Cool Green IT Products from DNS-DIRECT


Sunday, 7 November 2010

Email laws you should know about.



Overview
The purpose of this email archiving white paper includes (amongst other things):
            to highlight the importance of proper and up to date email archiving;
            to provide specific examples and scenarios to show why proper and up to date email archiving systems are essential for your organisation's well being; and
            to show why it is important for organisations to review and consider their email archiving systems, processes and policies now.
Many information managers will say that basic, usually folder-based search-and-retrieval functions in their email applications are simply not enough to rise to the challenge of their organisation's business needs, and that an up to date, state-of-the-art email storage facility with enhanced retrieval and management capabilities is the only viable solution if an organisation wants to make the most of the email information that it holds and to protect itself against claims made against it.
The need for proper and up to date email archiving is pressing because the use of business email has grown exponentially over a relatively short period of time, bringing with it the huge advantages of worldwide, low cost, easy and near-instantaneous communication. But as everyone directly or indirectly involved in the management of IT systems knows, the growth in email usage has brought its own challenges.
The concept of information governance is not a new one, but the challenge posed by the sheer volume of information generated by email is. Even organisations with well-defined and well-enforced policies on the use of traditional communications have struggled to police electronic communications. The sharing of internal information is a key challenge for many large organisations, and unless information can be easily located and retrieved, an organisation can risk confusion, duplication of effort, embarrassment and wasted costs.
On top of these costly irritations, the same organisation may also suffer more serious losses resulting from an inability to take action against wrongdoers, and an inability to defend itself adequately against legal actions, some of which might be based on questionable evidence.
Where organisations have not really reviewed their email archiving systems or policies, or are unwilling or reluctant to address email archiving because it has not been prioritised, recent legal and commercial developments are likely to make them think again about how email archiving is dealt with in their organisations.
Legal compliance
Legislation that has come into force makes it a sensible step for organisations to have reliable and secure email archiving solutions in place. Some of this legislation is explained below.
1.            Industry-Specific Regulations
Organisations will need to pay specific attention to the regulations governing the vertical industries in which they operate. For example, the Financial Services Authority (FSA) is the independent body that regulates financial services providers in the UK under the Financial Services and Markets Act 2000 (and any updates to that Act). The FSA lays down strict requirements to protect the consumer against malpractice, and has wide investigatory and enforcement powers to ensure those requirements are observed. The FSA's rules require all financial institutions to retain all business emails sent and received for up to six years, and some emails indefinitely, so that cases can be reviewed.
2.            Data Protection Act
The Data Protection Act 1998 ("DPA") applies to the private and public sector alike and continues to create headaches for those with poor data management facilities.
The DPA gives individuals the right, on producing evidence of their identity, to have a copy of personal data held about them. Personal data covers information that relates to a living individual from which that individual can be identified, where that information is processed automatically as part of an electronic mail system, as well as manually and in other automatic processing contexts. Without the ability to retrieve reliable information, and an accurate audit trail, an organisation will be exposing itself to unnecessary risks.
The definition of "personal data" was narrowed by the Court of Appeal's decision in Durant v Financial Services Authority [2003] EWCA Civ 1746, in which it was decided that, for information from which an individual can be identified to be personal data, an additional requirement is that the information has to be focused on the individual, biographical in some significant sense, and likely to affect the privacy of that individual.
Guidance on the definition of personal data has also been provided by the EC Article 29 Working Party. The Working Party has issued an opinion which attempts to summarise the "common understanding of the concept of personal data" amongst EU Member States.
The opinion, published in June 2007, analyses the four main elements which make up personal data, namely: (1) "any information" (2) "relating to" (3) "an identified or identifiable" (4) "natural person".
The Working Party adopted a wide interpretation which contrasts with the approach taken by the English Court of Appeal in Durant v Financial Services Authority. Whilst the opinion is not binding, it does provide a basis for the interpretation of the EC Data Protection Directive (95/46/EC) by data controllers and national data protection authorities.
In any event, all this activity in retrieving personal data pursuant to a subject access request must be completed within the 40-day time limit for compliance, which runs from the date that the request and the fee have been received, and the retrieved information must be assessed to remove third party data and other information that should not be disclosed. Organisations recovering personal data from email records are only entitled to charge a fee of up to £10 (although other charges may apply for certain types of information, such as manual health records). In practice, the task of retrieving personal data requested by an individual under the DPA can be onerous, and so there is a cost benefit in ensuring that requested emails can be retrieved as quickly and easily as possible.
The DPA also requires organisations to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of personal data. In the context of email management, this means that access to any email system and related storage should be controlled, whether that access comes from within or outside the organisation. What is "appropriate" depends on the state of technology at the time the requirement is being considered, and the cost of that technology relative to the likely harm to the individuals whose data may be processed. An average workplace email system is likely to contain a large amount of personal data, some of which will be classified as sensitive personal data under the DPA. Sensitive personal data requires a higher standard of security than other types of data. For example, the system may contain details of an employee's health, or details of action to be taken against an employee for criminal wrongdoing. This sensitive personal data needs to be treated with special care, and so an encrypted, access-controlled archive is likely to help fulfil this requirement, and to provide an essential backup should the main system fail in a way that leads to loss of personal data and sensitive personal data.
3.            FOIA
One of the most striking aspects of the Freedom of Information Act 2000 (FOIA) is that it is retrospective. Public authorities are obliged to provide information in emails generated before the date the FOIA came into force, which forces them to search through archives when requests for information are made. Cases suggest that if a document is at all recoverable (for example, a trace of it remains on the network) it must be retrieved in order to comply with the FOIA. Many of those charged with information governance have concluded that basic, usually folder-based search-and-retrieval functions in their email applications are simply not enough to rise to the challenge, and that a state-of-the-art email storage facility with enhanced retrieval and management capabilities is the only viable solution.
Public authorities are also expected to comply with a statutory code on records management issued under section 46 of the FOIA (the "section 46 Code"). Very early in the history of the FOIA it was anticipated that records management (or rather a lack of it) would be a major hurdle for compliance with the new right to public information. The Code requires all public bodies to treat the records management function "as a specific corporate programme". It emphasises that electronic records, such as emails, should be managed with the same care accorded to manual records, and that the records management programme "should bring together responsibilities for records in all formats, including electronic records, throughout their life cycle, from planning and creation through to ultimate disposal."
Winning Business
The current economic climate means that organisations face a competitive environment when competing for and winning new business. As customers become more aware of and concerned about keeping their data and information secure, they will want to ensure that their suppliers have systems and processes in place (including safe, secure and reliable email archiving systems) to keep customer data and information safe and secure.
Examples of customers that might be particularly concerned about how their suppliers deal with their information (including how emails are handled and stored) include:
a.            Government departments (e.g. the Ministry of Defence): information passing between government departments and their suppliers can be particularly sensitive;
b.            Financial institutions (e.g. banks and insurance companies): financial institutions need to ensure that their end users are confident that end user information is always handled in a safe and secure way by the institution itself and by its suppliers;
c.            Companies listed on the stock exchange: this is particularly important because leaks of sensitive information such as M&A activity can affect the share price;
d.            Companies in highly competitive and fast moving areas: here leaks of information could lead to large losses or missed opportunities;
e.            Companies in highly creative areas: here leaks of data or information could stunt or destroy new ideas or their impact upon the market; and
f.            Firms such as solicitors, accountants and investment advisers: here professional regulations, rules and guidelines may insist that information (including emails) is kept confidential, safe and secure.
Because customers such as these need to keep their emails safe and secure and to have appropriate systems in place to do so, they will naturally expect any suppliers they engage to have equivalent (or better) email processes and systems in place to secure and safeguard emails and data. Suppliers that can demonstrate that their email processes and systems are of a high standard will find it easier to attract business from customers like these.
Protecting the Organisation
1.            The Employment Tribunal
As anyone involved in IT security will know, some of the greatest threats to an organisation come from within. Email misuse is an ever-present threat which needs to be managed carefully, and in many cases email will provide evidence of other types of wrongdoing. As many employers will know to their cost, employees are well protected under law, and the employer needs to be sure of its grounds before making a dismissal. Without the ability to retrieve reliable information from emails, and an accurate audit trail, an employer will be exposing itself to unnecessary risks.
In some cases there will be insufficient evidence to justify action against an employee who is clearly not behaving in the interests of the employer; in others, the fairness of a dismissal made on suspect evidence will be challenged in an Employment Tribunal. The maximum compensatory award in an Employment Tribunal for unfair dismissal claims is currently £65,300.
However, if a dismissal is made without sufficient evidence for that dismissal, an employee may claim that the dismissal was founded on discriminatory grounds, such as race or sex, which entitles an employee to unlimited damages (plus a possible additional award of damages for injury to feelings which can be increased in certain exceptional circumstances). It should also be noted that only in very unusual circumstances will an employer be able to recover its legal costs if it is successful in an employment tribunal.
In relation to disciplinary action, an inability to take decisive action, or to detect wrongdoing, because of poor records management will weaken the employer's ability to enforce its disciplinary policy when it needs to. If there is a hit-and-miss approach to enforcement, it is far easier for a sacked employee to allege unfair treatment because previous offenders escaped with lesser penalties.
The evidence obtained from an insecure and unreliable system that is not governed by clearly documented and enforced rules will be open to dispute and questioning by the opponent.
Hence, for this type of situation it is crucial to have accurate, up to date and complete email records in place in order to ensure that the organisation has all the relevant information at its disposal in a short period of time.
2.            Court Actions
a. Overview
Litigation has become a fact of life and so organisations have to have everything at their disposal that can help them avoid litigation and, if litigation occurs, help them limit any losses that they may suffer.
In most Court cases, a wronged party has six years from the date that a contract has been breached or a civil wrong committed to bring a court action.
Even when a court action is taken promptly, a case may not come to court until several years after the event, and memories of the exact events will be hazy, or those involved may be unwilling, or may refuse to be witnesses. Some witnesses to the relevant event may have left the organisation or may be difficult to trace (particularly if they have moved abroad).
Often the only clear, contemporaneous evidence will be contained in emails. Conversely, an organisation may need email evidence to launch its own action to protect its position. A party in a dispute may have a significant advantage over its rival if it can retrieve the evidence faster.
Without proper email archiving in place, organisations may end up scrambling around for emails and information in response to court orders and the other side's requests for information. This loses valuable time and can lead to additional costs and delays, which can ultimately damage the organisation's case, because information that is readily available can be analysed and considered by lawyers much sooner.
Further, the lack of readily available evidence may lead an organisation to settle a dispute that it might otherwise have fought and won, had proper email archiving processes and systems been in place to store, search for and find all relevant emails in a short space of time.
b.            Civil Procedure Rules: Practice Direction 31
Practice Direction 31 of the Civil Procedure Rules makes it clear that email and electronic communications are documents capable of being disclosed by the parties to a litigation. The practice direction also highlights that even where an email has been deleted, if it is reasonably possible to retrieve it, it should be retrieved.
The definition of an electronic document includes email, other electronic communications, word processed documents and databases. It can cover:
            readily accessible emails stored on computer systems and other electronic devices;
            emails stored on servers and backup systems (e.g. archived emails);
            emails which have been deleted but which may be recoverable from a computer's hard disk (deleted data); and
            information about the history of the email (metadata) which is stored automatically whenever an email is created.
It is also worth noting that potential locations for emails that need to be disclosed include:
            PCs, laptops and electronic notebooks;
            mobile phones, PDAs and other handheld devices such as BlackBerrys and iPhones;
            databases;
            servers, backup tapes and off-site storage; and
            portable storage devices (CDs, DVDs, discs and memory sticks).
The key point here is that discussions and disclosure relating to relevant documents will go far beyond what is located in filing cabinets and correspondence files, and will extend to emails that may be located in various places such as on mobile phones or on portable storage devices.
An additional point to note is that the weight attached to favourable evidence depends on the reliability of that evidence. The evidence obtained from an insecure and unreliable system that is not governed by clearly documented and enforced rules will be open to dispute and questioning by the opponent.
Organisations that are able to demonstrate that email evidence has been created, compiled, stored and retrieved in accordance with good industry practice are likely to enhance the reliability of that evidence. Indeed, where an organisation can show by production of supporting evidence that the system in which the email evidence was held is secure and separate from the main system, that there is an audit trail, and that the policy in relation to archiving is consistently applied, that organisation has the best chance of its evidence being believed.
Where it can be shown that the policy is consistently applied because the system operates in accordance with policy rules, rather than human compliance, the weight of the evidence can be even greater.
Updates to CPR 31
The Civil Procedure Rules Committee has recently released "Practice Direction 31B" in draft form, together with an accompanying questionnaire. Its purpose is to encourage and facilitate the disclosure of electronically stored information (ESI) in a proportionate and cost-effective manner based on the completion of the questionnaire.
It is proposed that the questionnaire will ask the parties to consider issues such as:
            the date range that the searches should cover;
            the custodians or creators of documents;
            the forms of communications and electronic documents that were used;
            the database systems and document management systems which may contain disclosable data; and
            the appropriateness of using keyword searches or automated searches as part of the process of determining which documents should be disclosed.
Completion of this questionnaire by the parties would provide key information in a structured manner and would allow the early identification of issues that might arise in relation to searches for electronic documents.
In addition, it has also been suggested that the questionnaire should include a section entitled "Disclosure of electronically stored information", requesting information from the parties on whether they hold documents in electronic form; this clearly shows the importance attached to information such as emails.
c.            The British Standards Institution Code (the BSI Code)
The BSI Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically relates to the authenticity, integrity and availability of electronically stored information. It is particularly relevant where evidence is used in disputes between parties. ISO 15489 (BS ISO 15489-1:2001) is the international standard on records management. As there is overlap between the BSI Code of Practice and the international standard, the 2004 revision of the Code of Practice was intended to ensure that the two documents could be implemented together.
Compliance with this Code does not automatically ensure that the documents relied upon are reliable; however, it may strengthen any claim of authenticity. Conversely, failure to comply with the Code may leave an organisation open to the suggestion that its evidence lacks integrity.
Failure to have the best possible archiving system and procedures could mean the difference between winning and losing an important case. It may also have a significant impact on the cost of the litigation. A poor retrieval system means added expense in the form of IT experts needed to filter all the available data, identify potentially relevant documents, remove duplicate documents and process electronic data. The cost of electronic disclosure is also taken very seriously by the courts. In 2006 a working party chaired by Mr Justice Cresswell reported on how the Civil Procedure Rules and the Commercial Court Guide apply to the disclosure of electronic documents. The report noted:
“At the conclusion of the trial (or earlier if appropriate) judges should give separate consideration as to the cost incurred in relation to e-disclosure and who should pay those costs, having regard to the reasonableness and proportionality of the disclosure requested and given, the relevance of the disclosure given or ordered to be given to the issues in the case presented at trial, and the conduct of the parties generally in relation to disclosure”.
Given the potentially huge expense of fighting court actions, this is something where organisations should look to manage away the risk. practical steps that organisations can take include:
1.            enhancing the reliability of email evidence by using a system that can manage emails in line with good industry practice;
2.            having internal procedures in place that control the use of email in order to avoid damaging disclosures being made; and
3.            understanding the legal rules which may allow the disclosure of emails to the other party to be limited.
By taking the above steps, an organisation can strengthen its position when handling email before and during any litigation.
However, organisations need to think about this sooner rather than later, as an organisation never knows when it might become embroiled in an action which turns upon the storage and retrieval of emails.
d.            Case Law
Digicel (St Lucia) Ltd and other companies v Cable and Wireless plc and other companies [2008] EWHC 2522 (Ch)
Here the court looked at what constitutes a "reasonable search" for electronic documents. In this case it was held that the defendants had not carried out a reasonable search "in so far as they had omitted to search for, and in, the specified email accounts, to the extent that those email accounts might exist in the back-up tapes which had survived."
Goodale v The Ministry of Justice [2010] EWHC B40 (QB)
This litigation involved prisoners who said that they had been mistreated by the prison system. The Ministry of Justice (MoJ) argued that it should not have to carry out a search for electronically stored information ("ESI") on the basis that it would be a disproportionate exercise.
The Court was not satisfied with the argument put forward by the MoJ, because the MoJ had not estimated the cost of collecting the documents or considered the best ways of searching for them. In fact, it was stated that the court was "staring into open space as to what the volume of the documents produced by a search is going to be".
The Court ordered disclosure of ESI. The Court recognised that there would be difficulties locating key documents, but said that the appropriate way to proceed was with a crude search and then, having established the number of documents in issue, to work with experts to reduce the core set and de-duplicate before moving to the review stage.
The lesson of this case is that, had all documents (including emails) been filed and stored electronically in an appropriate electronic archiving system with the relevant search functions, then locating, identifying and correlating all such documents could have been done in a speedy and cost effective way.
Earles v Barclays Bank plc [2009] EWHC 2500 (QB), [2009] All ER (D) 179 (Oct).
Here, the question was whether or not an individual had authorised the bank to process some bank transfers. This question could have been answered by looking at calls or emails between the parties.
However, the bank's legal department and its solicitors did not retrieve and search the email account of a key former employee, nor retain the employee's laptop.
The Court stated: "One expects a major high street Bank in this day and age of electronic records and communication with an in-house litigation department to have an efficient and effective information management system in place to provide identification, preservation, collection, processing, review analysis and production of its electronically stored information in the disclosure process in litigation and regulation."
Although the bank won this case, it was stated that its conduct of electronic disclosure fell below the standards to be expected, and this would have to be taken into account when the Bank claimed its costs in the case. This was on the basis that, had the electronic documents been disclosed earlier by the bank, there could have been an early decision and judgment in the case rather than the case becoming protracted and progressing to a full hearing.
3.            Criminal Liability
Failure to implement proper email archiving systems could lead to breaches of legislation, some of which carries criminal penalties. Some examples are listed below.
a.            Section 61 of the DPA (Liability of Directors)
Where an offence under the DPA has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary or similar officer of the body corporate, or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
b.            Section 77 of the Freedom of Information Act
Section 77 of the FOIA makes it a criminal offence to alter, deface, block, erase, destroy or conceal any record, including an email, with the intention of preventing disclosure by a public authority. This criminal penalty can be imposed on the individuals concerned, and this personal liability can fall upon employees and officers of an organisation, or consultants and other temporary staff. Clearly, a system with the built-in ability to protect its own integrity and to provide a reliable audit trail could provide vital evidence to protect a public authority from liability where the wrongdoing is committed by an individual acting for his or her own ends.
c.            Section 183 of the Companies Act 2006 (Offence of failure to declare interest)
A director who fails to comply with the requirements of section 182 (declaration of interest in existing transaction or arrangement) commits an offence.
A person guilty of an offence under this section is liable:
            on conviction on indictment, to a fine;
            on summary conviction, to a fine not exceeding the statutory maximum.
Proper email archiving can help to show that directors have disclosed their interests properly and at the relevant times.
d.            Section 52, Part V of the Criminal Justice Act 1993 (Insider Dealing)
1.            An individual who has information as an insider is guilty of insider dealing if, in the circumstances mentioned in subsection (3), he deals in securities that are price-affected securities in relation to the information.
2.            An individual who has information as an insider is also guilty of insider dealing if —
a.            he encourages another person to deal in securities that are (whether or not that other knows it) price-affected securities in relation to the information, knowing or having reasonable cause to believe that the dealing would take place in the circumstances mentioned in subsection (3); or
b.            he discloses the information, otherwise than in the proper performance of the functions of his employment, office or profession, to another person.
3.            The circumstances referred to above are that the acquisition or disposal in question occurs on a regulated market, or that the person dealing relies on a professional intermediary or is himself acting as a professional intermediary.
Proper email archiving systems can help to prove or disprove any allegations regarding insider dealing (especially where such information is demanded by regulatory bodies).
Although the limited liability nature of companies means that directors are not usually liable for the acts of the company, certain legislation does make directors liable for the acts of the company and/or for their duties whilst overseeing the acts of the company. Email archiving can therefore help to limit the risk to directors facing claims of personal liability, by helping to prove that legislation has been complied with or that directors acted appropriately at the relevant times (where such acts may have happened many years ago).
Because of this and the issues above:
a.            Directors and senior personnel at companies will be keen to ensure that their email archiving systems are up to date and accurate, so as to protect them from personal liability for breaches of certain legislation;
b.            IT directors, consultants and other staff responsible for IT systems at companies will want to ensure that the directors of the company (and the company itself) do not even face the possibility of any kind of liability which could have been avoided had proper email archiving systems been in place; and
c.            Directors of companies will not want to miss out on winning new business (or to lose existing business) because the email archiving system they use is out of date or not good enough for their current requirements and business needs.
SUMMARY
Clearly, there are many reasons why an organisation should ensure that the information in its email communications is properly managed. From a practical perspective, email communications now form part of the mainstream business record of an organisation, and should be treated as such. Adequate records are essential for the efficient running of any organisation, irrespective of any legal requirement, and for those records to be of use they must be reliably stored and capable of being retrieved swiftly and with ease.
This white paper is not intended to give legal advice and merely seeks to give an overview of the legal issues relevant to the management of email records; neither the writer nor the writer's firm endorses the product of any particular vendor. Demonstrably, however, the volume of legislation that surrounds information management is growing at an ever-increasing pace as the law catches up with the march of technology. Legal and regulatory compliance issues are becoming a routine consideration for IT departments, and each organisation will need to obtain its own legal advice and assess which pieces of legislation apply to its operations.
Every compliance strategy will have to involve consideration of the technical, as well as the organisational, means of implementation.
No compliance strategy will be effective without proper consideration of how the strategy will be implemented in practice, or of how compliance will be demonstrated. Organisations will also need to take special care to ensure that the email archiving solution they purchase delivers the functionality needed to make the task of compliance as efficient and cost effective as possible.
Hence, the message is clear: considering and implementing proper email archiving systems is not a discretionary add-on but is, in fact, critical for the well being of your organisation.

ABOUT THE AUTHOR
Jimmy Desai is a partner at law firm Beachcroft LLP (www.beachcroft.com), and specialises in technology, IP and Internet law.
He has worked for a wide range of clients including US and international companies, major IT companies on international deals (e.g. BT plc), public sector and government departments, universities, high profile and hi-tech companies, major users of IT (including financial institutions such as banks and insurance companies), high street retailers, investors and individuals for more than 15 years.
He regularly has articles published in a wide range of IP and technology journals, magazines and newspapers. He is the author of IT Outsourcing: A Legal & Practical Guide (published in 2009) and SLAs: A Legal & Practical Guide (to be published in September 2010).
He is a member of SCL, TIPLO, ITMA, ITechLaw and Intellect. He also has a Master's degree in Electronic Engineering and postgraduate legal qualifications in Technology and IP law.
He is a visiting lecturer at the University of London and speaks at conferences and seminars in the UK and abroad. He presents IT, IP and e-commerce TV programmes on Law Channel TV.
Jimmy is also listed as one of the top 40 IT & e-commerce lawyers in the UK in the International Who's Who of IT & E-Commerce Lawyers 2010 edition, which is compiled on the basis of research and the votes of other IT & e-commerce lawyers and clients.

