Proofpoint: Security, Compliance and the Cloud

Our live web seminar series continues on Wednesday, June 15th as Proofpoint email archiving experts present, "Why Relying on Exchange 2010 Alone for Archiving Could Cost You."

Join us to learn about recently introduced email retention and discovery features in Microsoft Exchange 2010, the extent of those features and how they match up with today's enterprise requirements for archiving and eDiscovery.

We'll discuss why those new features may not adequately address the full legal discovery, compliance and mailbox management features your organization requires.

As I've noted here regularly, failure to properly retain email and deploy the necessary technology to enable rapid discovery of electronic records in the case of lawsuits or regulatory actions can end up costing your organization significant time, money and effort.

We'll also discuss best practices for preparing your organization for the most common eDiscovery scenarios, the feature requirements you should consider when evaluating email archiving solutions and recent trends - such as the growing use of social media in the enterprise - that you should factor in when making decisions about your enterpise archiving strategy.

To register, visit our webinar registration page or simply fill out the form below. As always, all registrants will receive a link to the replay of the live webinar, so feel free to register even is you can't make it to the live event.

Our friend Keith Shaw over at Network World has a great new "Panorama" podcast up today where two email archiving experts—Proofpoint's own Andres Kohn and AppRiver's James Dean—talk about the email archiving challenges that both enterprises and SMBs face.

In "E-mail Archiving Challenges: Two Perspectives", Andres takes the enterprise perspective while James represents the SMB space.

You can have a listen by visiting Network World's site here:

http://www.networkworld.com/podcasts/panorama/2010/060710pan-archiving-twosides.html

Or you can download an mp3 version directly to your local machine here:

http://podcasts.networkworld.com/panorama/2010/060710pan-archiving-twosides.mp3

With eDiscovery, archiving and litigation readiness very much in the headlines these days (see my recent posts about BP and Piper Jaffray), you might want to learn more about the issues discussed in this podcast. In our upcoming live web seminar, "Surviving eDiscovery" we'll discuss initial steps for compliance and litigation readiness as well as provide practical advice for both legal and IT teams. To register, please visit:

http://www.proofpoint.com/id/survive-ediscovery/index.php?id=6

Interesting article from the Wall Street Journal online yesterday about brokerage firm Piper Jaffray being fined $700,000 for "alleged shoddy email practices," exposing some of the risks related to email retention and eDiscovery.

The gist of the story is that Finra (the Financial Industry Regulatory Authority) seems to have fined Piper Jaffray for "failing to save 4.3 million emails between 2002 and 2008," according to the Journal article. Apparently, the firm also failed to disclose to Finra that it was having "intermittent trouble with email retention and retrieval during the relevant period."

You can read the full article, "Compliance Watch: Investors Often Stuck when Emails Surface" at the following URL:

http://financialadviserblog.dowjones.com/blog/stay-ahead-of-your-clients/0/0/investors-often-stuck-when-emails-surface

Don't think that this story is just a cautionary tale for financial services firms. Even if your organization isn't regulated by Finra, it's still common to find yourself in a position where you need to quickly, accurately and completely find and hold emails that are relevant to a legal action.

In fact, our most recent annual research on this topic (see Outbound Email and Data Loss Prevention in Today's Enterprise, 2009) found that nearly 25% of large enterprises said that employee email had been subpoenaed by a court or other regulatory body in the past 12 months.

Failing to promptly and comprehensively respond to an eDiscovery request can result in negative inference finding in courts of law that can ultimately lead to a guilt verdict (or the type of regulatory enforcement that seems to be going on in the Piper Jaffray case).

While we see many media reports about "smoking gun" emails, email can also come to a company's defense. That is, if a company is able to rapidly search its historic email, it can better defend itself in a legal action and better analyze the merits of a lawsuit and make better decisions about whether to fight or settle a pending case. (This technique is known as "early case assessment" in the eDiscovery world.) One typically doesn't hear about the many situations where early case assessment is used to settle a lawsuit or defuse a regulatory action before it becomes a news event!

To learn more about these sorts of eDiscovery issues, the Federal Rules of Civil Procedure that affect every company and how email archiving solutions can help lower both email retention costs and related risk exposure, download our whitepaper, Email Archiving: A Proactive Approach to eDiscovery by visiting:

http://www.proofpoint.com/id/email-archiving/index.php

Posted by Fortiva Blog Editor

The final three case examples in today’s post complete my series on FRCP Case Law Review. Clearly, these examples reinforce the need for organizations to centrally archive all email, enforce policies and litigation holds, perform enterprise search and easily conduct early case assessment, all of which can be accomplished by implementing an effective email archiving solution such as Fortiva. 

Complete Information Expected; Relying on End Users for Policy Enforcement is not Sufficient
Intel vs AMD (April 2007) - Ordered to search back-up tapes to find user-deleted email, resulting in millions of dollars in expenses In this case, Intel claimed that it put a clear retention policy in place once it learned of AMD’s legal intentions. Employees, however, didn’t always follow the instructions. Intel was compelled to search back-up tapes to produce past email messages. In April 2007, the Wall Street Journal reported that Intel “spent $3.3-million to process computer tapes to help recover missing emails and expects to spend ‘many millions of dollars’ in the effort.”

United Medical Supply v. United States (Sept. 8, 2006)- Sanctioned for allowing deletion of email by depending on employees to follow policy In this case, the government was sanctioned for allowing email to be deleted. There was no centralized email archive, so the government depended upon employees to follow policies for keeping email. A government attorney properly notified those involved to hold email according to the policy, however, some emails were still deleted. The court ultimately ordered the government to reimburse United Medical Supply for some of their discovery costs and barred them from cross-examining United Medical Supply’s expert witness on various aspects

Litigation Hold Must be Implemented and Enforced When Litigation is Expected
Doe v. Norwalk Community College (July 16, 2007) - Failure to conduct legal hold results in adverse jury instruction, legal fees awarded In this case, the court specifically cited the defendant’s failure to “put a litigation hold in place.” The court said that Doe was entitled to an adverse instruction to the jury regarding destroyed evidence. In addition, the court awarded some legal fees and the reimbursement of expert fees.

Read more on the FRCP Case Law Review series - Part 1 - Part 2 - Part 3 -

Posted by Fortiva Blog Editor

In my previous post, I reviewed a couple of FRCP related cases that clearly illustrated the notion that under the FRCP, deadlines must be met and cost is not a valid excuse.  Here are some more interesting e-discovery case summaries where the stipulations of the FRCP were upheld. These law suits could have easily been avoided had the defendants been proactive and implemented effective solutions that would allow them to perform searches and retrieve relevant electronic records in a timely manner.

Need to be Prepared to Produce any Emails, Regardless of Format
Peacock v. Merrill (Jan. 17, 2008). In this litigation, the defendants sought production of electronic tax information, and the plaintiff claimed the motion was moot, arguing she had already fully produced responsive documents. The defendants sought an exact replica of a floppy disk to determine if the plaintiff fully complied with the discovery request. Relying on FRCP 34(b)(i)-(iii), the court ordered production of disk files in native electronic format to ensure access to all metadata, determining that the date stamps of many of the documents were relevant.

Mere Assertion of Burden Insufficient to Relieve Production Duties
City of Seattle v. Prof’l Basketball Club (Feb. 25, 2008). In this dispute over performance of a lease agreement, the plaintiff filed a motion to compel the defendant to search and produce responsive e-mails from six of its eight members. Having produced 150,000 e-mails from two of the members, the defendant objected to this request, claiming the search would “increase the universe exponentially” and would generally produce irrelevant documents. Finding a principal-agent relationship between the defendant and its members, the court determined sufficient cause to demand the documents from its members as the defendant was in possession, custody or control of the e-mails at issue. The court, therefore, ordered the defendant to produce e-mail from the remaining four members at issue, finding the defendant’s claim of burden to be insufficient under Fed.R.Civ.Pro. 26(b)(2)(B).

Simon Prop. Group, Inc. v. Taubman Ctr., Inc., (Jan. 24, 2008). In this suit involving securities and tort claims, the defendant contested the enforcement of third-party subpoenas. The defendant argued that compliance with the subpoenas would be unduly burdensome and expensive since the search terms provided by the plaintiffs resulted in the identification of over 250,000 files. The defendant claimed it would take three full-time employees four weeks to determine the responsiveness of those documents. The plaintiffs offered to narrow the scope of the search by time period, search terms and perhaps even limit the number of servers to be searched. The court granted the plaintiffs’ motion to enforce the subpoenas, holding the requests were not unduly burdensome as discovery of electronic files are common place in business litigation.

Read more on the FRCP Case Law Review series - Part 1 - Part 2 - Part 3 -

Posted by Fortiva Blog Editor

Since the Federal Rules of Civil Procedure (FRCP) were amended in December, 2006, much has been published on this topic.  Numerous studies and papers tackled topics from how companies were responding, to whether or not they were prepared, and even whether or not they understood the amendments and their implications. 

While all these surveys, studies, articles and discussions were taking place, real cases, with real organizations were being tried in real courts – with real consequences.  Over the last year and a half, a multitude of court opinions on electronic discovery have been issued. While these rulings vary in their impact, they all point to the fact that the FRCP is an undeniable reality for organizations right now.  All organizations, and IT departments in particular, should be aware of what’s really expected by the courts and must be prepared to comply with the FRCP.

This blog series will review the most notable recent e-discovery cases, illustrating how the courts interpret and uphold the FRCP requirements, and the consequences they dole out for non-compliance.

Deadlines must be met; Cost is not a valid Excuse
Best Buy v. Developers Diversified Realty (February 1, 2007) - Ordered to produce information within 28 days, regardless of cost. In this case, the defendants (Diversified) argued that the emails and other electronic documents that were requested by Best Buy were not “reasonably accessible” (they existed only on archived, electronic backup tapes). Diversified cited a cost of $125,000 to recover the information. The judge did not accept the argument and ordered that the information be produced within 28 days, including IT time and legal preparation.

Williams v. Taser International (June 4, 2007) - Ordered to conduct specific searches and produce results in 30 days, regardless of cost. In this case, neither party could agree on what data should be produced for discovery. In an effort to move the case forward, the judge ruled that the defendant, Taser, must run twenty-one (21) specific searches to identify a collection of "presumptively responsive documents." Taser had thirty (30) days from entry of the Order to produce all such documents in a “searchable, electronic form”.

And this is just the tip of the iceberg.  Stay tuned for more case reviews in my upcoming blogs.

Read more on the FRCP Case Law Review series - Part 1 - Part 2 - Part 3 -

Posted by Alan Armstrong, VP Business Development

My final article in the FRCP readiness series is about Collection, Search, and Retrieval – the most expensive, tedious, and time-consuming element of the legal discovery process. To paint some context, allow me to start with a story about Dave, an Assistant General Counsel at a Fortune 500 company.

Recently I was in a meeting with 20 people, including Dave, where this company was evaluating  Fortiva against an in-house competitor. Fortiva was the underdog, as this in-house competitor is considered the leader in the space for companies who want to go through the hassle of managing their own email archive.

Dave was attending the meeting mostly out of obligation to review all the vendors being considered, but his underlying goal was to find a way to do better “Early Case Assessment”, to reduce the cost of collection and processing, and to just know, going in to a “meet and confer” meeting, what data can be discovered, and at what cost.

Until this moment in the meeting, Dave was fairly nonplussed with our discussion. His eyes were not glossing over exactly, but he definitely had not been enthused. We were in the middle of a product demonstration, when our SE began to show the Fortiva search capability. All of a sudden, there was a rustling of papers at Dave’s end of the room. Remember, there were 20 other people in this room, so I didn’t have eye contact with everyone. After a bit of mumbling back and forth, the project sponsor, Andy, interrupted: “I just want everyone to know what’s going on here … when Fortiva shows you this search capability, they are executing a search against their production database, not a demo system.”

It seems that Dave was flummoxed by the response time of the search.

This is not surprising:  in many cases, it can take days (or even weeks) for Legal to retrieve the results of a search request, and the request must be executed by IT. As a result, Dave was shocked and stopped the meeting to clarify what had just happened. For him, real-time search in the hands of Legal rather than just IT was a game changer.

Let’s just say Fortiva won that account over the in-house competitor who could not offer a search performance guarantee. (We challenge our competitors to offer an SLA around search).

Dave’s reaction reveals a lot about the difficulties that Legal has in meeting its objectives. Knowing what kind of data the company has and being able to search and retrieve it can be very costly and time consuming.  And because a “meet and confer” must occur within 99 days of filing, counsel must know what data exists, where it exists and the cost and timeframe of retrieval.  Dave and others in his situation have told me that it is quite common for legal to be unsure about what it can deliver and at what cost.  This can result in over-promising and under-delivering, not to mention the possibility for fines and “negative inferences”. The search technology we showed him was exciting precisely because it would enable Dave to know what he has and make a more informed decision sooner.

Bottom line, here is some advice to prepare for e-Discovery:

1. Ensure you can identify sources of data and be prepared to  start to collect, search and review relevant email data when notice of suit first received
2. Invest in real-time search technology
3. Ensure data is easily searchable to perform early case assessment

Hope this helps.

Alan

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5

Posted by Alan Armstrong, VP Business Development

“Stop recycling the tapes!” Our prospects often described this as their approach to litigation holds before implementing Fortiva.

FRCP now requires that companies place a litigation hold on data immediately upon hearing of a potential lawsuit. This means that companies cannot wait even until the lawsuit is officially filed; they must place the hold upon suspicion of an impending lawsuit.

A Litigation Hold suspends disposition of information pending the outcome of a related lawsuit. The typical approach has several problems, but the primary problem is the lack of precision; when you place a hold on a set of tapes, you are retaining all of the information on those tapes, which will certainly be more information than you are required to retain.

And with more information comes a greater cost of processing and filtering, but worst of all it increases the risk of retaining information beyond its desired retention policy.

The other problem with the typical approach to litigation holds is that they often rely on end users to refrain from deleting information. After legal makes the “backup tape retention order”, the next step is often to instruct users to stop deleting any relevant information.

Does this sound dangerous? Consider:

• When legal asks an end-user to stop deleting information related to a legal case, they are frequently asking someone under investigation to preserve incriminating evidence.
• “They have been warned” doesn’t cut it. In case you are thinking that it may be OK if an end-user deletes information, even if they do so illegally, think again. The court holds the company and its lawyers responsible for the enforcement of retention policies. For examples of this, see the Qualcomm and the Intel vs. AMD cases.

Our recent survey found that companies are largely catching on. When asked whether companies had formalized and enforced a litigation hold process for email, the results were encouraging:

These numbers are a stark contrast from our survey of March 2007, when 91% said that they had no litigation hold in place.

You may rightly ask, then, what is the alternative to the blanket approach of litigation holds. The answer lies in centralizing control of the information. In the Fortiva archive, creating and enforcing a litigation hold is as easy as a few clicks, and no action is required by end users. With this approach, you can easily implement the best practices that we recommend:

1. Empower legal counsel to oversee litigation hold process and ask IT to demonstrate that litigation holds are being enforced
2. Never rely on end users to enforce a litigation hold
3. Narrow litigation hold to include only responsive information (by keyword, custodian, date range, etc)

If you follow these directions, you will no longer have to retain “all or nothing”. Take a look for yourself.

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5

Posted by Alan Armstrong, VP Business Development

In this series we are looking at the basics of FRCP compliance. In my previous article, I pointed out that many companies fail to meet the most basic federal rules because they get embroiled in debates about retention policy. Indecision means non-compliance!

I think the reason that companies fail to decide is because they are focusing on the wrong question. Most times the debate is about whether information is a legal asset or a liability, and that question cannot be definitively answered; in some legal situations, the information will be in your company’s favor while in others, it will be against you. The trouble is, the potentially incriminating information can’t really be controlled or even destroyed (too many copies exist, and once the email is sent outside your company, you don’t have the power to destroy it). In their indecision about retention policies, companies continue to go through expensive discovery procedures, and must eventually deal with the incriminating or exculpatory information.

I suggest that you consider this issue from a different angle: Information discovered early is a strategic weapon. Forget about assets and liabilities; in every legal case you’ll have to deal with both. What can make the difference, though, is the ability to pinpoint information instantaneously. With the right information in hand, your company can use the information strategically to have cases withdrawn or dismissed before they even get to the “meet and confer”, or worse yet the costly discovery phase.

To illustrate, allow me to share the story of one of our customers, anonymously of course.

John (not his real name) described a legal action that came against his company. The company was in the middle of a very large business transaction, and a supplier sensed that the company was vulnerable to a legal attack. The suit was launched, and of course legal came to IT looking for evidence. Because John had implemented an email archive (Fortiva), and imported all historical email into the archive, he was able to instantly query the archive for relevant email.

With a small and targeted set of search results, he quickly exported the data to PST and provided it to one of the company’s contract administrators. After reviewing about 100 emails, the contract administrator pulled 16 emails that clearly demonstrated than the supplier’s claim was false.

Our customer John took those 16 emails, sent them to the plaintiff, and the case was immediately dropped. Needless to say, John was pretty proud of his foresight. Because he had retained email, he had more information than the opposing side.

Bottom line: For Legal, Email, in a searchable archive, can be more than an Asset. It can be a strategic weapon that you can use to defend your company.

So how long should you retain email? If you get beyond the false dilemma of asset vs. liability, you can let the business drive retention policy. I hope that helps you simplify the whole question.

-    Alan

PS: This argument only makes sense if you have an archive that your legal counsel can search quickly and painlessly. Most archiving software is painfully slow to search, so your legal counsel may not even have imagined it would be possible to access the “strategic weapon” on their own in 20 seconds or less. That’s why Fortiva issued the Search Challenge. As far as I know, Fortiva is the only company in the industry to contractually guarantee search performance. And if our logic is right, it won’t be easy to emulate. See our series on search for the gory details.

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5

Posted by Alan Armstrong, VP Business Development

A mentor once counseled me that the most important thing about a company strategy is to have one. It may sound trite, but it is actually quite profound; he is saying that there may be many valid strategies, but ultimately you just need to pick one, stick to it, and focus on execution.

What’s the relevance to email and document retention? In this series we’re focusing on the basics of FRCP compliance, and the first question that always comes up is: What retention policy should we implement? The FRCP guidelines on retention policies are similar to my mentor’s advice on strategy:

1. Have a policy
2. Enforce the policy
3. Be able to demonstrate that you are enforcing the policy

Were you looking for something more specific? Unless your company is regulated in some way (financial services and some healthcare companies may fall under more specific regulations), the FRCP does not specify a retention policy.

Many companies that I meet with wish that the fed would simply dictate a timeframe for retention, because in the absence of such specifics, many companies fail to decide on a policy, and as a result, fail to comply with the regulations.

Once you decide on a retention policy, you can begin to move towards compliance. I’ve seen several companies who delay and delay and delay, until ultimately they are caught in a legal situation by their own inaction.

So my primary message here is: Decide on a policy!

But how do you decide on that retention policy? Stay tuned for my next post.

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5