New Email Rules Effective Friday

An anonymous reader writes "As of today [Friday], certain U.S. companies will need to keep track of all the e-mails, instant messages and other electronic documents generated by their employees, in accordance with new federal rules. In April the Supreme Court began requiring companies and other entities involved in federal litigation to produce 'electronically stored information' as part of the discovery process of a trial." From the article: "Under the new rules, an information technology employee who routinely copies over a backup computer tape could be committing the equivalent of 'virtual shredding,' said Alvin F. Lindsay, a partner at Hogan & Hartson LLP and expert on technology and litigation. 'There are hundreds of "e-discovery vendors" and these businesses raked in approximately $1.6 billion in 2006, [James Wright, director of electronic discovery at Halliburton Co.] said. .'"

What's next?

[Salvance]

What happens for companies that don't host their own e-mail, particularly smaller companies?

In order to save money, my company hosts our website and e-mail on a shared server. E-mails are downloaded via POP3 and immediately deleted from the server (each account can only hold 20MB online at one time). Most people then delete their e-mails after reading, so we have absolutely no way to retrieve this data.

This doesn't seem to impact my company, but at some point I fear regulators will start requiring more stringent data retention processes (among other IT tech processes). SOX has already hurt large companies, hopefully they don't start pushing some its fundamentals down to the little (non-public) folks.

Misleading

[calbanese]

Under the new rules, an information technology employee who routinely copies over a backup computer tape could be committing the equivalent of 'virtual shredding.

This is a bit misleading. Its only "virtual shredding" if you don't keep the records around for a reasonable period (either by statutory requirements or insutry standards) or if you have notice of litigation in which the evidence is relevant, and you continue to shred.

Thats why there is a document retention policy safe harbor in the rules themselves.

As amended, Rule 37 creates a "safe harbor," protecting a party from sanctions for failure to produce electronically stored information as long as it took reasonable steps to preserve electronically stored information when it knew or should have known such information was discoverable, or the failure results from loss of information during routine operation of such party's electronic information system.

FWIW, lawyers, even the "technology experts" don't seem to understand technology as well as someone who came through IT before becoming a lawyer.

(disclaimer: IT guy-turned-lawyer, so I always think I know more than "pure lawyers" when it comes to tech).

The amendments

[jwaters]

Since the linked article is light on information, I found the actual amendments [uscourts.gov] (note: PDF)

Re:Nice; tell you about new rules, just not the ru

[calbanese]

It applies to all companies. The length of time you are required to retain documents before destroying can be different for different companies. Like a poster noted, Sarbanes-Oxley defines a time period for publically listed companies. But other than that (and other industries where regulations prescribe time periods for record retention), the courts have used a "reasonable time period" requirement in the past and most commentators expect that to continue under the new rules, which are, in many ways, a formalization of previous court practice.

Re:Nice; tell you about new rules, just not the ru

[DerGeist]

Welcome to the wonderful world of scare-mongering!

This only applies to compaies [myway.com] under federal litigation, but I'm sure it'll get a lot more pageclicks if you make it sound terrifying and scream things like WE'RE ALL GONNA DIE!

Truth time, kiddies! You absolutely must hold on to email and IM data... IF it is part of a subpoena or a discvoery process, and so on. But there's nothing requiring companies to hold on to such data for any specified period of time.

Re:What's next?

[owlnation]

But TFA (I read it, sorry!) doesn't use "some"... even though logically that must be the case.

Links to the rules

[davidwr]

This link [fulcruminquiry.com] goes into a bit more detail than the article in the main /. story.

The pertinent rules appear to be the Federal Rules of Civil Procedure, specifically Rule 16 dealing with pretrial scheduling and Rule 26(f) relating to discovery and disclosure.

Cornell University has these rules online. They might be outdated already.
Rule 16 [cornell.edu]
Rule 26 [cornell.edu]

Wikipedia also has a writeup on the Federal Rules of Civil Procedure [wikipedia.org].

Do a search for rules on electronic discovery [google.com] for more commentary.

Re:Massive Pretty Good Privacy

[NatasRevol]

Well, maybe you could use Squirrelmail.

http://www.squirrelmail.org/plugin_view.php?id=153 [squirrelmail.org]

This is plain old FUD... heavy on the 'F'

[Anonymous Coward]

This is a great example of FUD... programmers need to stick to programming and lawyers need to stick to lawyering. (I happen to be both, but that's beside the point).

This is not legislation.. it is part of the court rules. In a lawsuit, you have to provide all relevant documents to the other side. In the past, there had to be a *lot* of court time wasted on deciding what was subject to disclosure (i.e. a man does work for the company from home... is his home computer subject to examination? Answer: yes). This rule change simply makes standard what most all the court rulings concluded was subject to disclosure anyway.... all it does is save wasted court time in disputes by making the rules clear.

If a company has a "document retention policy" that sais all e-mails will be deleted in 30 days, all backup tapes will be overwritten or erased in 30 days, etc., then they can continue doing that. No one has to retain anything under these rules. These rules say that anything that *is* retained, has to be turned over in a lawsuit. After a lawsuit is started (technically when a company becomes aware of a claim even before suit is filed) the company has to not delete anything they know is relevant.... but continuing to follow the published document retention policy for everything else is fine. This has been so for many, many years. Nothing is changing is this regard.

Companies that do bad things will have evidence of doing bad things.... they will want to delete things. Companies that don't do bad things will have evidence of their proper behavior, and they will not want to delete things. I was once involved in a case where a man was blinded by some chemicals. He claimed there was no warning sign. I found the e-mail in a user's mail archive confirming installation of the warning sign, dated 6 months before his injury. If that company had been deleting all e-mails 30 days old in archives (they deleted 30-day old mail, but it did not reach local archives on the users' HD), they would have lost this exculpatory evidence. As a result, they changed policy to have uses include the word "SAFETY" in the subject line of all e-mails related to safety, warning signs, safety related repairs and maintenance, etc., and e-mails with that in the subject line were excluded from the deleting policy in the future.

Re:What's next?

[MoralHazard]

companies that don't host their own e-mail, particularly smaller companies

This is a no-brainer, right? If you're the kind of company that is subject to these retention rules, having a shared email server that immediately deletes DL'd messages, with no user policy
at the local level, either, is illegal. You'd have to immediately move your email in-house and implement appropriate policies, or find a 3rd-party that can handle it, or some mixture.

If you're not the kind of company that is subject to these rules, who the fuck cares?

If you don't already know that your company is subject to these rules, and it turns out you do need to follow them, fire your in-house counsel because they're incompetent.

Re:What's next? or who's next?

[Anonymous Coward]

If they can do it for corporations, how long do you think it will be before they require ISPs to store all personal email?

Do yourselves a favor and become a part of anoNet [anonet.org] now.

Re:Nice; tell you about new rules, just not the ru

[DerGeist]

Nice try, but you are sadly wrong thanks to your slippery-slope fallacy. As long as you have a data collection policy and follow it, you're fine. Documents/data that have been shredded prior to discovery or litigation aren't your problem. If your policy is "shred every 60 days" and you follow it, and the court requests something 120 days old, your policy will stand up in court. This rule applies only to those who are currently under federal litigation or think they soon might be.

Re:Legislated expense

[Anonymous Coward]

The company I work for has been implementing this sort of infrastructure over the past year. It's hard. With all the IM clients available, getting one system that will handle all the traffic and maintain usability in the face of changing features across the field is hard enough; couple that with long term storage requirements for corporate e-mail where the culture is to send huge attachments around willy-nilly, and add in all the other changing requirements, and the burden to adhere to this new bit of legislation becomes quite a burden.

What's hard? Pick one of the jabber/xmpp servers and be done with it. Wildfire Enterprise covers logging.

Re:Exempt from all this of course

[hsmith]

Lets take an example:

The $61 trillion in unfunded liabilities we currently have for Medicare ALONE. Medicare which is set to go bankrupt in 2018, Social Security in 40 years. "Emergency war spending" so that we can "pretend" we get "closer" to balancing the budget. Printing out gobs of money destroying the value of our savings so they can pretend to pay for all this shit

Please, if you think they are somewhat honest in how they present any of the ways they pay for or fund anything you are kidding yourself.

http://releases.usnewswire.com/GetRelease.asp?id=1 24-03232004/ [usnewswire.com]

Re:Links to the rules

[Your Pal Dave]

NPR did a report [npr.org] on this today as well.

Re:What's next?

[MrNougat]

IANAL, but I have worked in IT for a company during a time when it was under subpoena.

The summary mentions companies "involved in federal litigation." If you are not involved in federal litigation (you're not being charged with a crime or sued or under subpoena), then you can do anything you like. The moment you become involved in federal litigation, you cannot destroy any electronic data, as it is discoverable by the court.

The fact that this is a new official rule shouldn't frighten anyone - this has been the case all along. The official rule just clarifies the rules as they apply to electronic documentation. The rules were written for paper and voicemail at best, not email, IM, backup tapes, etc etc.

Net effect: no change. If your small company came under investigation last year, you would still be subject to the same spirit of the law regarding data retention as you would be if your company came under investigation today.

Re:What's next?

[sBox]

If you are in the group required to do this, I'd print out and retain that message from the boys upstairs saying 'we can't afford this solution' or 'it doesn't apply to us.' I can just imagine someone saying, 'I thought we were doing this?' and the company being sanctioned. CYA never hurts, and the blank spot on your resume will be telling to your next boss.