Psystar Case Reveals Poor Email Archiving At Apple

Ian Lamont writes "Buried in the court filings of the recently concluded Psystar antitrust suit against Apple is a document that discussed Apple's corporate policy regarding employee email. Apparently, Apple has no company-wide policy for archiving, saving, or deleting email. This could potentially run afoul of e-discovery requirements, which have tripped up other companies that have been unable to produce emails and other electronic files in court. A lawyer quoted in the article (but not involved in the case) called Apple's retention policy 'negligent.' However, the issue did not help Psystar's lawsuit against Apple — a judge dismissed the case earlier this week."

e-dicovery?

[Dutch Gun]

The fear of fines and other legal sanctions has resulted in many companies instituting strict "e-discovery" retention policies, and has helped give rise to a new class of enterprise-class storage and indexing tools.

I think "iDiscovery" is a much catchier name...

Joking aside, I kind of wonder about the practicality of requiring companies to retain their own documents in case of possible litigation against them. Won't this simply encourage people to use alternate means for any sort of confidential communications? Also, what proof is there of a lack of tampering? I'm not saying Apple is guilty of this, but it does cross my mind in a general sense. It seems only natural that executives will be more cautious of saying anything even remotely incriminating via e-mail. More face-to-face meetings in the future, I guess.

email is for communication... not documentation

[iamhigh]

I tell this to users all the time. Email is for communicating... not storing documents and information. Do we require companies to record all phone conversations? What about documenting meetings and informal conversations (where the real magic happens)? Why is email different? Yes I know the laymans answer - because it is already half way retained. But that doesn't equate to legal requirements for a company to retain ALL email. That is actually quite a burdon. The intranet, CMS, ERP, $software_solution, and paper copies are all that should be REQUIRED for legal proceedings.

Now, some IANAL (or IAAL) tell me why I am completely wrong.

Re:email is for communication... not documentation

[chill]

The financial industry requires all that. Where I work (broker/dealer and investment management firm) EVERYTHING is recorded. E-mail, phone calls, meetings, etc. IM and the like are forbidden. We even get copies of every fax sent/received and paper letter sent by investment advisers. All of it. Yes, it is a royal pain.

Re:e-dicovery?

[the eric conspiracy]

I kind of wonder about the practicality of requiring companies to retain their own documents in case of possible litigation against them.

There is no general requirement. Many companies have document destruction policies - for my company we automatically delete all email older than 90 days.

Some records have to be kept - financial records, taxation, etc. Invention records for patents, and so on. If you are in the financial industry the SEC requires 5 years for everything. If you are in a lawsuit the judge might order you to stop destroying stuff - I think Prudential got hit with a fine because nobody told their IT department to turn off their automating pruning process.

Sarbanes-Oxley

[BitterOak]

I thought that since Apple is a publicly traded company they are required to retain ALL corporate e-mails as a result of Sarbanes-Oxley legislation. What am I missing here? (IANAL, so I'm genuinely curious.)

Re:Sarbanes-Oxley

[vvaduva]

Yes, SOX section 802 can bring criminal penalties if audit records (which can include email messages) are not maintained. It sounds like Apple may not be SOX compliant.

Re:email is for communication... not documentation

[Anonymous Coward]

Now, some IANAL (or IAAL) tell me why I am completely wrong.

IANAL, but IAARecordsProfessional.

You're really not wrong. The fact is e-mails are capable of substituting for lunch-room gossip, post-it notes, memorandums, and corporate letterhead.

The problem is that most users, particularly of the age and experience level to make executive business decisions that exist purely as communication, have *not* received training on how to distinguish between those degrees of what constitutes an e-mail Record. Hence, save-it-all policies. (Or with some employees, print-it-all habits.)

Most companies say take minutes of meetings, and write down what you said during an important phone conversation. Make a record; have corroboration; cover your ass.

Explaining that e-mails not only have haunting and embarrassing consequences, but can put a company on the line for millions of dollars, is apparently something that only the newspaper headlines or personal grief can teach.

Most professionals in most fields already spend at least a third of their day trying not to fall behind on reading and writing their important e-mails. If we add consistent and reliable filing policies to that mix, we'll need to extend the work week to 60 hours, or give everyone an e-mail clerk. Then it's a geometric increase in workload as more people try to do more work, burn out faster, and the staff turnover creates more work for those left behind.

And when you stop to realize that 90% of the world's business-critical e-mails are holed up in Outlook .PST files... well let's just say I'm in a stable career. ;-)

LOL! Step 1 = read article, Step 2 = comment

[ReedYoung]

It was not a statute at all, it was just Anonymous Coward's (TM) sales pitch in the guise of legal counsel. From the first article:

An e-discovery lawyer, who asked not to be named because his employer (a firm you probably have heard of) doesn't want him speaking to the press, explained the basic legal requirements surrounding email and document retention to The Standard. "If litigation is anticipated, the party has a duty to preserve potentially relevant documents," he said.

Playing safe does indeed indicate good record-keeping. I'm still not a lawyer, but that seems like reasonable enough legal advice. However, he has more to say.

"An employee retention program with no organization or coordination is effectively incapable of compliance," he continued, "barring an act of God, or luck akin to picking every game right in an NCAA pool. Apple's retention policy is negligent."

Do you mean "negligent" in the legal sense, or the colloquial? Because, you know, now that you're being cited as an e-discovery lawyer, the inclination will be to assume that everything you say is your legal opinion or best counsel based on the sum of relevant statute and precedent.

Consider this scenario: Employees could have emails from five years ago that become "potentially relevant", but because there was no policy in place regarding e-documents, those records could easily become destroyed -- making it potentially impossible for a plaintiff to make a case from internal documents.

That could only be a problem under an ex post facto law, in my opinion. I am still not a lawyer, so if I'm right [meaning his advice is not so hot], we now have a good idea why "his employer (a firm you probably have heard of) doesn't want him speaking to the press."

However, Apple claims in the Psystar document that its policy is fine because once the company anticipated litigation:

[Apple] identified a group of employees who could potentially have documents relevant to the issues reasonably evident in this action. Apple then provided those individuals with a document retention notice which included a request for the retention of any relevant documents.

Psystar's antitrust claim has been dismissed, but Apple is currently involved in many other cases. Apple's weak e-discovery practices could very well come back to haunt the company.

That is of course possible, but "could very well" normally implies high probability, and that is not supported by the facts given in this article. Obviously, he has a product to sell, but I would have come away with a more favorable impression of e-discovery software if he had said something more like, "if the evidence against you is as weak as the evidence against Apple in this case, you don't need a data retention policy any better than Apple's. However," I would continue if I was trying to sell some e-discovery software, "in case of better-organized litigation against you than this case, a more comprehensive data retention policy might be in your best interest." See, instead of making my sales pitch on a case that, taken on its own, indicates that my product is unimportant, I would acknowledge that my product was not important in this case, but suggest that it is not wise to assume that every case will be so easy. I think my approach appeals less to the customer's fear, and more to the careful consideration that will need to be evident in an approved purchase request.

Vague guidelines are good

[Anonymous Coward]

Our legal people won't respond to IT requests such as 'how long should we keep backups' The problem being that if they give an answer it can be used against the company.

Not having a guideline at all is the best way to circumvent that. Of course they do have a guideline for employees to delete all emails that are no longer pertinent to their jobs, but those guidelines are there for the same reason. It's all about deniability.

So I'd call this smart, not negligent.

Re:e-dicovery?

[Degrees]

Actually, there is a general requirement - although it's a special case, kind of. It's called FRCP [cornell.edu] - Federal Rules of Civil Procedure. So, it's a special case in that it only applies when you show up in Federal court. But it's a general requirement in that any case that gets ruled against can be appealed, and after enough appeals, you end up in Federal court. The Cornell link also points out that a lot of state courts are accepting the FRCP rules as reasonable for their proceedings.

I've been told by our legal counsel the same thing mentioned in TFA: "If litigation is anticipated, the party has a duty to preserve potentially relevant documents". The obvious case is when someone's death (due to negligence) is involved. The less obvious case is when the boss starts an affair with one of the administrative assistants. Do you keep the love letters? Is litigation anticipated? What if the boss has authority over job promotions?

Problem 1 is that the automated "we delete after 90 days" system may not have a provision for "well, delete all except foo and bar". (And, BTW, foo might take five years to get to court, and bar might never). Problem 2 is that it's probably not reasonable to expect end users to be able to classify keepers from trash. If they weren't love letters, but rather evidence of sexual harassment, should the victim have been allowed to keep them? If corporate policy says no....

I don't know if this was the same case you were thinking of, but Morgan Stanley agreed to pay $15 million [computerworld.com] in fines for its failure to retain e-mail messages.

Re:e-dicovery?

[Lord Kano]

Won't this simply encourage people to use alternate means for any sort of confidential communications?

YES.

Two weeks ago, where I work, there was a new training module that we had to complete. One of the topics was email and discovery. We are specifically prohibited from speculating about anything in email because it can be a part of discovery. If we have concerns, we are to walk to the person's office and discuss it with them in person.

LK