How "Cloud Compulsion" Impacts Legal Preservation and eDiscovery Compliance
By Andy Jurczyk, CIO and M. James Daley, Senior Counsel-eDiscovery and Information Governance and Data Privacy Group, Sey
Cloud computing enterprise email management systems are being implemented, or seriously considered, by organizations worldwide. However, migration to a Cloud-based system is not for the IT faint of heart; it is a significant undertaking in terms of time, cost and legal risk. Before taking the leap, organizations need to carefully consider whether Cloud-based solutions will satisfy their business and legal requirements. That is, will such solutions be judged as reasonable and legally-defensible when tested by Courts, Regulators and Prosecutors?
It’s no wonder that this trend toward “email as a service” is increasing. Generally, 71 percent of global businesses expect to have such applications in the cloud by 2017, and enterprise spending on cloud services is projected to triple between 2011 and 2017. Two principal drivers of this trend are an anticipated reduction in total cost of ownership and keeping pace with changes in technology.
Yet after investigation, many organizations with substantial litigation and regulatory compliance portfolios are finding that Cloud-based email systems don’t satisfy their legal retention and eDiscovery requirements. Why? Because these systems do not provide the email archival features and functionality necessary to support such requirements. Without such compliance tools, they risk substantial regulatory and eDiscovery sanctions as well as costs. And these risks are magnified if an organization’s current robust on-premises capability becomes diluted due to the switch.
For example, the Office of the CIO of the State of Washington, following a detailed requirements gap analysis of Office 365, concluded that due to the State’s legal preservation and eDiscovery compliance requirements:
“Office 365 does not satisfy the state's critical records management requirements to accurately store, protect, search and retrieve email records. This alternative would increase time and effort for records management and increase the risk of failing to satisfy public disclosure and litigation requirements, resulting in financial loss.”
The State of Washington exploratory team also noted: “Microsoft could not provide an operational Archive search environment for the team to evaluate all requirements,
Additional organizations, across diverse industries, have also concluded after investigation that use of Cloud-based email management systems without the addition of separate journaling or archival functions just creates too much legal and business risk. Their experience has also found that expected cost savings from Cloud-based solutions are rapidly eroded by the costs of: migrating essential email to the Cloud; integrating third-party email journaling and archival functions; integrating legal hold process management and notification tools, as needed; unanticipated additional IT resources to fashion PowerShell scripts to enable email eDiscovery searches and collections; increased internet bandwidth (if available), to perform eDiscovery functions in a timely and sufficient manner; and loss of productivity due to a negative performance impact of concurrent Cloud-based eDiscovery operations on email production environment resources.
Even more troubling are records retention and eDiscovery gaps that have been discovered. For example, in reviewing Office 365, Osterman Research notes the following such gaps: an inability to index and search for external SMTP addresses, as well as other values across multiple mailboxes—attributable to a lack of true built-in email journal archiving; an inability to ensure email preservation integrity, because end users can manually modify applied retention policies, and delete messages, thereby creating a risk of spoliation and sanctions; an inability to selectively engage the litigation hold setting in Office 365, resulting in an “all or nothing” choice that, if activated, preserves all email in the entire mailbox, eliminating targeted, discrete preservation at the individual email level and exacerbating—rather than reducing—over-saving; the inability to search bcc and distribution lists, because Office 365 is designed to only search the email sender’s email boxes; an inability to efficiently preserve a departing employee’s email mailbox during the off-boarding process—instead, the mailbox must be manually placed on hold and converted to an inactive mailbox in order to preserve their email; a lack of Legal Hold management, notification, acknowledgement and tracking or other Legal Hold administration functions; a lack of support for broad search criteria, requiring manual selection of individual targets, a search string size limit, and limited ability to search metadata fields; the lack of any “quick peek” early case assessment functionality; an inefficient and potentially data corrupting search workflow process that involves conducting slow, high-volume email data exports in the form of “data dumps”, with a corresponding additional risk of metadata alteration or loss; and an inability to conduct timely and sufficient email searches and exports, due to throughput performance limitations of 1GB per hour, based on Microsoft’s own estimates.
One reason these gaps give pause is that Courts, as well as the United States Department of Justice, Securities and Exchange Commission, and Federal Trade Commission, have adopted detailed eDiscovery rules and specifications, such as selectively searching across mailboxes for external email addresses, blind carbon copy (bcc) and distribution list recipients, and performing horizontal and vertical email deduplication.
Also, many Cloud-based email services separate email message content from email metadata, creating a risk of corruption when the information is extracted and recombined, and provide no support for Chat data—an increasing source for business communication. At minimum, Cloud-based email services require third-party email archival tools to satisfy email preservation compliance and eDiscovery functionality requirements.
How can you help? The CIO must first team with Legal and specialized outside eDiscovery counsel to identify critical requirements imposed by your unique litigation/regulatory portfolio; and second, invest in the due diligence process to validate that these can be met. Otherwise, the anticipated savings will quickly evaporate, replaced by increased infrastructure, resource, and eDiscovery costs, as well as the accompanying risk of regulatory and eDiscovery sanctions and costs.