Your CIO calls. He just had a visit from the CEO, who just met with the company lawyer. Maybe an ex-employee is suspected of stealing trade secrets. Maybe a sexual-harassment suit has just been filed against the company. Maybe there's a Securities and Exchange Commission or even an FBI investigation.
In any case, what the CIO wants is e-mail. Not just any old e-mail but e-mail going back five years from two dozen end users, some of whom no longer work at the company.
And you can't just dump terabytes of raw data on the CIO's desk. You need to sort the e-mails by cross-referencing them against a list of 25 keywords. And you have to weed out all the cc's and other forms of duplication.
Oh, and you need to produce hard copies of the e-mails in 14 days, no ifs, ands or buts.
If this scenario occurred at your company, would you be prepared to handle it with ease or would you be headed for a serious meltdown?
In today's world of rampant litigation and regulation, even if you're not an Enron or a WorldCom, even if your company is squeaky clean, it's wise to assume that sooner or later, you will be compelled to produce e-mail records.
In fact, Renew Data, an Austin, Texas, computer forensics company, met with more than 100 of the Fortune 500 this year and found that each company is facing an average of 125 non-frivolous lawsuits at any given time. In any sizeable corporation, "A lawsuit is not an event, it's a process," says Renew Data CEO Bob Gomes.
In addition to lawsuits, regulations can result in requests for e-mails and other documents. Financial-services firms are watched closely by the SEC. Companies involved with the healthcare industry, even tangentially, must comply with the massive Health Insurance Portability and Accountability Act. Inquiries, requests for information and penalties can come from any number of state, industry and federal bodies.
The bottom line is that if you haven't recently overhauled your policies and procedures for saving e-mail, now's the time.
For the past decade, IT managers have worked hard to strengthen lines of communication with the business side of the company. Experts say it's now time for IT to extend that effort to the company's legal department.
"IT should not and cannot dictate the policy" on saving data, says Ray Paquet, an analyst at Gartner. "This is fundamentally a legal issue, especially in publicly traded or highly regulated companies."
When meeting with your employer's general counsel, he says, IT should "make it clear that you'll do whatever he needs done - but that nothing in life is free. Increased data retention costs money."
"Whether companies save too little information or too much, we find that they're often surprised by their data retention," says Simon Platt, leader of the computer forensics practice at Deloitte & Touche in New York. According to Platt, it is IT's job to eliminate this surprise factor. "There's got to be communication between the CIO and general counsel. IT can help [the legal department] understand how much e-mail they're retaining, how much of it can be realistically accessed and how expensive that will be. General counsel can help decide how much [e-mail] the company should be retaining, then set and enforce policies."
Your decision on how and how long to save e-mail should be just one part of an overall data-retention policy. IT, legal counsel and top business executives should formulate this policy, Paquet says, after considering industry regulations and legal precedent. For example, the SEC dictates that brokerages must be able to produce three years' worth of records "immediately" upon request.
So how long should you hang on to old e-mail? There's no concrete answer, but the ever-declining cost of storage is driving many companies to save e-mail for long periods, even if regulators don't force them to.
Solvay Pharmaceuticals, an Atlanta subsidiary of Solvay S.A. in Brussels, Belgium, recently needed to quickly find a year's worth of e-mail messages from certain employees regarding certain topics (Solvay is reluctant to discuss the specifics of the case). The problem was complicated because Solvay uses a third party to manage its Microsoft Exchange servers.
After evaluating various retrieval options, the company turned to Renew Data. Bruce McMillan, Solvay's manager of emerging technologies, says the vendor "was able to search through the e-mail month-by-month, capture it, remove duplications [such as cc's] and put it in any format we needed" more quickly than Solvay's internal IT staffers could have.
After that experience, Solvay changed its data-retention procedures, McMillan says. "We used to recycle tapes after a certain period of time. Not anymore - we're saving everything."