E-Mail Retention: The High Cost of Digging Up Data

By Kim S. Nash  |  Posted 2006-08-02

In the cool air of a law firm conference room one day last summer in New York, conversation flares hot.

Hostile lawyers handling a sex discrimination case against investment bank WestLB shoot questions at Ken Bigelow, chief information officer at the New York branch of the German investment bank, which has $314 billion in assets. How does the company preserve e-mail? How often? For how long?

Lawyers for the plaintiff, Claudia Quinby, are fighting about which e-mail, instant messages and other electronic information WestLB should turn over to them. Quinby, a former saleswoman in the equities group, sued WestLB in U.S. District Court in New York in September 2004 for sex discrimination, retaliation and violation of the federal Employee Retirement Income Security Act.

She claims the bank discriminated against her because of her gender by cutting her bonus pay and that when she complained, it retaliated by wrongly firing her in June 2003. She was rehired three months later, then wrongly fired again in April 2004, she says in her lawsuit, filed just 17 days before her pension would have vested. WestLB admits terminating Quinby twice because it was "dissatisfied with plaintiff's performance," according to the bank's response. WestLB denies her other accusations. Quinby says she has lost pay and professional opportunities and suffered emotional distress.

Click here to download a PDF of this story.

To try to prove their case, Quinby's legal team requested that WestLB exhume thousands of e-mails and documents from as far back as 2000 for key players in the case, such as her former boss, peers and human-resources managers. They sought messages containing anti-female language, for example, or online conversations to support claims that Quinby was excluded from key get-togethers and that WestLB violated laws in how it let her go.

At his deposition that July afternoon, Bigelow acknowledges he didn't know of Quinby's lawsuit until a few days earlier, when WestLB's in-house counsel told him to make sure no e-mail was deleted.

WestLB had recently started to collect electronic evidence for the case, according to court papers. Bigelow was there to explain the whereabouts of the company e-mail that Quinby demanded, and how the bank's technology systems were set up so that Quinby's side could assess for themselves what information might be available to them and how onerous it would be for WestLB to produce. He was questioned under oath for 2 1/2 hours.

On some points, the CIO doesn't have answers. When asked how long the bank keeps recordings of its traders' phone conversations, for example, Bigelow doesn't know. "It just slipped my mind," he says, according to a transcript of the proceeding. Who at WestLB would know, one of Quinby's attorneys asks. "I hate to say it, but you would call me. I just would have to look to find out."

He doesn't know which relevant e-mail for Quinby's former colleagues still exists in the company's Lotus Notes databases. Some messages may have been deleted by the people who sent or received them before nightly backups were launched, he explains. Others were likely overwritten, as WestLB had recycled backup tapes since 2001. Others disappeared when, in keeping with company policy, the e-mail accounts of departing employees were erased. "I don't think I could testify that all e-mails are in the database," he says.

Unfortunately, for CIOs in similar situations, the "I don't know" response ranks as the legal equivalent of "the dog ate my homework." Now that the Sarbanes-Oxley Act and other laws dictate that companies not destroy data records, e-mails and even instant messages are being used increasingly as evidence in high-profile court cases. Technology managers must get at their data fast and vouch for its completeness. Those who can't produce what the courts require on a timely basis put their companies at risk for fines or punishments.

It's already happening.

Across industries, big companies are scrapping with judges and regulators over data.

  • Philip Morris USA was ordered by a U.S. District Court judge in Washington, D.C., to pay $2.75 million in fines when it came out during federal tobacco litigation in 2004 that 11 managers didn't save printouts of their e-mail messages, as per company policy. As an added punishment, those managers were barred from testifying at trial, according to the order from U.S. District Court Judge Gladys Kessler.

  • Banc of America Securities, a brokerage arm of Bank of America, "repeatedly failed promptly to furnish" e-mail, compliance reviews and stock-trading records during a preliminary investigation in 2001, the Securities and Exchange Commission said. The brokerage also gave "misinformation" about its records and provided incomplete, unreliable data—some of it 15 months after first requests. In a 2004 settlement between the brokerage and the SEC, the SEC found the brokerage violated two Exchange Act sections and Banc of America agreed to pay a $10 million fine.

  • Last year, in a lengthy sex discrimination case against UBS Warburg filed in 2002, a U.S. District Court judge in New York found that the company deleted e-mail in violation of a court order and couldn't produce backup tapes. The judge told the jury they could "infer that the [missing] evidence would have been unfavorable to UBS." The jury decided against the bank and awarded plaintiff Laura Zubulake $29.3 million. Although UBS Warburg denied discriminating against her and said it would appeal, the bank settled the case last September for an undisclosed sum.

    What happened at Morgan Stanley last year, however, stands apart because of the huge judgment levied against it in a Florida state court. The investment bank repeatedly failed to turn over data related to a fraud suit last year brought by Coleman Holdings Inc., the owner of camping gear maker Coleman Co., according to an order written by the judge in the case, Elizabeth T. Maass. One of Morgan Stanley's technology workers concealed knowledge of 1,423 backup tapes, later found in Brooklyn, N.Y., when he certified that the bank had produced all its evidence, according to court documents. At least three other times, the judge said, the bank lost or mislaid backup tapes.

    Fed up, Maass took dramatic action. She read a three-page statement to the jury detailing the missteps—which included overwriting e-mails and using flawed search software that hampered searches of Lotus Notes messages. She told the jury to assume the bank acted with "malice or evil intent" unless it could prove otherwise.

    Morgan Stanley lost the case, big: The jury awarded Coleman $1.6 billion. The bank is appealing.

    More and more cases are going to turn on electronic evidence, says Richard Herrmann, a partner at Morris, James, Hitchens & Williams, a firm in Wilmington, Del., that specializes in business law. "This issue will become mainstream," he says.

    WestLB and company officials, through one of the company's lawyers, Dawn Groman Darringer of the firm McDermott, Will & Emery, declined to talk about the case.

    But in court documents, Bigelow predicted that collecting pertinent e-mail wouldn't be simple. In the end, the bank spent months digging through its IBM Lotus Notes servers, AXS-One broker e-mail archiving system, Bloomberg instant messaging service and more than 180 magnetic backup tapes, according to court filings.

    WestLB also had to enlist two vendors—document recovery specialist Kroll Ontrack and Hewlett-Packard—to help. Between them, they ultimately produced 650,000 pages of evidence, the filings say.

    Costs piled up. Bills from Kroll and HP came to more than $480,000. That doesn't include the cost of diverting technology personnel to collect tapes and live e-mail. Nor the bills from lawyers for reviewing each page, which at the height of the ordeal, one of WestLB's attorneys said in court, entailed 10 to 12 attorneys working days, nights and weekends last summer at a cost of $200,000 to $300,000 per month.

    Throughout, WestLB and its information-technology department found it hard to answer the basic question asked by opposing attorneys and, later, an exasperated U.S. District Judge William Pauley. In essence: Where is your data and why can't you get it?

    Next Page: Risks Are Rising for E-MailE-Mail">

    Risks About to Rise

    Along with e-mail, corporations wrestle with information on PCs, cell phones, handheld devices, flash drives, application servers and Internet-based phone systems. Ninety percent of all documents created and received by businesses are now electronic, according to ARMA International, a group of professional information managers. An average PC can contain 1 million pages of information—a number that litigators considered "mythical" just 15 years ago, says George Socha, a lawyer and founder of Socha Consulting LLC, an electronic discovery advisory firm in St. Paul, Minn.

    In terms of archived data, Baseline estimates that there are 13.4 million terabytes of information stored magnetically worldwide, 255,000 terabytes on film, and 1,965 terabytes on paper and optical disks. As one terabyte equals about 1 trillion characters, all told that's 13,656,965 trillion letters and numbers warehoused in the business world.

    "There is more data than anyone can handle," Socha says.

    Lawyers play on this data chaos and "use e-discovery as a club in order to draw the attention of the defendant as to the seriousness of the issues," Herrmann adds.

    Despite the volume of data, companies do have to comply with industry regulations for data retention. For example, the SEC says financial services firms must keep broker e-mail for three years; the federal Health Insurance Portability and Accountability Act (HIPAA) says hospitals and doctors must keep billing records and authorization forms for six years, and other patient data, including e-mail discussions of a patient, for the life of the patient.

    Aside from such specific rules, companies can set their own retention policies—but most don't.

    Sixty-six percent of companies lack policies for saving, purging and managing e-mail, according to a survey last month by the American Management Association and The ePolicy Institute, which advises companies on Internet risks. No policy is risky when subpoena rates are rising, says Nancy Flynn, executive director of The ePolicy Institute in Columbus, Ohio. Twenty-four percent of the 416 companies surveyed had electronic messages subpoenaed by lawyers or regulators last year, up from 14% in 2003.

    Expect additional pressures in December, when amendments to the Federal Rules of Civil Procedure go into effect. The new rules require lawyers to know enough about their clients' information systems to disclose all sources of electronic information relevant to a case. That includes sources where data is not "reasonably accessible" because it is costly or hard to produce. Dusty and perhaps forgotten backup tapes are a prime example. If one side wants hard-to-get information, the other side has the burden to show why they can't have it.

    Discovery will be broader and more expensive, Herrmann says: "All information, no matter where it's housed—voice mail, BlackBerrys, handhelds, instant messaging—it's all fair game."

    When a company faces legal or regulatory questions about its e-mail and data retention practices, it's the corporate chief information officer, among other corporate officers, who will be called to answer, says Linda Sharp, a legal consultant with Kroll in Palmdale, Calif. Companies can't shift the onus to their law firms, Sharp says: "It's your data. It's your responsibility. It's your board of directors and your stockholders when the stock is going to plummet."

    Unfortunately, most companies and their CIOs today would likely find themselves in the same situation as WestLB.

    Next Page: WestLB Tackles Electronic Discovery

    Just Like You

    Like any investment bank, WestLB advises clients on which international stocks to buy and sell. The 37-year-old company is based in Düsseldorf, Germany, but runs large offices in London and New York. Privately held, WestLB hit hard times recently as the German economy sagged. After reporting $5.1 billion in losses from 2002 through 2004, the bank wanted to cut costs by, among other things, outsourcing global technology operations to Hewlett-Packard.

    The five-year, $500 million deal in 2004 immediately saved WestLB overhead, in part because the bank was able to shift 450 technology employees—almost all of its systems staff—to Hewlett-Packard. HP took over desktop computers, e-mail, telecommunications and networking, customer support and Web activities for the bank in January 2005, 3 1/2 months after Quinby filed her lawsuit, according to court filings. The vendor is not a defendant in the suit.

    To help manage the outsourcing transition in the U.S., Ken Bigelow, a six-year veteran of WestLB in New York and head of trading technology in that office, was promoted to CIO of the New York office in November 2004, he said in his deposition. He was the third CIO there in three years.

    Bigelow described WestLB's e-mail systems in his deposition last summer.

    At the center is Lotus Notes, the second most popular mail system in the world, behind Microsoft Outlook, says messaging market researcher The Radicati Group. All WestLB employees use Notes for everyday e-mail, and the Notes servers are copied every night to magnetic tapes.

    Such tapes are the standard for backing up data at large companies, according to Todd Stefan, principal at Setec Investigations, a computer forensics firm in Los Angeles. "Tape is used everywhere," he says.

    Quinby and the rest of WestLB's sales team used Notes, but their messages were archived differently, according to Bigelow's deposition and affidavit, because of the SEC's requirement to save their e-mail for three years. For the first two years, it must be "readily accessible," meaning the company or outside auditors must be able to retrieve it from a live server. Archival backup tapes warehoused offsite at a disaster recovery facility don't qualify. At WestLB, in addition to nightly tape backups of the Notes servers, broker e-mail was also saved to optical disks via AXS-One's namesake archiving package. Countrywide Financial, Fannie Mae, and MONY Group are also AXS-One customers, according to the vendor's Web site.

    In a setup like WestLB's, AXS-One would run on the same Sun Solaris server as Lotus Notes, with a C++ interface to the e-mail program, says Marie Patterson, vice president of marketing at the Rutherford, N.J., vendor. She declined to talk about WestLB specifically, but explained that after someone hits "send," AXS-One holds the message at the e-mail gateway so it can save a copy of it, plus any attachments, before allowing it to pass to the recipient.

    While tape backups snare whatever happens to exist on the Notes server at the moment the backup routine launches, AXS-One keeps in a storage system a single copy of every message created by employees whose mailboxes are connected to it.

    WestLB also uses the instant messaging function built into the Bloomberg terminals that bring stock market and other financial data to subscribers. Bloomberg often archives instant messages for customers.

    Bigelow also recounted WestLB's other archiving systems and procedures.

    Every night, backup utility software automatically copies the company's entire Notes server onto 20 to 40 magnetic tapes. At the end of a month, one of these nightly snapshots—usually the one from the last day of the month—is designated WestLB's monthly backup. Daily archives are kept at HP or the bank's disaster recovery vendor, Iron Mountain, for 15 weeks, monthlies for 13 months. Then, they are overwritten as the tapes get reused after 15 weeks or 13 months.

    At the end of a year, a backup from late December is designated the backup for that year. WestLB keeps annual snapshots indefinitely.

    WestLB's backup tapes aren't meant to be a reference library of 365 days of electronic activity, Bigelow said. They're intended to capture a reasonably complete set of data at a moment in time, to be used to rebuild servers after a disaster. They wouldn't, for example, catch an e-mail exchange between two people at 10:30 p.m. if both of them immediately deleted the messages before an 11 o'clock backup.

    From the tapes and disks it had, WestLB technology managers scrambled to satisfy Quinby's data demands. But the legal review of the resulting torrent of documents "paralyzed us for a significant period of time," said WestLB lawyer Groman Darringer in court papers. The bank's lawyers and technology people worked full-time on the case for weeks.

    Next Page: A 'Boys' Club'?Boys' Club'?">

    A 'Boys' Club'?

    Quinby had no problems with her boss, John Parker, when she first came to the bank, according to her complaint. Her job was to provide research and recommendations on European stocks to American investors. A report from Parker called her "an outstanding contributor" and "an integral part of our success."

    But their relationship soured in 2001, after Parker was promoted from executive director to co-chief executive officer of the division. Quinby maintains she was a "high caliber" employee whom Parker mistreated. She charges that "WestLB took no discernible action to address the issues," according to her lawsuit. The bank, through Groman Darringer, declined to comment by phone and e-mail.

    Parker left the bank in March 2005, according to court documents. He is not a defendant in the lawsuit and told Baseline he has "absolutely no comment" on the case.

    Last February, however, in an affidavit, Parker disputed Quinby's charges. He said Quinby was terminated the first time, in June 2003, as part of a "head count reduction" and the second time, in April 2004, because of "performance problems," including "lack of progress with her assigned accounts."

    WestLB's office was a "boys' club," Quinby's legal team says in court documents. Traders routinely looked at pornography on work computers, used foul language that demeaned women, and exchanged e-mails and Bloomberg instant messages that describe sexual acts in graphic and insulting terms. WestLB's lawyers replied, in documents, that "inappropriate language" had no connection to Quinby's termination. They say Parker used equally inappropriate language when he talked about men.

    Parker said in his deposition that he reviewed samples of the bank's e-mails to make sure they conformed to NASD guidelines, which as a senior manager he was required to do. He said he talked to employees about improper computer use. He recounted how Quinby came into his office in 2001 to ask him to stop calling the traders "girlies" when they had done something wrong. He recalled apologizing to her even though, he noted, California Gov. Arnold Schwarzenegger also uses the term.

    Next Page: What's In Your E-Mail? s In Your E-Mail?">

    What's In Your E-Mail?

    In May 2005, Quinby changed lawyers, and her new legal team, headed by Kathleen Peratis, a partner at Outten & Golden in New York, expanded the ways they asked for WestLB's electronic evidence.

    Peratis wanted WestLB to search for e-mail and Bloomberg messages from mailboxes of 19 current and former equities executives, human-resources representatives, bank managers and others, using more than 170 terms. These ranged from Quinby's name and initials, to employment-related words like "fire" and "bonus," to derogatory sexual slang.

    "Outrageous," complained Joel Cohen, another lawyer for WestLB, to Judge Pauley. The request would cost the bank "hundreds of hours of work," according to a transcript of a hearing in June 2005. It took the bank another month and several more hearings to get the request narrowed, to 17 people and just a few search terms. For most mailboxes, the key words were "Claudia," "Quinby" and her initials. But for others, there were extra terms, such as "lawsuit," "fire," "axe" and "complain."

    But even this tapered search proved challenging because of the way backup tapes work.

    Of the three places where WestLB stored e-mail—Lotus Notes, AXS-One and backup tapes—the tapes were the most complete source of information. They captured messages companywide and at least some messages that employees had later deleted off the active servers.

    For many companies, backup tapes can be a savior and a nemesis. At $20 to $50 each, tapes are cheap. And unlike a hard disk, tapes are sturdy enough to travel well to an off-site storage facility. Backup tapes work well in disaster recovery because they hold a snapshot of a company's systems at a given point in time. Restore the tapes, and you can re-create the downed system. New Orleans-based Oreck Corp. relied on tapes to get running again after Hurricane Katrina last year.

    But tapes are also the most expensive source from which to extract e-mail because of the specialized knowledge involved to pinpoint the kind of specific data demanded in an audit or lawsuit.

    To restore a tape, it must be run on the same brand and version of the software and server from which it was originally made. To search a tape, Kroll technicians first copy it to protect the data, explains Dave Schultz, a senior legal consultant at Kroll. He declined to talk specifically about Kroll's work at WestLB, but described his company's general practices.

    Kroll then uncompresses the data and restores it onto a server in a format that humans can read. Each of the mailboxes in question would then be searched electronically for e-mail with subject lines or body text that contained the approved keywords.

    As Jessica Grossman, another lawyer for WestLB, explained to the judge, she and her team would type a search word and get back a long list of documents containing that term. They would then have to open each document to find the word, highlighted in blue.

    "If the word came up on page 38 of a 70-page document, we would have to sit and go from page to page to find where the word came up. It was hard on your eyes sitting on the computer there," she said. "We were working around the clock."

    Backup tapes are not indexed, so data must be read in sequence. Hundreds of thousands of e-mails may sit on a tape, each with multiple threads that accumulate as they are sent back and forth with additions or links to different people. Then, lawyers must check every message that's recovered, to judge whether it's pertinent or private attorney-client material.

    "A backup tape of a server is like a bunch of text dumped into a 55-gallon drum," says David Duryea, a principal with Endeavor3 LLC, a forensics expert in Beachwood, Ohio. He advises his clients never to use e-mail to conduct transactional business, such as customer service, because the contents are so hard to track.

    In mid-July last year, Kroll got overwhelmed by the sheer volume of data on the tapes, WestLB told the court. Kroll's estimate of three to six weeks to complete the job stretched to 3 1/2 months.

    To try to make the court's deadline, which was pushed from July to August to September, WestLB brought in HP, its outsourcer, to help Kroll. HP copied the contents of 16 e-mail boxes from the Lotus Notes server onto CDs, according to Kevin Faulkner, a risk management consultant working for Quinby's side. That meant fewer backup tapes for Kroll to process.

    Faulkner maintains the bank should have been able to handle that job on its own. But "neither WestLB nor HP is experienced in or purports to have expertise in electronic discovery issues," said Michael Waxenberg, director of business infrastructure management in the bank's technology group, in an affidavit. HP says it does not comment on customers.

    Also a problem was getting usable e-mail from the bank's AXS-One system, Waxenberg told the judge in an August 2005 hearing. When trying to get search results out of AXS-One's proprietary format and into something more common, such as a Lotus Notes file, most attempts to export files from AXS-One crashed, inexplicably, at around 150 messages, he said. Not helpful when result sets contained as many as 10,200 messages. Kroll was unfamiliar with AXS-One data formats, and the bank was reluctant to get help from AXS-One, Waxenberg said. "I have a rather acrimonious relationship with them because we're in the process of decommissioning their product," he told the judge. WestLB didn't have a support agreement with AXS-One, he added, so any help from the vendor would have meant paying it a consulting fee. AXS-One CEO Bill Lyons says the company does not comment on specific customer installations.

    Meanwhile, Bloomberg turned over at least 75,000 pages of WestLB's instant messages, in Microsoft Word format, on CD-ROMs.

    "This is the most enormous e-mail search the bank has conducted in a litigation," Groman Darringer told the judge in that same August hearing.

    By October, Kroll's searches had produced 649,517 electronic pages of e-mail, human-resources records and other evidence from 75,281 different documents, according to an affidavit by Kroll project manager Lori Carey. Kroll had billed WestLB for more than $380,000, including a 25% premium for expedited processing. HP estimated the cost for its help at another $100,000, Faulkner said.

    Three-quarters of the pages and 86% of documents came from the backup tapes, according to Carey. Being reliant on tapes cost WestLB hundreds of thousands of extra dollars, Faulkner estimated.

    That is partly because of the way data is stored on tapes, but also because, in Faulkner's view, Kroll should have bypassed the tapes to take e-mails directly off Lotus Notes for about $10,000, a fraction of what WestLB was charged. Kroll's Schultz declined to comment on WestLB but says Kroll's pricing is "pretty much standard."

    And the searches, Groman Darringer acknowledged in court, were "not perfect." For example, they turned up lots of false positives, or irrelevant documents—a "significant portion" of the first 220,000 pages produced, according to WestLB lawyer Cohen.

    Kroll's "ineffective" search techniques produced these extra pages, Faulkner claims. For example, the search term "CQ," Quinby's initials, delivered documents with variations of the word "acquire," which is used frequently in a bank. "You can't just look at keywords," Faulkner says. "You have to look at the meaning behind them." In an affidavit, Faulkner said Kroll could have structured the query by using syntax to avoid turning up words that contain "CQ"—by typing spaces before and after the letters.

    Schultz says his company's use of search techniques, including tiered searches to narrow results, depends on "the time and money available."

    On each set of search results, WestLB's legal team then ran another search for words like "attorney," to identify documents that might be private attorney-client privileged material and therefore not to be presented to the other side. Lawyers then had to review these pages manually to glean context and judge whether each one qualified as privileged. Despite the scrutiny, at least 100,000 pages of private material slipped by and went to Quinby's lawyers by mistake, according to a hearing in February 2006, during which WestLB argued for the return of some of the documents.

    For example, one e-mail message filed in court says WestLB was eager to settle with Quinby and avoid a lawsuit, "given that we already have 2 other lawsuits already filed with the EEOC [Equal Employment Opportunity Commission] about gender discrimination." That message was written in 2003 by the bank's former head of human resources, Betsy Austin.

    The bank had to fight in court to get those pages back, explaining to the judge how "onerous" the multilayered electronic search and subsequent manual review were.

    "It was like finding needles in a haystack," Groman Darringer said in court. "We had cadres of lawyers having to go through this production. And there were so many documents, a review could only be done once" to allow WestLB to meet the court's deadline.

    Next Page: How Not to Get Paralyzed Paralyzed">

    How Not to Get Paralyzed

    WestLB continues to try to right itself financially. It regained profitability last year, making $490 million. Parker has moved on, and is now chief executive of the New York office of Global Investment Holdings, an investment bank in Turkey. Quinby is looking for work as her suit approaches its second anniversary next month.

    Still unresolved is an argument over whether Quinby should pay any of WestLB's expenses for retrieving and producing its own data.

    Quinby, WestLB argued in a letter to the judge, "was highly compensated during her career and, thus, is able to share costs for a production upon which she insisted." According to court documents, Quinby had a base salary of $175,000 with a guaranteed bonus of $475,000 for 1999. In 2000, she received a $575,000 bonus. In 2001, her bonus dropped to $100,000. She did not receive a bonus for 2002 and was terminated, for the first time, in 2003.

    Peratis counters in an interview that when Quinby first complained to HR of discrimination in 2002—or when she filed a complaint with the EEOC in 2003—WestLB could have reasonably anticipated litigation and kept pertinent e-mail and other documents at the ready by stopping transfers to backup tapes and leaving the documents on the live Lotus Notes servers. "All the money they've spent producing it was due to things that were their fault, not ours," she says.

    The situation was avoidable, experts say, with a combination of policy and technology.

    Dangerous are the gaps at many companies between the technology, legal and compliance departments, says Cyndy Launchbaugh, director of marketing at ARMA International, the information managers' group.

    The Sarbanes-Oxley Act for financial data, HIPAA for health care, and other federal and state regulations that govern specific industries are forcing these departments to work together. But historically, the different groups grew up separately, with different priorities, Launchbaugh says: "All of them hold a certain piece of the puzzle, yet no one of those has it all covered."

    The CIO may, for example, install instant messaging to speed communication among different divisions. But corporate lawyers such as Herrmann at Morris, James, warn against it. When choosing new technologies, a CIO must consider potential litigation risks, Herrmann says. His advice on instant messaging: Ban it. The quick conversation IM was built for could cause damage. "People really don't think on IM," he says.

    Bawdy talk among WestLB salesmen over instant messaging about "shagging the cleaning lady" and other more explicit activities described in court papers now resides in the public record, thanks to the Quinby lawsuit.

    If an outright ban of instant messaging won't work, Herrmann says, don't install a server-based version of IM because you will be liable for saving, storing and producing those messages in a lawsuit. Instead, employees can download individual-use copies of instant messaging applications on their personal computers. "A CIO cannot ignore potential litigation," he points out.

    Whatever technology a company adopts, it should create—and stick to—one consistent policy for archiving and purging data, Herrmann says. A company may decide, for example, to archive e-mail and instant messages daily and purge them after one year. If, during an audit or lawsuit, the company is unable to produce data that its policy says it should have on hand, it risks repercussions. They range from admonishments from a judge or regulatory body to multimillion-dollar fines, as happened to Banc of America Securities and Philip Morris USA.

    "The smartest thing a company can do is have a program for managing electronic information so it is destroyed when it should be and not warehoused indefinitely," Herrmann says.

    Indeed, before a court battle or regulatory investigation ever arises, companies should assemble an electronic discovery team, advises Jonathan Sachs, a legal consultant at Kroll. Include a mid-level systems staffer who is involved in daily technology work, along with internal and external lawyers, a senior management executive and, perhaps, an outside discovery expert, Sachs says.

    Together, the team can devise a plan for collecting, reviewing and presenting data to the other side. Items would include who will be assigned to find and restore backup tapes, procedures for lawyer review and formats for conveying the data, such as Microsoft Word documents, .TIF image files on CDs, or boxes of printouts, stapled and collated.

    Specialized software can help companies manage and get at archived data, says Bob Best, CIO of UnumProvident in Chattanooga, Tenn. Producing electronic documents "was a big issue for us two to three years ago," Best says.

    UnumProvident, a $10.4 billion insurance company, faced several class-action suits in state and federal courts in 2002 and 2003, by customers who accused the company of illegally denying their claims. In one case, a U.S. District Court judge in New York, Denise Cote, found that pertinent e-mail wasn't preserved, in part because UnumProvident failed to tell its outsourcer, IBM, to keep the messages until two weeks after the court ordered the insurer to save the e-mail, according to her August 2003 opinion. The insurer wasn't fined or punished, but the judge reprimanded the company: "If UnumProvident had been as diligent as it should have been in complying promptly with the [court] order, maybe fewer tapes would have been inadvertently overwritten," Judge Cote wrote.

    UnumProvident now uses KVS, an e-mail archiving system sold by Symantec. The software runs about $15,000 for 500 users, and Best says it's necessary so the company can comply with regulations and respond quickly to urgent data requests. "It's just something you have to do as part of the business," he says. "We've worked hard at that."

    Finally, create a retention and disposal policy for e-mail—and enforce it. Many companies have policies written in employee handbooks that employees never actually follow, says Flynn of The ePolicy Institute. Companies should comply with laws and regulations that dictate saving e-mails, but otherwise e-mail should be deleted regularly, Herrmann adds: "The more information available at the time of litigation, the more difficult it is to manage."

    CIO Bigelow is now on to the more traditional technology work of overseeing his outsourcer. Court papers don't say whether WestLB has changed any technology practices, and the company would not discuss them with Baseline. But the case that WestLB lawyer Groman Darringer told the judge last summer was "extremely burdensome" is still open. The issues of sex discrimination and retaliation that triggered the suit have yet to be argued.

    At presstime, Judge Pauley hadn't yet decided whether to send the case to trial or award a summary judgment to one side or the other, based on the 650,000 pages of evidence that have surfaced so far.

    —With reporting by Todd Spangler

    Next Page: WestLB Basics

    WestLB Basics

    U.S. Headquarters: 1211 Ave. of the Americas, New York, NY 10036
    Phone: (212) 852-6000
    Business: Investment banking.
    Chief Information Officer: Ken Bigelow
    Financials in 2005 (for parent company, WestLB AG): $715 million in profit before taxes; $490 million net profit.
    Challenge: To adhere to internal data retention policies, comply with regulatory rules for saving data, and produce documents related to lawsuits completely and in a timely manner.
  • Raise the percentage of women in management positions across WestLB AG from 12% in 2005.
  • Cut personnel and operating expenses by $296 million between Jan. 1, 2006, and Dec. 31, 2007.
  • Maintain profitability achieved in 2005 by earning at least as much profit in 2006.