Proofpoint: Security, Compliance and the Cloud

Posted by Fortiva Blog Editor

In my previous posts I discussed two cases where lawyers were sanctioned for e-discovery misconduct and reviewed in detail some of legal counsel’s e-discovery obligations.   Here are 2 more cases, each one representing another of counsel’s duties when it comes to e-discovery.

Duty to Advise Client of Preservation Duty & Consequences and Duty to Advise with Specificity 

In Samsung Electronics Co., Ltd. v. Rambus, Inc. 2006, it was found that general admonitions by counsel to preserve relevant documents was insufficient and counsel should have instructed on the subject matter and kinds of documents to preserve.  In its findings, the court discussed the duty of counsel to assure retention of documents relevant to litigation, and criticized counsel with respect to advice given regarding document preservation. 

Duty to Supervise

In Cardenas v. Dorel Juvenile Group, Inc., 2006, the court granted monetary sanctions and emphasized counsel’s duty to adequately supervise the e-discovery process. "Trial counsel have a duty to exercise some degree of oversight over their clients' employees to ensure that they are acting competently, diligently, and ethically.  This includes identifying the persons responsible for the matters that are the subject of the document requests; identifying all employees likely to have been authors, recipients or custodians of documents falling within the request; and reviewing all documents received from the client to see whether they indicate the existence of other documents not previously retrieved or produced.”

While this is by no means an exhaustive list of counsel’s obligations when it comes to e-discovery, the implications are clear; it is now considered the professional, personal, and ethical responsibility of lawyers to ensure that e-Discovery is done, and that it is done right.   

It follows them, that legal counsel needs to be proactive when it comes to understanding, recommending, and implementing email archiving and e-discovery best practices for the organizations they represent.

Read more on the Qualcomm and Beyond series - Part 1 - Part 2 - Part 3 -

Posted by Fortiva Blog Editor

If you think the Qualcomm case was an isolated incident with an unusually severe judge and ruling, think again.  The list of cases where lawyers have been sanctioned for e-discovery misconduct is long and distinguished.  Here is a good example.

The 2006 Phoenix Four Inc v. Strategic Resources Corp., decision indicates that counsel has a duty to be proactive regarding their client’s e-discovery.  In this case, SRC Corp. had ceased operations and was evicted from its offices after the legal dispute had commenced.  As a result, during discovery they claimed that there were no computers or electronic records to search.

Although counsel had discussed with the defendants the need to locate and gather paper and electronic documents, it was still found that counsel had “failed in its obligation to locate and timely produce the evidence stored in the server that the Defendants had taken with them.” The court held the attorney responsible for not asking about hidden partitions in his client’s servers, where it turns out, is where most of the evidence was later found.

According to the judge in this case, counsel's obligation is not confined to a request for documents; the duty is to be proactive and search for sources of information.  The expectation was that counsel would undertake a more methodical survey of the Defendants’ sources of information, and not simply accept the defendants’ representation that, because it was no longer in operation, there were no computers or electronic collections to search. 

The judges expectations did not end there, however.  Counsel was also expected to have asked what had happened to the computers and whether information was stored on the server that the defendants had kept.  And, in the absence of a satisfactory answer to that question, counsel would have been expected to direct that a technician examine the server.  According to the court, this forensic effort is no different than questioning the information technology personnel of a live enterprise about how information is stored on the organization’s computer system, and is therefore considered part of counsel’s duty. 

The court found counsel's "deficiencies here to constitute gross negligence" and awarded monetary sanctions against counsel and client.

Read more on the Qualcomm and Beyond series - Part 1 - Part 2 - Part 3 -

Posted by Fortiva Blog Editor

In my previous blog series entitled “FRCP Case Law Review: Is Your Company Really Prepared?” I reviewed some recent case examples illustrating what all organizations, and IT departments in particular, should be aware of when it comes to e-discovery and FRCP compliance.  In my research, I came across several cases where lawyers (not the organizations they represented) were sanctioned for e-discovery misconduct, indicating that in the eyes of the court, legal counsel has very definite e-discovery obligations. 

This series of blog posts will explore some of these e-discovery obligations in light of recent cases where lawyers have been sanctioned for e-discovery misconduct.

In the well-known Qualcomm Inc. v. Broadcom Corp. ruling, the court found that Qualcomm’s attorneys assisted Qualcomm in committing “Monumental Discovery Violations” by:

1. intentionally hiding or recklessly ignoring relevant documents
2. ignoring numerous warning signs that Qualcomm’s document search was inadequate
3. blindly accepting Qualcomm’s unsupported assurances that its document search was adequate.

The significant ruling that followed definitely made the legal community sit up and take notice.  The court sanctioned Qualcomm $8,568,633, ordered certain members of their in-house and outside Counsel to participate in a "Case Review and Enforcement of Discovery Obligations" Program, and referred six of Qualcomm’s outside counsel to the State Bar for possible ethics violations. 

Pretty serious stuff!  And to think, an email archiving solution could have made a huge difference in this, and many other cases, by providing a central, searchable, de-duplicated, repository of email data to use for the enforcement of litigation hold orders and the execution of legal discovery requests.

Clearly, legal counsel has a duty to ensure that their client conducts a comprehensive, appropriate document search.  This begs the question: what other responsibilities lie in the hands of legal counsel when it comes to e-discovery?  Stay tuned for my next blog post in which I will review several more recent cases that clearly answer that question.

Read more on the Qualcomm and Beyond series - Part 1 - Part 2 -  Part 3 -

Posted by Fortiva Blog Editor

The final three case examples in today’s post complete my series on FRCP Case Law Review. Clearly, these examples reinforce the need for organizations to centrally archive all email, enforce policies and litigation holds, perform enterprise search and easily conduct early case assessment, all of which can be accomplished by implementing an effective email archiving solution such as Fortiva. 

Complete Information Expected; Relying on End Users for Policy Enforcement is not Sufficient
Intel vs AMD (April 2007) - Ordered to search back-up tapes to find user-deleted email, resulting in millions of dollars in expenses In this case, Intel claimed that it put a clear retention policy in place once it learned of AMD’s legal intentions. Employees, however, didn’t always follow the instructions. Intel was compelled to search back-up tapes to produce past email messages. In April 2007, the Wall Street Journal reported that Intel “spent $3.3-million to process computer tapes to help recover missing emails and expects to spend ‘many millions of dollars’ in the effort.”

United Medical Supply v. United States (Sept. 8, 2006)- Sanctioned for allowing deletion of email by depending on employees to follow policy In this case, the government was sanctioned for allowing email to be deleted. There was no centralized email archive, so the government depended upon employees to follow policies for keeping email. A government attorney properly notified those involved to hold email according to the policy, however, some emails were still deleted. The court ultimately ordered the government to reimburse United Medical Supply for some of their discovery costs and barred them from cross-examining United Medical Supply’s expert witness on various aspects

Litigation Hold Must be Implemented and Enforced When Litigation is Expected
Doe v. Norwalk Community College (July 16, 2007) - Failure to conduct legal hold results in adverse jury instruction, legal fees awarded In this case, the court specifically cited the defendant’s failure to “put a litigation hold in place.” The court said that Doe was entitled to an adverse instruction to the jury regarding destroyed evidence. In addition, the court awarded some legal fees and the reimbursement of expert fees.

Read more on the FRCP Case Law Review series - Part 1 - Part 2 - Part 3 -

Posted by Fortiva Blog Editor

In my previous post, I reviewed a couple of FRCP related cases that clearly illustrated the notion that under the FRCP, deadlines must be met and cost is not a valid excuse.  Here are some more interesting e-discovery case summaries where the stipulations of the FRCP were upheld. These law suits could have easily been avoided had the defendants been proactive and implemented effective solutions that would allow them to perform searches and retrieve relevant electronic records in a timely manner.

Need to be Prepared to Produce any Emails, Regardless of Format
Peacock v. Merrill (Jan. 17, 2008). In this litigation, the defendants sought production of electronic tax information, and the plaintiff claimed the motion was moot, arguing she had already fully produced responsive documents. The defendants sought an exact replica of a floppy disk to determine if the plaintiff fully complied with the discovery request. Relying on FRCP 34(b)(i)-(iii), the court ordered production of disk files in native electronic format to ensure access to all metadata, determining that the date stamps of many of the documents were relevant.

Mere Assertion of Burden Insufficient to Relieve Production Duties
City of Seattle v. Prof’l Basketball Club (Feb. 25, 2008). In this dispute over performance of a lease agreement, the plaintiff filed a motion to compel the defendant to search and produce responsive e-mails from six of its eight members. Having produced 150,000 e-mails from two of the members, the defendant objected to this request, claiming the search would “increase the universe exponentially” and would generally produce irrelevant documents. Finding a principal-agent relationship between the defendant and its members, the court determined sufficient cause to demand the documents from its members as the defendant was in possession, custody or control of the e-mails at issue. The court, therefore, ordered the defendant to produce e-mail from the remaining four members at issue, finding the defendant’s claim of burden to be insufficient under Fed.R.Civ.Pro. 26(b)(2)(B).

Simon Prop. Group, Inc. v. Taubman Ctr., Inc., (Jan. 24, 2008). In this suit involving securities and tort claims, the defendant contested the enforcement of third-party subpoenas. The defendant argued that compliance with the subpoenas would be unduly burdensome and expensive since the search terms provided by the plaintiffs resulted in the identification of over 250,000 files. The defendant claimed it would take three full-time employees four weeks to determine the responsiveness of those documents. The plaintiffs offered to narrow the scope of the search by time period, search terms and perhaps even limit the number of servers to be searched. The court granted the plaintiffs’ motion to enforce the subpoenas, holding the requests were not unduly burdensome as discovery of electronic files are common place in business litigation.

Read more on the FRCP Case Law Review series - Part 1 - Part 2 - Part 3 -

Posted by Fortiva Blog Editor

Since the Federal Rules of Civil Procedure (FRCP) were amended in December, 2006, much has been published on this topic.  Numerous studies and papers tackled topics from how companies were responding, to whether or not they were prepared, and even whether or not they understood the amendments and their implications. 

While all these surveys, studies, articles and discussions were taking place, real cases, with real organizations were being tried in real courts – with real consequences.  Over the last year and a half, a multitude of court opinions on electronic discovery have been issued. While these rulings vary in their impact, they all point to the fact that the FRCP is an undeniable reality for organizations right now.  All organizations, and IT departments in particular, should be aware of what’s really expected by the courts and must be prepared to comply with the FRCP.

This blog series will review the most notable recent e-discovery cases, illustrating how the courts interpret and uphold the FRCP requirements, and the consequences they dole out for non-compliance.

Deadlines must be met; Cost is not a valid Excuse
Best Buy v. Developers Diversified Realty (February 1, 2007) - Ordered to produce information within 28 days, regardless of cost. In this case, the defendants (Diversified) argued that the emails and other electronic documents that were requested by Best Buy were not “reasonably accessible” (they existed only on archived, electronic backup tapes). Diversified cited a cost of $125,000 to recover the information. The judge did not accept the argument and ordered that the information be produced within 28 days, including IT time and legal preparation.

Williams v. Taser International (June 4, 2007) - Ordered to conduct specific searches and produce results in 30 days, regardless of cost. In this case, neither party could agree on what data should be produced for discovery. In an effort to move the case forward, the judge ruled that the defendant, Taser, must run twenty-one (21) specific searches to identify a collection of "presumptively responsive documents." Taser had thirty (30) days from entry of the Order to produce all such documents in a “searchable, electronic form”.

And this is just the tip of the iceberg.  Stay tuned for more case reviews in my upcoming blogs.

Read more on the FRCP Case Law Review series - Part 1 - Part 2 - Part 3 -

By Fortiva Blog Editor

Earlier, we mentioned that for several reasons email archiving is best managed by a SaaS specialist rather than on-premise. Here is a more in-depth look at the time, effort, and costs involved with each deployment method so that you will get a better understanding of why SaaS is the better choice for an email archive.

Planning
Before implementing an on-premise archive, IT has to conduct some upfront planning that includes identifying the required infrastructure, designing the implementation, projecting growth requirements, and determining the upfront capital costs involved. Adequate planning will run between 3 to 6 months on average. On the other hand, SaaS implementations such as Fortiva require a limited amount of planning on the customer’s part and can be done in 1 to 14 days depending on the size of the customer and number of locations involved.

Implementation
For an on-premise solution, getting up and running means purchasing the required hardware, installing the archiving software, integrating it with existing systems, and testing it to make sure that the solution does not create problems with other applications. If you want to maintain a redundant copy of the archive as a risk-reduction feature, you will have to repeat this process in a secondary data-center and adjust your budgets accordingly. On average, this entire process can take 2 to 4 months for an on-premise solution. For a SaaS solution, getting up and running just means plugging in the application and adding in the user names which can be done in a day. Total implementation time for a SaaS solution is typically 1 to 5 days.

Maintenance & Management of Data
There are several tasks that must be done on an on-going basis in order to maintain an email archive. Generally the tasks include data disposition to ensure that emails that have exceeded the retention term are deleted from the archive; backing-up the archive on a regular basis to make sure archived data is properly preserved and recoverable when required (this can be a challenge as the archive grows over time); monitoring the archive to identify problems; and troubleshooting hardware failures, outages, and other issues as they come up. For an on-premise solution, this will require a great deal of IT time and may require additional resources. However, with a SaaS solution, all these management and maintenance related tasks are taken care of by the solution provider thus allowing the customer organization’s IT team to focus on their other priorities. Additionally, SaaS solutions such as Fortiva provide customers with 24x7 monitoring and issue resolution, which is rarely the case with an on-premise archiving solution.

Performance & Upgrades
The nature of archiving is such that you will eventually run out of storage. This makes it necessary to perform ongoing capacity planning to ensure storage requirements are met as the archive grows. For an on-premise solution, this will require the purchase of additional servers and data center space as necessary. Additionally, it is important to note that technology is constantly being improved and hardware options for data storage will inevitably undergo significant changes within 3 to 5 years.  This makes the likelihood of moving archived data to newer storage technologies very high and will require a high level of expertise on behalf of your IT team. Finally, if the hardware is not upgraded as necessary, it will be difficult for on-premise solutions to search and export data in the case of discovery requests.  With a SaaS solution, the solution provider takes care of the ongoing capacity planning and has the expertise to perform complex and time-consuming tasks such as migrating data to new technologies. SaaS companies, such as Fortiva, are big on R&D and are constantly looking for ways to make the archive better and they ensure that product upgrades are automatically applied without additional costs to the customer. In addition, SaaS solutions leverage the shared infrastructure of a multi-tenant SaaS architecture to provide access to hundreds of servers on-demand ensuring enterprise-grade search performance. In fact, Fortiva is the only company in the industry who backs up their search performance with a guarantee.

Basically, the implementation of an on-premise email archive is a significant commitment and undertaking for IT which only grows as the archive increases in size. Considering the management time, effort, and costs involved with an email archive, the decision to go with a SaaS solution should be an easy one.

By Fortiva Blog Editor

Exciting times are in the horizon as it was announced today that Fortiva has been acquired by Proofpoint, a leading provider of SaaS solutions for email security, data loss prevention and email management. Proofpoint will now be offering Proofpoint Email Archiving as a complementary product to its email security platform. As stated by Gary Steele, CEO of Proofpoint, Inc., “Fortiva’s email archiving solution is the most advanced, secure, easy-to-deploy and cost-effective solution in the market today and we’re excited to have Fortiva’s team and technology as part of Proofpoint. Fortiva’s on-demand solution is a natural extension to Proofpoint’s email security platform, so nearly all of our customers can deploy and benefit from Fortiva immediately.”

What does this mean to Fortiva's customers, partners, and friends? All this means is that customers will benefit from increased R&D investment in Fortiva products, enhanced integration of Proofpoint's complementary solutions, and access to Proofpoint's golbal support and services. Partners will also benefit from Proofpoint's world-class partner program which provides a broader portfolio of solutions.

Read the full press release to find out more about this exciting change.

Posted by Fortiva Blog Editor

Over the past year, SaaS solutions have been rapidly pervading the enterprise space and the SaaS market has been heating up.  Despite this trend, you should keep in mind that SaaS only makes sense for certain types of situations and may not be suitable for every organization. 

So how do you know if SaaS is the right choice for your organization? The first step is to consider both the advantages and disadvantages of the solution, depending on the situation. (Note that not all SaaS solutions are created equal – when considering a specific solution, it is important to review each of the benefits and drawbacks of the solution under evaluation as they will not apply in every case)

Benefits of SaaS
One of the main benefits is the fact that since you do not need to purchase any hardware or additional infrastructure to set up a SaaS solution, you are saving on capital costs; the only cost is the ongoing operating expense every period. You only purchase services that you require and pay-as-you-go.  As such, your TCO is lowered. Also, because you do not have to install additional infrastructure, the implementation of a SaaS solution is quick, easy, and less expensive. Additionally, by having another party (the SaaS vendor) manage this aspect of your business, you are relieving your internal resources of this burden while at the same time enjoying the benefits of constant upgrades and full help-desk services that the vendor provides. Finally, since you are sharing computing resources with other SaaS customers, your users get on-demand access to this powerful infrastructure regardless of how frequently you need to access it.

Drawbacks of SaaS
Since SaaS solutions deliver the same general functionality to every customer, it may be difficult for you to customize your solution. As you run the SaaS solution, you may realize that there are some “add on” costs for additional items such as testing, support, storage, and integration that may not be apparent during the initial sales process. These hidden costs add to the total cost of the service and may make the solution expensive to run. Additionally, with up to 85% of SaaS solutions being sold directly to business units without the input of IT, there is a potential for businesses to make software decisions that cause problems in the long run in terms of integration with other systems, availability and corporate security requirements. Finally, you may also be exposing yourself to increased security threats by sharing your data with a third party vendor.

It’s important to note that not all business applications are ideal for SaaS deployments.  As we talked about earlier, it makes sense to outsource context applications to a SaaS provider so that the burden on your internal resources is relieved and your business can focus on its core functions. 

For several reasons, an email archive is one such business application that is best managed by a SaaS specialist rather than trying to manage it on-premise. For instance, being a storage-intensive application, an email archive takes a significant amount of time and effort on the part of IT to manage; moreover, the resources required – including both infrastructure and IT staff – continue to increase as the data in the archive grows over time. Having a SaaS provider manage this aspect of your business will free up valuable resources and IT time which could be better used towards your strategic activities. The key is to find the right SaaS email archiving provider – one that has all the benefits and is modeled to address the drawbacks mentioned above – to manage this aspect of your business.

Posted by Fortiva Blog Editor

As you may already know, an effective email archive can help your organization save a lot of time and effort if you ever face a legal discovery request. You need to ensure that your archiving solution is well equipped and allows you to perform several functions with ease such as enforcing an email policy, searching and retrieving data, and placing litigation holds. Being able to place litigation holds is especially important so you can save yourself from receiving a guilty verdict due to spoliation.

At Fortiva, we often hear from IT professionals who are confused about the meanings or implications of legal discovery terms.  If that sounds like you, then this series of definitions with related case examples should help you to better understand your legal counsel or HR department the next time you face an eDiscovery request.

Legal Discovery
Basically, legal discovery is a part of the pre-trial phase in a lawsuit when the parties involved in litigation can request documents and other evidence from the opposing side.  The parties can compel the production of evidence by using a subpoena or other discovery devices such as request for production and disposition.  Essentially these discovery orders can target any source of data within an organization, be it electronically stored or on paper, but frequently the email system and file servers are at the top of the list. According to Socha Consulting LLC, for the average litigation case, email represents 80% of the requested documents.

FRCP
The Federal Rules of Civil Procedure (FRCP) governs the conduct of all civil actions brought in the U.S. Federal district courts. Recent amendments made to the FRCP require all companies to retain all their corporate correspondence (including electronic online records) and make them available to the court in case of a lawsuit, without the court having to ask for them specifically.  These amendments were developed to make court proceedings more time-efficient. A brief description of the new amendments and its implications on electronic records retention and management can be found here.

ESI
The Sedona Conference defines ESI as electronically stored information, regardless of the media or whether it is in the original format in which it was created as opposed to stored in hard copy. With over 70% of business-critical information being stored in email and other electronic messaging resources, ESI has become an increasingly important source of evidence in lawsuits today.

eDiscovery
Electronic discovery is commonly referred to as eDiscovery and is defined as the process of identifying, collecting, preparing, and producing ESI for the purpose of obtaining evidence in a legal process.

Litigation Hold
A litigation hold is a communication or process used by companies to advise their employees of pending or anticipated litigation and ensure that relevant records are not destroyed. Relevant records are documents that may pertain to the upcoming litigation and according to the FRCP, this includes email messages and attachments. Failure to preserve documents for a litigation hold can have very negative consequences during a trial (see spoliation below). A litigation hold may also be referred to as “legal hold”, “preservation order”, “suspension order”, “hold order”, “hold notice”, or “freeze notice”.

Spoliation
Spoliation is the destruction or significant alteration of evidence, or the failure to preserve property for use as evidence in pending or foreseeable litigation, audit, or government investigation. Spoliation is considered a criminal act, regardless of whether the records were destroyed intentionally or accidentally, and may result in fines or incarceration. It can also lead to a negative inference finding that can ultimately lead to a guilt verdict.

To effectively prepare for litigation, your organization must be familiar with the laws and regulations that impact your industry. Additionally, it is crucial for firms to have effective technologies in place so that they are able to respond to legal discovery requests and avoid spending a considerable amount of time and money in litigation. Later posts in this series will look at the above defined terms in more detail and provide actual case examples where a lengthy lawsuit could have been avoided had the firm implemented an effective email archiving solution.