Friday, December 26, 2008

Information storage: debunking the myth that electronic information is cheap to store

As the cost of computer storage continues to decline, many companies believe that they don’t need to dispose of any information. Since information is so cheap to keep, why not just keep it all? Who knows when it may come in handy?

There are very real costs to keeping every scrap of information. Below are just a few:

· Increased costs of searching and retrieving business-critical information
· Reduced performance of storage systems – the more information stored on the system, the worse the performance
· Maintenance costs of legacy systems – it becomes increasingly difficult and expensive to keep old systems running, as parts become more scarce, as well as the technicians to service them. At some point, it becomes necessary to migrate the information onto newer platforms, which may, or may not, be easily accomplished
· Slower response times to requests from regulators, which could lead to the imposition of penalties against the company

One of the most significant areas in which this philosophy can damage the company is in the area of electronic discovery. Once the company is aware that it may be subject to a lawsuit, it is then under the obligation to preserve data relevant to the suit. This may a broadly thrown net, to make sure that deletion of relevant information does not occur. For companies that save everything, there is now a significant actual cost to this policy. All of this information must now be searched and collected. One significant cost, however, is the cost to have an attorney review the information. The Sedona Conference, a think tank which has done a lot of work in the area of e-discovery, estimates that the cost of reviewing 1 gigabyte (70,000-80,000 pages) of data is over $30,000.

How can a company address this problem? The only way in which a company can dispose of information comfortably is by the adoption of a records retention schedule. The schedule demonstrates to a court that a company has made decisions, based on legal requirements and business needs, regarding how long categories of information should be kept. As long as the information is not subject to the duty to preserve, called a “Legal Hold”, the company may legitimately dispose of the information pursuant to its records retention requirements in the ordinary course of business.

Given the many costs of storing electronic information, companies should be more judicious in what they keep and why. The importance of a records retention schedule in legally disposing of information no longer needed for business and legal requirements has never been more important.

Monday, November 24, 2008

The Reality of Data Breaches

In 2008 alone, over 270 data breaches were recorded by the Privacy Rights Clearinghouse. These data breaches spanned across a wide variety of organizations --universities, banks, government agencies, department stores, etc. No industry has been spared as new breaches continue to occur on a daily basis. Data breaches have become so widespread that many states have passed legislation addressing confidentiality of personal information. There are many different causes of these security violations. Data breaches occur due to theft of laptops, USB drives, back-up tapes, and other media used to store data away from an organization’s servers. They can occur due to inadequate disposal of items containing sensitive data (e.g. files recycled as scrap paper). Employees give away their user ids and passwords to hackers masquerading as support techs. Misuse of data by employees ranging from inappropriate access to actual corporate espionage has also contributed to data losses.

In general, data breaches are primarily attributed to human error rather than the technology. An organization’s policies and procedures should clearly inform employees on proper handling of data. Providing instruction and training to employees on best practices is also necessary. An effective auditing and monitoring program, as well as consistent enforcement of the program, are also required components of an effective security approach. Technology solutions can help, but cannot replace, a comprehensive program to protect an organization’s information assets.

Friday, November 14, 2008

The Stored Communications Act may affect your ability to view your employees’ text messages

The Stored Communications Act, 18 U.S.C. § 2701 – 2711, generally prevents providers of communications services from divulging private communications to certain individuals or entities. On its face, then, the Act prohibits companies from accessing text messages sent by its employees, if, as many companies do, third-party messaging services are used. (The result may be different if the company uses its own equipment for messaging.)

The Act contains two notable exceptions: If the service provider is an “electronic communications service” or ECS, the provider can release communications with the consent of the originator, an addressee, or intended recipient of the communication. If the service provider qualifies as a “remote computing service,” or RCS, the provider can release communications with the consent of the subscriber, i.e. the company hiring the provider to provide a text messaging service, as well as the other parties.

So, how are an ECS and an RCS defined? The Act defines an ECS as "any service which provides to users thereof the ability to send or receive wire or electronic communications." An RCS is defined as "the provision to the public of computer storage or processing services by means of an electronic communications system."

This distinction can be important if your policies aren’t up to date. If your provider is an RCS, you can request communications from the service provider as a “subscriber.” However, if your provider is considered an ECS, you’ll need consent of the originator or addressees to see the content. Even where you have policies stating your right to monitor all communications, and informing your employees that those communications are not confidential, that may not be enough.

In Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008), the city of Ontario, California had those policies in place. The city had provided text messaging equipment to many employees, including police officers, for use in city business. The city wanted to access certain text messages of police officers who were over their quota of text messages to determine whether the officers were texting for public or personal reasons. (Of course, it didn’t help that one of the lieutenants of the police department treated the messages as personal to the officers by telling the officers that if the officers didn’t want the department to read the messages, the officers should pay fees for exceeding the monthly limit.) The court didn’t even consider whether the policies constituted consent on the part of the officers – by turning over the messages to the city, the court found that the service provider had violated the Act, as the provider was found to be an ECS.

The lesson is that you should get your employees to explicitly give their consent to a service provider to allow your company to access their text messages (or other electronic communications).. Since most companies require their employees to sign for company provided equipment (such as mobile devices or laptops), this consent can be incorporated into that process. In addition, the consent should be clearly explained to them. (And your managers should be warned of the consequences of making exceptions!) Don’t try to figure out if your provider is an ECS or an RCS – the courts haven’t consistently defined what that means. It may not be a bulletproof defense – a court might hold that employees have to give their consent for specific messages – but at least you’ll have a fighting chance.

Tuesday, November 4, 2008

A Legal Hold doesn’t mean hold everything

A common reaction to companies faced with an e-discovery request is to hold, or preserve, everything. While this is a better reaction than doing nothing, it usually stems from fear or ignorance. The fear is that if the company doesn’t hold everything, it will be sanctioned if it can’t produce information responsive to the plaintiff’s requests. The ignorance stems from its knowledge (or lack thereof) of the electronic information it has (or doesn’t have).

Kahn Consulting explains why you don’t have to hold everything in this article.

Monday, October 20, 2008

Good planning means never having to say “whoops?”

The attorney-client privilege is a doctrine which says that you don’t have to disclose information to the other side in a lawsuit which involves discussions with your attorney. The idea is that you should be able to speak frankly to your attorney about case strategy without worrying that the other side will be able to get that information. It’s obviously pretty important to keep these discussions confidential.

However, in certain scenarios, courts have found that parties have waived their privilege. By insufficiently reviewing the electronic information they sent to the other side, the court in Victor Stanley, Inc. v. Creative Pipe, Inc. found that a company waived their privilege. They sent stuff they shouldn’t have, and now the other side could use it against them. It is another reason to have good Records Retention plans and Legal Hold plans in your company, with knowledgeable people overseeing them. Good plans help you know what you have and where you have it, which means you can search and review the information before sending it out to your opponents. You won’t need to say “Whoops! We didn’t mean to send you that stuff!”

Tuesday, October 7, 2008

A lesson in avoiding disaster

In a recent court case, Southern New England Telephone Co. v. Global NAPS, Inc., deliberate destruction of computer files, along with other discovery violations, lead to a $5.2 million judgment against the defendant. Basically, someone had used a program to delete files from company computers when they shouldn’t have and it cost them. How can you avoid this type of multi-million dollar disaster? It would appear that this defendant either did not know what type of software was installed on their computers and who could run it, or they failed to clearly document when it could not be used, or both. Your company needs to have both Retention and Legal Hold policies clearly explaining what records need to be retained to comply with retention laws and what information needs to preserved for imminent audits or litigation. Also, if your employees are using data “cleansing” software, you should control its use through policy, at a minimum. Do you have a plan to protect your computer data if you are involved in a lawsuit? Does your plan (usually called a Legal Hold) clearly prohibit an employee from deleting or altering your computer data and set forth dire consequences if they don’t follow the plan? It should!

Welcome to Information Nation

Welcome to Information Nation, the blog on information management compliance by Kahn Consulting, Inc. Information Nation will present news and events happening in the legal, compliance, and policy arenas of information technology and information lifecycle management. Information Nation will focus on issues of interest to all executives and managers concerned about the impact of information on the enterprise. Topics such as information management policy development and implementation, records retention, compliance assessment, electronic discovery, and the proper role of technology in these areas are just a few of the subjects we plan to address.

The main contributors to Information Nation will be the professionals of Kahn Consulting, Inc.; professionals with years of experience assisting companies in harnessing their information assets and helping them maximize the value of those assets. The experts at KCI take a multidisciplinary approach—from legal, technological, records management, business, and compliance perspectives. You can expect to see posts covering all of these domains.

Our objective at Kahn Consulting is to provide value for all of our clients. Our objective for this blog is to provide value for you.

Thanks for being a citizen of Information Nation.

Sincerely,

Randolph A. Kahn, ESQ.
President and Founder
Kahn Consulting, Inc.