Personal Email May Be Discoverable

This entry was sent to me today by Scott Roseland at CyberControls.net:

Around the same time that a number of White House staff members were trying to extricate themselves from the probing questions of certain congressional inquiries about personal e-mail accounts being used to allegedly bypass the official government provided e-mail service, a very interesting survey was being released called, "Survey of Rogue Email Practices." The MessageOne survey, conducted by independent research firm Osterman Research focused on interviewing employees of mid to large sized U.S. corporations to learn about their individual e-mail usage habits and patterns. Not too startling was the fact that the average employee sends and receives an average of 170 e-mails per day at work and that nearly a third of the respondents use their personal e-mail accounts (e.g. AOL, Yahoo mail, Hot Mail etc.) for business purposes at least twice a week. More startling is the fact that 17% of the respondents use their personal e-mail accounts for business every day.

Besides the obvious exposure that this "rogue" e-mail pattern poses to business organizations from an information security perspective, the potential for legal liabilities is off the charts. The employees offered numerous explanations for their use of personal e-mail accounts to conduct business such as; the e-mail server was down, I was working from home or offsite, I wanted to bypass my company's e-mail system altogether etc.

Over the past few years, a number of e-discovery disputes have had to overcome the hurdles of privacy concerns when a requesting party has been in pursuit of "all" business-related e-mail pertaining to the case. For a producing party, it may no longer be sufficient to only include the client's corporate e-mail account(s) on litigation hold as savvy requesting parties will expect all forms of e-mail communications including third-party providers of e-mail services to be identified and reviewed for disclosure in the FRCP Rule 16 (c) Pretrial Conference.

In many instances, the identification and recovery of Internet based e-mail accounts messages may require a computer forensic examination be conducted on the computers used to create and/or access such business related e-mail messages for relevance and privilege purposes. Depending on the list of recipients that a particular message was received, the circle of interest will expand for subsequent searches and litigation hold obligations.