're getting ready to sue. (or the legal team are on holiday [hawaiishar...unters.com] [legal team pictured on the right hand side of that photo])

    The other point worth noting here is that an electronic document retention policy is only a good thing to have if you're confident your employees are acting ethically (or at least unaware of any breaches).

    • by aliquis (678370) <dospam@gmail.com> on Sunday November 23 2008, @09:19PM (#25869285) Homepage

      It's probably more to say "if you think you will get busted you're not allowed to start removing things", not "you can't remove anything because some day in a time far far away someone may want to look you up."

        • by ReedYoung (1282222) on Monday November 24 2008, @12:13AM (#25870107) Homepage Journal
          It was not a statute at all, it was just Anonymous Coward's (TM) sales pitch in the guise of legal counsel. From the first article:

          An e-discovery lawyer, who asked not to be named because his employer (a firm you probably have heard of) doesn't want him speaking to the press, explained the basic legal requirements surrounding email and document retention to The Standard. "If litigation is anticipated, the party has a duty to preserve potentially relevant documents," he said.

          Playing safe does indeed indicate good record-keeping. I'm still not a lawyer, but that seems like reasonable enough legal advice. However, he has more to say.

          "An employee retention program with no organization or coordination is effectively incapable of compliance," he continued, "barring an act of God, or luck akin to picking every game right in an NCAA pool. Apple's retention policy is negligent."

          Do you mean "negligent" in the legal sense, or the colloquial? Because, you know, now that you're being cited as an e-discovery lawyer, the inclination will be to assume that everything you say is your legal opinion or best counsel based on the sum of relevant statute and precedent.

          Consider this scenario: Employees could have emails from five years ago that become "potentially relevant", but because there was no policy in place regarding e-documents, those records could easily become destroyed -- making it potentially impossible for a plaintiff to make a case from internal documents.

          That could only be a problem under an ex post facto law, in my opinion. I am still not a lawyer, so if I'm right [meaning his advice is not so hot], we now have a good idea why "his employer (a firm you probably have heard of) doesn't want him speaking to the press."

          However, Apple claims in the Psystar document that its policy is fine because once the company anticipated litigation:

          [Apple] identified a group of employees who could potentially have documents relevant to the issues reasonably evident in this action. Apple then provided those individuals with a document retention notice which included a request for the retention of any relevant documents.

          Psystar's antitrust claim has been dismissed, but Apple is currently involved in many other cases. Apple's weak e-discovery practices could very well come back to haunt the company.

          That is of course possible, but "could very well" normally implies high probability, and that is not supported by the facts given in this article. Obviously, he has a product to sell, but I would have come away with a more favorable impression of e-discovery software if he had said something more like, "if the evidence against you is as weak as the evidence against Apple in this case, you don't need a data retention policy any better than Apple's. However," I would continue if I was trying to sell some e-discovery software, "in case of better-organized litigation against you than this case, a more comprehensive data retention policy might be in your best interest." See, instead of making my sales pitch on a case that, taken on its own, indicates that my product is unimportant, I would acknowledge that my product was not important in this case, but suggest that it is not wise to assume that every case will be so easy. I think my approach appeals less to the customer's fear, and more to the careful consideration that will need to be evident in an approved purchase request.

    • The thing here is that litigation is always anticipated at Apple - if they're not currently suing someone, it's because they're getting ready to sue. (or the legal team are on holiday [legal team pictured on the right hand side of that photo])

      Or... they're being sued. It's practically a rare day these days when Apple isn't being sued by someone.

      It's a wonder Apple can release product considering how much they probably spend on legal...

      • See? Another example of Apple not innovating. Spending vast amounts on lawsuits was a strategy first pioneered by IBM and later adopted by Microsoft.
      • Erm? Really? You cannot be serious?

        You don't recall Apple suing one of its fanbase [thecrimson.com] (a student & lifelong fan), a web design school [pulse2.com] (who mostly used Apple's products), New York [sys-con.com] (for daring to use an apple in an environmental awareness campaign) and of course Psystar [tuaw.com] (attempting to resell OS X).

        I could go on & on. Sure. Plenty of people sue Apple (just like any other big tech corp), but Apple's penchant for pulling out the legal guns against small operators (and its fanbase) makes it stand alone in the tech crowd.

        • Re: (Score:3, Informative)

          In the case of the web design school it was a pretty clear case of trademark infringement. The fact that they used Apple equipment made it even more likely.

          They have a logo that is very similar to apple's trademarked logo, they deal with computer related tasks/services/education, they use apple hardware... it is quite likely someone may mistake that the company is somehow tied to apple (an official apple web design school or something of the sort). Whether it is "morally" wrong for them to sue this compa
  • by negRo_slim (636783) on Sunday November 23 2008, @09:05PM (#25869189) Homepage
    email? apple is too hip for that. it's social networking [web-strategist.com], far as the eye can see...
    • by lysergic.acid (845423) on Sunday November 23 2008, @10:35PM (#25869693) Homepage
      ::HackintoshDood signs in to Myspace::
      MySpace: you received a friend request from AplLawyrBabe81
      ::looks at profile pic::
      HackintoshDood: sweet, she looks pretty hot.
      ::approves friend request::
      MySpace: you have a chat request from AplLawyrBabe81.
      HackintoshDood: awesome!
      ::clicks::
      AplLawyrBabe81: a/s/l?
      HackintoshDood: 21/m/san jose, u?
      AplLawyrBabe81: kekeke
      HackintoshDood: i rly like ur pics. you're hot. ;-)
      AplLawyrBabe81: kekeke, thanks. ;-)
      AplLawyrBabe81: ur profile says u r Matt Anderson. is that rly ur name?
      HackintoshDood: yep, that's me =P
      AplLawyrBabe81: oh, good. then consider yourself served.
      AplLawyrBabe81: ur being sued by Apple for copyright infringement.
      AplLawyrBabe81: c u in court. k bye!
  • e-dicovery? (Score:5, Interesting)

    by Dutch Gun (899105) on Sunday November 23 2008, @09:15PM (#25869263)

    The fear of fines and other legal sanctions has resulted in many companies instituting strict "e-discovery" retention policies, and has helped give rise to a new class of enterprise-class storage and indexing tools.

    I think "iDiscovery" is a much catchier name...

    Joking aside, I kind of wonder about the practicality of requiring companies to retain their own documents in case of possible litigation against them. Won't this simply encourage people to use alternate means for any sort of confidential communications? Also, what proof is there of a lack of tampering? I'm not saying Apple is guilty of this, but it does cross my mind in a general sense. It seems only natural that executives will be more cautious of saying anything even remotely incriminating via e-mail. More face-to-face meetings in the future, I guess.

    • I think it could get a greater sliding scale effect. Require Emails for endless archives, then IM's then further recording and archiving all phone calls... It is out of hand, and worse almost every politician in power used to be a lawyer. So you can't even cry for them for some reasoning that sometimes the lawyers' jobs will need to be tougher and you can't always have the company share all its information to everybody. And shouldn't be required to.

      • Re:e-dicovery? (Score:5, Insightful)

        by hairyfeet (841228) <bassbeast1968@@@gmail...com> on Sunday November 23 2008, @10:30PM (#25869665)
        Yes but IMHO it should be the same as taxes, that is 7 years. If the excrement hasn't hit the bladed cooling device in that time then chunk away. But if there isn't at least SOME kind of retention policy required of corporations you'll see every Enron style ripoff artist simply switch everything to email so they won't have to worry about having any paper trails. You have to balance the needs of the public and the shareholders with the needs of the company. But since we are rapidly switching (and some could argue we already have) to a paperless society then we really should have a set number of years for electronic records like email and IM. After all, look at what has come out against MSFT over the Vista Capable scam thanks to email.
    • Re:e-dicovery? (Score:5, Interesting)

      by the eric conspiracy (20178) on Sunday November 23 2008, @09:51PM (#25869461)

      I kind of wonder about the practicality of requiring companies to retain their own documents in case of possible litigation against them.

      There is no general requirement. Many companies have document destruction policies - for my company we automatically delete all email older than 90 days.

      Some records have to be kept - financial records, taxation, etc. Invention records for patents, and so on. If you are in the financial industry the SEC requires 5 years for everything. If you are in a lawsuit the judge might order you to stop destroying stuff - I think Prudential got hit with a fine because nobody told their IT department to turn off their automated pruning process.

      • Re:e-dicovery? (Score:4, Interesting)

        by Degrees (220395) <degreesNO@SPAMsbcglobal.net> on Monday November 24 2008, @01:31AM (#25870475) Homepage Journal

        Actually, there is a general requirement - although it's a special case, kind of. It's called FRCP [cornell.edu] - Federal Rules of Civil Procedure. So, it's a special case in that it only applies when you show up in Federal court. But it's a general requirement in that any case that gets ruled against can be appealed, and after enough appeals, you end up in Federal court. The Cornell link also points out that a lot of state courts are accepting the FRCP rules as reasonable for their proceedings.

        I've been told by our legal counsel the same thing mentioned in TFA: "If litigation is anticipated, the party has a duty to preserve potentially relevant documents". The obvious case is when someone's death (due to negligence) is involved. The less obvious case is when the boss starts an affair with one of the administrative assistants. Do you keep the love letters? Is litigation anticipated? What if the boss has authority over job promotions?

        Problem 1 is that the automated "we delete after 90 days" system may not have a provision for "well, delete all except foo and bar". (And, BTW, foo might take five years to get to court, and bar might never). Problem 2 is that it's probably not reasonable to expect end users to be able to classify keepers from trash. If they weren't love letters, but rather evidence of sexual harassment, should the victim have been allowed to keep them? If corporate policy says no....

        I don't know if this was the same case you were thinking of, but Morgan Stanley agreed to pay $15 million [computerworld.com] in fines for its failure to retain e-mail messages.

    • Re:e-dicovery? (Score:5, Interesting)

      by Lord Kano (13027) on Monday November 24 2008, @02:36AM (#25870673) Homepage Journal

      Won't this simply encourage people to use alternate means for any sort of confidential communications?

      YES.

      Two weeks ago, where I work, there was a new training module that we had to complete. One of the topics was email and discovery. We are specifically prohibited from speculating about anything in email because it can be a part of discovery. If we have concerns, we are to walk to the person's office and discuss it with them in person.

      LK

      • Re: (Score:3, Insightful)

        Bah, don't worry about the executives. They already have an entire language of obfuscation and everybody else just posts the dirt to their MySpace blog.

        It's not that I'm worried about executives. It just feels both pointless and overly intrusive to me, which is a bad sign for any government policy. From there, it seems a small step to require Internet providers or search engines to start logging the same sort of data. It doesn't really seem all that far-fetched. [npr.org]

        • well, corporations shouldn't even have rights as an individual. however, if corporate entities are going to be given rights, and in fact more rights/power than regular citizens, then they should be held to higher legal & moral standards and also subjected to greater scrutiny (i feel the same should be applied to politicians, law enforcement, and others in positions of power).

          ordinary individuals have to file & report all of their financial earnings, and the court can issue warrants to search and sei

          • corporations shouldn't even have rights as an individual

            Yes and no. Should they have the right to free speech? Yes, with the same limits as an individual. The right to bear arms? No, I don't think Omnicorp needs guns. The right to deny boarding of government troops? Yes, I sure don't want weekend warriors taking over my cubicle.

            • why should a corporation have the right to free speech? or perhaps a better question might be, why would a corporation need the right to free speech?

              a person's right to free speech may be encroached if they, say, create a film that offends some special interest groups or portrays a powerful corporation in a negative light. a lawsuit might be filed against the filmmaker in an attempt to silence him. in this case it would be a matter of free speech.

              now, how would the issue of free speech ever arise regarding

          • so if people are subjected to all of these encroachments of privacy and civil liberties, then why shouldn't corporations be forced to keep records that can assist legal investigations? if anything people should have more of a right to privacy than a corporation, since a corporation is just a commercial entity, not a human-being with natural rights.

            I'm not arguing against it on the basis of civil liberties. I'm arguing on the basis that it's counter-productive and unnecessary. If someone is doing something illicit, don't you think they'll be just as likely to try to cover their tracks? That leaves the burden of compliance on those companies that *are* doing the right thing.

            Keep in mind that not all "corporations" are giant conglomerates. Many smallish businesses are also "corporations", just not publicly traded. What do you feel would be the size

  • by iamhigh (1252742) on Sunday November 23 2008, @09:16PM (#25869277)
    I tell this to users all the time. Email is for communicating... not storing documents and information. Do we require companies to record all phone conversations? What about documenting meetings and informal conversations (where the real magic happens)? Why is email different? Yes I know the layman's answer - because it is already half way retained. But that doesn't equate to legal requirements for a company to retain ALL email. That is actually quite a burden. The intranet, CMS, ERP, $software_solution, and paper copies are all that should be REQUIRED for legal proceedings.

    Now, some IANAL (or IAAL) tell me why I am completely wrong.
    • by chill (34294) on Sunday November 23 2008, @09:24PM (#25869315) Homepage Journal

      The financial industry requires all that. Where I work (broker/dealer and investment management firm) EVERYTHING is recorded. E-mail, phone calls, meetings, etc. IM and the like are forbidden. We even get copies of every fax sent/received and paper letter sent by investment advisers. All of it. Yes, it is a royal pain.

      • Re: (Score:3, Insightful)

        Typical e-mail systems treat messages as messages, and not documents. It's made evident by the email address itself: someone@domain.net -- not a lot of meta-data in there. Just a person at a place.

        what blows me away is when companies that do make an effort to archive e-mail messages, insist that the operation be performed at the client, via CC or message forwarding (the cost savings technique). Sounds ripe for abuse if you ask me.

        Let's face it: e-mail is too big to fail! Therefore (Satan get behind me) we must

      • Yes, it is a royal pain.

        Well, a marketing company or something else like that can't exactly torpedo the economy the way financial organizations can.

        Lockheed Martin acts stupid, maybe they go bankrupt or get acquired. A financial company acts stupid, and... well, the last few weeks are evidence enough as to what happens.

    • by truesaer (135079) on Sunday November 23 2008, @09:25PM (#25869323) Homepage

      But that doesn't equate to legal requirements for a company to retain ALL email.

      No it doesn't. But there are two issues with email. First is that if you don't have a standard policy for retention/destruction of email (or network share backups or whatever), it opens you up to allegations that you destroyed evidence after a lawsuit was filed. If people can delete things at any time, it makes it hard to show if it was coincidence that your VP just happened to delete all that relevant stuff after a suit was filed or not. With a standard policy, if everyone complies, then this matter is much more cut and dry.

      Second is Sarbanes-Oxley compliance. I know a lot of companies have banned external instant messaging because of retention concerns related to Sarbanes-Oxley (since you can't easily log AIM and other IM discussions). I'm a bit surprised that Apple hasn't got policies in place given their issues with improper options in the past. Similar laws, I guess they didn't take the scandal very seriously.

        • Re: (Score:3, Insightful)

          "Should" be used? That may be the best policy for limiting discovery in lawsuits, but it would seriously damage the operation of the business. I can't immediately resolve an issue emailed to me most of the time, and I rely on saving emails with important information for later use. I'd say these are pretty common ways that people use email.

          You want to mitigate legal risk, not necessarily eliminate it.

    • by Anonymous Coward on Sunday November 23 2008, @10:20PM (#25869611)

      Let me put it this way - I know of a largeish piece of corporate litigation that turned almost entirely on a Christmas card.

      Broadly speaking, anything that is recorded and is able to be read/interpreted/played back/whatever is a "document" for legal purposes and is discoverable if it is relevant to the issues in the case (or whatever your local rules are).

      A conversation isn't a document as there is no persistent record of it. That is why you have "pens up" meetings and why some people will never put anything more informative in an email than "come see me".

      However, if you do make any record of that conversation - be it five words on a napkin, a detailed minute of the meeting or an audio recording, then that becomes discoverable (provided it is relevant). If you are given a handout of powerpoint slides at a meeting and you make notes on it then that handout becomes a wholly distinct, individually discoverable "document" from a blank printout of the slides.

      In most places it is considered contempt of court to destroy a document that is discoverable in actual or reasonably anticipated litigation.

      And yes, IAAL.

    • From what I can tell, this is old news and the protocol has been set. Destroy documents every so often. Do it consistently. Do not wait until there is a budget. Continuously go through everything and destroy everything that is older than a cutoff. If you are told to stop, stop, and don't start trying to catch up on the destruction. This has been SOP since the Enron mess. The legal requirement is to follow protocol and not destroy stuff after you are told not to. This is nothing new, and if Apple does not have a consistent policy, then that is bad for them. The fact is that the paper trail is there. If you don't want a paper trail, have an undocumented face to face meeting.
    • What it comes down to is the definition of a "record". If you and your boss make a decision over the phone, and it's followed up with an email, then that is the record of the decision. In the Bad Old Day, a record was paper. The transition to email doesn't get rid of the need for records - it just changed the form.

      I work in government, and we have to live under 'open meeting rules'. In other words, elected officials have to be careful not to discuss items with each other (and thus be at risk for the accusat

  • by girlintraining (1395911) on Sunday November 23 2008, @09:25PM (#25869329)
    Retention policy is simple: Delete anything that shows it's your fault. Save anything that shows it's somebody else's fault. Forward anything that makes your boss look good. If you're asked for copies of anything give them something that looks similar but isn't it. If you're called into court, you have a bad memory unless your lawyer says you don't. And under no circumstances should you ever, ever






    .
  • Just because a massive company doesn't have a "company-wide" policy on email does not mean it does not effectively archive it.
  • by xZgf6xHx2uhoAj9D (1160707) on Sunday November 23 2008, @10:22PM (#25869619)
    Man, if only Apple had access to some sort of technology that would automatically back up their emails. Something that indexed the back-ups too. Something that Just Works.
    • Re: (Score:2, Informative)

      That's actually hilarious that you mention that, as I am storing about a half-decade's worth of e-mails using apple products and hardware. Wouldn't call it especially secure or safe, but it's there and it's intuitive to use.

      Why wouldn't they at least use the office as a place to field test the product?

    • by bill_mcgonigle (4333) * on Monday November 24 2008, @01:14AM (#25870399) Homepage Journal

      Something that Just Works.

      Perhaps you've heard of Mobile Me? It's a wonder they have any e-mail.

  • Sarbanes-Oxley (Score:3, Interesting)

    by BitterOak (537666) on Sunday November 23 2008, @10:32PM (#25869681)
    I thought that since Apple is a publicly traded company they are required to retain ALL corporate e-mails as a result of Sarbanes-Oxley legislation. What am I missing here? (IANAL, so I'm genuinely curious.)
    • Re: (Score:3, Interesting)

      Yes, SOX section 802 can bring criminal penalties if audit records (which can include email messages) are not maintained. It sounds like Apple may not be SOX compliant.

  • I'm kind of in the middle of developing a policy for my department (1500 employees/800 Exchange users) of a large County (105,000 employees) where we currently have zero policy.

    I've already been part of an e-discovery action for a lawsuit - which we eventually won - and can't imagine what might happen next.

    Nevertheless - I follow the GTG philosophy. If it takes less than 60 seconds to do, I delete it. I also delete my deleted files every time I close for the day.
      • Whatever happened to "innocent until proven guilty?" It's ridiculous to think that we now have to archive all of our correspondence "just in case" we have to defend ourselves in court. People need to re-read (or read for the first time) Kafka's "The Trial."
        • Actually, I've found it to be more the opposite. If I delete everything as my personal policy then there's no issue.

          If I retain stuff and something - however unlikely - is found to be damaging in a future lawsuit then I'm screwed.

          Now, If I do what Oracle (IIRC) did and start deleting AFTER a discovery request is made, then I'm guilty of obstruction.

          I figure just delete beforehand.
  • by fuzzyfuzzyfungus (1223518) on Sunday November 23 2008, @10:48PM (#25869751) Journal
    Ok, I propose the following: We take up a collection to establish a prize pool to be paid to the (estate of) the first person to approach Steve Jobs and, with a completely straight face, suggest that he "Really ought to consider an enterprise grade hosted-Exchange Solution; since, after all, Exchange and Microsoft Workgroup Technologies(tm) are the heart of the dynamic enterprise."

    Just remember, Steve has eye lasers, and they are powered by pure disgust.
  • by blitz487 (606553) on Sunday November 23 2008, @11:41PM (#25869967)
    So many companies have been hung out to dry based on emails one wonders why officers and above in the organization are even allowed to use email. They should go back to voice only, and have someone else write a memo if it is really important.
  • by Anonymous Coward

    Our legal people won't respond to IT requests such as 'how long should we keep backups'. The problem being that if they give an answer it can be used against the company.

    Not having a guideline at all is the best way to circumvent that. Of course they do have a guideline for employees to delete all emails that are no longer pertinent to their jobs, but those guidelines are there for the same reason. It's all about deniability.

    So I'd call this smart, not negligent.

  • Why keep emails? (Score:3, Insightful)

    by Anonymous Coward on Monday November 24 2008, @02:17AM (#25870625)

    Why would Apple bother to keep emails when they already know that the risk of the email being used against them is far worse than the penalty for not keeping them?

    • Especially when not properly archiving that email can take a bite out of your corporate image! Oh wait...

    • Now would be the time to invest in Sapho production. Biological storage will be the way of the future.

      If there is a future, I wonder if the archeologists will be able to determine it was the lawyers that caused all forms of permanent information to disappear.