Legal preservation and eDiscovery compulsions
Cloud computing enterprise email management systems are being implemented, or seriously considered, by organizations worldwide. However, migration to a Cloud-based system is not for the IT faint of heart; it is a significant undertaking in terms of time, cost and legal risk. Before taking the leap, organizations need to carefully consider whether Cloud-based solutions will satisfy their business and legal requirements. That is, will such solutions be judged as reasonable and legally-defensible when tested by Courts, Regulators and Prosecutors?
It’s no wonder that this trend toward “email as a service” is increasing. Generally, 71 percent of global businesses expect to have such applications in the cloud by 2017, and enterprise spending on cloud services is projected to triple between 2011 and 2017.Two principal drivers of this trend are anticipated reduction in total cost of ownership, and keeping pace with changes in technology.
Yet after investigation, many organizations with substantial litigation and regulatory compliance portfolios are finding that Cloud-based email systems may not fully satisfy their legal records retention and eDiscovery requirements. Why? because many fail to provide adequate email archive, eDiscovery and compliance features, and functionality. Without these tools, such organizations risk substantial regulatory and eDiscovery sanctions, damage to brand, and increased costs. These risks are magnified if an adversary can show that the organization diluted its capability in bad faith, on the pretext of cost savings and keeping pace with technology.
The CIO must first team with Legal and specialized outside eDiscovery counsel to identify critical requirements imposed by your unique litigation/ regulatory portfolio
For example, the Office of the CIO of the State of Washington, following a detailed requirements gap analysis of Office 365, concluded that due to the State’s legal preservation and eDiscovery compliance requirements:
“Office 365 does not satisfy the state's critical records management requirements to accurately store, protect, search and retrieve email records. This alternative would increase time and effort for records management and increase the risk of failing to satisfy public disclosure and litigation requirements, resulting in financial loss.”
The State of Washington exploratory team also noted: “Microsoft could not provide an operational archive/search environment for the team to evaluate all requirements, or supply an adequate amount of test data to satisfactorily evaluate search capabilities.”
Additional organizations, across diverse industries, have also concluded after investigation that use of cloud-based email management systems without the addition of separate journaling or archival functions may create too much legal and business risk. And the anticipated cost-savings from cloud-based solutions can be rapidly eroded by costs of email migration; integrating third-party email journaling and archival functions, if needed; incorporating legal hold process management tools, as needed; increased internet bandwidth (if available), to perform eDiscovery functions in a timely and sufficient manner; additional IT resources to support eDiscovery searches and collections; and potential negative impact of the cloud-based eDiscovery operations on email performance.
Even more troubling are potential records retention compliance and eDiscovery gaps. For example, in 2015, Osterman Research noted the following such gaps with some Cloud-based solutions: an inability to index, search and export messages with external SMTP addresses, as well as other values across multiple mailboxes; an inability to ensure that legal hold and retention policies cannot be manually modified; an inability to selectively preserve email, rather than via an entire mailbox; difficulty searching and exporting by bcc and distribution lists; and the inability of some to preserve a departing employee’s email mailbox, without first manually placing it on hold and inactivating; a lack of Legal Hold management functions, including notification, acknowledgement, and reminders; metadata field search and export function; the loss of a “quick peek” into the content for early case assessment and case strategy purposes; an increased risk of metadata corruption and loss due to the “data dump” export process; and most importantly, the potential inability to perform timely and sufficient eDiscovery due to import and export throughput performance limitations..
Many of these potential gaps can restrict an organization’s ability to comply with detailed eDiscovery rules and specifications adopted by the U.S. Department of Justice, Securities and Exchange Commission, and Federal Trade Commission, such as selectively searching across mailboxes for external email addresses, blind carbon copy (bcc) and distribution list recipients, and to perform horizontal and vertical email deduplication.
Also, many Cloud-based email services separate email message content from email metadata, creating a risk of corruption when the information is extracted and recombined, and provide no support for Chat data—an increasing source for business communication. At minimum, many Cloud-based email services appear to require use of Email Administration permissions or third-party email archival tools to satisfy email preservation compliance and eDiscovery functionality requirements.
How can you help? The CIO must first team with legal and specialized outside eDiscovery counsel to identify critical requirements imposed by your unique litigation/regulatory portfolio; and second, invest the due diligence process to validate these can be met. Otherwise, the anticipated savings will quickly evaporate, in place of increased infrastructure, resource, and eDiscovery costs, as well as accompanying risk of regulatory and eDiscovery sanctions and costs.