Email Acceptable Use and Retention Policies - Keep it Simple
I was recently involved in a consultation session with a Client who was looking to consolidate his email infrastructure from a decentralized model with many servers and domains in 10+ countries, to a centralized model where all the servers would be located in a single country. The stakeholders wanted to understand what shifts this would cause to their regulatory obligations and how they should consider various deployment options in this context.
Here is a summary of our discussion:
There are no hard international rules that have been tested to my knowledge, at least not formally in court, with regard to moving electronic records around. In fact there are 2 contexts to your query: i) moving the records around and then what is the optimum email storage structure to minimize risk, and ii) how discovery and rules regarding official corporate records work across multiple geos.
Regarding point i:
What I have read about and also discussed with clients is the following 2 approaches:
[1] Consolidate all servers and content in the new geo, and have this geo's rules & regulations apply to all content (historical and future). A smart twist on this is to set an Archive anchor point at the day of consolidation, and manage historical (now archived) content as per the old policies set while the server was in its original geo, with all new content managed according to the regulatory frameworks in the new geo.
[2] Consolidate all servers & content but continue to manage content as if it was virtually still in geo of original creation. Under this scenario, content created in France (sent or received) would be stored in Canada but not discoverable under Canadian laws or regulations, only under French ones. Of course from a technical perspective, I would recommend encryption on the message store, with the encryption keys being kept in the geo where the data was originally created.
Depending on the Risk Management strategy of the company and the value of the data, an option to strongly consider would be to keep only the minimum timeframe of international email on production servers (max 90 days). Everything older would be moved to Archival storage. Search indexes (which are not the messages or attachments) can be stored in Canada since these are not the actual record and as such are not discoverable. The archived actual messages are stored in an Object Storage system (like M+Securestore) with an off-site instant mirror.
So in essence there is a primary write of the message to a device here, and then an immediate replication to a device in the geo of origin, followed by the deletion of the original write. In this way it can be clearly demonstrated that the message was in fact never stored in Canada but simply "in transit" to its long-term storage location in the originating geo. If they wanted to also keep a copy of the message locally as a back-up of the remote location, this is both possible and OK. The local copy (Canada) is being made solely for disaster recovery; it cannot be discoverable. Only the original record can be requested, and it would sit outside of Canada.
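The placement rules from approaches [1] and [2] and the 90-day archival option above, written out as an added Python example (it is not part of the original post and not taken from any product named in it). The function and field names, treating the consolidation day itself as "new" content, and sending archived records to whichever geo governs them under either approach are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PRODUCTION_WINDOW = timedelta(days=90)  # "max 90 days" on production servers


@dataclass(frozen=True)
class Placement:
    governing_geo: str       # geo whose retention/discovery policy is applied
    tier: str                # "production" or "archive"
    record_geo: str          # where the record itself ends up stored
    key_geo: Optional[str]   # where the message-store key is held (approach 2 only)


def place(origin_geo: str, created: date, today: date, hosting_geo: str,
          consolidated_on: date, approach: int) -> Placement:
    """Decide policy and storage for one message (hypothetical helper)."""
    if approach == 1:
        # Archive anchor: content older than the consolidation day keeps the
        # original geo's policy; the day itself counts as new (assumption).
        governing = origin_geo if created < consolidated_on else hosting_geo
    elif approach == 2:
        # Content is managed as if it were still in its geo of creation.
        governing = origin_geo
    else:
        raise ValueError("approach must be 1 or 2")

    # Exactly 90 days old is still within the production window.
    tier = "archive" if today - created > PRODUCTION_WINDOW else "production"

    # Archived records are replicated to the governing geo and the first write
    # in the hosting geo is deleted (assumption: same under both approaches).
    record_geo = governing if tier == "archive" else hosting_geo

    # The post places keys in the geo of creation for approach 2 only.
    key_geo = origin_geo if approach == 2 else None
    return Placement(governing, tier, record_geo, key_geo)


if __name__ == "__main__":
    cutover = date(2024, 1, 1)  # constructed sample consolidation date
    for created in (date(2023, 6, 1), date(2024, 2, 1)):
        for approach in (1, 2):
            print(created, approach,
                  place("FR", created, date(2024, 3, 1), "CA", cutover, approach))
```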
Under civil law and copyright interpretation, the fact of where the digital content resides (stored as bits) can be disconnected from the regulatory obligations, or lack thereof, attached to it. For example, if a contract is created, printed and signed in France, then a scanned copy is sent via email, and the email is stored in Canada - nothing about Canadian discovery regulation or laws will apply to this email or attachment.
Another example is e-commerce web sites that are hosted in other countries - the authorities of the hosting country do not have the right to interfere unless the complaint originates from a matter brought to a Canadian court, and then will likely only be allowed to request discovery for content created by Canadian workers.
Under criminal law (think child porn), this construct does not apply and the country where the data is stored has full rights to exercise legal intervention on its soil, and courts will not hesitate to provide the required search warrants or subpoenas.
Keep it Simple....
My advice is that simplicity dictates that a multi-national org should try to have a single retention/discovery policy that meets the baseline requirements of all geos, and then manage the occasional exceptions. If one thinks of a corporate Code of Ethics, there is usually only a single version.
Regarding point ii - it gets pretty messy, pretty fast:
Let us set the stage; a Canadian company, with a French wholly-owned subsidiary where email is considered private and requires a court order to discover, employing a German resident contractor working on a project for a Japanese client. The Japanese client decides to claim negligence on the part of the German contractor and sue the Canadian company in a Japanese court for damages and breach of contract.
Part of the lawsuit involves requesting access to encrypted email messages on the German Contractor's laptop that were circulated between the French and German, and that are believed to exist archived (in cleartext) on the corporate email servers in Canada.
What can be discovered? Who can decide who needs to produce what? How much will be spent in external legal fees? Experience to date shows that there is no cut & dried answer, there is no "good & perfect" response, only a bunch of "it depends" - and a lot of the "it depends" has to do with the amount of money at stake.
So how can a company mitigate against these types of risks? There is really only 1 way - via a clear and well implemented Acceptable Use and Retention Policy that will ask exactly these types of questions and set the tone for the scope of involvement and technology deployment required to match this scope. Letting courts or lawyers decide about matters of internal policy is usually not a good choice. Being well prepared and having predetermined answers puts the organization in a position to respond as needed, and in a manner that is consistent with its best interests and the ever-evolving legal & regulatory framework.
Best,
--Pierre
– Pierre Chamberland
Pierre Chamberland is the Chief Energizing Officer at Messaging Architects.