Have you ever had to respond to an e-discovery request for your company? Sometimes just the thought of facing a legal action can make seasoned Exchange Server administrators want to turn in their passwords and retire or find a new career as a janitor. Microsoft Exchange Server is a trove of information in almost any organization, but will you be able to find what you need when slapped with a discovery request?
Although email and Exchange Server aren't necessarily the only targets of e-discovery, it's quite possibly where the bulk of your data resides. "Email makes up so much of what is discoverable," said Barry Murphy, co-founder and principal analyst for eDJ Group, an analyst firm focused around e-discovery and information management. "There's this notion that everything passes through the Exchange server at some point, so it's usually the number one priority in any kind of e-discovery," Murphy said.
No one knows better what data lives in Exchange than the Exchange administrators who deal with it daily. Therefore, it makes sense that those admins should take an active -- or indeed, proactive -- role in protecting that data and ensuring the company is ready to face any legal challenge. That doesn't mean you need to know what's inside every email message on the system -- which of course would get you in a whole different kind of trouble -- but at least you should know where the data is, and try to maintain only the data that is required.
The introduction of Personal Archives in Microsoft Exchange Server 2010 as well as the continued push to move messaging data to the cloud can only complicate the matter of managing your data. And at the same time, data protection legislation isn't going away -- if anything, it's getting stronger. "It's an incredibly complex world of data," said Kevin Foisey, chief software architect at STEALTHbits. "As you impose more and more rules over the top for the management of that data, the frameworks that do the management of that data need to be more and more agile."
So what can you do to manage data? A few things spring to mind. First, if your organization is in a highly regulated sector, such as health care or financial, make sure you're up-to-date with the latest data security procedures and rules that apply. Even if you're not part of such an industry, familiarize yourself with the data protection legislation for your state or region. Wherever possible, take it as a best practice to adhere to these standards even if they might not apply to your specific organization: Make your data safer than is required.
Second, if you haven't already done so, consider implementing a comprehensive data retention policy for email and other documents within your organization. This process is where you set rules for how long an email message, for example, will be kept in a user's Outlook before being automatically deleted; and it's also where you define what type of documents must be maintained for longer periods. With Exchange Server 2010, you can apply retention tags and policies to automate this process; other Exchange versions and other mail systems will have their own versions of this procedure.
The important thing here is to work with your company's legal department up front to determine what policies are appropriate and how long different types of data should be kept. Users tend to want to keep everything in their Inbox, but by getting rid of the unnecessary and useless bits, you'll not only be using less storage but also have less data to search if you do get slapped with an e-discovery request. You could even argue (and yes, I would, as part of a company that's gone through this process) that forcing users to hold on to less can ultimately make them more productive. As part of partnering with legal, make sure expectations are clearly communicated to end users because you don't want them just squirreling away email messages in local PSTs or other places to prevent them from their proper expiration.
As a third preventive measure, you can look at what third-party products can do to help you secure data in your environment as well as prepare or manage e-discovery requests that you receive. As Murphy said, "Companies are getting smarter about e-discovery. Because it's an inherently reactive process, they're going to expect that the people running their messaging systems are increasingly adept at getting this information and getting it quickly so that legal can start reviewing that information within hours of a request as opposed to within weeks." Having a good solution in place to find appropriate data before you get such a request could be crucial.
However, you might also find products that secure your environment, help enforce internal policies, prevent data leaks, and thereby reduce the chances that you'll be asked to respond to e-discovery requests. As Foisey said, "Companies want to know who's accessing the content, and specifically they want to be able to lock it down. When they find stuff, they want to be able to go in and say this is sensitive information in this location, and lock it down -- regardless of what the Windows permissions say." STEALTHbits offers DLP Lite to perform this level of protection.
Above all, don't wait until you have some kind of snag to look for solutions to this growing data problem. You know data is accumulating, and the more data you have, the more likely you're going to encounter some kind of trouble as a result of it. "In companies, IT often is sort of looked at as the support organization," Murphy said. "I think there's an opportunity for a lot of these IT pros, especially in the messaging world, to sort of be heroes in their organization by being proactive about how to handle issues that come up around e-discovery. There's a real opportunity for them to have an impact on their organizations and even their careers."
You have the power to take the fear out of e-discovery. Educate yourself and prepare. You might never receive an e-discovery request, but then again, do you want to take that chance?