Egan Orion of the Inquirer reports that just yesterday a federal judge ordered the White House "to show just cause within three days why it should not be required to produce to the court forensic copies of all its data storage media used by any employee between March 2003 and October 2005." Orion describes how the Bush administration "dismantled the Lotus Notes based Automatic Records Management system" used by Bill Clinton and instead moved to "an email system based on Microsoft Exchange." He also references White House spokeswoman Dana Perino, who said in a conference last April "I wouldn't rule out that there were a potential 5 million e-mails lost."

That is an astronomical number of missing electronic communications to let sink in if it is indeed an accurate statement. What triggered the move from Lotus Notes to Microsoft Exchange if the Clinton administration had no problems with its email archiving? How will the testimony of Theresa Payton, CIO for the White House Office of Administration, affect the role of email archiving giant Microsoft Exchange in the market place? Will Exchange take a hit in popularity because of its association with the Bush administration fiasco? Perhaps the most significant consequence of the missing emails is the reality that history relating to the U.S. Invasion of Iraq in March 2003 could be lost forever. With paper copies and hand written documents becoming more of a celebrated art form than a daily operational occurrence, email communications are an intrinsic part of our society. Email retention and email archiving have already begun playing a role in the preservation of our way of life. However, there are usually two sides to everything, and in this case our government recognized the potential PR nightmare that could await them if official documentation was released over what was actually said regarding the situation in Iraq. It is important that a high degree of accountability is being ordered here, as it is the government's job to answer to the people.

Well, there are a few points I would like to make here. Firstly, drawing the line as to what kinds of electronically stored information (ESI) should be made publicly available is not an easy thing to do. There might be TONS of emails and electronic correspondences in this world, but which ones should we have access to? As it stands in March 2008, most of the information Alderman is describing CAN be obtained, just not by historians and biographers. Industry regulators and the U.S. Court system have access to this information in the event of an email audit or an eDiscovery situation. Health care professionals and patients also have shared access to information under HIPAA regulations. Secondly, there is certainly ways to access, manage, and use "computer-generated communications" as Alderman describes them. This process is called email archiving and the general concept is referred to as email retention. The majority of U.S. Businesses are compelled to archive email under regulations such as HIPAA, SOX, FINRA, SEC, NYSE, NASD, and GLB. All organizations are also required to maintain electronic communications and all relevant ESI in case of an FRCP e-discovery proceeding (as of December 2006). Additionally, government officials and politicians are bound by state sunshine laws and legal requirements to retain emails as public information. I believe Alderman is pulling for a grand method of national archival, but to say that current ways of storing electronic information do not exist is not at all accurate.

Part one can be found HERE.

Jefferson Graham of USA Today reports that "Google's attempt to build a home for personal health records online could potentially make the ads more lucrative than Web search, a top equity analyst says." Showing off its Health program at a conference in Orlando, "Google said it wouldn't start out selling ads but wouldn't rule it out. Google Health is expected to launch this year." Gene Munster, an analyst at Piper Jaffray, "firmly believes ads will happen." Graham quotes him as saying: "advertisers would pay absurd amounts of money to be seen when someone wants to, say, refill a subscription online. This is more lucrative than commerce-related search."

Like I said in my last post regarding Google's attempt to tackle electonic patient medical records, this comes down to personal feelings about targeted marketing. Advertising is at the heart of making this new venture into health care worthwhile for everybody's favorite search engine. Do you feel comfortable knowing that your medical records information will be used to assist in the campaign of targeted ads? Does it matter in the first place? Will this further propel the popularity of G-mail? How will this affect email archiving? If more companies turn to G-mail will this have an adverse effect on email archiving providers? Will Google become known as the definitive email compliance source for health care professionals? Stay tuned.

I was reading an article this morning on Continuity Central which has given me an idea for a new series of posts. Dave Hunt wrote an article addressing the specific FRCP rules which relate to email retention and email archiving. When most U.S. Businesses think about the 2006 FRCP amendments they just know they have an obligation to archive email. But do they know how the eDiscovery process works? What does the court look for with regards to ESI (electronically stored information)? Does the law MANDATE an email archiving solution? A look into the eDiscovery framework seems like an important step to take for an organization to understand the big picture of email compliance.

Dave Hunt wrote: "it is important to note that there are not substantive requirements, guidelines or directives under these new rules that you can pull out and implement. Much like the existing discovery rules, the new amendments are directed to the ways lawyers and courts handle and conduct cases in the federal court system (and in many, if not all, states). They deal with the ways electronic information will be gathered and produced in the litigation context. They do NOT mandate records management requirements. As a result, organizations have not found the clarity and certainty they might have expected from the new amendments."

I would like to start off this series of FRCP eDiscovery amendments by focusing on an interesting legal document entitled: "The Safe Harbor Rule." In an article section called: "Preserve the Safe Harbor," Dave Hunt provided the following information: "of course, some believe that they can just hide or delete emails or other files. Quite apart from the moral aspects of such a decision, such an action would take a litigant out from under the only real 'get out of jail free' provision of the new rules. Rule 37f is the so-called Safe Harbor Rule, which states that "absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good faith operation." This rule may offer companies protection should relevant ESI be lost, but only if a "routine, good faith" discovery process is fully defined, fully documented, and fully followed. Hiding or deleting emails would not be consistent with such a process, and demonstrates bad faith. Contempt is punished by fine and imprisonment.

Indeed, proof of non-tampering is essential. This proof is not confined to the data being stored, but security in such areas as mailbox access, system access, and procedures for access control, allowing only authorized custodians to emails and network files. Encryption and intelligent key management, regularly and reliably used, is also an element of proof that the files are genuine and reliable."

Good faith is a significant part of the law, as attempting to do the "right" thing is looked upon favorably in the eyes of the court. It is important to know that if you have an email archiving solution in place, even if ESI is strangely missing, it will be meaningful to U.S. judges. The Safe Harbor Rule rewards those companies who realize what must be done and take the necessary steps to make it happen. However, it is not a good idea to bank on a "get out of jail free card" if you have not integrated your systems for email compliance.

Stacie N. Galang of the Salem News Online reports that Peabody Public School "will start archiving all e-mails -- including those by teachers and other staffers -- beginning March 3rd as state officials warn public agencies they must store such public records." School Committee members have received adequate warning as Superintendent C. Milton Burnett has "circulated a memo to all staff about the change affecting the district-based email system." Burnett said, "all staff is advised NOT to utilize Peabody Public Schools e-mail or Peabody Public Schools Network Systems for any correspondence relating to student or staff personnel issue or personal items." However, citing the new email archiving policy as frustrating, fear-inducing, and counterproductive, a large number of school related personnel are seeking to have the law overturned.

Why are people so upset here? Are they wrong? Justified? What sensitive spot is email archiving hitting? Well, I want to start off by saying I firmly believe email archiving laws are raising significant questions regarding public knowledge and what should be made available for industry regulators to see. People are upset here because they believe that this is an issue of their "right to personal privacy" being taken away. In the same article I referenced above, The Salem News quoted a woman as saying: "the law seemingly makes no distinction between a true public record and a personal document." It also mentioned "criticism by Committee members concerned that information discussed about students or School Department personnel could reach public view." These are both valid points that should be taken seriously. There are unquestioned benefits to archiving email, such as the ability to prove or disprove conflicting evidence at a later date. It is also a way to prevent conspiracies and under the table dealings from manifesting into reality. However, where is the line of privacy drawn? Which electronic communications should be allowed to be kept private? What if personal information about a student really did manage to leak out into the open? Is that right? What does the public have a right to know? I think that is the biggest question here. Email archiving and email retention policies really could be a serious plus for society if managed the right way. However, there must be more attention paid by academics to the reasons behind new legal implementations, as well as detailed explanations by law makers about the specifics of regulations.

I came across an interesting article earlier today on Computer Technology Review regarding the current & future expectations of an email archiving solution in light of modern FRCP eDiscovery requirements. William Tolson has compiled an expert list of capabilities to be considered when choosing an email archiving solution that I feel all U.S. Businesses should review. I am posting an excerpt of his writing below along with the capabilities he feels are pertinent in meeting the demands of regulatory and legal compliance:

"Email archiving solutions should address critical customer requirements around email information archiving, eDiscovery, regulatory compliance, business continuity, and storage optimization. Enterprise-class solutions provide legal search work flow, immediate mailbox and message recovery, disaster recovery, email archiving, and self-service search and access in one solution. By leveraging cost-effective storage, these solutions also optimize email storage and reduce overall infrastructure costs. Next generation email archiving solutions deliver rapid, comprehensive search across millions of emails for litigation ready production and provide the following capabilities:

Rapid eDiscovery: Auditors and legal staff must be able to quickly perform sophisticated search and discovery across centrally managed mailboxes to meet compliance requirements.

Automated, Exchange Disaster Recovery: Reliably protect Exchange information through non-invasive, continuous application shadowing. This process preserves the consistency and integrity of Exchange data and enables "one-click" full email data and service recovery when needed.

Mailbox Storage Management: Reduce storage requirements on the Exchange Server by migrating or "extending" attachments based on policies of age, document size, or mailbox size.

Self-service search of archived data: Seamless self-service access to end-user archived data, enabling them to find potentially lost or deleted messages without IT assistance.

Enhanced support for Exchange 2007: Live Communication Server (IM) and 64 bit Servers - extends content management to include instant messaging and takes advantage of new Exchange 2007 features for disaster recovery, folder level retention, and mailbox level journaling.

Automated PST File Archiving: New "crawler" automatically searches and retrieves PST files from servers, desktops, and laptops based on administrator-defined policies.

Active Directory Integration: Leverages roles defined in Active Directory and provides a version history of Active Directory, including distribution lists. Contents of distribution lists are viewed as they appeared when an email was originally sent or received.

Public Folder Archiving: Performs archiving and continuous data protection for Public Folders and allows auditors to search all Public Folder content and re-create chain-of-custody for compliance and legal discovery.

Scalable Storage & Reduced Archive Storage Requirements: Designed to deliver improved scalability and performance for the archive server with support for multiple databases and extensible storage volumes.

Each of the above criteria is highly relevant in ensuring a smooth email litigation process should such a situation arise. However, does relevancy equal necessity? Which of these factors are truly "business critical"? How essential is having support for Exchange 2007? Does a company need public folder archiving? When does storage really become a problem? Are the above capabilities best used in an in-house or an outsourced email archiving solution? I believe it is important for a business to understand what they need to comply with corporate regulations and legal requirements without spending money and time on things that are simply not necessary. What are the intricate parts of an email archiver that you truly NEED to satisfy compliance? I would like to address this topic in full soon. Stay tuned.

I believe the term of the day is: "HIPAA compliance." This two word phrase is beginning to make the news in a big way. On one hand you have the CMS (Centers for Medicare and Medicaid Services) ready to conduct stringent HIPAA security audits of hospitals, and now on the other hand you have Google looking to become the top player in the electronic medical records arena. At the root of Google's potential conquest is the technology and desire for patients to manage their personal health care records. This need is owed in large part to HIPAA, which ensures that the privileged relationship between doctor and patient is upheld. According to HIPAA, electronic patient health care data must be retained and kept secure in order for a health care provider to be deemed HIPAA compliant. However, providers such as the Cleveland Clinic have begun offering personalized tools for patients to manage their health records online. This new trend is certainly a fine idea and on part with a continuously evolving society, but are there some risks to be noted here? Are there reasons to be cautious of what Google is doing?

Firstly, what is in this for Google? I mean, nothing this noble could come for free, right? Of course not, and the concept to be aware of here is called "targeted marketing." I am posting an additional excerpt from Douglas Cress below because I think it is important to read:

"Anyone who has spent any time on the Internet (or sorting through spam in their email inbox) should have a sense of how profitable medicine is on the Internet. Based on some cursory keyword research, and my rough calculations, Google is earning $20 million in annual revenues from the keyword 'Viagra' alone. 'Ambien' costs $2.43 -$3.65 per click; local queries like 'Brooklyn dentist' cost $3.71 - $4.98 per click. If Google delivers on their promise of a web portal with 24/7 access to health care information - and they're certainly well positioned to, with their global web-based architecture and a focus on security - the upside could be tremendous. Google will have the ability to offer a free service supported by advertisers. Think GMAIL for medicine - with ads for doctors, pharmacies, drugs, and devices peppered beside your personal health records and delivered using the same contextual advertising Google is known for."

This means that much to the delight of health care advertisers your medical records information will be used to assist in the campaign of targeted ads. There is also the issue of Google security here, is a simple password alone really enough to make you feel confident that your electronic health care data cannot be breached? What if your information is hacked? It's true that it is possible for any system to be tampered with but would you feel more confident in a security provider that specializes solely in that field, or a gigantic corporation that merely uses it as an additional service? Will Google work on encryption? Will Google's program only be compatible with health care providers that currently offer patients with the tools to manage medical records? If not, how would it work? If Google succeeds and takes this mainstream, how will this affect the email archiving industry? Will health care professionals flock to Google for their HIPAA email compliance needs? Stay tuned.

K & L Gates at the eDiscovery law blog has announced the enhancement of their searchable e-discovery case database and has "added a number of new attributes -- several of which correspond with the 2006 e-discovery amendments to the Federal Rules of Civil Procedure (FRCP)." As I mentioned in a recent blog entry regarding an eDiscovery index on the Arkfeld and Associates website I believe that this new feature will be a significant asset if you find yourself involved in the process of electronic discovery research by case. I am posting the updated attributes from K & L Gates just below because I think they are a top notch addition to all current eDiscovery research tools.

"You can now select the attribute FRCP 37(e) Safe Harbor, "cick" Search," and view a list of cases that have cited or discussed the new "Safe Harbor" rule. Other new attributes that we have added include:

-FRCP 26(b)(2)(B) "Not Reasonably Accessible"

-FRCP 34(b) Procedure or Format

-FRCP 26(b)(2)(C) Limitations

-FRCP 26(b)(5)(B) or Proposed FRE 502

-Early Conference or Discovery Plan

-Local Court Rule, Form or Guideline

-Motion for Preservation Order

What's more, the database now contains over 900 e-discovery cases from state and federal jurisdictions, with new cases being added very week. Now more than ever, our database is an excellent source of information on developing e-discovery case law around the country."

This database is an excellent resource for those organizations that are in the early phases of integrating an email archiving solution. With over 900 e-discovery cases from state and federal jurisdictions, there is substantial access to learn how courts view email compliance with FRCP eDiscovery proceedings.

Brian Fonseca of Computerworld reports that "District Court Judge Colleen Kollar-Kotelly this week issued an order enabling the Washington-based Citizens for Responsibility and Ethics watchdog group to perform limited questioning of White House officials." The group had filed suit against the White House Office of Administration last May "seeking access to White House e-mail under the federal Freedom of Information Act." The discovery ordered by Kollar-Kotelly was issued to "determine whether the Office of Administration is subject to the Freedom of Information Act." This will be a situation to keep an eye on as the office contends "it is not subject to FOI requests." Additionally, Fonseca provided insight from Mike Osterman, president of Black Diamond, Wash.-based Osterman Research Inc., who said: "many businesses operate under the false assumption that e-mail is not a business record. A lot of people are not implementing e-mail archiving [processes]; they're saving e-mail, but not in a cohesive or consistent way. Companies can say 'Yes, we need to archive,' but [the process] must be policy driven and taken out of users' hands."

Even though I probably shouldn't, I still find it fairly remarkable that the White House simply cannot respond about the whereabouts of many missing emails. With the advent of internet technology there seems to be this general attitude that electronic communication does not have to be held up to the same standard as traditional paper documents. Many corporate executives and government officials seem to think they can pretend conversations never happened by simply deleting email backup tapes. In theory paper copies could just be burned up, but it seems that the ease of conveniently "losing" emails is what makes it so much more noticeable. It does not require a lot to act as if nothing ever happened. However, with industry regulations and legal expectations tightening the grip on corporate behavior, abusing the age of email messaging is only going to get harder to do. It is high time for all organizations to integrate an email archiving solution, especially when the center of the American universe is being thrown into the grand spotlight for this exact reason.

The Sarbanes-Oxley (SOX) act, as described by Chen, requires all public companies to retain their business records, including email, for at least five years. Since Sarbanes-Oxley does NOT specify which documents are relevant and which are not, it makes the practice of email retention significant for all public companies. Businesses cannot afford to preserve only select electronic communications. But with that being said, I have several questions in regards to the survey conducted by Harris Interactive. If the survey results are truly accurate, what does this say about company email policies? Are organizations effectively communicating the use of business email for personal reasons? How about what language is considered proper? Or how about the tolerance of humor? And if a company DOES have this policy circulating around, then why are so many employees ignoring it? Apathy? No fear of consequences? The survey results say that nearly all the employees polled do not believe that they have ever sent a risky email. Therefore it seems that most employees are not even aware that they are doing anything wrong. I believe that companies need to lay out specific rules within the employee email policy and hold review sessions to make sure that the rules are being followed. Additionally, I think that consequences are necessary and should be mandatory to enforce the rules. With SOX email compliance such a crucial item on the business agenda, more companies should be taking the time to make sure that their employee email policy is stringently regulated.

According to the American Health Information Management Association (AHIMA) website, the event often referred to as "hipaa security week" will be held April 13th - 19th, 2008. AHIMA states: "CONFIDENTIAL IS ESSENTIAL--Protect Health Information" is the theme for Health Information Privacy and Security Week 2008. This invaluable awareness event, held April 13th through 19, assures our communities that the industry takes extraordinary measures to put health information in the right hands and keep it there. It is a positive reminder of the importance every healthcare professional should place in this crucial aspect of medicine. A message that resonates throughout the nation's facilities."

With the CMS bearing down on the enforcement of HIPAA security compliance, this years health information privacy and security week will likely get taken a little more seriously. The protection of electronic patient health care data is an extremely important measure for our society to take, and I believe that the CMS's current agenda is definitely helping the cause. Email compliance and email archiving solutions are necessities for health care professionals at this point, especially for those that do not want to deal with the repercussions handed down by Tony Trenkle and the Office of E-Health Standards and Services.

Caymanian Compass, the Cayman Islands' leading newspaper, reports that a seminar on email archival and disaster recovery will take place on February 21st at the UCCI (University College Cayman Islands) Executive Training Center. According to Rob Eyers, responsible for enterprise business development at Kirk iSS, "Public and private sector organizations in the Cayman Islands are facing similar challenges to their counterparts in other offshore jurisdictions." He then adds: "the increased use of technologies such as email, sms, instant messaging, Microsoft Office and a range of other types of electronic communications have resulted in substantial growth in data within the enterprise and in turn created a significant data management problem for the IT Department. With 83% of business communication now being electronic, organizations need a solution to reduce the cost of storing, managing, and discovering this electronic tidal wave of business information."

There are a couple of points I would like to make here. Firstly, there has been a recent surge in the amount of educational resources regarding eDiscovery and email archiving. Within the past month alone I have written about professional research papers, legal guidelines, reports, conferences, and even a judicially acclaimed reference on the topic. What is the significance here? I believe that both industry leaders and experts are finally recognizing the sheer volume of companies that are simply unprepared to deal with the pressures of satisfying an ever strengthening corporate & legal governance. Education and integration of email archiving solutions will continue to be a process, but there is little doubt that progress is being made. Secondly, the geography of email archiving and the locations that might be subject to email compliance regulations in the near future will be interesting to keep an eye on. That this seminar is taking place on the Cayman Islands, a British overseas territory, is a sign of society and corporate governance moving in a specific direction.

According to report on patient privacy (RPP), the industry's most practical source of news on HIPAA patient privacy provisions, the compliance reviews which began last month "are separate and unrelated to audits being conducted by the HSS Office of Inspector General (OIG)." Tony Trenkle, director of the CMS Office of E-Health Standards and Services, told RPP that "the focus is broader than just hospitals, although they are included. In the future we may work with OIG, but these are two separate proceses." Trenkle's senior policy advisor, Lorraine Tunis Doo, added: "we will interview the people who are appropriate to the documentation and policy and procedures that we need to evaluate. Whoever is relevant will need to be there. It could be different at every review." In regards to the 283 security complaints logged by the CMS as of December 2007, Trenkle said: "the majority of allegations are of inappropriate access and risk of inappropriate disclosure."

Well, as the Centers for Medicare and Medicaid Services (CMS) start to integrate the compliance review process there are a bunch of pertinent questions that come to my mind. Firstly, how will the CMS reviews impact the current state of electronic patient health care data and email management? Would a serious HIPAA violation change the way that electronic information is managed by health care providers? What is the difference between a HIPAA security compliance review and an OIG audit? Would the agency doing the testing (OIG or Office of E-Health Standards and Services) impact the stringency required for the security and privacy of an email archiving system? Will the OIG and CMS Office for E-Health Standards and Services be working together in the future? If the answer is yes, would this create a uniform policy and method for testing electronic patient health care data? Would the OIG merely be setting the stage for Tony Trenkle by doing preliminary investigation work? How many entities will be reviewed? What other health care providers and facilities will be subject to HIPAA email compliance regulations besides hospitals? Stay tuned for updates.

In this entry I would like to focus on the cost of an in-house email archiving solution versus that of an outsourced service. Firstly, which one is more cost efficient? This question is an important one for most small to mid-sized businesses as they need to keep email archiving within a tight IT budget. Organizations will be pleased to know that the answer is an outsourced service, and it is usually by a significant amount. But why? Why are in-house solutions so much more expensive? It all comes down to the sheer amount of work that is required to keep the in-house solution up and running. The IT team is responsible for monitoring all incoming and outgoing electronic communications, maintaining email archiving appliances, and ensuring proper systems integration. There is also the issue of storage space, which could add up in a hurry if your business has thousands of emails entering and leaving the archive daily. Outsourced services retain all of your email messages for you and present you with advanced search options to quickly retrieve specific emails that have been captured in the archive. However, the big question that I am posing here is: are there any distinct advantages to an in-house email archiving solution that would justify the high cost to maintain and integrate? Why do some organizations PREFER the higher cost?

In one word, the answer is trust. Companies simply do not feel comfortable trusting an outsourced email archiving service to sift through their email and have access to private information. But is that really what happens? Do email archiving services take such advantage of their clients? No, they don't. Why not, you might ask? Roles based permission access, industry regulation authorities, and business reputation are three critical factors that ensure outsourced email archiving safety. Are there any distinct advantages to an in-house email archiving solution that would justify the high cost to maintain and integrate? There are some loose arguments to be made in favor of an in-house solution, but stay tuned for part II for more information.

Legal Blog Watch reports that on February 5th Claire Duffet of Law Technology News attended a morning session of the NY LegalTech panel entitled: "Actionable E-discovery: Finding the Right Balance of In-house and Outsourced Resources." According to Duffet there were 300 attendees in the room who had to answer the poll question: which step in the eDiscovery process is most concerning? 43% said that this step is in the processing review and analysis, 33% said that its in preservation and collection, and 13% said information management with identification, production, and presentation rounding out the rest of the responses.

Duffet mentioned the presence of several significant eDiscovery figures including: attorney Marie Lona, partner and chair of the e-discovery and electronic information practice group at Winston and Strawn, Tom Hall, managing attorney for discovery and litigation technology at Cleary Gottlieb Steen & Hamilton, Mikki Tomlinson, litigation support manager for Chesapeake Energy Corp, and moderator Kelli Brooks, principal of forensic technology services at KPMG. Tom Hall discussed the serious sanction handed down in the Qualcomm Inc v. Broadcom Corp by saying "My risk aversion advice: Don't do that."

EDD (electronic data discovery), as evident by the 46,000 missing electronic documents in Qualcomm, is an extremely important business continuity measure in the year 2008. Panel discussions such as the one above are instrumental in the education process for U.S. Businesses to learn about the dangers of avoiding email compliance and email archiving solutions. Perhaps the question is: is it better to retain electronic correspondences using in-house or outsourced solutions? This depends largely on the finances of a company, but there is a strong argument to be made for an outsourced service. They are generally more cost efficient, provide IT relief, and automatically provide you with regulatory and legal compliance.