
The E-Mail Problem

E-mail proliferation is a problem faced by every company. Confronted with growing storage costs and system performance issues, companies are limiting the amount of e-mail that employees can keep. Tape or other backups are “snapshots” of data at a particular time and do not keep a complete record of all e-mails. While limiting e-mail volume is legally appropriate, and in many cases advisable, the company must also ensure employees (or an automated system) do not delete e-mails that are required for ongoing business operations or legal compliance. Companies should implement policies and practices for ensuring required e-mails are not prematurely destroyed, for example, by migrating or archiving required e-mail records to a document management system or secure networked data servers.

Authorized Storage Locations

Electronic records can be stored in a variety of locations—network servers, local hard drives, home computers, laptops, handheld devices, smart phones, CD-ROMs, flash storage devices, web-based e-mail applications, and online backup sites. Multiple locations add to the difficulty and cost of locating and producing records and increase the likelihood that records will be lost, not produced when they should be, and/or improperly disclosed to third parties not entitled to access the records. When a company is required to locate and produce electronic records in litigation (as a party or a third-party witness), it must search all locations for potentially relevant records and produce those records. Companies should require storage of records in locations and in manners that facilitate prompt and cost-effective location and production and consider limiting the locations where electronic records may be stored by employees.

As noted above, electronic records should be stored only in company-approved and controlled locations. The next step is to create a data map or inventory of where all electronic records and other ESI are stored (e.g., file servers, e-mail servers, identified drives, storage networks, and removable media). The data map helps the company locate electronic records when they are needed for litigation or other legal proceedings. It is also critical to complying with the e-discovery rules, which require early and proactive disclosure of electronic records and information regarding their location and accessibility.

Confidentiality and Security

Electronic records often contain sensitive information valuable to the company, such as trade secrets, financial data, business plans, and other confidential business information. Similarly, with the increase of legislation regulating privacy of personal information, companies are under increasing obligations to maintain the privacy of such data. Accordingly, the company should implement and enforce policies and practices that protect the confidentiality, integrity, and security of important business information and adequately protect the privacy of personal information.

Third-Party Vendors

Many companies use independent contractors and outsource functions and operations of the business, resulting in third parties having primary responsibility for storing, retaining, and disposing of company records. Outsourced functions include areas such as information technology, accounting, human resources, or other business processes. In such instances, the company should require the outsourcer to comply with the company’s records management policies through appropriate contract language, monitoring, reporting by the outsourcer, and periodic auditing of the outsourcer.

Proper Destruction

The flip side of retention is destruction. In order to obtain the benefits of having a policy and avoiding liability for improper destruction of records, it is necessary to destroy records in accordance with the policy. The company should regularly destroy records in accordance with its policy, subject to suspension of destruction pursuant to a litigation hold. Records destruction is typically undertaken on a periodic basis, such as annually. A general identification of what records are destroyed should be maintained. Additionally, records containing confidential or sensitive information, such as health information or financial information, should be destroyed in a manner maintaining the confidentiality of the records. For example, such records should be shredded rather than simply thrown out with the trash.

It is not uncommon to require vendors and other third parties to destroy and erase company records according to a particular standard or industry best practice. Common language is along the lines of the following: In the event any hardware or storage media must be disposed of or sent off-site for servicing, provider shall ensure all client confidential information has been “scrubbed” and irretrievably deleted from such hardware and/or media using methods consistent with best industry practices (i.e., at least as protective as the DoD 5220.22-M Standard, NIST Special Publication 800-88, Guidelines for Media Sanitization, or NAID standards).

Summary

By instituting reasonable and appropriate measures, such as those described in this chapter, businesses can achieve better compliance with applicable document retention laws and regulations and can better protect their valuable proprietary information. These measures can also greatly reduce the costs of discovery in litigation.

 