The Case for Electronic Conversation Jon Neiditz [email protected] Partner and Information Management Practice Leader Nelson Mullins Riley & Scarborough

Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

DESCRIPTION

This presentation is designed to change the way in which you look at electronic communications, and to pave the way for new communications technologies that offer the privacy and security of a hallway conversation with the efficiency and convenience of asynchronous communication through electronic text.

Page 1: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

The Case for Electronic Conversation

Jon Neiditz

[email protected]

Partner and Information Management Practice Leader

Nelson Mullins Riley & Scarborough

Page 2: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Discussion Agenda

1. How the unintended consequences of email got us here
2. Current demands on lawyers and companies
3. Best available means of coping with the complex environment we inherit
4. Rethinking communications technology for:
   • record creation and
   • communications for which a record is inappropriate or unnecessary
   • enabling the "hallway" conversations of the past

Page 3: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Seeds of the Tragedy of Email

1. The invention of email
   • Replacing speech itself due to the efficiency and convenience of asynchronous communication
   • Offering the illusion of privacy as in a conversation between two people
2. The tragic flaw
   • Emails were given eternal life and ubiquity
   • In our society, permanent, public utterances made under a false belief in privacy are the ideal fuel for litigation and investigations
   • Social networking, IM, SMS and other electronic communications approaches have the same flaw

Much care has to be taken with design and education in order for the change to be positive. We don't have natural defenses against fat, sugar, salt, alcohol, alkaloids - or media. - Alan Kay, 1994

Page 4: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Email and the Myth of Tithonus

• When Eos asked Zeus for Tithonus to be immortal, she forgot to ask for eternal youth (218-38). Tithonus indeed lived forever – "but when loathsome old age pressed full upon him, and he could not move nor lift his limbs, this seemed to her in her heart the best counsel: she laid him in a room and put to the shining doors. There he babbles endlessly, and no more has strength at all...." (Homeric Hymn to Aphrodite)

• In later tellings he eventually turned into a cicada, eternally living, but begging for death to overcome him.

Tim Berners-Lee forgot to make an expiry date compulsory ... any information can just be left and forgotten. - Brian Carpenter, 1995

Page 5: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

How the Story Unfolded

1. Since emails have become the central focus of litigation and investigations, Zubulake and progeny impose sanctions and adverse inferences for failure to preserve or produce relevant emails.

2. Enormous risks and uncertainties have led many to "keep everything."

3. Keeping everything exacerbated the huge search costs of sifting through the terabytes of data in search of smoking guns.

4. FRCP changes tried to mitigate the unbearable costs of ESI disputes by encouraging early agreements on ESI, but early discussions only accelerate the searches and their costs if ESI is not limited and organized.

Faith in law will not be an effective strategy for high-tech companies. - John Perry Barlow, 1994

Page 6: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Pandora's Box of New Media Released by the Nostalgia for Synchrony

• IM, SMS/Text, Blackberry PIN-to-PIN, Twitter and other new communications media were born out of the desire to recapture the immediacy of spoken conversation in a multitasking world

• All of them share the tragic flaw of email; they can be recorded, if not by you, then by the other side

• Their proliferation can make the explosion of volume posed by email into a much bigger problem for organizations

Page 7: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

How Messaging has Changed Counsel's Role

• Case law puts increasing demands on counsel to assure and attest to detailed and consistent processes relating to:
  – holds
  – searches
  – record, document and ESI retention and destruction programs
• These demands (together with information security, privacy and other issues) force counsel to control or represent complex controls on information

Page 8: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Holds: Attorney Accountability for a Complex Compliance Process

• Cache La Poudre Feeds, LLC v. Land O’Lakes, Inc., 244 F.R.D. 614 (D.Colo. 2007)
  – Court faults Land O’Lakes for simply directing employees to produce relevant information, and then relying upon those same employees to exercise their discretion to determine what information to save, rather than actively supervising a process.
• Google v. Am. Blind & Wallpaper Factory, 2007 WL 1848665 (N.D.Cal. 2007)
  – Google alleges American Blind efforts to preserve, collect, and produce relevant evidence inadequate.
  – American Blind asserted preservation notices were sent to custodians.
  – Court ordered American Blind to provide declarations stating “what they did with respect to preserving and collecting documents.” (emphasis in original)

Page 9: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Search Methods and Performance Closely Scrutinized

Peskoff v. Faber 240 F.R.D. 26 (D.D.C. 2007)

"Once the search is completed...Defendant must also file a statement under oath by the person who conducts the search, explaining how the search was conducted, of which electronic depositories, and how it was designed to produce and did in fact produce all of the emails I have just described . . . An evidentiary hearing will then be held, at which I expect the person who made the attestation to testify and explain how he or she conducted the search and ...why I should find the search was adequate."

Page 10: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Consistency: The Email that Changed Governance

• AA records retention policy said client documents should be destroyed after an engagement concluded.

• Federal prosecutors said no partner or employee interviewed had ever known about or followed that policy.

• A “reminder email” concerning the policy was sent by AA counsel to AA’s Enron partners, and they began to destroy Enron documents.

• The Government’s case against AA was based in part on the fact that the policy had not been implemented by AA consistently.

“Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the party’s electronic information systems.”

FRCP Rule 37(e)

Page 11: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Surely an ESI Map Will Help….

Page 12: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

The Trend in Security Incidents and Their Detection

Page 13: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Layers of U.S. Information Security Laws

• HIPAA Security, and now ARRA/HITECH
  – Coming soon to business associates near you
• GLBA Safeguards
  – Applied beyond financial institutions under FTC’s broad Section 5 consumer protection powers ("Unfair Trade Practices"), since 2004
• State Breach Notification Laws in 45 States, D.C., P.R. and V.I.
• Federal Breach Notification
  – HIPAA Breach Notification from ARRA
  – FTC Breach Notification from ARRA
• Broad State Requirements of Security for Personal Information in 10 States (now establishing the high bar in several of them)
• FCRA/FACTA: Disposal Rule and Red Flags Rule
• State Secure Destruction Laws in 23 States!
• State SSN Protection Laws in 29 States!
• Sarbanes-Oxley
• Other ID Theft Laws

Page 14: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

ARRA: Extreme Rights-Based Approach to Notice-Triggering Information

State (More or Less Harm-Based) Model: "Personal information" means:

– an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

1. Social security number.

2. Driver's license number or California Identification Card number.

3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

4. Other factors added in many states.

– Only 6 states cover paper breaches

ARRA's Pure Rights-Based Model: ANY "Unsecured" Protected Health Information (including paper)

– DHHS tries to infer a harm-based standard from "compromises" in its interim final rule
– Waxman et al. attack
– Congress will probably win given the statutory language
– The outcome will make no sense whatsoever as policy
– Defensible destruction of electronic communications never looked so good

Page 15: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Stimulus Act – Encrypt or Destroy

• Only 2 approved methods for protecting: encryption or destruction.

• 2 types of encryption specified: for data at rest (with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices) and for data in transit (those that comply with the requirements of Federal Information Processing Standards ("FIPS") 140-2). So if the standards are adopted as proposed, encrypted email should meet FIPS 140-2.

• 2 methods of destruction specified: for non-electronic media (paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed) and for electronic (electronic media should be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved).

• Only applies to breach, but DHHS standards for encryption and destruction are likely to have broader impact.

Page 16: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

FTC Best Security Practices

A sound data security plan is built on 5 key principles:

1. Take Stock
2. Scale Down (e.g., destroy)
3. Lock It (e.g., encrypt)
4. Pitch It (e.g., destroy)
5. Plan Ahead

Page 17: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

PCI DSS – The Ultimate "Encrypt, but When it Really Matters, Destroy" Message

* Data elements must be protected when stored in conjunction with PAN

Page 18: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Expect Large, Ongoing Legal Changes in These Areas:

• The Cloud
  – Privacy
  – Security
  – eDiscovery
  – Records Management
  – Authenticity/Admissibility/Enforceability of Documents
• Behavioral Targeting
  – Chiefly Privacy
• Defensible destruction of electronic communications will look even better than it does now

Page 19: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

All We Counsel Generally Have are Mitigation Strategies

• Records and information management programs that are:
  – consistent enough to be defensible and
  – simple enough to be consistently applied.
• Training on document creation and recordkeeping discipline with aggressive, defensible destruction of unnecessary documents
• Electronic resources policies that divide electronic communications and collaboration technologies into 3 large categories:
  1. Technologies that may not be used to do Company business, period;
  2. Technologies that may be used to do Company business, but only for "casual" and other "transitory" communications, and not for creation of records or for matters subject to holds; and
  3. Technologies that may be used for the creation of records and to address matters subject to holds.

Page 20: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Key Components of a Records & Information Policy Now

1. Policy document emphasizing accountability and the primacy of holds
2. Simplified, functionally-defined schedule
3. Hold Process
4. Roles and Responsibilities
5. Implementation and Administration
6. Imaging Process for e-Records
7. Separate but closely linked: Electronic Resources Policy that draws the line on electronic resources that can create records and address issues subject to holds

Page 21: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Three Questions

1. What if we had a do-over, a mulligan?
   • How easy would it have to be for end-users?
2. Why can we not have the benefits of the information society without always subjecting ourselves to the detriments of the e-discovery society, the privacy of a conversation with the efficiency of text messages?
3. If you accept the legitimacy of Category #2, why would you fill that bucket with communications technologies that the other side can record?
   • Why keep anything that is supposed to be "transitory?"

Page 22: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

The Sedona Conference Email Commentary Tries to Help

'While some courts are uncomfortable with automatic deletion of active email after a short period, no court has found such a process to be unreasonable where provisions for litigation holds are included and the user has alternative methods of disposition prior to deletion. If discoverable information is not preserved by a user before the copy is eliminated by automatic deletion, but after a preservation obligation has attached, a court will examine whether the use of the automatic deletion feature was “routine” and operated in “good faith,” which is fact specific.

'Notably, an organization is perfectly free to choose the degree to which it relies upon the discretion of individuals in managing email and applying records schedules; It is not an indication of bad faith to rely upon individual user discretion. That said, an organization must provide those employees with adequate training and direction to exercise judgment with respect to the retention and destruction of emails.'

Page 23: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Will Collaboration Software Replace Email?

• The General Counsel of General Motors influenced the Sedona email commentary by taking the position (which it has continued to maintain) that emails cannot be used to create GM records, that records are created only through the use of (engineering-focused) collaboration software.

• Therefore, all emails could with confidence be destroyed shortly after sending or receipt.

• Many organizations similarly now look to SharePoint as the proper future locus of business communications.

Page 24: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Collaboration Software as Email Replacement: Pros and Cons

Pros:
• Takes on the illusion of privacy effectively; people are less likely to write silly, colorful, private things in engineering collaboration software.
• Does not merely rely on denial that emails create records; provides an alternative medium for communicative record creation

Cons:
• 30-day email retention policies always drive underground archiving
• Nothing stops the other side from retaining email
• Email is designed to create records
• "Most things that succeed don't require retraining 250 million people." - Waring Partridge, 1995

Page 25: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Why use a medium designed to create records for:
• Informal communications?
• Internal, preliminary discussions about promotion or discipline of employees?
• Brainstorming (except to prove pre-existing use for IP)?
• Personal communications?
• Personal information that is notice-triggering or a PCI DSS violation in the event of a security breach?
• Unofficial announcements?
• Sales processes – pricing strategy, prospect reactions?
• Project work – client reactions, financial issues?
• Preventing unintentional disclosure of IP and trade secrets?
• For your eyes only (privileged, confidential or sensitive)?
• Other off-the-record conversations?

Page 26: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

The Opposite of GM's Approach: Electronic Conversation

• Email, IM, social networking technologies and other forms of "informal" communication – including all those designated "casual and transitory" – all create records, if not for you then potentially for the sender or recipient, and the court, and the rest of the world, forever and ever.

• Efforts to destroy them soon after send/receive almost always create underground archiving in organizations.

• Instead of trying to define email as recordless (as did GM), what if we instead acknowledge that email and archiving are a good way to keep records (that may or may not be replaced by collaboration software)?

• For communications that are supposed to be transitory, what if we use another communicative method with the intuitive ease of email that does not create records?

Page 27: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

A New Perspective?

“Business is not required to communicate via e-mail. Unless the law or regulators demand a record of your discussion or transaction, private recordless communication conducted in person, on the phone, or via electronic confidential messaging is legal and may be the most appropriate form of business communication.”

Source - ePolicy Handbook 2nd edition

Page 28: Transitory Electronic Communication: Recordless Messaging in the Context of an Information Management Program

Go Ahead, Ask the Hard Questions

Jon Neiditz

(404) 322-6139

[email protected]