If a court requested all your company emails between September and December of 2011, would you be able to provide them? Do you know where they are backed up? Do you know IF they were backed up?
One of an IT manager’s most important functions is backing up data. It's critical to protecting the business in case of a server crash. But there are legal requirements when it comes to backups, too. We're discussing one such requirement in today's WOOF: your legal requirement to keep archives of electronic communications.
What is the California Electronic Discovery Act?
The California Electronic Discovery Act (“EDA”) was enacted in 2009. You can read the full California EDA here (PDF): http://www.leginfo.ca.gov/pub/09-10/bill/asm/ab_0001-0050/ab_5_bill_20090629_chaptered.pdf
. It contains the following:
- If your company is sued or subpoenaed, the Electronic Discovery Act says you must produce records relevant to the complaint. This includes Electronically Stored Information ("ESI") such as emails, instant messages, social media posts and other communication logs.
- All ESI must be archived (backed up) in a way that allows for simple and quick retrieval in the event of legal proceedings.
- The EDA places responsibility for producing ESI records on the entity subpoenaed—your business.
In addition to making sure you can comply with any future document subpoenas, having ESI records readily available can help your company in a number of ways. ESI records can provide proof of trade secret theft, help in a criminal investigation, or defend against harassment and other employee claims against your company.
What happens if you can’t comply with a legal request for records? You can’t find the requested emails among your backups, for instance.
If you can prove that your company has lost backups of ESI through no fault of your own (like accidental damage to your servers), then you may not be liable. However, if you COULD have kept records of emails and did not, then you are liable if subpoenaed and could face fines and sanctions
Federal and State e-discovery legal problems are common. Here are just a few examples:
- If Morgan Stanley had been able to locate and produce all of their email pursuant to an SEC request for documents, they may have avoided a $15M fine.
- During a lawsuit by AMD over monopoly allegations, Intel executives' "lost" email significantly affected their defense – executives thought all email were being backed up by IT, even deleted email. Some employee email was lost because workers failed to move messages from their “Sent” folder into other folders and it was automatically deleted, while other email were lost because Intel failed to notify hundreds of employees to retain email related to the case. This suit was settled for $1.25B.
- Apple, Inc. achieved a partial reimbursement in a 2013 District Court case with Ancora Technologies. Ancora had responded to an e-discovery request with documents "in a format that was not 'text searchable' and did not provide the associated load files or OCR data in a .TXT file format."
- In 2010, the Financial Industry Regulatory Authority (FINRA) fined Piper Jaffray & Co. $700,000 for violations related to its failure to retain approximately 4.3 million emails from November 2002 through December 2008.
In hindsight, those fines and settlements would have bought a lot of data protection!
How You Comply with the Electronic Discovery Act: Backup Your ESI
Keep reliable backups of all online conversations, and make sure you can access them later. That’s how you stay in EDA compliance. This is how you do it:
- Archive all emails, instant messages, blog posts and social media with regular backups.
- Check your backups regularly (twice a year minimum), to ensure that they’re discoverable in the event of a legal request.
- "Discovery Search" became standard in Microsoft Exchange 2010 and aids in ESI archival. Exchange 2013 has In-Place eDiscovery, which helps you archive & retrieve ESI from not only Exchange, but also SharePoint and Lync. We recommend moving to Exchange Server 2013, if you aren't already on it.
Action Steps to Get & Stay Compliant
If your backup procedures follow the guidelines above, you can breathe easy. You’re already compliant with the Electronic Discovery Act. If you aren't sure (or know you’re missing something), then this is what you need to do – right away!
- Verify that you are backing up emails and instant messaging logs. Ask your systems administrator for a backups report.
- Note the location of your backups in company documentation. ESI backups should be in an accessible location and well organized.
- Also, note in documentation how long it would take to retrieve specific ESI from backups. Run a test to estimate the time. For instance, how long to retrieve all emails from September to December 2011?
- If your backups are managed by a consultant or service provider, request a backup schedule from them for your records.
- If you aren’t backing up any ESI logs, start doing so at once! Keep your ESI for a minimum of seven (7) years. Ask your systems administrator or IT consultant for help with setup.
Risks of Using POP Mail for Business
If you use POP mail
for your email delivery, you are faced with a difficult scenario for maintaining a viable backup of your employees’ email. With POP mail, all mail is downloaded from the host’s servers to your employees’ local machines. These can become corrupt or deleted by employees. This would leave your company vulnerable in the event of a document subpoena.
Companies Large and Small Must Comply with the Electronic Discovery Act
All companies, large and small, should have a policy in place for retention of Electronic documents. Take the time to create such a document, or enlist the aid of a consulting firm like PlanetMagpie in order to create one that fits your needs. A reasonable policy concerning retention of documents will help your company in the event that you need to produce electronic documents.