It’s 2 AM. Do You Know Where Your E-Mails Are?

Written by Evan Schuman
December 21st, 2006

One of the nation’s largest investment firms had disciplinary complaint filed against it this week because, at best, it wasn’t sure what E-mail was backed up. The worst case scenario has Morgan Stanley telling investors that their E-mail records were destroyed in the New York City terrorist attack, while they knew the backup records of those transactions were intact.

Although the central facts of the case are in dispute?Morgan Stanley’s position is that the existence of the backup tapes was disclosed while the National Association of Securities Dealers says the disclosure was not made?the big-picture message is Morgan Stanley wasn’t really sure what E-mail copies existed, what time period they covered and where they were.

Legal technology experts say the Morgan case barely touches the surface of the problem. Consider this scenario: For various legal reasons, you need to produce copies of E-mails sent between March 8 and March 20 dealing with the acquisition of the Smith Construction Company.

Due to a fire, the servers were destroyed. For whatever reason, the backup records were also destroyed. Do you have the right to say to the court, “Sorry. We don’t have them anymore”? Are you obligated to conduct a search for those E-mails?

What if some copies still exist on an employee’s laptop? Or an employee’s home PC? Maybe on some portable media, such as one of those little 2-GByte Sandisk drives or burned CDs (or DVDs) or an external hard-disk? Don’t forget those PDA/smartphones, too.

For that matter, what about looking beyond your firewall, outside your LAN’s limits? Your Sentmail files may provide a trail to dozens of partners, contractors, suppliers, consultants and customers that your employees E-mailed those messages to. Those sought-after files may exist those servers, too. In an endless loop, it could then exist on those other companies’ backup servers and home PCs, etc.

The typical E-mail system today does not provide a link to a single copy of the message sitting on a central E-mail server. The systems generate hundreds and sometimes thousands of full copies of these messages, either as straight text or attachments.

That’s not the problem of IT when it comes to preserving backups. But as federal rules change with legal discovery requirements, it’s going to become a very key issue for IT execs, as corporate attorneys will be relying on them to know about every possible copy of every E-mail. (Next step: voicemail, IM and Web comments.)

Corporate attorneys and IT executives “need to understand where they keep their electronic information. There can be a lot of negligence in this area,” said Stan Gibson, partner at Los Angeles-based law firm Jeffer Mangels Butler & Marmaro. “As an inhouse lawyer, you very well may not know exactly what is out there, especially if you don’t communicate with IT well.”

Communicate with IT well? Isn’t that one of those oxymorons, like jumbo shrimp or “the server is a little big”? There’s an old corporate motto that when a non-IT exec start feeling like she’s communicating well with IT, it’s probably time for her to cut back on her liquor.

But Gibson’s point is still quite sound. As companies get more sophisticated technologically, the databases that IT commands are going to become more essential. That goes beyond CRM and ERP data and extends into E-mail and other data files.

Data can no longer be viewed as something concrete that needs to be stored and protected. It’s information to be shared, but also tracked. Companies view their ideas as intellectual property and yet few place any restrictions on where that property can go. Forget restrictions. How about settling for simple awareness?

Another concern showcased by the Morgan Stanley situation is the amorphous area of reputation. Whether it’s reasonable or not, company executives expect IT managers to have control over all company data. That expectation is now being extended to judges, juries and governments.

Two elements in establishing credibility with legal data disclosures: competence (a belief that IT has a professional mastery over its data) and honesty (that it’s saying everything it knows). When data status changes and reasonable steps to pursue data are not taken, that credibility is at risk. With judges, juries and government regulators, that can be something that will prove very costly to lose.

“This will probably cause opponents of Morgan Stanley to constantly question the bona fides of their disclosures,” said Michael Gold, a Gibson colleague who is also a partner at Jeffer Mangels Butler & Marmaro. “These disclosures require a measure of candor.”

As a practical matter, the emergence of personal mobile media makes it many orders of magnitude more difficult to control where information is going. On the plus side, it also makes it so much more likely that almost any piece of corporate communication can be found out there, if you’re willing to look hard enough.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.