Major public corporations are not nimble. They do not quickly change practices or corporate culture without a lot of resistance and persistence. In recent engagements with Fortune 100 clients, it has become clear that the major transformations required to become litigation ready must be sponsored at the C-level to have even a chance of success. In large companies, practices and general culture become ingrained and comfortable, even if inefficient or just blatantly wrong. Given that most public corporations will face hundreds of discovery events per year, one would expect a greater level of discovery maturity across the market. Instead, we see a lot of corporations engaging in cyclical RFPs, but not pulling the trigger on funding until a hot case gets attention from the Board of Directors.

                On the other hand, small-medium businesses (SMBs) do not have the same problems with momentum and high discovery burden. During a recent consulting engagement with a small, high-tech company, I realized the size and relative infrequency of discovery events reduces the need for internal discovery capabilities, especially if the SMB has outsourced significant IT infrastructure to a SaaS provider like Estorian LookingGlass.  Inside counsel and IT still need to understand the new FRCP requirements and are responsible for managing the internal response, but having a SaaS provider for your messaging, archiving, applications and even document management shifts the burden of documentation and change management to the provider.

                More importantly, it disarms accusations of deliberate spoliation or designing a system to deliberately destroy critical evidence. This is one of the hidden benefits to SaaS that few companies factor into their ROI calculations. When selecting a provider, companies should understand and document the provider's procedures, technology and data integrity practices. Most importantly, they should make sure that they can provide Chain of Custody information to authenticate ESI that is searched and restored from the provider's systems. The good news is that any SaaS provider with a decent customer base and at least two year's of historical ESI should have already been through this fire drill. Having done an initial fire drill, the legal department can now focus on the comparatively simpler job of documenting their hold decisions, searches and other discovery actions. Depending upon the outsourced system, legal may be able to handle discovery without putting the preservation burden on the business users. There will always be custodian interviews, paper and local documents to collect, but inside/outside counsel are well prepared for this.

                Overall, SMB's have a potential shortcut to 'Litigation Readiness' through SaaS outsourcing of the primary messaging and file storage systems. Legal definitely needs to be involved in the provider selection and RFP process, but IT should welcome another sponsor to the project. Legal should request documentation on system capabilities (search/culling for Rule 26 disclosures and Meet & Confer), Chain of Custody, exception reporting, deposition fees for authenticating evidence (Rule 30(b)(6)), SLA's for retrieval rates, physical/electronic security and the actual storage format of the ESI. The last is particularly important in case the requesting party makes arguments for using alternative search engines on the ESI. Governmental agencies are required to store records in an open format like MSG files for email, so any SaaS provider who has public sector clients should utilize an open format storage system. With a little research and diligence, SMB's can leverage SaaS to achieve litigation readiness in a cost effective manner.

                In a recent conversation with Gary Tidd, CEO of Estorian, he mentioned a sharp rise in interest from State, Local, Education and Departments (SLED in sales-speak). Many smaller state agencies like school boards and police departments were seeking a fast, low threshold way to comply with new email retention requirements. His comment resonated with several recent news stories about the consequences when governmental entities fail to keep email or even worse, when they have it on tape and cannot get to it in a timely efficient fashion.

Federal agencies have had information access and retention requirements since the Freedom of Information Act was signed into law by President Lyndon B. Johnson on July 4, 1966. President Bill Clinton amended the act in 1996 to include electronic information. All of the States have enacted some form or open record or Sunshine Law legislature that defines retention requirements and access procedures for requesting public records. Florida is well known for having one of the most comprehensive Open Government initiatives.

Many or most states put these Sunshine laws into effect well before email became the dominant communication platform. As many as 18 states do not address email as a record in their policies and most states allow their agencies to 'self-select' records that will be kept versus deleted as a temporary communication. If this sounds confusing, think about the poor IT director for a state transportation agency or school district. They have these broad preservation mandates without detailed instructions and usually little or no budget to accomplish the directive.

That spells out an immediate opportunity for a SaaS email archiving provider like Estorian LookingGlass. Some states like Illinois have chosen a traditional enterprise archiving platform and have a licensing option for all smaller state agencies. But that still does not provide the budget for the required servers and storage. As long as the SaaS solution meets accessibility, security and open source storage format requirements, the smaller municipal and state branch offices should be able to immediately archive overloaded Exchange servers and remove scattered PST files from the small network. This would enable the agency to comply with litigation or open records requests via search rather than the more expensive, laborious manual collection process.

Missouri's Republican Governor Matt Blunt probably wishes that his offices had email archiving in place to fend off the attacks from the Democratic Attorney General Jay Nixon. Accusations of deliberate email destruction were raised after the Governor terminated his top lawyer. Requests for the emails in question were met with a $540,000 price tag. The Governor has committed to put an email archive system in place, but it will cost the state $2 million.

The consequences for lack of access can be high. Just ask the former Houston District Attorney, Chuck Rosenthal. He was forced to resign his office after embarrassing and potentially criminal email came to light in a civil suit. His IT staff was unable to extract and cull email from tapes in a timely fashion. So the court stepped in and found approximately 2,500 email deleted after the preservation order, emails regarding an ongoing affair and political activities on city time. We could go into the woes of Detroit's Mayor Kwame Kilpatrick, but I think that you get the picture.  Email and other electronic communications are defacto business records and public agencies must take steps to preserve and give access to government records or face the consequences.

                In a recent blog on Quon v. Arch Wireless, I talked about how poor policy and process cost the Ontario Police Department the right to search and review messages. There is another ongoing federal request for declaratory judgment in Washington DC by a law firm, Newman, MacIntosh & Hennessy LLP. The meat of the matter at issue is whether transmittal of Electronically Stored Information (ESI) outside of the United States of America waives 4^th Amendment Protection (Privilege) in light of the ongoing governmental foreign surveillance.  Without diving too far into the case, the law firm wants the court to declare that it is safe to send client data to an India-based litigation support services company, Acumen Legal Services. They have also opened ethics inquiries to the D.C. and Maryland Bar Associations for guidance.

                In our growing out-sourced, SaaS based economy, corporations are increasingly turning to providers outside of the United States to process, host, review and even store ESI. The consequences of this world wide economy are slowly and at times inconsistently being litigated in various jurisdictions. These cases raise serious questions about corporate ownership, foreign privacy conflicts, privilege waiver and Intellectual Property waiver whenever corporate ESI is transmitted to foreign countries. Few countries have the same patent, IP and other protections for corporate ESI that have been enacted within the US.

So what about all the multinational public corporations? The ones with Exchange servers in Europe, Japan, India, China, Korea, etc? Their internal email is crossing that same border and subject to the foreign surveillance that has Newman, MacIntosh & Hennessy concerned about their client's privileged email. Is corporate counsel effectively waiving privilege when they give legal advice to an overseas director? Given some European countries' stance on employee privacy, US corporations may already be in violation of Belgium, German or French laws simply by searching and reviewing foreign employee email to comply with US regulations or discovery requests. All of this is a complicated maze of unintended consequences that most companies deal with by turning a blind eye to the foreign communication stream.

Looking beyond the obvious communication channels, some companies are starting to ask hard questions about foreign based communication services. Because RIM's Blackberry servers are located in Canada, does that mean that all email sent to/from a Blackberry has now had privilege waived on it? RIM's technical documentation makes it clear that the messages are encrypted at the corporate server level, but the message headers are still exposed and that can include more than just the address information.

Whether we are talking about email, IM, Text, VOIP or any other communication stream, recent cases have challenged the presumption of corporate privacy, privilege and ownership. Proper policy and training seem to be the answer for domestic corporations who use a SaaS email provider or other US based Text/SMS provider. When dealing with world-wide infrastructure, a corporation must engage specialized counsel and actively monitor cases and publications like those of The Sedona Conference Working Group 6: International Electronic Information Management, Discovery and Disclosure. Although the rules seem to be changing, companies can make informed risk vs. cost decisions to minimize their potential exposure if they are cognizant of the issues and do not just pretend that they do not exist.

                The recent Quon v. Arch Wireless decision has raised many questions about a company's ability and right to monitor employee communications. Fortunately, a deeper read shows that the real issues centered around the employee's reasonable expectation of privacy, which a well documented and communicated policy solves handily. So an employee might ask, "I know that the company owns my email, but do they really read it?"

                Unless you are a financial company regulated under NASD Rule 3010 or 3110, you are almost certainly not opening and reading the your employee email without cause. Knowing that the company has the right to review the communications is very different from expecting that it will be done routinely. Most employee's are comforted by the assumption that 'it won't happen to me as long as I follow the rules'. An argument could be made that absent a public practice of routine or random checks, every employee has an implicit reasonable expectation of privacy. A well implemented policy lays the foundation to the employer's rights over the messages, but anything is possible given the right venue, counsel and fact pattern.

                This illusion of privacy or at least anonymity encourages improper and unprofessional communication modes. If you knew that your boss would read every one of your email some day, you would think twice about off color jokes, vendor social invitations and other messages that easily give the wrong impression. You would also probably update your resume and find another job outside of such an Orwellian atmosphere. We do not want someone reading our email without cause, period. We have gotten used to thinking of email and IM as being personal modes of communication when they are essentially a form of broadcast communication.

                So how is a company to walk this fine line? The burden of checking even a small percentage of random messages has proven less than optimal in regulated environments. The SEC has recently modified rules to allow companies to utilize automatic categorization systems to screen for messages of higher interest. If you dive into these applications, you quick discover that they are nothing more than static rule filters. They are effectively large searches that run on every item as it passes through the message system and then acts on items that meet the rule criteria by placing tags, quarantining the message or sending alerts.

                With the increase in SaaS and outsourced messaging/archiving systems, this categorization functionality is now becoming accessible to SMB customers. Estorian's LookingGlass service can actually categorize traffic in motion and alert management to potential loss of trade secrets, fraud activities or HR violations from saved searches that have and action associated to them.

                This kind of monitoring by impersonal, rule based filters shows that the company is serious about protecting their information assets and yet avoids the stigma of a person looking over the employee's collective shoulders. No filter or rule is perfect and they will require an investment to create, test and regularly update, but they demonstrate that even a small public company can enforce retention and message system usage policies without breaking the bank or waiving effective ownership of the ESI.

                Corporations that have invested in messaging archives and services are reaping benefits far beyond reducing risk and discovery costs. The ability to find every message to or from a user has enormous business intelligence and incident resolution potential beyond the traditional discovery scenarios. The traditional archiving platform value propositions of storage reduction and retention management showed clear ROI (Return on Investment) for large enterprise infrastructures where the investment in servers, centralized network storage and IT expertise were a tiny fraction of the overall cost of keeping and retrieving ESI.

The secondary business usage scenarios were just an added bonus in light of multibillion dollar discovery budgets. Not so for a small to medium business in a non-regulated industry with only 1000 - 2000 users. With only one Exchange server and probably one messaging administrator, there has been understandable reluctance to make the $50 - 100,000 investment for the smaller pieces of litigation and volume of historical email. The litigation profile of these smaller, more nimble corporations did not justify the expense and effort to implement enterprise wide archiving before the new Federal Rule of Civil Procedure came into effect on 12/01/2006. Now the single or minimal inside counsel are struggling to explain to their board of directors why the possible sanctions and bad publicity require such a drastic change in their corporate data management lifestyle.

"Why can't we just make everyone keep PSTs and keep the back up tapes?" asks the CIO. Using mailbox limits forced users to move email off of the expensive network storage to cheap local storage. It also created thousands of copies and put the core of the corporate IP at risk, but that was not IT's problem.

The dramatic increase in the hosted and SaaS archiving services over the last two years have suddenly given these corporations a way to realize the benefits from archiving without the heavy up-front investment. Many have quickly uncovered the hidden business value of enterprise search across the complete historical message collection. Suddenly, they can backtrack leaked pricing, salary and other trade secrets to find the few rotten apples in their barrel and weed them out.

One of the hardest things in a HR investigation is to disprove false accusations of sexual harassment, inappropriate content, fixed bids and many other scenarios. It is very easy to fake printed out email and IM conversations that would not stand up to close scrutiny if still in electronic form. The only way to prove that someone did not send a message is to have all the messages within that time frame and the ability to retrieve them. Think about how hard it is to set the context for an off-color email without having the complete historical conversations between a supervisor and a former employee.

Beyond actual HR investigations, corporations are now realizing that in today's highly mobile labor environment, it is critical to have the ability to transition historical communications when a valued decision maker decided to depart for greener pastures. A responsible director will organize their ESI and participate in the transition process, but that can take weeks of effort and usually is limited to active projects. What about all of the ESI around completed contracts, deals and ongoing business relationships? "It's in my PSTs." So are all kinds of sensitive communications that you may not want to make available to everyone who inherits any portion of the departed roles.

So archiving and enterprise search are not just for storage and discovery management, especially when we now have low-threshold options available.

                The 9^th Circuit of Appeals reversed a district court ruling, Quon v. Arch Wireless, in which a wireless text messaging service turned over message transcripts to their customer, the Ontario Police Department, during an investigation on an officer's excessive use of the department provided pager. The fact pattern has some twists and turns, but buried within the opinion are issues that are worth exploring for every corporation contemplating out-sourcing their communications via SaaS or other external provider.

                To summarize the case, Officer Quon overran the 25,000 character allocation on his departmental pager. After paying for the monthly overages 3-4 times, a supervisor requested the prior month's transcript to determine how much of the overage was personal usage, a violation of computer usage policy. Because of an unofficial policy of not auditing the text message contents if the officer paid the overage fees, the court found that Officer Quon and the others caught up in his personal, overtly sexual text messages had a reasonable expectation of privacy, despite having signed a typical "Computer Usage, Internet and Email Policy" to the contrary.

                The arguments around defining Arch Wireless as a Remote Computing Service (RCS) or an Electronic Communication Service (ECS) are fascinating in their potential scope and byzantine twists. All of these issues are centered on Fourth Amendment rights and the Stored Communications Act (SCA) of 1986, part of the Electronic Communication Privacy Act. The basic conflict is between an employer's right to monitor or investigate employee communications and their employee's reasonable expectations of privacy. Arch Wireless was found to have acted as an ECS provider, which limits the Ontario Police Department's ability to investigate with showing due cause.

                Realizing that this published opinion by the 9^th Circuit does not immediately or even inevitably apply to the rest of the federal courts, it could be interpreted as one of the first rulings for a more European style of personal ownership of communications sent via an employer's system, at least when that system is not owned and run by the employer. This 'could' limit a company's ability to monitor for inappropriate or even illegal communications usage.

                A deeper read of the finding provides a reality check. The Ontario Police Department had numerous opportunities to expand their policy to explicitly call out the pager usage as well as their audit policy. The right policy, education and acknowledgement program would have prevented employees from forming the wrong 'reasonable expectation of privacy' while using departmental pagers. Does this make you want to check on your corporate Blackberry policy? It should.

                Using a SaaS email or archiving provider such as Estorian's LookingGlass should not preclude you from monitoring and investigating your corporate email, but it should warrant a detailed policy review. A pager, IM or other transient communication provider falls under the higher ECS definition, which means that only a named sender/recipient should be able to request a copy of the communication. Whereas a SaaS email archiving provider seems to meet the RCS definition or even a lower standard that allows the contact entity (billing contact) to request copies of the communications.

                This decision raises interesting questions about who really owns the communications as technology and market forces blur the old lines of enterprise systems, documents, phone calls, shared services and more. We should all hope that Arch Wireless appeals the ruling to the Supreme Court or that another similar case soon finds its way to the top of the judicial ladder.

                Email archives originated to solve two basic pain points back in the middle nineties. The driving concern was the serious mailbox size limitations of Exchange 5.5 and earlier.  They earliest archives focused on moving older and large messages into the central archive to control mailbox sizes and preserve the user experience. The second challenge came from regulated financial and trading institutions needing to comply with NASD 3010 and SEC 17a preservation and retrieval requirements. These rules forced the banks and trade firms to invest in specialized Write Once Read Many (WORM) style hardware and software solutions.

                The financial market drove the early development of email archives and shaped the assumptions of what an archive should do and how it should store the messages. All of this concern around defensibility and compliance pushed the developers to lock down archived items in immutable, proprietary compression formats. Worse, since compliance purchases were driving the sales, the storage platforms engineered for the archives focused on read/write performance and single instance physical storage and practically ignored the retention management issues that this created.

                Ten years later, the reality is that the dominant, established products have the storage and compliance issues covered, but are weak on lifecycle management and extraction of business intelligence from this repository of the sum of corporate knowledge. Worse, for those corporations that invested early in a system that is clearly not meeting their business needs, many are now looking at literally hundreds of terabytes of email that cannot actually be deleted on any kind of rational, defensible basis. The WORM storage they chose utilizes item collections or cabinets to keep performance reasonable, but individual items cannot be deleted or expired.

                Smaller companies can learn from the early mistakes of the big boys. Most are not regulated and do not envision retaining all communications forever. Few companies really need to keep business records (beyond the unavoidable tax and public filings) beyond the usual business cycle for their industry. This can be calendar quarters for an online resale site or decades for a mining company. The important thing is to have plan and process that enables employees to keep and access what is critical to their jobs and the company, while shedding non-business messages.

                Given the number of innovative new archiving products and services that have surfaced in the last year, you will want to look carefully at how your communications are stored. Most federal and many state entities are required to store public records in an open source format to make sure that the information is not lost if a software provider goes out of business. Estorian's LookingGlass Interactive Archiving delivers on this requirement by storing the items in Microsoft Outlook MSG files and then zipping collections to effect up to a 65% compression as compared to the Exchange Store size. Even the LookingGlass Spherical Indexing is addressable directly from SQL, keeping the entire solution accessible in case of migration resulting from a merger or acquisition.

                So when you are shopping for a solution to your growing messaging environment, remember to make sure that the solution you pick will not turn into the retention nightmare down the road. Ask the hard questions about retention management, migration strategies and storage formats.

The dirty little secret of discovery search is the myriad attachments and files that cannot be rendered into absolute text that meets the simplistic Boolean criteria that is the output of the typical attorney salvos. No one wants to talk about all the images, audio, video and other categories that give heartburn to the viewers and iFilters used by the search engines. Lawyers, service providers or even IT execute the searches using the agreed upon search criteria, deliver back the results and do not ask the critical question, "What did we miss?"

Back in the dark old days of purely paper productions, which is only 8-10 years ago, no one wanted to open the Pandora's box and talk about email and other ESI. Instead, they asked the custodians to simply print out everything relevant and deliver it with the rest of the 'records'. Imagine the inefficiency of a senior vice president staying late to print a year's worth of manually selected email. Then the vendor made three or more copies for internal, external and expert review. The story gets worse from there, but that is supposed to be old news. I remember a client telling me, "We don't ask about email and they don't ask about email. Get it?"

That brings us back around to the 'unindexable'. Now it is not really unindexable, it is just expensive and complicated to deal with in comparison to the typical MS Office files. In many cases there is a good argument that these file types are just not germane to the key issues in the matter. In some cases, they are clearly germane and critical to understanding the fact pattern at issue.

So if a company has invested in a centralized message archive and has enabled a 100% capture system like Estorian's LookingGlass, Exchange journaling or transaction log shipping, then it would understandably and rightfully rely on these systems as the 'true' repository of communications over the incomplete user collection. The tendency will be to negotiate search or collection criteria with the other side as the primary collection to be reviewed. If critical items are not found by the search, the odds are good that within the sea of ESI these items may not be manually turned over by the custodians that are interviewed. "After all, we have everything in the archive, don't we?"

Good validation testing of search methods, quality assurance checks and sharp counsel can catch these issues. They can make sure that descriptions of the search and collection systems clearly represent known exceptions and search limitations to protect the corporation against accusations of deliberate lack of compliance. But what if the other side singles out a series of pictures of an accident scene and demands that you find them, even if the file names and properties were altered as they were forwarded through the chain of command? Even worse, what if you find clearly inappropriate images during your review and the CEO demands that you find every copy within the firewall and get a list of the offenders to HR?

In this age of rising eDiscovery costs, many small players seem to be getting left out in the cold. Implementation of a traditional full featured enterprise archive happens in response to combined IT and Legal pain that finally exceed the threshold and cut lose the capitol budget to reign in bloated Exchange environments and service provider profits. But selecting the right solution for a large public company or governmental agency is an entirely different process from the immediate needs of the SMB market and smaller state or county entities. Recent changes in the dominant archive platforms seem to acknowledge this reality as some of them raise the minimum target sale and focus their channel on large enterprise sales.

So what is a smaller player to do? Well there are quite a few new SaaS offerings to consider. The model makes sense for many smaller companies with 1-100 users, especially if they are a service company that wants to minimize overhead and infrastructure. If you have good access to bandwidth or your employees are geographically diverse, then chucking the entire messaging platform can be very attractive.

But outsourcing your informational assets may not be an option for regulated verticals or public agencies with FOIA requirements like the Florida Sunshine Laws. A Florida school system must retain communications record and make them available upon proper request.  More challenging than a FOIA request, many smaller companies face potential economic disaster from just one serious civil lawsuit. Large public corporations are required to carry excess umbrella insurance and reserves against risk. They can more easily absorb the typical $1 million deductible that may cap their loss for cases. A $1 million dollar deductible could cripple a small company, assuming that it has a properly structured insurance envelope. This puts small companies and under-budgeted state and local agencies into a unique place in the archiving market.

So the under-represented segment of the market needs an archiving and discovery solution with a low entry and implementation threshold. Moreover, it has to be easy to use and administrate as smaller entities may not have dedicated personnel with deep skills. Some of the archiving players seem to have focused on meeting these challenges. Estorian's Looking Glass Interactive Archive is sold on a subscription model with an entry point as low as $400 per month. The system leverages the Exchange's 'Receive As' functionality to intercept active traffic without using Journaling. This also enables them to scan the mailbox and attached PSTs via MAPI call to dynamically track the folder location and other user actions on the items in the mailbox.  This makes it easier to roll outfor smaller companies, because journaling and stubbing are de-emphasized.