E-Mail -- A Company's Forensic Nightmare

Despite a handful of recent cases where emails and electronically stored files helped to bring down corporate executives or even an entire company, few IT administrators appear to have their electronic documents under control.
Posted November 18, 2002

Cynthia Flash

Lawyers are having a field day sifting through electronic documents in their attempts to unearth evidence of corporate scandals.

They've had considerable success, as can be seen by the recent corporate black eyes or maimings given to executives at companies like Enron, Arthur Andersen LLP and WorldCom, Inc.

In most cases involving corporate fraud or investigations run by government regulators, a company's vast stores of electronic data have been used as evidence against it. Merrill Lynch in May agreed to pay $100 million in fines after government lawyers found internal e-mails in which research analysts for the Wall Street brokerage house described the same stocks they were recommending to clients as ''junk.''

Despite the recent headlines, few companies appear to have their electronic documents under control. And this is regardless of the fact that within four years there will be 60 billion daily worldwide e-mail messages exchanged, according to Framingham, Mass.-based market research firm International Data Corp.

A September 2002 survey by Chicago-based management consulting firm Cohasset Associates Inc. found that 53% of some 500 to 600 organizations surveyed said they don't include electronic records in their records management program. The survey also found that 68% are not at all confident or only slightly confident that their organization could successfully demonstrate that its electronic records are accurate, reliable and trustworthy many years after they were created. And 39% of the organizations do not have a formal policy regarding retention practices for e-mail.

''In litigation, the largest cost component is discovery and the most fertile source of evidence is e-records, specifically e-mail,'' Cohasset president Robert F. Williams wrote in his report. ''Not having any e-mail retention policies (means) amassing vast volumes of communications that are costly to retain, even more expensive to search through in response to discovery requests, and may unwittingly supply information that is harmful to the organization if disclosed in response to discovery requests.''

In the past, many companies took a reactive approach to electronic record management and waited until they had to produce documents as a result of a lawsuit or corporate merger. But that decision could ultimately cost them more.

Waiting, say analysts, is not a viable option.

This past July, President George W. Bush signed the Sarbanes-Oxley Act of 2002 in an effort to create more corporate oversight and protect shareholders from future Enron-like debacles.

The Act sets penalties for destructing records, lays out document production requirements and specifies how long certain records must be retained.

More than ever, corporations are turning to experts in electronic discovery and data retention to help them determine what to do with their digital records.

''Nobody is immune from having to produce data,'' says Deanna Loy Schuler, an industry consultant and former vice president of sales and marketing with Electronic Evidence Discovery in Seattle. ''If you get on the wrong side of litigation, you'll be asked to pull data. If you can't do it, you'll be turning over more than you need to.''

Industries that are highly regulated by government agencies -- pharmaceutical, health care and financial services companies -- are leaders in this area because of already set government regulations. But other companies need to take this as seriously, say industry observers.

For help, they can turn to companies that specialize in this area, such as Cohasset, Electronic Evidence Discovery, or Applied Discovery. They also can turn to the large consulting firms, like Deloitte & Touche or Ernst & Young, which have their own divisions that specialize in this area.

Companies that can't afford to hire a consultant can turn to trade groups, like The American Records Management Association (ARMA) or The Association for Information and Image Management (AIIM), which offer seminars and free advice online.

These consultants and organizations help companies do three things with regards to records management. First, companies must determine what records they have and where they're stored. Second, companies must determine what records to keep and how to keep them in a way that is easily accessible if they are required to produce them. Third, companies must establish a retention schedule so they don't have to keep records forever and they can defend -- in court if need be -- their decision to destroy old records.

Virginia Llewellyn, lawyer and director of industry relations for Applied Discovery based in Scottsdale, Ariz., cited a lawsuit in which an IT professional for a large Silicon Valley firm let slip that he had more than 800 backup tapes in a closet. His lawyers didn't know this and the firm was forced to make those tapes available to the opposing side.

''It was devastating to the case,'' Llewellyn said. ''It cost millions of dollars to review that amount of information.''

Just as important as having an electronic records policy is educating employees about it.

Employees must be told that just because they pushed the delete button on an e-mail or an electronic file doesn't mean it's really gone.

Having a successful electronic records policy requires the cooperation of the IT department and the company's lawyers.

''All companies need to worry about their records,'' says Betsy Fanning, director of standards and content development for the Association for Information and Image Management. ''You have to look at it as if your records are a snapshot of your company... Companies need to think in terms of how do they want their company to be remembered.''

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.