As e-mail records are increasingly used in lawsuits to make charges
stick, e-mail management is in the spotlight.
If your organisation is sued in the near future, one of the
prosecution's opening gambits may be to seek a court order for the
release of all e-mail records connected with the case. Offering an
unedited transcription of corporate machinations, e-mail messages
represent the digital equivalent of a smoking gun and lawyers are
latching onto them with alacrity to make a gamut of charges stick.
The growing list of organisations (see "Cautionary tales" box below)
forced to cough up substantial damages or endure punitive sanctions
after losing cases based on incriminating internal e-mails places IT
departments at the sharp end of a major legal trend. Meanwhile, new
software programs purporting to offer ways to reduce organisations'
exposure to e-mail legal liabilities suggest that e-mail management
could soon become a burning topic for IT managers.
"E-mail is a very important part of the legal landscape because of
the shift to everything electronic," says Catherine Sansum Kirkman,
corporate technology policy expert and partner at Silicon Valley
law firm Wilson Sonsini Goodrich & Rosati based in Palo Alto,
California.
As well as the sheer volume of business transacted over e-mail, the
convenience of the medium makes it an ideal place to look for
compromising information.
"A lot of employees think it is like making a telephone call, but
you cannot simply press delete," says Richard Raysman, managing
partner of New York-based technology lawyers, Brown, Raysman,
Millstein, Felder & Steiner and co-author of a recent research
paper on corporate e-mail policy. After they have been erased from
correspondents' e-mail systems, messages live on as indelible
digital footprints on servers, hard drives and backup tapes. "A few
poorly-worded e-mails and companies find their liability increases
considerably," adds Raysman.
Business is booming for so-called computer forensics firms that
specialise in digging up digital dirt on behalf of litigants. Joan
Feldman, president of Computer Forensics in Seattle, estimates that
55% to 65% of US civil law cases refer to e-mail, up from barely 5%
in 1992. Legal clamour to access e-mail troves is a no-brainer, she
says. "[It] is usually the best source of material that can be
found. E-mail is the recorded conversations of most businesses and
often the sole repository of business documents."
As well as the financial penalties that e-mails can help bring down
on firms, the task of retrieving legacy messages from back-office
storage systems is onerous. In the absence of a definitive ruling,
firms have invested in expensive and protracted e-mail recovery
operations. Feldman says she charges US clients $9,000 to $12,000
per back-up session to restore messages from storage tapes and sift
them for evidence.
While the hyper-litigious US has led the way in the use of e-mail
as courtroom evidence, UK users should gird themselves for similar
assaults on their electronic archives if they become embroiled in
lawsuits.
"There has been a considerable increase in demand from lawyers over
the past 18 months," reports Craig Earnshaw, head of the forensic
computing services group at London-based auditors Lee & Allen.
"Up until recently [UK] lawyers avoided doing anything on the
computer. But they have been looking at how computerised evidence
has helped colleagues or been detrimental to a defendant and are
realising the benefits."
Meanwhile, Feldman says a stream of leading US firms, including
chemicals behemoth Dupont, have called on her practice for advice
on how to minimise their legal exposure from e-mail.
The cornerstone of risk reduction, says Feldman, is a rigorously
applied e-mail retention and disposal policy, and such efforts may
be assisted by new-generation software programs.
San Francisco software developer Disappearing says its Disappearing
E-mail program enables messages to be primed to self-destruct after
a set period of time. Meanwhile, a button on the toolbar of
Microsoft's Office XP desktop software suite links users to a free
download as a taster.
A 128-bit key assigned to unscramble an encrypted message is
discarded after a user-specified retention period, effectively
rendering the e-mail indecipherable.
Unlike rival encrypted e-mail programs, such as Hushmail, Zixmail
and Authentica, Disappearing's server-based system does not require
users to download software. It is up to IT managers and in-house
lawyers to determine the life span of different types of electronic
correspondence (see "Legal landscape" box below).
IT managers can apply "chide" commands to remind users to set
destruction dates for messages where default retention periods do
not apply. Meanwhile, a "red-button" feature allows the destruction
schedule to be halted if there is a possibility the messages could be
subpoenaed for a legal case.
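
Added example, not from the original article or from Disappearing: a minimal Python model of the key-discard scheme and the "red-button" hold described above. The class and function names are hypothetical, and an HMAC-SHA256 keystream stands in for whatever cipher the product actually uses.

```python
import hashlib, hmac, secrets

class KeyStore:
    """Server-side per-message key store (hypothetical model, not the vendor's design)."""
    def __init__(self):
        self.keys = {}        # msg_id -> (key, expiry time in seconds)
        self.on_hold = False  # "red button": halts the destruction schedule

    def new_key(self, msg_id, now, retention_seconds):
        key = secrets.token_bytes(16)  # 128-bit key, the size the article gives
        self.keys[msg_id] = (key, now + retention_seconds)
        return key

    def purge(self, now):
        """Discard expired keys unless a hold is active; return the ids purged."""
        if self.on_hold:
            return []
        expired = [m for m, (_, exp) in self.keys.items() if exp <= now]
        for m in expired:
            del self.keys[m]
        return expired

def _subkey(key, label):
    # Separate encryption and MAC keys derived from the one message key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode.
    # A real deployment would use a vetted AEAD such as AES-GCM.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def open_message(store, msg_id, blob):
    key, _ = store.keys.get(msg_id, (None, None))
    if key is None:
        return None  # key discarded: the stored ciphertext is unreadable
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified")
    return _xor_stream(_subkey(key, b"enc"), nonce, body)
```

The scheme depends on the key existing only in this store; a key that reaches a backup tape outlives its retention period, just as the article says erased messages do.
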
One shortcoming is Disappearing's inability to stop e-mail
recipients from printing messages or copying them to other
locations. However, the company is working on such capabilities.
Corporate users looking for an extra measure of security may
consider Bellevue, Washington-based Absolute Future's stealthy
Safemessage system, launched last year. Although it features an
e-mail-style interface, Safemessage is not e-mail. Instead, the
encrypted system harnesses file transfer protocol (FTP) to send
messages between peer computers, bypassing servers altogether.
According to chief executive Graham Andrews, using FTP sidesteps
the problem of controlling what recipients do with messages.
However, the system requires special software to be installed on
individual PCs and even Andrews concedes it is not a mass-market
product.
Recently released products offer the basis for minimising
organisations' risk in the current legal climate. Their deployment
within an overall e-mail management policy might encourage users to
consider more carefully how what they write in the heat of the
moment would look in a court of law.
Legal landscape
In administering e-mail disposal policies, IT managers must observe
industry regulations governing retention of certain types of
document. Outside of such obligations, experts advise users to let
rules for the destruction of paper files be their guide.
Accordingly, employment-related messages should be kept for the
duration of workers' employment and tax-related messages for
three-to-five years. Ephemera, like meeting arrangements, can be
destroyed within 30 days.
Cautionary tales
* 1995 - E-mail containing off-colour jokes helps seal sexual
harassment charges against a subsidiary of oil company Chevron,
leaving the firm liable for $2.2m in damages.
* November 1999 - A judge rules that Microsoft violated US
anti-monopoly laws in exploiting its dominance of the operating
system market to squeeze out rivals in other software markets such
as Internet browsers, partly based on incriminating e-mails sent by
chairman Bill Gates. Microsoft is currently appealing against the
verdict.
* May 2001 - E-mail between US office supplies chain Staples and
investment bank Wit Capital is produced in court to prove
shareholder charges that the price at which Staples bought back
shares in its Internet business Staples.com was inflated to allow
share-owning executives to make a profit. Company officials complain
that the e-mails have been "taken out of context."
Stephen Phillips