November 19, 2010

Follow Up Conversation with Don Skupsky. The offer I couldn't refuse

by Cary J. Calderone, Esquire

After my last blog article, I wanted to follow up and share some of the items that I discussed with Donald Skupsky, JD, CRM, FAI, MIT, after his presentation.   It seemed like we had very different ideas on email management best-practices for organizations.  Just to be fair, open and up front, I shared my concerns with him and in typical fashion, once we had a more in depth discussion on the issues, it turns out we agreed on quite a bit.  For example, we agreed that most employees keep far too much email. 

The numbers he presented estimated that only 5% of email actually includes content substantial enough to be considered a Record.  I would add a few more percentage points for material related to Records. He also explained that there are some companies, a few, that do have a policy to tag and keep business record emails and have the rest deleted in 30-45 days, and they have been successful in defending their practices. They use a folder for Work-In-Progress but the main inbox gives the user a very short period of time to decide if an email is a Record, and then to move it to another location or repository for safekeeping, otherwise, it gets deleted.  There are a few companies that purport to use this policy, but I sure would like to see if they actually adhere to the policy in sufficient fashion to have it withstand legal scrutiny.

Mr. Skupsky also believes too many companies use a fall-back policy where they end up keeping pretty much everything, and this is a terrible practice.  I have witnessed this policy in action quite a few times. One company kept so much electronic information that when they needed to search its email archive, they were limited to 4 concurrent searches and it would take upwards of 12 days to get the first search results back. Not a very good system for Early Case Assessment or a Litigation Response team, to be sure.  So we both agree that when it comes to email, keeping everything, is a bad policy.

Ultimately Mr. Skupsky described himself as a bit of a devil's advocate.  By challenging a company with a 45 day email deletion policy, he believed it was more likely that ultimately, even if they would not agree to 45 days, they would agree to a relatively short deletion period of 6 months or a year.  He explained that if they were not challenged early, so they had to act to manage their email, users always defaulted to retention periods that are too conservative and too long or, they never take any action at all.  The end result would once again be email inboxes that are not managed.  His position is that if they are not going to manage it, then they are better off not keeping it.  So, while I cannot argue with Mr. Skupsky's goals, I will still persuade my readers to consider employing a different tact.  I prefer to suggest simple and straight-forward policies and guidelines that will help them eliminate upwards of 50% of their non-record and non-business related email quickly.  Too many users have stated that they would love to delete many emails but they were not sure if they could or should, so they kept them all.  Mr. Skupsky and I are both shooting for keeping less mismanaged information, but my method is likely to err on the side of keeping more business emails rather than fewer.  The lawyer in me wants you to keep information that may help us understand your case.  Is it a perfect system?  No.  But making users affirmatively move Records, to safeguard them from deletion seems riskier.  After the first 50% is removed from the inbox, we can then work on managing the next 30-45%, which will likely be more challenging, but can be better managed with some department and function-specific policies and procedures, and perhaps some of the great new search and management tools that are available.  Either system correctly employed and monitored will reduce a great deal of email clutter.  And, this, in and of itself, will provide a huge cost-savings for the over-stressed IT department.  It will also enhance any Litigation Response program that needs to address eDiscovery.  I just want to be more comfortable that the Litigation Response team will find relevant information on their own servers, before they see it produced by an adverse party in litigation!

My approach comes from the basic belief that the use of technology is critical to an organization's success and they must keep up with new productivity features to stay competitive.  So, I want to allow for expanded usage, and less effort to manage that usage.  Mr. Skupsky believes records retention practice actually can help support the use of technology too.  He just abhors mismanaged data growth.  So while on the surface we agree, I lean toward recommending any Retention and Records and Information Management policy will be flexible enough to be updated, and amended to reflect the ever-changing needs of the users.  And, whenever possible, allowing the users more use of the data and any new technology enhancements.  The new reality is many companies are now contracting and performing other substantial business functions via email, electronic exchanges, and even Social Networking sites.  So if the RIM program is too limiting on the use and retention of electronic data, it runs the risk it will become impossible for employees to follow it thereby making it irrelevant. The days of following simple static rules that worked fine for slow moving paper are gone.  It is time to keep up with email, Facebook, Twitter, and whatever may come next.

Special thanks to Donald Skupsky, for taking the time to consider and respond to my comments.  

November 11, 2010

ARMA Session-Retention for Electronic Records-Or, Don Skupsky, some of your tips should sleep with the fishes

by Cary J. Calderone, Esquire

Donald S. Skupsky, JD, CRM, FAI, MIT is certainly one of the most respected and recognized Records Management thought leaders.  If he is not the Godfather of Records Management, he is certainly a Godfather.  His book/treatise is still the foundation for many corporate Record Information Management programs.  However, coming from my background as a lawyer and IT consultant, (see blog post "Who are you talking to?") some of the RIM ideas he presented in this talk are really not applicable in the 21st century world of managing electronic data.  Case in point, he suggested companies have a policy to delete email after only 30-45 days?  Whoa!  This is really not a "best practice" for most companies.   Let me explain.  

When I started helping companies update their RIM programs and become DRED ready, I found some challenges with the old guard Records Managers who cut their teeth, and perhaps their fingers, on paper. The drill was, declare a Record, protect it for the retention period and shred the other convenience copies.  Simple.  As readers of this blog already know, there are many reasons why this approach no longer works for email and other fast-moving electronic forms of communication.  (see Shout out to Records Managers)

While Mr. Skupsky has expanded on his original definition of what is a "Record" to allow companies to define it to include various electronic forms, at other times during his presentation, he seems to completely forget the main reasons companies have and use technology.  For example, let's consider his suggestion of as little as a 30 day retention period for email.  Under his 30 day policy, users are supposed to take any email that qualifies as a "Record," (defined by the company policy) and move it to another document management system or, print it out for safekeeping and storage.  Even if your company does not already have a specific legal requirement (like SEC 17 a-4, or Sarbanes-Oxley) to retain email communications, there is a very good chance employees who use their email as a work productivity tool have a habit of keeping them for later reference for at least a year or two, if not forever.  Can you imagine how many people would not bother complying with the rule if it meant moving only select "Record" emails to another system or printing them out for safekeeping? 

In today's world, employees are using search technology, like Google Desktop and other search engines and crawlers, to mine their own electronically stored information for answers.  It is a basic form of Knowledge Management and in many cases, a major productivity enhancement.  So, if you have a 30 day deletion rule, and nobody wants to follow it, chances are, they won't.  Which means you will end up with a policy that ultimately shows at least one part of your RIM program is a sham.  Not a good move if you end up in litigation someday.  

Moreover, even if the 30 day policy is supported enough to pass a test in a discovery dispute in court, it is still not advisable.  What about your early case assessment needs?  Email that might be critical to determine if a potential matter has merit, may be deleted from your servers, but it will likely still be in the possession of your potential adversaries.  Or, perhaps it was printed out, or kept in another management program.  How many hours will it take to retrieve and review those stored emails?

Even assuming your employees are willing to perform all the extra work to print and/or move those potentially critical emails, some of them may have content that would show that your employee(s) made a mistake.  How much effort will your employee(s) expend to store, search and retrieve those darn emails that may show they should be terminated?  I would bet that at least a few employees might just let those pesky emails get deleted after 30 days and hope for the best.  Once again, the result is potential discovery trouble for your company.

While I appreciated much of the presentation, it was a little bothersome to hear Mr. Skupsky's dismissive description of "groupware tools" which he "does not like."  In the tech industry these might be separate development applications or wikis or even Instant Message comment threads.  Does Mr. Skupsky believe that all of these amazing advances in the area of software and collaborative development will just go away because they are difficult to track and maintain according to a simple Records Retention Schedule???   I am betting the answer is a resounding "No."  These will be distributed and used and even more tools will be invented.  And, realistically, this will be so even if these tools make records management, more challenging.  Facebook, Twitter, and Cloud applications, may make managing records more difficult, but they are not going away.  We have to learn to proactively manage them.

I understand and respect the established industry protocols and efforts of any company in maintaining a working RIM program, but without a better understanding of how and why the new technologies are employed, creating "dream world" easy-to-manage electronic records policy, is not ultimately going to be productive, and may cause very serious issues in an otherwise well-intentioned RIM program. 

I could not argue against some of his ideas without giving Mr. Skupsky a chance to explain himself, so I spoke with him after the session.  The next blog post will cover our discussion.   

November 10, 2010

ARMA Show-A couple of useful new products and upgrades for your DRED project

by Cary J. Calderone, Esquire

Here are a few interesting product offerings I noticed at the ARMA Show this week.  This is not a product review.   I have not tested the products but just looked at their demonstration modules.   However, I like to point out when I find a product that can and will fix specific challenges for many companies.  The two products I noticed come from,  Page Freezer, and ZL Technologies Inc.


Page Freezer  simplifies the task of maintaining and tracking copies of your website and other online representations and communications.  In my experience I have found many organizations need or want to keep copies of their website information and twitter feeds.  These may include representations of service or product features and sometimes they must be tracked in order to comply with a Public Information request or Legal Hold.  Either way, it is difficult to keep and track a website that may be updated daily by many different departments and authors.  Who is responsible to archive all the changes?  Page Freezer can automatically archive selected pages or entire websites on the fly according to the rules you setup. The product also tracks Twitter updates and supposedly will be able to archive Facebook updates as well.  I know quite a few organizations that would like to be using this tool right now.
ZL Technologies Inc. has added new features that allow its customers to "manage in place."  Many companies operate internationally, and are faced with very challenging and frequently conflicting laws concerning email communications and electronic data storage and retention management.  ZL technologies has added features that will allow its users to archive and manage electronic data in place, even in a location like Japan.  There are many solutions that can managing data in the US, especially when it is all in English.  But when information is collected from many places and in many languages, there are extra challenges to the solution, and there may even be prohibitions against moving some types of data, i.e., across country borders.  In these instances, managing in place can be a most useful feature.   Many companies have tried to move all the electronic data to one central  location, to be managed according to one set of rules.  Not only does this mean potential bandwidth and regulatory problems, but how many people in your main U.S. office can read and manage information that is in Japanese or some other language?  Usually, the answer is nobody.  So you have moved the data away from the very people who are most capable of managing it because they can read it and know the local rules that apply to it.  ZL Technologies is trying to give you, a better way.     

November 3, 2010

Computer Forensics Show

by Cary J. Calderone, Esquire


I was able to spend limited time at The Computer Forensics Show in San Francisco this week. I understand when a show is debuting in a new city it may have issues, but the acoustics at the Herbst Pavilion at Fort Mason were pretty awful and, I am not the only one who noticed. It's too bad because the show did have some very good speakers and covered interesting DRED topics. Still, it was challenging to enjoy their presentations due to the acoustics.  Background noise notwithstanding, here are a few highlights:

Dean Gonsowski, Vice President, e-Discovery Services at Clearwell Systems, presented "Compliance in the Cloud and the Implications on eDiscovery. He provided a very nice overview of many issues that need to be considered when looking for a solution in the Cloud. Even when I asked about a tricky issue, i.e., "what to do when your data may be co-located across international borders?", he provided a thoughtful and practical approach. He had other terrific "checklists" to use when you look at Cloud solutions, but I am not listing them here. You'll have to see one of his presentations yourself.

I also enjoyed the session run by Michael Glick, Vice President of Encore Discovery Solutions "How Advances in Modern Electronic Discovery Practice are Changing Commonly Held Notions About Conflicts of Interest." He described the advantages to litigants following the Sedona Conference Cooperation Proclamation and waiving some potential conflict issues, and cooperating with adversaries during electronic discovery. There area even times when using a single provider and platform can save everybody money and hassles. I asked if Encore had protocols conflict checks for their eDiscovery clients? Much like lawyers and law firms, Encore follows high standards and protocols to ensure they do not represent parties with adverse interests. Pre-engagement conflict checking is too often an afterthought with some consulting groups in the DRED space and it shouldn't be.

On balance, I hope that this conference grows, finds a better location, and returns to San Francisco next year. If they continue with legal tracks that include good DRED discussions, I will attend again.