Commonly asked questions about email usage and policy controls – John Isaza, Esq.

Ask a RIM Law Expert

This is part of a syndicated column I have created for ARMA chapters. My column is devoted to answering information governance, records management, privacy and related legal questions from Chapter Members or sharing my thoughts on current hot topics. As you read my column, please note that although I am an attorney specializing in these areas of law, these are only my opinions. My opinions should not be construed as legal advice. Kindly consult with an attorney for more formal advice.
Over the last several months there has been much brouhaha regarding Hillary Clinton’s admitted use of her personal email account for State Department affairs during her tenure as U.S. Secretary of State. Most recently, it has surfaced that Mrs. Clinton may have deleted emails that were relevant to a pending Federal investigation. Call it “Email-Gate” if you will.
For this column, I will address commonly asked questions about email usage and policy controls, using Mrs. Clinton’s Email-Gate as a backdrop.

How can an organization find out if an executive is using personal email accounts for business? Is it typically after something goes wrong (like a lost laptop or a compromised password)?

Typically this is discovered during routine audits. However, audits may be infrequent or recommendations from audits may be ignored. Therefore, for some organizations it takes an embarrassing event to bring attention to the issue. At its core, the biggest problem arises from the ever-increasing use of personal devices in the workplace, such as mobile devices, or from those logging into work from their home computers or laptops.
The issue of BYOD (“Bring Your Own Device”) to work has been on the radar of most large organizations for the last three to five years. Organizations are definitely trying to set policies around BYOD, but they are succeeding only to varying degrees. Presumably, the BYOD policy will stress that personal email accounts are never to be used for personal business. Unfortunately, in practicality this can be a challenge. When a device has multiple accounts attached to it, one can easily foresee the user erroneously sending a work-related email from a personal account. Once that happens, the recipients may reply to all, and the stage is set for a breach in the BYOD protocol.

What are some good tips for a company to prevent use of personal emails or applications for business purposes?

This goes to the core five sections of the BYOD policy, and the related procedures and guidelines. The key areas to cover include: 1) guidance on acceptable uses of personal devices to transact official business, including instructions on distinguishing personal email account usage from official business accounts; 2) a list of the types of sanctioned devices (e.g., iPad, BlackBerry, iPhone, etc.), and rules of engagement with IT; 3) logistics such as whether the company will reimburse for usage of the personal device; 4) a security section that addresses encryption and other features that must be enabled to protect the data in the event of a loss or breach; 5) a section on risks, liabilities and disclaimers to help protect the organization against employee misuse of the device.
Armed with the BYOD policy, other organizational documents (e.g., Password, Cloud Computing or Social Networking policies) could get into the specifics of training and auditing the policy for compliance, as well as the frequency for these.

Who is at fault for user violation of email protocols?

Ultimately, progress and the competition to stay on top of it are at fault. The adoption of technology has far outpaced the ability of organizations to keep up with it, including the State Department or any others in the government or private sector. Consumers and customers demand the immediacy facilitated by technology, so people, processes and procedures take a back seat in favor of adoption. In the ideal scenario, before any organization rolls out or permits any new technology (e.g., BlackBerries, email tools, social media, content management, etc.), the organization needs to vet its change management (i.e., a controlled roll-out that ensures proper user adoption and compliance), including its ability to audit and monitor compliance. In today’s fast-paced world, however, the audit and monitoring part of the process is constantly a work in progress. Those looking for “fault” should be looking to fault those who do not learn from their experiences. In those instances, those in charge of the roll-out of the program are at fault for not paying attention to system failures.

All that said, a corporate leader confronted with a systematic policy failure, coupled with high-level (customer) demands to keep up with technology, faces a losing battle. The key is to strike a balance between controls and business needs. Few organizations have figured this out, so unfortunately for the State Department this could be a catalyst for more attention devoted to the change management and processes involved before the adoption of technology.

Are personal emails discoverable in court?

Yes. A few courts have already broached this issue. Discoverability depends on which side of the case you fall on. For instance, in Stengart v. Loving Care Agency Inc., Case No. A-3506-08T1 (NJ Sup. Ct, Appellate Div., June 26, 2009), the court ruled that the employee’s personal email communications with her attorney, through her work computer, were not discoverable because the employer she was suing allowed her some personal use of office computers for personal business. If the employer policy had forbidden personal use of office computers, the outcome could have been very different.

In another case, Lake v. Phoenix (Ariz. Ct. App., No. 07–415, 1/13/09), the court noted that courts in the state have distinguished between “public records” and all other records created as a result of government employees’ activities. The issue of public records is a close cousin of the discoverable records issue in litigation. In either scenario, the personal email of an employee is not necessarily discoverable or a public record. It all depends on the context of the communication and the jurisdiction where it occurred.

Such context presented itself in O’Neill v. City of Shoreline, 2010 WL 3911347 (Wash. Oct. 7, 2010). There the Supreme Court of Washington held that emails sent to a government official’s private home email account were subject to Washington’s Public Records Act (“PRA”). On September 14, 2006, Diane Hettick, a private citizen, sent an email to Lisa Thwing, a private citizen, containing criticism of the Shoreline City Council (“the Council”). Thwing forwarded that email to herself and then to Shoreline Deputy Mayor Maggie Fimia and others using the blind carbon copy function. The email to Fimia (the Mayor) was unsolicited and was received “at home on her personal computer.” However, Fimia took the extraordinary measure of reading the email out loud at a city council meeting. As a result, the Court held that an e-mail sent to a personal home computer, but discussed at a city council meeting, is a “public record” and should have been disclosed in response to a request under Washington’s Public Records Act.

What are some best practices in encouraging — or compelling — the deletion of old emails?

All these issues go to the core tension between records retention and the need to dispose of expired data. If the information exists, it is discoverable if it is relevant to the subject matter of the lawsuit or investigation, even if it is merely anticipated or foreseeable litigation. Therefore, it behooves the organization to dispose of needless emails and data before litigation/investigation hits or becomes credibly probable.

If the organization has a retention schedule, and the “record” has expired, then it should be disposed of immediately in accordance with the retention policy, unless of course the expired record is subject to a legal hold at the time. Otherwise, the organization opens itself up for liability and discoverability of emails that could be read out of context. The real trick for organizations is to determine which emails are a “record” that must be retained per the policy, versus all other non-record data that can be disposed of at any time as long as it is not subject to a legal hold.

John Isaza is a California-based attorney, CEO of Information Governance Solutions, LLC and law Partner at RIMON, PC, a twenty-first century law firm that includes specialty in electronic information governance, records management and overall corporate compliance. He may be reached at John.Isaza@InfoGovSolutions.com or John.Isaza@RimonLaw.com. You can also follow him on Twitter and LinkedIn.


Five e-discovery cases worth discussing – John Isaza, Esq.

Ask a RIM Law Expert


This month there are five e-discovery cases worth discussing. We begin with a technology-assisted review opinion.

Judge Andrew J. Peck of the U.S. District Court for the Southern District of New York signed an order on March 2, 2015 in Rio Tinto PLC v. Vale S.A. In it he approved a discovery protocol for the use of technology-assisted review (TAR). In his ruling, Peck stated that “it is now black letter law that where the producing party wants to utilize TAR for document review, the court will permit it.” Nevertheless, Judge Peck noted in a footnote, possibly with a sense of irony, that “where the requesting party has sought to force the producing party to use TAR, the courts have refused.” (Emphasis added.)

The Rio Tinto decision is notable, not only because of Judge Peck’s continuing support of TAR in e-discovery, but because he took the time to succinctly explain how TAR works. The process begins with keyword searches that are conducted on a data set. The top-ranked documents from each search are manually coded as either responsive or not. This is where TAR really comes into play. The coded documents are then considered the seed set used to train a learning algorithm that ranks documents “by the likelihood that it contains responsive information.” At the end of training, the coded training documents are put in the learning algorithm, which identifies a subset as “likely responsive.” These documents are deemed to be responsive and thus receive a score that exceeds a pre-set threshold value. The review set is manually coded, and thus responsive documents are produced.

The above explanation, coupled with the courts’ continuing support of TAR, now begs the question: can we somehow apply this technology and a similar protocol to identify “records” for records management purposes, without relying on end users to declare and classify?

Blue Sky Travel & Tours, LLC v. Al Tayyar, 2015 WL 1451636 (4th Cir. Mar. 31, 2015) is a duty-to-preserve-documents case. The defendants had failed to produce relevant documents despite a court order. As a result, the Federal Magistrate imposed sanctions using a standard that required the defendants to stop their normal document retention policy once they were on notice of pending litigation. The appellate court found the Magistrate’s standard to be an abuse of discretion. The court of appeals determined that the correct legal standard for preservation should be narrower than simply a notice of the pending litigation. The defendants were only required to preserve documents the defendants knew, or should have known, were or could be relevant to the parties’ dispute.

The distinction in this case is subtle but important: mere notice of pending litigation is not enough according to this court. The court deemed that the more correct standard for sanctions turns on what the defendants knew, or should have known, they needed to preserve.

In Perez v. Metro Dairy Corp., 2015 WL 1535296 (E.D.N.Y. Apr. 6, 2014), the plaintiffs sought sanctions for the defendants’ failure to produce certain employment documents. The defendants objected on the ground that those documents had been collected in connection with a different court order on another case. They also claimed they had not had the opportunity to back up their data or make any copies. The court held that “under the specific circumstances of this case,” the defendants had no obligation to make copies of their data before complying with the court order. The court found no indication that they “acted with any intent or knowledge that the records would be unavailable to plaintiffs in discovery.” Thus, the court could not find that the defendants acted with the “requisite culpable state of mind” and denied plaintiffs’ motion for sanctions.

Gladue v. Saint Francis Medical Center, 2015 WL 1359091 (E.D. Mo. Mar. 24, 2015) is an employment case. The plaintiff sought sanctions for the spoliation of emails. After the plaintiff had been terminated from employment, but before the plaintiff had filed suit, the defendant deleted the plaintiff’s emails as part of a routine audit procedure. Once the defendant learned of the lawsuit, it attempted to retrieve the emails by conducting a systemwide search for emails sent to or received from the plaintiff in the accounts of every employee identified in the parties’ Rule 26 disclosures. This resulted in 24,000+ email threads. However, the defendant admitted that in all likelihood it had not retrieved every relevant deleted document. Thus, plaintiff sought sanctions for spoliation. Under these facts, the court held that the defendant had no duty to preserve when it deleted the emails after the plaintiff’s termination of employment, since it did not know of the pending lawsuit or did not anticipate it. The court lauded the medical center’s attempt to recover the deleted emails, an exercise that actually yielded a sizable number of emails. All that said, the court deemed that the missing emails were not relevant to plaintiff’s claim, and thus denied plaintiff’s request for sanctions.

Both Perez and Gladue demonstrate how the courts are already beginning to back off the former knee-jerk temptation to issue sanctions at the mere claim that information was destroyed. The pendulum may be swinging in the other direction.

Lunkenheimer Co. v. Tyco Flow Control Pacific Party Ltd., 2015 WL 631045 (S.D. Ohio Feb. 12, 2015) is almost a case of “anticipated litigation,” but not quite. The key fact here is that Tyco Flow is an Australian corporation. The discovery issue concerned whether the defendant had a duty to preserve prior to answering the complaint and consenting to jurisdiction in the United States. The court found that although the defendant was a foreign corporation with no presence or significant sales in the United States, it was not excused from its duty to preserve solely because it was a foreign company. Nevertheless, the court found that the duty to preserve “arose when Defendant was served with the complaint in December 2011.”

It is surprising that the court did not delve into Tyco Flow’s knowledge of anticipated litigation prior to service of the complaint. It appears the court gave the defendant the benefit of the doubt because it was foreign.


Ohio State University – Archives@50

Archives@50

University Archives 50th Anniversary Open House and Reception.
Come toast the University Archives, take a tour of our facility, participate in a hands-on experience with interesting and unique artifacts, and watch rarely seen historical film footage.

For more information: http://library.osu.edu/find/collections/the-ohio-state-university-archives/archives-50/

Date: May 14, 2015
Time: 4:00-7:00 pm; short program at 5 pm
RSVP: Ashley Foster by May 1 at 614-292-8174 or foster.912@osu.edu

Location: Archives and Book Depository Building 2700 Kenny Road Columbus, Ohio 43210

Ask a Law Expert by John Isaza, Esq.

“This is part of a syndicated column I have created for ARMA chapters. My column is devoted to answering information governance, records management, privacy and related legal questions from Chapter Members or sharing my thoughts on current hot topics. As you read my column … ” Ask A Law Expert By John Isaza – 2015 January

————

From John’s bio on RimonLaw.com
“John Isaza, Esq., FAI heads the Information Governance & Records Management practice at Rimon. Mr. Isaza is internationally recognized in the emerging legal fields of information governance, as well as records and information management (RIM). He is one of the country’s foremost experts on RIM issues, electronic discovery, and legal holds. He has developed information governance and records retention programs for some of the most highly regulated Fortune 100 companies, including related regulatory research opinions. His clients range from the Fortune 100 to startups.”