Thursday, December 07, 2006

Why you care about the new Electronic Discovery rules

On Friday, December 1st, 2006, new rules concerning electronic discovery went into effect in the US. Technically these rules only apply to federal litigation, but since they were ruled on by the US Supreme Court they can be used as precedent in any case. In a nutshell, the regulations say that all electronic communications must be saved for a period of 7 years.

Basically this brings at least part of Sarbanes-Oxley down to all levels of business. It does provide a few "outs", though. For example, Rule 26(b)(2)(B) states:

The amendment to this rule will provide that a party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. The burden would be on the responding party to show that the information is not reasonably accessible because of undue burden or cost. Even if that showing is made, the court may nonetheless order discovery if the requesting party shows good cause. The court may also specify conditions for the discovery.

That's nice, but trying to justify why it is unreasonable to store 500TB of e-mail data to someone whose knowledge of technology starts and stops with iPod ads on TV is going to be painful. And there is Rule 37(f), which I see being invoked a lot:

This amendment will provide that absent exceptional circumstances, a court may not impose sanctions on a party under the rules for failing to provide electronically stored information lost as a result of the routine, good faith operation of an electronic information system.


In other words, you can overwrite backup tapes if you can prove your backup procedures maintain full copies of documents. The questions I still have are:

  • What about revisions to documents? Do you need to maintain those?
  • What about the autosaved revisions some applications like Word, Excel and Lotus Notes create? Do those point-in-time snapshots have to be maintained?
  • What about personal computers used to conduct work-related business?
  • Or what if someone uses their personal cell phone to text message a customer are we expected to capture that?
  • What about using a personal digital camera to take pictures of a customer site? Are we supposed to confiscate the camera media so we can obtain a copy?
  • What is the liability of the systems administrator responsible for a messaging solution? Can we be held accountable at any level?
A good write-up can be found at the website of O'Melveny & Meyers, LLP. I have no relationship with them at all, I found their site while Googling for information and it was actually readable. They also provide a link to the full text of the new rules.

4 comments:

  1. Thanks for the information Charles. As soon as I saw this ruling I forwarded it to my IT director to get it to our corporate lawyer. We don't currently do any mail logging, but I have a feeling that we may have to. If we do have to start that, I think I may use a Linux domino server for our SMTP server so that I can store the mail log files on Network Attached Storage. It will be a good deal cheaper than System i storage, right? :)

    Also, does this require that BES Administrators have to start logging SMS and PIN messages from the server? Because this is a new feature in BES 4.1.

    And what about public IM clients on the desktops? Do we need to keep that? It would be a little easier now that we could use Sametime with public services, though. But we would have to prevent access to other IM clients.

    Many questions, few answers yet!

    ReplyDelete
  2. On reading this article... it sounds like you only need to make a change to your current procedures once a lawsuit begins. If that were to happen then we couldn't overwrite backup tapes due to "virtual shredding". My take is that, if there's no pending lawsuit, rather then saving everything, you mostly just need to know what you have and where it is.


    http://abcnews.go.com/Business/story?id=2693703&page=1&CMP=OTC-RSSFeeds0312

    Key phrases would be:

    "parties involved in federal litigation"

    "once a lawsuit has been filed"

    "Companies still could routinely purge their archives if the data aren't relevant to cases companies have pending or expect to face"

    ReplyDelete
  3. I just wanted to make sure everyone was aware this was lurking out there so they could formulate their own plans.

    Part of the thing that concerns us is we work with numerous suppliers, some of whom have been hit with class action lawsuits. We were asked to provide copies of electronic communications, but because we are not publicly traded there was no regulation that required us to keep those records.

    As Chris said, there are many questions and few answers yet. Our corporate attorneys are working through this now to determine what is needed to be fully compliant. Once I have an answer from our lawyers I will post a response.

    @Chris - That's one of the main reasons we switched to the BladeCenter and SAN. Upgrading storage in the iSeries was painfully expensive, and trying to get a SAN that would interoperate with the iSeries was just insane.

    @Maria - Thanks for that link. There is just so much that is being inferred or assumed right now that it's hard to know what, if anything, we should be doing. I printed out the 60 page document and it's in such stilted legalese that it's nearly impenetrable to me. It would make way too much sense if they would make this understandable by the masses instead of continually funding the legal industry.

    ReplyDelete
  4. Our NAS provider (NetApp) actually said that the reason their product wouldn't work well with Domino on the iSeries is that the 64bit > 32bit > 64bit translation is too slow. But the Linux Domino server we connect to the NAS is a 64bit server. I worked with a Domino for iSeries guy at IBM on this some and we just couldn't get Domino to mount the filesystem. We do connect some non-Domino stuff from the IFS to the NAS and it works well as a straight NFS connection from the iSeries. Seemed it was more of a Domino issue.

    Maria has some good points - thanks. I guess the glaringly obvious question is What good is having the law for "litigation" only? If you get involved in a suit, do you only have to retain 7 years of data after the suit is filed?

    ReplyDelete