Nix Smoking Gun Text, E-mail, e-Discovery

Self-Regulation In the Networked Age

Cell Phone, Instant Messages (IM) & Twitter in Litigation and Investigations

The Institute for the Advancement of the American Legal System (IAALS) issued a major report on how businesses can prepare for e-discovery. E-discovery is the requirement to disclose relevant electronic records in litigation.

Electronic business records are dangerous because they can evidence illegal or embarrassing conduct. Foolish employee e-mail, IM, text or cell phone messages can be hard for a corporation to defend in court.

So, as a matter of policy, what is a corporation to do?

The usual response is to place e-records on a short retention schedule, like 180 days. But systematic destruction of e-records brings its own troubles. Court cases penalize enterprises for destroying records too early.

So rather than recommend that businesses destroy records quickly, IAALS recommends that businesses organize electronic records so they are easier to search. A key tool for good organization and searching is an e-mail archival system.

The idea is that most businesses, most of the time, try to be ethical and law-abiding. If they can search for and find all their records, they can find the ones that tell a favorable story. On balance the good records will often outweigh the few bad ones.

Managing Risk
An additional response draws from the philosophy that just as information technology breeds risk, it can be used to reduce risk and provide healthy feedback.

Information technology is all about communication. The communication in employee e-mail will sometimes be unfortunate. But the damage from unfortunate messages can be mitigated by positive messages. Technology enables a business to propagate positive messages.

Here is an example of a positive message: "Acme Corporation does not condone unethical, unfair or illegal activity or statements on the part of itself or its employees. The company repudiates any such activity or statement, and wants to correct it if it ever exists. If any person knows of unethical, unfair or illegal activity or statements by the company or employees, Acme asks that person promptly to notify the company." To get this message out, technology affords corporations myriad tools.

Such a message can be posted on web sites and business-oriented social network pages. It can be published in product catalogs or with purchase orders. It can be referenced at the bottom of e-mails or text messages, or in IM sessions. It can be stated multifarious ways – a corporation can rotate 25 different messages at the bottom of all e-mails. Thus, when bad e-mails are later revealed to an opponent in e-discovery, they include positive statements to temper the negative ones.

The multitude of messages can include humor. A humble example:

Such a message is like the sign on the back of a commercial vehicle: "Report unsafe driving at 1-800-XXX-XXXX." Not only does it hasten the delivery of critical information to the company when it has a problem, it nurtures a culture of honesty and ethical behavior. When an employer repeats a policy through multiple media, employees absorb it.

Legal Incentive
Our legal culture rewards enterprises that genuinely regulate themselves. The Federal Sentencing Guidelines prescribe reduced sentences for corporate criminals that implement programs to deter and report wrongdoing. Government prosecutors are naturally more lenient on defendant organizations that earnestly strive to keep their houses in order. (See the statement of Deputy Assistant Attorney General Robert S. Litt.)

When an enterprise broadcasts it wants to do the right thing, and it requests notice if it is failing, the enterprise casts a burden on its potential adversary (or whistleblower). Effectively the enterprise says, "If you are being mistreated, or if you witness misbehavior, then please tell us now so we can bring it to a swift end and repair the damage." If, after getting this message, an adversary delays in reporting bad news she possesses, she may be opening herself to blame or discredit.

Inspiration from Sexual Harassment Law
Consider the Ellerth/Faragher line of cases in the sexual harassment field. Those cases say an employer is absolved of liability if it maintains a reasonable program against sexual harassment and the harassment victim fails to take advantage of the remedies available under the program.

By the same token, the video above shows a business that is genuinely promoting a program and culture of compliance. If adversaries like regulators, whistleblowers or plaintiff lawyers do not take advantage that program and report the bad behavior promptly to the business, then the adversaries' credibility diminishes.


Mr. Wright teaches the law of data security and investigations at the SANS Institute.

New for 2012: How to archive text messages as legal evidence.

For more corporate record retention, see my article on e-mail archives.


  1. Ben,
    I feel that yes, IT can be used to reduce risk wrt e-discovery. The key word being can. Unfortunately, I see most IT departments not performing the proper vulnerability/threat assessments or putting risk mitigation plans and policies in place to keep the e-records secure.

    A 2006 Ponemon Institute estimate puts 78% of all data breaches are by authorized insiders. Obviously, that definition may be a little broad, but most of that 78% will likely be administrator privileged staff with no checks and balances. These folks may erase logs, adjust privileges, and bypass most security measures. We're not talking email here. If lawyers are investigating some of these events, email retention is of interest, such as in the Microsoft anti-trust case. Email and messaging are neat and tidy. They reside on a few central servers, and the backup, retention, and search methodologies are in place.

    However, in cases where Intellectual Property theft, insider trading or just general corporate malfeasance occurs, you'll also want file shares or local desktop documents. If you don't digitally shred all of those files on time, essentially breaking your retention policy, you run the risk of a judge ordering you to produce everything. Including those files scattered across the enterprise.

    I do see the benefits of positive messages for offsetting negative emails. How do you offset a negatively focussed IT administrator?

    - Jon-Michael C. Brook

  2. Ben-

    I appreciate your comments on my 10 Tips for Evaluating Ediscovery Solutions blog.

    You are absolutely correct that our criminal justice system provides better treatment for individuals and organizations that self-report, investigate and institute rehabilitative actions for wrongdoing.

    As a Colorado licensed attorney, I've had cases where the District Attorney drops charges or substitutes suspended sentences, deferred sentences, and probation for jail time when the Defendants initiated their own remedial and rehabilitative measures.

    And making public statements about intolerance of illegal activity is a good idea. However, it can be a double-edged sword. Companies must set up programs to investigate and deal with reported employee wrongdoing. Those public intolerance statements can be counter-productive if complaints are made and nothing is done about them.

    In my experience, which is primarily limited to state courts, individuals and companies that make a public fanfare of what good citizens they are, and how they don't tolerate related wrongdoing, can get harsher penalties if they don't follow through.

  3. Ben,

    Thanks your your comment in my Death By Email blog.

    While I agree that efforts such as these would help companies, I think that most of the companies that I speak with actually believe that your proposal would increase their risk.

    When we released the InBoxer Anti-Risk Appliance, we emphasized our ability to use language technology to monitor for risks -- such as harassment and privacy violations. We developed sophisticated language models to rate messages on a scale of 0-100 and then to act in real-time based on the ranking.

    Lawyer after lawyer told me that they felt that such a product would increase their risk -- unless they treated every message InBoxer identified as a complaint. If they did not, could not the claimant say that the company had the technology to handle complaints -- but did nothing.

    Since complaints are time consuming and costly, they wanted nothing to do with it!

    I remain shocked.

  4. Ben, thanks for stopping by to comment. We met last fall in Folsom, CA when you came on site at my employer to give the SANS "Business Law and Computer Security" class. Glad to be acquainted with your blog. - Steve Watson

  5. Ben, I like your thoughts regarding the proactive use of technology to communicate corporate policy. And your comment on my blog, the Enterprise System Spectator at

    I would love also to get your feedback on my main point--that e-discovery tools are eliminating much of low-value work that law firms typically do in manually searching paper files :-)

  6. Alan Kaplan sent me the following comment: "I don't agree. The policy, as described, is merely a self-serving artifice. Certainly employees have to be indoctrinated on both legal and company standards that are expected. However, memorializing them on video or on the Goodyear blimp does nothing to convince me that management did anything more than that necessary to try to cover their ass.

    "What is necessary is a sincere effort to do the right thing. The best way to be able to defend that as company policy, is to invest in a viable, real-world inspector general type unit. That unit would report to the CEO or Chairman of the Board. The unit would be charged with investigating all violations of law or company policy.

    "This structure is a lot more than paying lip service to "doing good". When that day comes this approach leaves the company and a very defensible position."

  7. Alan: I appreciate the comment. I absolutely agree with you that a sincere effort is necessary! The policy I suggest should not be mere lip service. Maybe the video could be improved by removing the CEO and putting in his place the firm's Inspector General. --Ben