
Is Your Email a Ticking Legal Timebomb?

on March 11, 2013

A couple of months ago, I postulated here that, far from being dead, email is alive and kicking in business organizations around the world. We talked about how to secure those messages from attackers, but that’s only part of the problem inherent in managing an email system. There’s another type of outsider to whom you might someday have to give access to all those internal communications: the legal system. Regulatory agencies can demand to audit your mail system, or courts can subpoena stored mail messages that are evidentiary in nature as part of the discovery process in the event of a lawsuit or criminal charges. That means you’d better have a good email archiving system in place. But what exactly are the characteristics of a good system?

According to a study conducted by the Radicati Group, the market for information (including email) archiving is a fast-growing one, expected to reach more than $6.3 billion by 2016. That’s not surprising, considering the ever-increasing number of government and industry regulations, many of which require the retention of business-related email messages and other electronic information for specified periods.

The discovery process is designed to ensure that both sides in a court case (civil or criminal) have access to all relevant evidence in order to prepare their cases. It occurs prior to the actual trial, when the attorneys file discovery requests asking for the production of documents by the opposing party. The process is governed by law (in the U.S., the state or federal Rules of Civil Procedure or Rules of Criminal Procedure, depending on the jurisdiction and nature of the case).

E-discovery pertains specifically to electronically stored information (often called ESI). Email is frequently requested in e-discovery – and although there are some communications that are privileged and not discoverable, the opposing party can ask for anything that might be relevant to the case.

Even small organizations often send and receive hundreds or thousands of messages per week. You don’t want to spend days or weeks searching through those messages, either. If you’re going to be able to provide what was asked for (and only what was asked for) in a timely manner, intelligent archiving is a must.

There are plenty of solutions out there, but choosing the right one can be an overwhelming task. It’s not enough to simply save all email messages; a good system needs to ensure that the messages are easily searchable so you can find what you need, when you need it. There should also be a mechanism for purging messages from the system (if desired) when the retention period has passed. Be aware that even if the retention period for a particular message has passed, if you continue to retain it, it’s still subject to discovery.

Obviously, a core requirement for a good email archiving solution is a reporting tool that can apply business intelligence principles to your email, extracting the information you need from what can be an enormous volume of data. You don’t want to wait until you’re in the midst of a lawsuit to know what’s in your email archive. The best tools can actually help you to prevent lawsuits in the first place, by assisting you to identify potential security breaches and legal issues before the fact.

The reports should tell you if there are emails leaving your organization that contain confidential client information (personal identifying information, social security numbers, credit card information and so forth). This is a potential source of legal risk in light of privacy laws such as the state laws modeled on California’s “Shine the Light” law that govern a business’s exposure of sensitive personal information. The best tools will allow you to analyze the content of the email messages based on keywords or key phrases, and also identify messages that use inappropriate language (which could result in damage to the company’s reputation or, at worst, lawsuits alleging harassment). You should also be able to analyze email traffic patterns, discover to whom outside the company messages are being sent, and track after-hours email activity, which may be more likely to contain illicit content.
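The kind of report described above can be sketched as a small audit pass over archived messages. This is an added example, not code from the article or from any archiving product; the internal domain, the business-hours window and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

INTERNAL_DOMAIN = "example.com"   # assumption: the organization's own mail domain
BUSINESS_HOURS = range(8, 18)     # assumption: 08:00-17:59 in the Date header's zone
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit(raw):
    """Return the list of report flags raised by one archived message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = [a for _, a in rcpts if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:  # sensitive data only matters here when it leaves the organization
        if SSN_RE.search(body):
            findings.append("ssn-to-external")
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body)):
            findings.append("card-to-external")
    sent = parsedate_to_datetime(msg["Date"])
    if sent.hour not in BUSINESS_HOURS or sent.weekday() >= 5:
        findings.append("after-hours")
    return findings

def make(to, date, body):
    return f"From: alice@example.com\nTo: {to}\nDate: {date}\nSubject: test\n\n{body}\n"

# Constructed sample messages (not real data).
SAMPLES = [
    make("bob@partner.test", "Tue, 05 Mar 2013 23:14:00 -0600",
         "Client SSN 123-45-6789, card 4111 1111 1111 1111 on file."),
    make("carol@example.com", "Wed, 06 Mar 2013 10:00:00 -0600",
         "Internal note: SSN 123-45-6789."),
    make("dave@partner.test", "Sat, 09 Mar 2013 10:00:00 -0600",
         "Invoice ref 4111 1111 1111 1112"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(audit(raw))
```

The Luhn check is what keeps the third sample's invoice reference from being reported as a card number; pattern matching alone would flag it.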

In today’s tightly regulated and highly litigious society, it may not be possible to escape being hit with an email audit or subjected to electronic discovery at some point, but if you’ve prepared for that eventuality by enacting well-thought-out policies and following through on them with a good email archiving solution that includes an excellent reporting tool, your response will be less stressful, less time-consuming and less expensive.


About the Author:

DEBRA LITTLEJOHN SHINDER is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and client and server security over the last fourteen years. These include Scene of the Cybercrime: Computer Forensics Handbook, published by Syngress, and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband, Dr. Thomas Shinder, of the best-selling Configuring ISA Server 2000, Configuring ISA Server 2004, and ISA Server and Beyond. Deb has been a tech editor, developmental editor and contributor on over 20 additional books on networking and security subjects, as well as study guides for Microsoft's MCSE exams, CompTIA's Security+ exam and TruSecure’s ICSA certification. She formerly edited the Element K Inside Windows Server Security journal. She authored a weekly column for TechRepublic’s Windows blog, called Microsoft Insights and a monthly column on Cybercrime, and is a regular contributor to their Security blog, Smart Phones blog and other TR blogs. She is the lead author on Windowsecurity.com and ISAServer.org, and her articles have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, webinars and product documentation for Microsoft Corporation, Intel, Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. Deb specializes in security issues, cybercrime/computer forensics and Microsoft server products; she has been awarded Microsoft’s Most Valuable Professional (MVP) status in Enterprise Security for eight years in a row. A former police officer and police academy instructor, she has taught many courses at Eastfield College in Mesquite, TX and sits on the board of the Criminal Justice Training Center there. She is a fourth generation Texan and lives and works in the Dallas-Fort Worth area.

 
