PC Week

(COPYRIGHT 1997 Ziff-Davis Publishing Company) Copyright 1997 Information Access Company. All rights reserved.

Monday, October 6, 1997

Vol. 14, No. 42

E-Mail Is Not Beyond The Law

Aragon, Lawrence

"Why didn't you delete it?!" It's a question echoing through the halls of IS departments as electronic data turns into key evidence in trials costing employers millions of dollars. Autodesk Inc., Hughes Aircraft Co. and Sprint Communications Corp. are just a few of the major corporations that have been stung by electronic files found in the legal discovery process. Autodesk is appealing a $25.5 million judgment against it in a case hinging on E-mail that pointed to theft of trade secrets from Vermont Microsystems Inc. Hughes last year lost a wrongful termination suit in which deleted E-mail took center stage. And Sprint settled a patent infringement case last October after a court ruled it had destroyed electronic evidence being sought by the plaintiff, Applied Telematics Inc.

Despite such negative publicity, most IS managers have not established electronic data preservation policies. Jeff Stieglitz, of Toyota Motor Sales USA Inc., is one of the early few aggressively researching the subject. He spoke to IS staffers at 100 companies before writing an electronic communications policy for his Torrance, Calif., employer, but "the vast majority" had no policy for retention of data. Undeterred, Stieglitz, an R&D manager in Toyota's IS department, sought direction from the Electronic Messaging Association (www.ema.org).

Who's to blame?

IS managers may feel that since they're not to blame for alleged misdeeds, they're insulated from the proceedings. Wrong. When discovery bills start to mount, they are the ones top management zeros in on and asks why they maintained backup tapes of 10-year-old data. That happened with a large corporate client of Joan Feldman, president of Computer Forensics Inc., of Seattle. "Whether or not there was anything bad in those tapes was less of an issue," Feldman says. "The burden and the cost of reviewing all of that accumulated data was enormous--$500,000 to $750,000." The huge tab weighed on the company's decision to settle the case, she says.

Here's what it comes down to for IS managers: Pray your company never gets sued, or get together with top management and the legal department to craft an electronic data preservation policy and gain the authority to give it teeth.

The first choice really isn't an option. Not only do IS managers run the risk of being held responsible for their policies (or lack of policies), they also stand a good chance of getting deposed in litigation regarding their company's record-keeping procedures. With that in mind, attorneys, consultants and IS executives offer the following advice:

Find out exactly what you have. "You may have something that is going to benefit you [in litigation] that you're unaware of, or might have something that's going to benefit your opponent; it's better to know than be surprised," says Rick Moher, a computer evidence consultant for Ontrack Computer Evidence Services Inc., of Eden Prairie, Minn.

Some tips from Computer Forensics: Create an inventory of all hardware and software; check the age of the hardware (since older systems are more likely to have old strands of data); and take a statistical sampling of hard drives on PCs, servers and other storage devices.

Write an electronic data preservation policy. That means getting together with your legal department and top managers, says Jim Barresi, corporate attorney for $11 billion Star Banc Corp., of Cincinnati. All parties must be involved because it's difficult to know how long you should keep certain kinds of documents, such as loan applications, which the law requires to be kept for six years, he says.

At least create a policy for E-mail. "The biggest thing you need is a policy on how long you retain E-mails," says Peter Reed, CEO of Vermont Microsystems, of Winooski, Vt. "The documents that came out of Autodesk were voluminous." After losing the suit to Vermont Microsystems, Autodesk established a 90-day limit on E-mails. When the policy went into effect, it found one employee with five years' worth of messages, says Autodesk CIO Bill Kredel, in Sausalito, Calif. The company is now considering reducing that limit to 60 days for legal reasons as well as due to the high cost to store E-mail, Kredel says.

Write an encryption policy. The Internet is home to more than 2,200 freeware or shareware encryption programs, and some employees use them at their own discretion, warns John Jessen, CEO of Electronic Evidence Discovery Inc., of Seattle. "One to five years from now, no one remembers the password, or the employee is long gone," he says. And if encrypted data is subpoenaed and a company can't decipher it, the company may get charged with "purposeful destruction of evidence," Jessen says. Hiring a company such as Electronic Evidence to unencrypt the data can be expensive. Jessen says it costs less for him to do a keyword search on 1 million files than to extract information for just 100 encrypted files. He advises companies to standardize on one encryption package with a master key technology, conduct regular audits to make sure other encryption tools aren't being used and create a policy about the kinds of data that should and shouldn't be encrypted.

Make sure deleted documents are really deleted. The delete key is a misnomer. It tells a computer that a cluster on a hard drive is available to be overwritten; it does not empty the cluster. That's why computer sleuth Ontrack was able to help an Ohio company prove that an ex-employee stole company records, even after he "deleted" the files. Several utilities promise to eliminate deleted files, such as WipeDisk from Symantec Corp. and SecureDelete from Cipher Logics Corp. But you'd better know what you're doing, or you may give yourself a false sense of security. Reed, of Vermont Microsystems, says a former employee used a utility to try to erase incriminating evidence in the Autodesk case, but Reed's development staff was able to find enough data on the man's home and work PCs to make the case.
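An added illustration of the point above (not part of the original article): a toy cluster-allocation model in Python showing that an ordinary delete only marks clusters as free, while an overwrite removes the bytes, and how an audit of unallocated clusters tells the two apart. `ToyVolume`, its methods and the sample file contents are constructed for this example and do not model any real filesystem or the utilities named in the article.

```python
# Toy model of a cluster-based volume (constructed for illustration; not a
# real filesystem driver). Shows why "delete" leaves data behind and how an
# overwrite before release differs.
CLUSTER = 16  # bytes per cluster in this toy volume


class ToyVolume:
    def __init__(self, clusters=8):
        self.data = bytearray(CLUSTER * clusters)  # raw disk surface
        self.free = set(range(clusters))           # allocation map
        self.dir = {}                              # file name -> cluster chain

    def write(self, name, content):
        chain = []
        for off in range(0, len(content), CLUSTER):
            c = min(self.free)                     # lowest free cluster
            self.free.remove(c)
            chunk = content[off:off + CLUSTER].ljust(CLUSTER, b"\0")
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = chunk
            chain.append(c)
        self.dir[name] = chain

    def delete(self, name):
        # Ordinary delete: drop the directory entry and mark clusters free.
        # The bytes on the "disk" are not touched.
        self.free.update(self.dir.pop(name))

    def wipe(self, name, pattern=b"\0"):
        # Overwrite every cluster of the file first, then release it.
        fill = (pattern * CLUSTER)[:CLUSTER]
        for c in self.dir[name]:
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = fill
        self.delete(name)

    def residue(self, needle):
        # Audit step: search unallocated clusters for leftover content.
        return [c for c in sorted(self.free)
                if needle in self.data[c * CLUSTER:(c + 1) * CLUSTER]]


def demo():
    vol = ToyVolume()
    vol.write("memo.txt", b"TRADE SECRET: rev B pinout")   # clusters 0-1
    vol.write("memo2.txt", b"TRADE SECRET: rev C pinout")  # clusters 2-3
    vol.delete("memo.txt")   # clusters freed, bytes still present
    vol.wipe("memo2.txt")    # clusters zeroed, then freed
    return vol.residue(b"TRADE SECRET")
```

The model covers a single volume only; as the Autodesk account above shows, copies of the same data on other machines are untouched by wiping one disk.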

Get creative. Biotechnology company Amgen Inc. conducted what it called a "Trash Bash" in the spring. Employees were encouraged to throw out old paper files and computer disks. But after getting high-profile coverage in The Wall Street Journal, Amgen now declines to say anything about its retention policies or Trash Bash. Feldman, of Computer Forensics, says a client who wishes to remain anonymous conducts a "file cleanup" every year and gives an award to the employee with the most megabytes shredded. She emphasized that the process must be overseen by IS, especially if disk-wiping utilities are used. For a typical department of 30 PCs, IS staffers will need to spend about 45 minutes with each PC user, Feldman says. Since it can be time-consuming, she suggests conducting the cleaning in stages and by department.

Watch your step. Instituting policies and procedures is fine, but you must keep a close eye on how they are implemented. You don't want to end up like Hughes. In a wrongful termination and defamation suit brought by Garreth Shaw, a former in-house attorney, Hughes was asked to produce E-mail related to Shaw's firing. Even though the company knew it was being sued, it maintained its policy of deleting electronic messages every 90 days--eliminating the E-mail in question. Shaw's attorney argued that Hughes had destroyed evidence, so the jury should consider the missing evidence as "favorable" to Shaw. The judge agreed, and the jury subsequently awarded Shaw $593,000 in damages, including $90,000 related to the destruction of the evidence, which raises another critical question: "Why did you delete it?"

Pay now...or later

If a company needs to review E-mail contained in 12 monthly backup sessions, it must consider the following costs, and this may be just a portion of electronic discovery costs.

Task: average person-hours (not machine time)

Restoring the sessions to a drive (not one in use): 100
Redacting E-mail to eliminate duplicates: 250
Converting E-mail messages to text for easier search/manipulation: 250
Searching and printing: 60

Total cost (at $150 per hour): $99,000

Cost to hire a third party to develop an electronic risk control plan, which aims to reduce the cost of discovery by cleansing systems of unnecessary data: $20,000 to $75,000

Source: Computer Forensics Inc.




10/6/97 PCWEEK 111