Avoiding email spoliation

Danny Bradbury

One of the IT department’s jobs involves a word that they may have never heard before: spoliation. This is a term that lawyers involved in legal e-discovery often dislike, and unless IT managers are prepared for it, they may hate it even more.

Email spoliation refers to the altering or destroying of evidence to be used in a legal case. Spoliation can happen accidentally, or intentionally. When your company is called upon to provide digital evidence in court, it may have to prove that its archived emails were not tampered with, or deleted. But how?

The dangers of spoliation

In legal cases, spoliation is a more common problem than you might think. In 2004, a judge in a patent lawsuit fined Samsung $566,000 for destroying and failing to produce email evidence requested during legal e-discovery. In the same year, the USA fined tobacco firm Philip Morris $2.75 million for failing to follow preservation orders and destroying email.

More recently, the Ministry of Transportation in Canada’s provincial Government of British Columbia came under fire for email spoliation. A ministerial aide was found to have deliberately deleted emails pertaining to a public meeting. When investigators subsequently asked to examine mailbox backups to search for the deleted mails, they found that they were not available. An administrative oversight had left 48,000 government mailboxes without backups for several months, putting the Ministry in direct contravention of provincial information access laws.

Thanks to forensic examination and questioning, the aide in question is now the subject of a police investigation, and the government had to cope with an embarrassing public report on the matter.

How do you stop your organization suffering a similar fate? One of the first things a company will see in an e-discovery process is a litigation hold letter. This alerts them to preserve all documents and communications relating to a particular issue that may become part of a legal case.

At this point, the company must collect and preserve the relevant data, including any emails. When in court, the company must be able to prove the integrity of those emails. That integrity includes ensuring that all relevant information is present, and that the emails have not been changed to suit the company’s legal case.

How email archives can help

An email archive helps a company avoid email spoliation during legal e-discovery in a couple of ways. Firstly, it can be configured so that only authorized managers have access to it. This stops the individual sender or receiver of the email from tampering with it, no matter what they may try to do inside their own production email inbox.

Secondly, messages can be stored in read-only format. Emails can be stored on ‘Write Once Read Many’ (WORM) media, on which data can be written once, but not rewritten.

Emails can also be stored in the archive with a checksum. This is a number representing a calculated summary of the email, often produced using a mathematical algorithm. If the archived file changes, so does the number, making it easy to verify the integrity of emails produced during the e-discovery process.

Email databases each have their own storage formats, explains Eric Vanderburg, director of information systems and security at computer forensics, cybersecurity and e-discovery company JurInnov. In many cases they will store emails together in their own proprietary formats. This means that an e-discovery solution must be designed to support mail integrity verification for particular email systems.

“Systems that harvest email must interface with the email system database,” he writes in a recent blog post. “They preserve the integrity of email by querying the database for mailbox metadata such as the byte count and message count. This data is compared to what is retrieved from the database to ensure that all relevant messages were retrieved and that byte counts match.”
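As an added illustration of both the checksum idea above and the byte-count and message-count comparison Vanderburg describes, the following Python example (not code from the article, from JurInnov, or from any archiving product) builds a manifest when messages are ingested and later checks an archive as produced against it. The message IDs, addresses and message bodies are constructed samples, and SHA-256 stands in for whatever checksum algorithm a real archive uses.

```python
import hashlib
import json

# Constructed sample archive: Message-ID -> raw RFC 822 bytes (not real mail).
SAMPLE_ARCHIVE = {
    "<1001@example.invalid>": (b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
                               b"Subject: Q3 contract\r\n\r\nPlease review the attached draft.\r\n"),
    "<1002@example.invalid>": (b"From: bob@example.invalid\r\nTo: alice@example.invalid\r\n"
                               b"Subject: Re: Q3 contract\r\n\r\nLooks fine, signing tomorrow.\r\n"),
    "<1003@example.invalid>": (b"From: carol@example.invalid\r\nTo: alice@example.invalid\r\n"
                               b"Subject: Meeting notes\r\n\r\nNotes from the 3 March meeting attached.\r\n"),
}


def checksum(raw: bytes) -> str:
    """SHA-256 hex digest of the raw message bytes: the per-message 'checksum'."""
    return hashlib.sha256(raw).hexdigest()


def build_manifest(archive: dict) -> dict:
    """Record at ingest time: a checksum per message plus the mailbox-level
    message count and byte count that an e-discovery tool compares later."""
    return {
        "message_count": len(archive),
        "byte_count": sum(len(raw) for raw in archive.values()),
        "messages": {mid: checksum(raw) for mid, raw in archive.items()},
    }


def verify_archive(archive: dict, manifest: dict) -> dict:
    """Compare the archive as produced with the manifest recorded at ingest.
    Reports modified, missing and unexpected messages, and whether the
    mailbox-level counts still agree with what was recorded."""
    expected = manifest["messages"]
    modified = sorted(mid for mid in expected
                      if mid in archive and checksum(archive[mid]) != expected[mid])
    missing = sorted(mid for mid in expected if mid not in archive)
    unexpected = sorted(mid for mid in archive if mid not in expected)
    counts_match = (len(archive) == manifest["message_count"]
                    and sum(len(r) for r in archive.values()) == manifest["byte_count"])
    return {
        "ok": not (modified or missing or unexpected) and counts_match,
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "counts_match": counts_match,
    }


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARCHIVE)
    print(json.dumps(manifest, indent=2))
    # Simulate spoliation on a working copy: one message edited, one deleted.
    tampered = dict(SAMPLE_ARCHIVE)
    tampered["<1002@example.invalid>"] = tampered["<1002@example.invalid>"].replace(
        b"signing tomorrow", b"not signing")
    del tampered["<1003@example.invalid>"]
    print(json.dumps(verify_archive(tampered, manifest), indent=2))
```

The count comparison catches deletions and most edits cheaply, but an edit that keeps the message the same length leaves both counts unchanged; only the per-message checksum exposes it, which is why an archive should record both.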

The chain of custody

The other important anti-spoliation technology in an email archive is the retention policy encoded in it. If the IT team can show a workflow in which emails are immediately copied to a read-only archive, then this can help a company’s legal team prove a chain of custody as part of the e-discovery process.

A chain of custody shows how an email’s integrity is guaranteed from the moment it is created and stored until the moment it is produced as evidence. It does that by documenting every step along that path, along with the associated protective measures. With such a system in place, it also becomes much harder for a company to suggest that emails have been deleted on purpose during legal e-discovery.
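One way to make the documented steps of a chain of custody tamper-evident, as an added Python example rather than anything from the article or a specific archiving product, is to keep the custody log as a hash chain: each entry records the checksum of the artifact it concerns and the hash of the entry before it, so a rewritten, reordered or removed entry breaks every link after it. The actors, actions and timestamps below are constructed samples.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the first entry


def entry_hash(entry: dict) -> str:
    """Hash of an entry's canonical JSON form; the next entry stores this value."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(log: list, actor: str, action: str, artifact_sha256: str, when: str) -> dict:
    """Append one custody event, linked to the previous entry by its hash."""
    prev = entry_hash(log[-1]) if log else GENESIS
    entry = {
        "seq": len(log),
        "when": when,                      # ISO 8601 timestamp of the event
        "actor": actor,                    # who handled the artifact
        "action": action,                  # what was done and which protective measure applied
        "artifact_sha256": artifact_sha256,  # checksum of the archived message export
        "prev_hash": prev,
    }
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Walk the log from the first entry. Returns (True, -1) if every link
    holds, otherwise (False, index of the first entry whose link is broken)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i
        prev = entry_hash(entry)
    return True, -1


def sample_log() -> list:
    """Constructed custody record for one mailbox export (illustrative only)."""
    artifact = hashlib.sha256(b"constructed mailbox export").hexdigest()
    log = []
    append_entry(log, "archive-service", "ingest: message copied to read-only (WORM) archive",
                 artifact, "2016-03-01T09:00:00Z")
    append_entry(log, "it-admin", "export: copy produced in response to litigation hold",
                 artifact, "2016-06-14T14:30:00Z")
    append_entry(log, "legal-counsel", "receipt: checksum of exported copy verified",
                 artifact, "2016-06-14T15:05:00Z")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))
    log[1]["action"] = "export: nothing exported"   # simulate a rewritten history
    print("after edit:", verify_chain(log))
```

The chain only proves that the log has not been altered since the last entry was written; to anchor the most recent entry, store its hash somewhere the log's own custodian cannot silently change, such as the WORM media the article mentions or a record held by the legal team.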

Spoliation may not be a word that IT Pros need to use very often, but when someone utters it, they should be ready to explain how their archiving system prevents it. Luckily for them, technology can lend a hand.