E-mail: Risky business?
Pervasive use and poor archiving of e-mail opens door to new legal risks and issues
By John Chivvis
“E-mail may be the lifeblood of business, but it’s also the focus of litigation, because that’s where all the smoking guns are.”
Jon Neiditz, Attorney and Risk Management Expert, Lord, Bissell & Brook
$1.45 billion. That was the size of the judgment against Morgan Stanley after the financial giant failed to produce requested e-mails for use in a lawsuit. The ruling against Morgan Stanley resulted in part from its inability to find requested electronic documents due to missing or reportedly “destroyed” files.
$29 million. That was what Laura Zubulake was awarded in a discrimination lawsuit when, according to the now oft-cited ruling, her former employer failed to produce “backup tapes containing relevant e-mails” and “other relevant documents in a timely manner.” In fact, it was the failure to provide the documents that led the judge to let the jury infer that the employer was hiding something.
So what might an e-mail cost you and your agency? That is a question more agency owners are asking themselves because the growing trend—especially in an industry that touts “going paperless”—is toward more messages, images, faxes, voice mails, and documents being stored electronically. “Over 60% of business-critical information is stored electronically—most of it in e-mail,” says Jon Neiditz, attorney and risk management expert for the Chicago-based law firm of Lord, Bissell & Brook, “and less than one third of it is ever printed.
“Some business owners don’t realize that e-mail messages are not the same as spoken words, but in fact are treated by courts and regulators as documents,” says Neiditz. “What’s more, many e-mails are not only documents but business records, too, and therefore subject to record retention requirements.” Because of this, more insurance professionals are being exposed to a new level of risk.
CPCU PANELISTS AGREE THAT E-MAIL SECURITY IS PARAMOUNT
By Donald S. Malecki, CPCU
Cyber liability is always one of the more well-attended sessions on insurance issues today, regardless of the forum. The panel discussion on cyber liability insurance issues at the Chartered Property Casualty Underwriter Society’s 61st annual meeting in Atlanta on October 24, 2005, was no exception.
According to Michael J. Highum, moderator of this panel, only 22 states require the reporting of data breaches. As a result, many companies don’t report breaches or are slow to report. Highum, vice president with the McGowan Insurance Group, Indianapolis, offered the following statistics that help to amplify this growing concern:
• 85% of companies report at least one computer security breach each year
• 90% report vandalism attacks
• 78% report denial of service attacks
• 64% acknowledge financial losses due to cyber attacks
• 80 is the number of public data security breaches since February 2005
Staying ahead of those who break into supposedly impenetrable systems is the name of the game, said panelist Edward Bilinski of Pearson Media Group. He stated that malware, comprised of spam, adware—60% of which is intended for identity theft—and spyware, is the latest threat.
Employment and training practices are the top issues from the perspective of panelist Richard P. Reed, vice president at Chubb & Son, because most problems having to do with computerization are “inside” jobs created by disgruntled employees. Underwriters look at this situation very carefully, Reed said, when considering a risk for insurance.
Another area being looked at by underwriters, Reed said, concerns outsourcing. When a company subcontracts people to work on computers, there can be problems, because these people are not controlled to the extent that employees are.
From the standpoint of risk profiles, the panelists stated that the profiles are changing. Interestingly, both viruses and denial of service attacks have decreased, presumably because of the wide use of anti-virus software and aggressive law enforcement. However, there has been significant growth in the area of unauthorized access by insiders and targeted attacks by outsiders.
Peter Vogel, an attorney with the firm of Gardere Wynne Sewell and co-chairman of his firm’s Internet and Computer Technology Practice Group, said the number one problem in his view was the lack of communication between information technology people and upper management within companies. Companies also need to establish and maintain corporate data and document retention policies, he added.
He said companies need to follow Internet usage policies and deploy enterprise-wide contractual management practices. In doing so, they need to prevent employees from using their employers’ computers to run their own businesses. The law in the United States, Vogel explained, is that an employer has a right to everyone’s e-mail. In the United Kingdom and Canada, however, it is just the opposite, he said.
In summing up the legal “best practices,” Vogel offered the following to consider:
• Establish and maintain corporate data and document retention policies
• Follow industry, federal and state regulations
• Follow Internet usage policies
• Adhere to license restrictions.
Vogel warned that adherence to licensing restrictions is especially important, because there are organizations currently working as “licensing police.” To put it bluntly, he said, any violation in this area is a “copyright infringement.”
In concluding his remarks, Vogel offered the following words of wisdom: “I would never put in an e-mail that which I would not want a member of the jury to know.”
In fact, there is a growing industry based on what is called “e-discovery” which focuses on systematically finding, restoring, culling through, and reading of electronic documents for use in litigation. “It is not just about e-mail and traditional electronic documents, but also can include instant, text and SMS messaging and, on the frontier, voice mail,” says Neiditz.
According to a 2004 survey by the American Management Association (AMA) and ePolicy Institute, 20% of the 840 businesses responding had been subpoenaed by a court or regulatory body to produce employee e-mails, up from the 14% reported in the 2003 survey; 13% reported that they had battled a workplace lawsuit based on employee e-mail. Yet, despite the growing evidence that e-mails and instant messages are a primary source of evidence, employers are “largely ill-prepared to manage e-mail and instant messaging risks,” according to the survey. The survey found that “merely 6% of organizations retain and archive business record IM, and only 35% have an e-mail retention policy in place.”
Neiditz warns that “tried and true” practices such as 30-, 60-, 90-day e-mail destruction policies are violating record retention regulations and reinforcing poor practices when it comes to litigation. “These destruction rules can end up really hurting you,” says Neiditz.
“Old e-mail destruction policies weren’t really designed for managing compliance; instead they were typically driven by storage capacity considerations, not business or compliance needs,” says Neiditz, pointing out that in over 70% of businesses it is the IT department that oversees electronic record retention. So, for the sake of storage, some businesses opt to “save nothing.”
The problem for agencies is that due to decisions like Zubulake, the “save nothing” approach can hurt more than it helps. That is because, according to Neiditz, once a business’s lawyer issues a “litigation hold,” the burden to produce all—not some or most—documents in a lawsuit is often on the business. Even without a litigation hold, the business is under increasing pressure to assure that its e-mail meets many record retention requirements, from insurance department requirements, to human resources document requirements, to tax requirements, to Sarbanes-Oxley requirements.
For most agencies, another difficulty lies in the current mindset for retaining data. Records and files are backed up in case of disaster, not archived for potential retrieval or discovery. “One study indicates that only about 20% of businesses are actually ‘archiving’ their documents,” cites Neiditz.
The use of backup tapes, typically for restoring data after a disaster, is also problematic because backups are not designed to handle the needs associated with culling through archives. Neiditz says that trying to use a backup system to search for and investigate documents is difficult, and in the case of Morgan Stanley, “While ‘saving everything’ through the use of a backup system would achieve compliance,” says Neiditz, “you tend to get the ‘deer in the headlights’ look from owners when the backup tapes start piling up and suddenly, they need to produce something.”
Then there is the human element. “In the past, everything was put into a paper file, and when the time came, you would literally destroy the file,” says Neiditz. “The problem with an electronic message is that it can go so far, so quickly, and to so many people. A disgruntled employee or customer may still have a copy of it. The big cases often turn on e-mail that has been ‘destroyed’ by the company but later turns out to have been saved by the plaintiff.”
As a result, Neiditz says that business owners are getting serious about cracking down. This includes developing clear e-mail usage and retention policies as well as Web, e-mail and content monitoring practices to ensure compliance. Neiditz cites a 2005 “Electronic Monitoring Survey” conducted by the AMA/ePolicy Institute that said over 80% of employers who monitor their employees notify their employees of their monitoring practices and that 26% of employers reportedly fired employees for misuse of Internet resources, and 25% dismissed employees for misuse of e-mail resources.
Neiditz recommends that agencies take an integrated approach to eliminating the potential for “e-discovery” by adopting a strategy that “prevents your employees from creating the e-mails that will do you in” in the first place. This includes developing that strategy and the necessary backing policies, looking at technology options for creating a robust and accessible records archive, and then providing the necessary training on those business practices and resources.
Ultimately, insurance is all about reducing or eliminating risk. And, unfortunately, these days, e-mail and other unstructured messages are risks. “Never before has so much risk been associated with records retention,” says Neiditz, adding, “E-mail may be the lifeblood of business, but it’s also the focus of litigation, because that’s where all the smoking guns are.”
Before you hit the “send” button on that e-mail or message...
Attorney and risk management expert Jon Neiditz offers these four reminders to help reduce the likelihood that your e-mails will come back to haunt you.
1. Maintain a firm basis for all assertions. Whether it’s a Word document or a simple e-mail, try to make sure that what you write is based on known facts, careful research and/or sound arguments. If possible, back up what you write with the facts.
2. Write for unintended and unforeseen readers. As you write, especially e-mail, remember how easy it is to forward an e-mail to anyone, even those you don’t know. Never use e-mail without adequate precautions when communicating sensitive or business-critical information that could damage your agency or your fellow employees if read by the wrong person.
3. Assume that your words or phrases will be taken out of context. Avoid using colorful words that could be taken out of context and used against you or your agency. That’s because in a lawsuit or news story, that is precisely what will likely happen—especially since e-mails are usually inadequate for conveying mood and context.
4. Write as if the document will not be destroyed. When it comes to e-mail, you should never think of it as truly “deleted.” Therefore, be careful and decide whether your message should be delivered electronically instead of over the phone or in person. If you do choose to write something, write it to stand the test of time.
John Chivvis is a Texas-based writer who specializes in topics of technology implementation. His work has appeared in a number of national and regional publications.