Is your organization relying on lawyers to avoid producing damaging emails by claiming in court that retrieving them is “too onerous and costly?" Or perhaps by having email destruction policies, claiming that emails are confidential communication, or by delivering truckloads of printed emails during a discovery process?
Morgan Stanley tried these strategies and a few more, but the courts have all but eliminated every one. For example, footnote 11[1] in the case against Morgan Stanley states that “…archive searches are quick and inexpensive. They do not cost 'hundred of thousands of dollars' or 'take several months'.” The results of this approach were a string of adverse judgments against Morgan Stanley, including a $1.45 billion judgment in 2005.
Morgan Stanley is not alone. The main body of evidence that put Arthur Anderson out of business in 2002, after 89 years, came from email. Citibank paid $400 million in fines after Elliot Spitzer subpoenaed emails written by stock analyst Frank Grubman. The stock price of the insurance broker Marsh & McLennan dropped by 50% in 2004 after emails showed evidence of kickbacks. In 2005, a federal judge recommended entry of a default judgment against PriceWaterhouseCoopers for deleting emails relevant to a $139 million shareholder suit.
Read more about Email archiving.
Don't let the IT cost tail wag the corporate dog
Our experience is that most email managers and many CIOs are too concerned about the cost of email systems and cannot judge the risks to the business. One email manager at a Fortune 500 company argued passionately for a policy that “only emails backed up should be archived,” because it was a little cheaper to implement. This person knew emails that were deleted immediately would not be backed up and not be put in the email archive system. This line of thinking by an experienced IT professional fundamentally failed to recognize the legal exposure of not being able to definitively claim to a court that every email is archived.
A complete mindset shift is necessary by corporations to protect themselves. Technology should be used aggressively to reduce the risks to the organization. The infrastructure costs are nearly irrelevant in the business decision. Everything should be archived, and organizations should assume that Instant Messages, voice-mail, Blackberries, and other electronically captured data are all on the table to be archived.
Management needs strong processes to ensure that emails are reviewed and audited and any exposures found and eliminated before they become a problem. HR should actively review emails to ensure compliance. Legal departments need to know of any problems before a litigant sees them or even asks for them.
The benefits of this approach are more than just reducing risk and improving legal defenses. They also include knowing more about litigants than they know themselves and using the information aggressively to turn the tables.
What's a CEO to do?
The key questions a CEO or risk manager should ask are: “Does IT have an aggressive plan to ensure that:
- All emails captured are archived?
- All historical emails can be accessed directly by the lines-of-business, HR and legal?
- There is proactive management oversight to ensure all “smoking gun” emails and IMs are found (e.g., any showing evidence of fraud, harassment, collusion, illegal activity, etc.) and appropriate action taken?
- Internal audit, HR, and compliance managers are aggressively using and reviewing the use of email archives?
- The emails in the archive systems are organized according to the principles of provenance (history) and original order, and that emails can be shown not to have been tampered with?”
If the answer is no, then responsibility should be taken away from IT and given to the corporate risk manager to fix within 6-12 months.
Want to read more about implementing Email archiving?
Action Item:
Footnotes: Source: [1] Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co. Inc., (Fla. Cir. Ct. Mar. 23, 2005).