4 Dec 2019 by Mike Weaver
Inspire: Winning Hearts and Minds
Successful change management requires inspirational leadership. Here’s how to keep your team on track.
Effective December 1, 2015 changes to the Federal Rules of Civil Procedure in the United States will take effect. The change to Rule 37E is particularly interesting from an e-discovery stand point. The change is causing some waves with organizations in how they protect their data. At first glance, the rule change may seem minor and time will tell how it is enforced, but the potential is quite large.
At a high level, in my own words and not as an attorney, the rules in the US are changing from “good faith effort to protect information” to “taking reasonable action to prevent deletion”. The definitions are vague, and the penalties do not have a lot of guidance. The potential for companies to receive high fines for failing to take action to preserve materials is a real risk once this change takes effect. In the day where people can do anything on their smart phones, many fail to understand the challenges around preserving content in large corporate systems. Either way, this change poses a considerable challenge for companies to preserve in-scope data.
In General, the US courts have not been holding companies responsible for failing to preserve documents / items that were on legal hold as long as they did a good faith effort to protect them. This meant that even if the company was required to keep something, if they did a good faith effort to preserve the item, they would not be held accountable. In many cases a yearly compliance course, legal hold notices, and so on were sufficient (“we had a bad employee, but we as a company worked in good faith to create a culture of compliance”). In general, fines would only be levied if the company willingly deleted data. In more recent years, courts have tried to levy fines for companies that didn’t take systematic steps to prevent employees from deleting data. This rule change is trying to set direction on the conflict.
If the data should have been preserved, the company did not take “reasonable steps” to preserve the data, and it cannot be retrieved – then the company can be fined. It is unclear what reasonable steps are; however, the committee notes show the intention is to get companies to take greater steps to preserve their data. The fine should be “no greater than to cure the prejudice”. This is where the definition stops, allowing for a broad interpretation by the courts. The fear is that in a day where people have unlimited drop box storage and can do anything from their smart phone, courts are out of touch on how difficult it is to protect this information from being deleted. This puts companies in a position where they have to make considerable investments to protect their information, regardless of the cost (aka a centralized repository).
The second stage of fines is pretty much the old standard; fines resulting in willfully destroying data to avoid prosecution.
Where do PSTs come in?
PSTs can hold critical emails in a court case. PSTs, or personal folders, can be stored anywhere; laptops, desktops, thumb drives, network storage, and more. For example, if your organization is not backing up this data, (laptops) and an employee deletes items they should not have, you may find yourself in a bad position with this rule change – even if you trained the employee not to delete the items. With the rise in organizations moving to Office 365, Microsoft has also addressed the PST issue with their new Office 365 Import Service. Tony Redmond, MVP, took a look at this service in his blog Using intelligent capture and analysis tools to eliminate PSTs
Most interpret this change as meaning you need to prevent users from deleting this data, and protect the file itself. This is a pretty difficult, and expensive, task.
Instead, most organizations may find it far more cost effective to centralize and get rid of PST files. See our post on Enterprise migration tools for PSTs.
What should I do?
For E-Mail Administrators and Managers, seek advice from your legal department on these changes. Determine how your organization views these changes and how this impacts data problems like PSTs. Centralization projects take time, ensure you give yourself enough time to comply.
For Legal Departments and CEOs, take time to understand the changes – they are important to the future of your organization, and there is no getting away from them. Work with your IT department to understand the risk that is out there. Build a strategy based on your interpretations of the changes and work to clear barriers for the IT department.
We have all been trying to get rid of PSTs for years. However, the driver was usually a combination of technical and cost drivers – see 10 reasons to avoid using PST files. With these changes, senior directors can no longer afford to ignore the risks PSTs pose to their business – you may find the cost avoidance a far higher driver than ever before, and find you have buy-in to complete the task.
Mike Weaver is Product Manager and Pre-sales engineer at QUADROtech. He’s an expert on all things Exchange, Enterprise Vault and PST FlightDeck. When not hard at work, you can find him travelling, training for Triathlons, or roaming the beautiful scenery of the Connecticut Berkshires.