Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2014-09-03 20:00:00. Format, images and links may no longer function correctly.
Management of traditional business information assets was relatively straightforward when the company owned and supplied everything but the phone service to employees. As we move into a cloud-based, Bring Your Own Everything world of remote employees and mobile personal access, the conservative custodial legal hold approach throws such a wide net that it will certainly catch personal communications and other ESI. For smaller U.S. companies, this has driven up discovery costs without causing much concern over the inadvertent trampling of non-existent employee privacy rights. Global corporations are wrestling with segregating ESI from countries with serious civil and even criminal penalties for the same cavalier email harvesting, especially in the European Union. The June 25, 2014 decision by the Supreme Court of the United States (No. 13-132) soundly affirmed the expectation of privacy on mobile devices against law enforcement inspection without a search warrant. While this decision applies only to criminal ‘discovery’, a non-attorney interpretation can easily see potential impact for corporate discovery dragnets. Now that Microsoft’s new eDiscovery Center and most enterprise archives support ‘hold in place’ based on legal hold searches, custodians may lose the ability to ‘clean up’ their personal email and files that have accidentally been archived or migrated to SharePoint. So what can corporate legal and IT departments do when custodial privacy rights demand that their personal ESI be removed or excluded?
For companies that either do not have or do not use systems to preserve emails or files in place against accidental custodial or retention deletion, the main concern will be hold compliance monitoring and giving custodians a documented process for removing or designating non-business ESI. The vast majority of eDJ’s consulting clients have some form of automated retention expiry that acts on email or files in structured repositories/archives. These systems stop or minimize the ongoing creation of corporate data landfills packed with redundant, outdated or trivial non-record content. But automatic expiry requires a practical method for applying legal holds. Preservation collections just move the landfill to legal’s storage, so most corporations opt for ‘hold in place’ searches based on custodial criteria. Here is where we run into problems with private email or files that custodians can no longer delete.
One proactive approach is to recognize that users WILL keep personal ESI in corporate mailboxes and SharePoint sites. If users can designate these folders by a common name or tag, your systems may be able to exclude them from hold searches. This puts the onus for designating private ESI on the custodians and assumes that they will clean up Sent folders or folder/tag items on an ongoing basis. Real-world experience tells me that you will still need a reactive process to remove holds or ‘redact’ private ESI on custodial request. Modern legal hold searches are meant to minimize custodial impact, which means that most custodians do not realize that the items are locked down on hold until they suddenly figure out that their entire personal financial history from that house loan application may be at risk of being collected and reviewed in a discovery matter. Just searching or accessing a user’s business mailbox without their consent may run afoul of strict EU privacy laws in certain countries. I have helped design and implement discovery systems to work around these issues, but they have always included complicated technical/ethical walls that raise the response cost and time significantly. Software companies like Symantec are creating Mobile Application Management suites that segregate/encrypt work applications on mobile devices. These are relatively new technologies, but I believe that the key to conquering privacy issues will be enabling users to run separate profiles and applications simultaneously without serious user impact.
Greg Buckles can be reached at Greg@eDJGroupInc.com for offline comment, questions or consulting. His active research topics include analytics, mobile device discovery, the discovery impact of the cloud, Microsoft’s 2013 eDiscovery Center and multi-matter discovery. Recent consulting engagements include managing preservation during enterprise migrations, legacy tape eliminations, retention enablement and many more.