Deleting Emails Costs Morgan Stanley $1.45B
DoubleWhopper writes "The financial giant Morgan Stanley lost a $1.45 billion judgement yesterday due, in part, to their failure to retain old email. The judge in the case, 'frustrated at Morgan Stanley's repeated failure to provide [the plaintiff's] attorneys with e-mails, handed down a pretrial ruling that effectively found the bank had conspired to defraud' their former client. The CEO of a record retention software company noted, 'Morgan Stanley is going to be a harbinger'."
I thought the problem was that they HAD backups (Score:2, Informative)
Re:Oh crap! (Score:5, Informative)
Apparently, Morgan Stanley came forward, said they had produced all the emails. (time passes) They find some more emails and turn them over. (time passes) They find a closet stuffed with backup tapes and turn them over. (Time passes) Morgan Stanley files a document certifying that they turned everything over. (Time passes) Morgan finds even more emails and turns them over. This causes the judge to get annoyed.
One of the earlier problems was that Morgan had built a database to house old emails and the first time they were told to turn over emails, a sysadmin who was not in a clueful state just searched the database without finding out how much had already been imported into the DB. (Turned out the DB had only had a small percentage of old emails put into it.)
Re:Oh crap! (Score:2, Informative)
Knowing the financial industry as well as I do, I wouldn't be at all surprised to hear that the executives that failed to create a defensible email retention policy really will end up hanging all of the blame on some poor system-administrating underling who had just done exactly what he had been told to do.
To Keep or Not to Keep (Score:3, Informative)
Email records can be subpoenaed just like anything else. If it benefits your case, it would be nice to have; if it hurts your case, it would not be so nice to have.
When I write computer use policies, I recommend keeping it for 1 to 2 years. Depending on the type of business that might get extended out much longer. A start-up company might want to keep it 10 or more years to cover any possible arguments with their VCs over who owns the IP.
So why not keep it forever? Unless you want to have the lady suing you for sexual harassment making your company's email part of the public record, you might want to set some limits.
The key is to document, in writing, what that limit should be. For example, maybe put it in your company's Computer Use policy. You have one...right?
Re:Email retention Policy. (Score:4, Informative)
Re:Not really the best use of the "YRO" category (Score:5, Informative)
sliding schedule - SEC rules? (Score:3, Informative)
Re:Oh crap! (Score:2, Informative)
harbinger definition (Score:1, Informative)
Harder to keep old mail than you think (Score:2, Informative)
Re:Yes, but when the madmen are running the asylum (Score:5, Informative)
I hate to defend Dick Cheney, but saying he only has a few years of government service under his belt is flat-out false.
==
His career in public service began in 1969 when he joined the Nixon Administration, serving in a number of positions at the Cost of Living Council, at the Office of Economic Opportunity, and within the White House.
When Gerald Ford assumed the Presidency in August 1974, Mr. Cheney served on the transition team and later as Deputy Assistant to the President. In November 1975, he was named Assistant to the President and White House Chief of Staff, a position he held throughout the remainder of the Ford Administration.
After he returned to his home state of Wyoming in 1977, Mr. Cheney was elected to serve as the state's sole Congressman in the U.S. House of Representatives. He was re-elected five times and elected by his colleagues to serve as Chairman of the Republican Policy Committee from 1981 to 1987. He was elected Chairman of the House Republican Conference in 1987 and elected House Minority Whip in 1988.
==
From Whitehouse.gov [whitehouse.gov]
Re:Email retention Policy. (Score:5, Informative)
Re:Time Study Analysis on the Cubicle Slaves (Score:5, Informative)
And hey, at least we don't burn out like a lightbulb after a few years.
Re:i don't get it (Score:5, Informative)
Actually, I've come to the opposite conclusion. I don't know every e-mail system, and I don't know what Morgan Stanley was using, but I have administered serious e-mail systems for about 15 years, and I can tell you that in many, it is in fact very difficult to insert a fake message into the message store in the right place, with the right semantic context. Don't forget that in all these cases the recovery is from (presumably) dated and logged backup tapes, possibly under the observation of opposing counsel's expert, and under penalty of perjury. So go ahead, tell me how you insert (or even alter) a message into a multi-gigabyte message store coming off a tape that's been archived and logged at Iron Mountain for the last five years. Will it have the right SMTP transit headers? The correct "In-Reply-To:"? What about the context of the message? Are you replying to someone? Do they later reply to you? Does it all fit together? This is a distinctly non-trivial exercise. Possible, yes, but maybe only theoretically so. And the grunt doing the recovery is *very unlikely* to want to risk going to jail to cover up some fraud he was probably never associated with.
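The coherence questions raised in the comment above (transit headers, "In-Reply-To:", whether replies fit together) can be checked mechanically over a restored store. This is an added example, not part of the original post; it assumes messages exported as RFC 5322 text with numeric timezone offsets, and the example.com messages are constructed.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample store: two consistent messages and one that does not fit.
SAMPLE = [
    "Received: from mx.example.com by mail.example.com; Mon, 3 Apr 2000 09:15:05 -0400\n"
    "Received: from desk1.example.com by mx.example.com; Mon, 3 Apr 2000 09:15:02 -0400\n"
    "Message-ID: <a1@example.com>\nDate: Mon, 3 Apr 2000 09:15:00 -0400\n"
    "Subject: Q1 numbers\n\nbody\n",
    "Received: from mx.example.com by mail.example.com; Mon, 3 Apr 2000 10:02:06 -0400\n"
    "Received: from desk2.example.com by mx.example.com; Mon, 3 Apr 2000 10:02:03 -0400\n"
    "Message-ID: <b2@example.com>\nIn-Reply-To: <a1@example.com>\n"
    "Date: Mon, 3 Apr 2000 10:02:00 -0400\nSubject: Re: Q1 numbers\n\nbody\n",
    "Message-ID: <c3@example.com>\nIn-Reply-To: <a1@example.com>\n"
    "Date: Mon, 3 Apr 2000 08:00:00 -0400\nSubject: Re: Q1 numbers\n\nbody\n",
]

def received_times(msg):
    """Timestamps of Received hops, oldest first (hops are prepended in transit)."""
    stamps = [h.rsplit(";", 1)[-1].strip() for h in msg.get_all("Received", [])]
    return [parsedate_to_datetime(s) for s in reversed(stamps)]

def audit_thread(raw_messages, skew_seconds=300):
    """Return (message_id, finding) pairs for messages that do not fit the store."""
    msgs = [message_from_string(r) for r in raw_messages]
    by_id = {m["Message-ID"].strip(): m for m in msgs}
    findings = []
    for m in msgs:
        mid = m["Message-ID"].strip()
        sent = parsedate_to_datetime(m["Date"])
        hops = received_times(m)
        if not hops:
            findings.append((mid, "no Received headers"))
        elif any((a - b).total_seconds() > skew_seconds for a, b in zip(hops, hops[1:])):
            findings.append((mid, "Received hops go backwards in time"))
        elif (sent - hops[0]).total_seconds() > skew_seconds:
            findings.append((mid, "Date is later than first Received hop"))
        parent_id = (m["In-Reply-To"] or "").strip()
        if parent_id:
            parent = by_id.get(parent_id)
            if parent is None:
                findings.append((mid, "In-Reply-To target not in store"))
            elif sent < parsedate_to_datetime(parent["Date"]):
                findings.append((mid, "reply dated before its parent"))
    return findings

if __name__ == "__main__":
    for mid, finding in audit_thread(SAMPLE):
        print(mid, finding)
```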
Re:Email retention Policy. (Score:3, Informative)
Unless the GP's employer is in the financial/accounting field I do not believe this Act applies.
As long as the retention policy is documented and enforced you can pretty much go as short as you want (unless of course there is a requirement from an outside agency).
I maintain the ISO 9000 and environmental compliance documents and records at work so I know a little...
Banking, in a nutshell (Score:2, Informative)
FYI, the banking and securities industry is governed by a set of rules that are implemented in various ways. The NASD and SEC regulations essentially boil down to two things:
1) Firms must retain all email and IM communication for at least 3 years, one year in a "readily accessible" location. This is all so that if Mom & Pop Investor lose money, then sue and claim their order execution was botched, the truth should be readily evident. Most places block external email (yahoo, et al.), block IM, and log everything else. Propriety and compliance take some sacrifice. Legal compliance divisions are growing every year, while IT is stable/shrinks. Consider that at Career Day!
2) All broker/dealer voice conversations must be recorded for similar time periods. Some places record ALL conversations (including the mail room clerks, support staff, everyone) just to be sure. Watch what you say on the phone at work, kids.
[and, maybe relevant, SOX is a financial process compliance law, that extends criminal culpability to officers certifying records (see recent Enron, WCOM, etc. financial scandals for cause), and extends to IT in even more mysterious ways.]
Basically, not much has changed since 1995; most places that want to stay in business for a while err on the side of caution. Back then I sat in on SEC meetings with our legal team and watched them struggle to put the Internet in perspective. Later, our CTO told us to archive all the data going over (at the time) T1s for three years. Yes, ALL the data, which we had to do some basic math to explain that given available technology it would be insanely expensive. Never did happen; we did archive all email though. There are rumors some places still use WORM drives to comply with the old regulations, just to be safe. Probably the only new change is now Facetime, Akonix, and IMLogic make a financial killing with logged IM servers for the places that enable/rely on IM technology.
Summary, the technical requirements are easy but business is not...profit where possible, but try to play by the rules, don't piss off a judge, or you get massive fines and/or sued by Spitzer. That said, this one will likely be reduced on appeal. MS is suing their lead counsel for malpractice, has plenty of grounds to appeal (not to mention that the applied default-culpability judgement in this case is very, very rare). Business will go on.
Re:i don't get it (Score:3, Informative)
Uh, actually, I am.
I know I'm a moron for replying to an AC, but here goes. Picture this scenario: you get a subpoena or a discovery request for e-mail from the CFO from five years ago. You retrieve a tape from your archival storage company, and there's an audit trail showing it's been there for four years 11 months. Either the FBI agent or opposing counsel's expert looks over your shoulder while you restore from that tape onto a lab system, unconnected to anything else, running just your MTA of choice under your OS of choice. Let's say it's Notes. File date/time stamps are verified by you and the FBI guy. You then connect one other (verified and trusted) system to your message store, running the MUA of choice. You open the CFO's mailbox and retrieve the requested e-mails. At what point were you able to insert something into the message store?
Sure, I know how to telnet to port 25 and run the appropriate SMTP commands. So what? How do I modify that old message store? Say it's a Notes or GroupWise database?
Sounds to me like you are not very conversant with enterprise-scale e-mail systems, but just learned how to spoof SMTP.
35 other books say the same thing. (Score:3, Informative)
Care to read 35 other books that say the same thing? Here's a review of them, and 3 movies: Unprecedented Corruption: A guide to conflict of interest in the U.S. government [futurepower.org].
Re:Email retention Policy. (Score:2, Informative)