When an email arrives at global insurance broker Willis, a decision about the message’s future is made almost immediately. If the email relates to a customer transaction, it is printed off and a paper copy kept in that customer’s file, stored away in the company’s massive paper archives. If it does not, the email is deleted.
“We only keep those emails that are substantive and relevant to a customer history. Emails that are conversational rather than authoritative are binned,” says Mike Wright, Willis’s group IS director. “We try, on the whole, to keep our e-records down to the bare minimum,” he explains.
The reason for that relatively new policy: the court case resulting from the world’s largest ever insurance claim. In 2001, Willis brokered the insurance on New York’s World Trade Center, and post-9/11, has been required to disclose millions of its executives’ old emails from that period.
That approach flies in the face of a deluge of advice from storage suppliers: Keep everything sent or received, they say, or suffer the consequences when court action or a regulator’s enquiry demands full e-disclosure.
Many companies are heeding that advice, with the result that email management systems and software have become big business to storage systems and software management companies. According to industry research by Gartner, spending on email management at large companies is running at around $1,600 per user per year. The email management burden has given rise to a whole ecosystem of software and services companies whose products are designed to eliminate at least some of the associated pain, cost and risk.
Certainly the risks of deleting emails prematurely, either by accident or deliberately are substantial, and a number of high-profile companies have fallen foul of the law in that respect – Microsoft, Arthur Andersen, Ciba-Geigy, Norwich Union, to name a few (see box,’Email offenders’).
The laws and regulations surrounding email retention and the legal admissibility of emails, however, remains fuzzy and there is considerable confusion among IT directors as to what should be kept – and for how long – and what should be discarded.
“The largest issue in email compliance is understanding which regulations are applicable,” says Charlie Brett, an analyst at IT management adviser the Meta Group. “This is particularly true in the US, where regulatory bodies such as the Securities and Exchange Commission and legal binds, such as HIPAA and Sarbanes-Oxley, have set requirements for privacy, retention and supervision of email,” he says.
The rest of the world, including the European Union, Canada, Japan and several other nations are not far behind in implementing similar regulations, he adds. “However, brute-force email capture and storage is still the standard operating procedure, especially in environments with thousands of users.”
In less-regulated organisations, some US-based legal counsels are recommending aggressive email purging policies – but that is the direct opposite of what is typically recommended in Europe. Either way, says Brett, “organisations must begin addressing efficient methods to capture, store and search those emails, and to treat all email as valuable – though potentially risky – corporate content.”
To have and to hold?
The trouble with email management is that it frequently relies on human intervention in order for decisions about retention and deletion to be made. That involves a hefty management burden – although systems can be set to automatically follow deletion rules.
Wright of Willis has reservations about tools that automatically delete emails according to predefined policies. “We won’t do automatic deletion on the basis that there is always an exception to whatever rule you could possibly come up with and time/date is far too blunt an instrument when it comes to deleting information in our industry,” he says.
Neither does he believe that retaining electronic copies of emails would enable Willis to manage risk any better than it already does. “To my mind, the legal position is far from clear: it’s very typical that, in court, email retention won’t help you much, because it’s extremely hard to prove that the emails relating to a specific case are complete, and have not been tampered with in any way.”
Not only that, he fears that retained emails could pose a significant threat to the business. “Employees use email as an informal, spontaneous means of communication. My main concern is that a few words in the wrong place or in the wrong tone could, in court, prove to be extremely damaging to our company.”
That is an accurate perception, says Sanjay Bhandari, senior associate at law firm Baker McKenzie. “Email is informal in tone and people are more likely to be caught off guard in an email exchange. Lawyers are getting wise to this and I have already seen numerous examples of requests for pre-action disclosure focused on emails. Opponents then seize on the informal or unguarded nature of emails and quote them back in the case to create a prejudicial impression,” he says.
That said, there is currently an overwhelming lack of UK case law relating to the disclosure of electronic documents. To compound the situation still further, the Civil Procedure Rules (CPRs), introduced by Lord Woolf in 1999, provide no specific guidance as to how the disclosure of electronic documents should be handled.
One of the main principles behind the CPRs is ‘proportionality’ – that the costs of conducting a case should be consistent with the amount of money being claimed. But electronic documents create a problem in this regard, in that their ease of creation and replication means that they tend to exist in huge volumes. No matter what efficiencies technology can bring to the process of managing them, this has a potentially significant effect on the cost of managing a particular dispute.
As a member of the Commercial Litigators’ Forum (CLF), a body composed of representatives from a range of major commercial law firms, Bhandari is working with his peers to clarify this situation. “The issue of electronic evidence generally seems to be a taboo subject among disputes lawyers, with little open discussion of how we ought to approach the difficulties posed by electronic documents,” he says.
The fundamental problem is the definition of a ‘document’ by the CPRs, which failed to anticipate the widespread use of electronic evidence in litigation, despite being introduced after the use of email had become widespread. The CPRs define the document as being the medium containing the information, rather than the information itself. While that makes sense when considering paper documents, it creates many problems when applied to records stored electronically.
In effect, it makes the hard drive, backup tape, memory strip, CD or floppy disk a document, despite the fact that these mediums will potentially contain millions of other files that have no relevance to the matter in hand. That, in turn, potentially increases the number of documents that need to be searched. In the absence of official guidance or case law on the extent of a search of electronic documents, the Commercial Litigators’ Forum (CLF) suggests that it is imperative that both sides in a litigation situation agree the parameters of a search for electronic documents before it begins (see box, ‘Discovery ground rules’).
The danger for litigators and their clients, of course, is disclosing too much information to the other side. Moreover, as Bhandari points out, the increasing capacity of electronic storage devices means that it may be many years before residual data is overwritten. He suggests that replicant, backup or residual data should only be disclosed in exceptional circumstances
In the US, he points out, the courts generally give the dissenting side in a court action access to the documents it wants, but at its own expense. The Woolf reforms have encouraged co-operation between the parties and what the CLF is proposing is not really any more than is already expected.
The main solution to the email management headache, he says, is to train staff and remind them of best practice in the creation of an email. “Email should be treated more like a formal letter than an informal telephone conversation. Most staff writing formal letters subconsciously apply this test but draft email as if they are talking to their friends,” he says. “Maybe they should be asked how they would feel if their email appeared on the front page of The Times.”