E-mail, voice mail, and instant messaging: a legal perspective: an organization that uses messaging faces a legal landscape that urges, if not demands, a rational policy for managing messaging data.
* discusses e-mail voice mail and instant messaging as records from a legal perspective
* provides examples of messaging restrictions and guidelines in the United States and worldwide
* examines considerations for policies for managing messaging data
Since the early 1990s, e-mail has become ubiquitous worldwide, Many businesses are dependent on it. and a significant percentage of all private individuals in the developed world are equally dependent on it as a means--often a primary means--of communication with others, More recently, instant messaging (IM) has achieved a similar status. In many environments business and personal, it is an important communication tool. Lurking on the sidelines is still another widely used tool, voice messaging.
These tools pose formidable challenges in many respects. From a business and management perspective, their utility--often very high--is counterbalanced by their unstructured, inherently difficult-to-manage nature and the sheer volume of data that is transmitted and accumulated using them. From a legal perspective, their rapid acceptance, combined with the equally rapid changes in the technologies of which they are a part, makes it difficult for the often slow moving legal world to keep pace with them.
This confluence of factors poses several issues for the organization that uses these technologies extensively:
* Storage of large volumes of e-mail, voice mail, and IM imposes significant costs on an organization in terms of infrastructure and equipment, manpower, and other resources.
* The difficulties of managing millions--or even billions of informal data objects, created with little or no attention to formal structuring or indexing, make systematic management and recovery of them challenging and expensive.
* The e-mail so stored is subject to legal process, requiring searches that may prove difficult and expensive.
From a legal perspective, another group of issues arises:
* Are data objects created using these technologies "records"?
* If so, must they he formally managed?
* What retention period is appropriate for them?
* Are all these technologies the same legally, or do they fall into different classes?
These business and legal issues collectively pose a very formidable conundrum for any business or other large organization.
What Exactly Are E-mail, Voice Mail, and IM Legally?
From a management perspective, e-mail, voice mail, and IM (hereafter collectively called "messaging") as "non records" or legal non-entities would be the most convenient situation. An organization would therefore be free to manage or not manage them as it saw fit. Included in this approach would presumably be the option to establish an arbitrary retention period suited to the convenience and budget of the organization.
A good deal of law impacts messaging. Much of it is indirect in that it does not specifically refer to the technologies themselves. Nonetheless, it does have a direct impact on the way messaging must be managed. The ultimate sweep of that law is perhaps best characterized by an analysis of the United Nations Commission on International Trade (UNICTRAL) Model Law on Electronic Commerce, which serves as the basis for many national laws governing the topic.
According to UNICTRAL, "'Data message' means information generated, sent, received, or stored by electronic, optical, or similar means including, but not limited to, electronic data interchange (EDI), electronic mail, telegram, telex, or telecopy."
Consideration of this brief provision reveals that its scope is broad indeed: Messaging of all sorts, regardless of the technology, is a "data message" within the meaning of this law.
UNICTRAL also describes several legal attributes of a data message:
* "Information shall not be denied legal effect, validity, or enforceability solely on the grounds that it is in the form of a data message."
* "Information shall not be denied legal effect, validity, or enforceability solely on the grounds that it is not contained in the data message purporting to give rise to such legal effect, but is merely referred to in that data message."
* "Where the law requires information to be presented or retained in its original form, that requirement is met by a data message if: (a) there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form, as a data message or otherwise; and (b) where it is required that information be presented, that information is capable of being displayed to the person to whom it is to be presented."
* "[The preceding] paragraph applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the information not being in writing"
* "In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to deny the admissibility of a data message in evidence: (a) on the sole ground that it is a data message; or (b) if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that it is not in its original form."
* "Information in the form of a data message shall be given due evidential weight. In assessing the evidential weight of a data message, regard shall be had to the reliability of the manner in which the data message was generated, stored, or communicated to the reliability of the manner in which the integrity of the information was maintained, to the manner in which its originator was identified, and to any other relevant factor."
* "Where the law requires that certain documents, records, or information be retained, that requirement is met by retaining data messages, provided that the following conditions are satisfied: (a) the information contained therein is accessible so as to be usable for subsequent reference; (b) the data message is retained in the format in which it was generated, sent, or received, or in a format which can be demonstrated to represent accurately the information generated, sent, or received; and (c) such information, if any, is retained as enables the identification of the origin and destination of a data message and the date and time when it was sent or received."
* "In the context of contract formation, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be expressed by means of data messages. Where a data message is used in the formation of a contract, that contract shall not he denied validity or enforceability on the sole ground that a data message was used for that purpose."
Consideration of these provisions reveals that they, too, have enormous impact: Messaging and--all other electronic data capture--is instantly placed on par with paper, microfilm, and other traditional media. Data created or captured using messaging technology is a record in precisely the same circumstances as its paper counterparts. It has the same force and effect legally as its paper counterparts and can be used in all the legally significant ways that its paper counterparts can be used. The provisions also have the effect of bringing messaging data within the scope of thousands of other laws in every legal jurisdiction in the world that require data or records to be kept or that regulate information once it has been captured. UNICTRAL is not merely an academic exercise; in one form or another, this law or something close to it has been enacted in at least 31 countries and more can he expected.
UNICTRAL and its progeny represent the continuation of a long trend rather than radical new thinking: At this point, electronic data technology has a decades long history of acceptance by the legal systems of the world, so the acceptance of the next step in that technology--e-mail, IM, and voice mail--comes as no surprise. UNICTRAL is merely one of a large body of statutes, evidentiary rules, case decisions, and other authority permitting or authorizing the use of electronic data, including messaging technology. Thus, the outcomes logically arising from this acceptance should not be surprising either.
Is Messaging Regulated by Law?
In short, messaging is regulated by law in precisely the ways that its paper counterparts are regulated. There are many examples of this:
* In industries such as financial services or law, the U.S. Securities and Exchange Commission (SEC) has deemed that written client communications must be preserved for a period of years. Either expressly or by implication, regulatory authorities have in many cases indicated that this includes communications via messaging.
* In civil-law countries, business related correspondence must frequently be retained for a period of years. Some countries have explicitly included "data messages" in this requirement; in other cases, the existing requirements, which usually predate messaging technology, must be fairly construed to include messaging, given that they include not only paper correspondence, but also telegraph and similar correspondence that is captured (e.g., Mexico Commercial Code Art. 49, requires retention of" letters, telegrams, data messages, or any other documents ...").
* Most public records laws define "public records," "government records," and similar terms in a manner that includes recorded data captured by messaging technologies (e.g., Australian Guidelines on Managing Electronic Records as Documents).
* Data privacy laws in a number of countries regulate or prohibit the transmission or distribution of personal data on individuals. The European Union Data Privacy Directive, the model for most such laws, is in torte in the European Union, thereby affecting most of Western Europe; in addition, such widespread jurisdictions as Hong Kong, Australia, India, and many Latin American countries have or will soon enact similar legislation.
Thus, messaging may be regulated both with respect to management and retention, and to the nature and destination of the transmission itself.
When Messaging Isn't Directly Regulated ...
Even in situations where messaging is not directly regulated by a law, it is likely' to be the source of a vast amount of legally significant data. Any discussion of a legally significant nature, whether it is a transactional negotiation, regulatory issue, human resources, or other issue, generates data that may have evidentiary, compliance, or other legal significance. As already observed, under current law, such data arising from use of messaging has full legal effect. An organization may, therefore, find itself in a situation where messaging data constitutes a primary, or perhaps the only, evidence of some transaction of importance to it. An organization in this position can ill afford a poorly thought-out policy for managing messaging or, worse, no policy at all.
An organization that uses messaging is therefore faced with a legal landscape that urges, if not demands, a rational policy for managing messaging data. The question then becomes, "What is that policy?"
Any messaging policy initially requires consideration of two things: a philosophy and a technology investment. What each of these looks like depends upon a variety of factors, including:
* The size and complexity of the organization
* its usage and dependence on messaging
* The legal requirements applicable to it
* The money it has to spend
Any organization, large or small, has to decide philosophically whether, and to what extent, it is willing to commit required or important data to messaging technology. In doing so, it must bear in mind that data capture is only the first management step. Once captured, data must be retrieved with some level of accuracy and completeness, often using retrieval parameters set by parties other than those who captured the data in the first place, including courts, litigants, regulators, and other outsiders.
Current out-of-the-box messaging technology has little if any records management functionality--particularly for environments where the number of data objects under management may be millions or billions and may involve complex matters. Therefore, a decision to rely heavily on messaging technology may require a large investment in technology assistance in the form of specialized software or other tools to manage the messaging data. Even then, the organization may find itself incurring significant costs in personnel time and other resources needed to search and retrieve in such a massive data set.
For some organizations, this may not be desirable or even possible: budget constraints, personnel limitations, or other factors may preclude a large, single-purpose technology purchase, or technology limitations may preclude data management adequately precise for their needs. Other solutions are available: Messaging data may be stored as word processing data or printed out and managed as part of a paper filing system, or it may simply be left in the messaging system. Whether any of these are feasible or desirable depends upon a variety of factors unique to the organization. In some cases, use of difficult-to-control technology such as IM may simply be undesirable.
The organization must also make decisions on a variety of technical records and information management issues, including:
* Is retention of messaging to be single- or multiple-period, based upon subject matter?
* Is the data structure to be used for managing messaging data to be a mirror of the physical file plan or electronic file plan? A simplified version? Something else entirely?
Each of these issues--and there are many more--forces choices upon the organization. Each may or may not be possible in a given technology environment or business culture, and each, if possible, imposes costs of many different varieties on the organization.
The organization must also take into account the law governing its information. If it is in a heavily regulated environment where messaging data is subject to severe regulatory demands, a substantial technology and training investment may be unavoidable if messaging is to be used at all. Similarly, if the jurisdiction in which it does business imposes a long retention period on messaging data, that long-term storage will impose a cost on the organization that must be accounted for in assessing the value of messaging. If data privacy is an issue, messaging policy must contain guidelines on what information may be sent properly via messaging, and where, to whom, and under what circumstances sending it is appropriate.
In no case is the array of available solutions likely to include an ideal solution. Messaging technology does not yet have the management tools needed for an ideal solution, and the way we use it is simply too imprecise and informal to lend itself to an ideal solution. There is a conflict here--the spontaneous and informal nature of messaging is an attribute that contributes greatly to its value as a communication tool. The more we attempt to control and manage it, the more we interfere with that spontaneous and informal nature, and, thereby, with its value to us. Ultimately, a balance must be struck between control and utility, recognizing that these two needs are at odds with each other.
That balance can only be struck by an organization that knows a great deal about itself, including its needs, its values, its complexity, its mission, its people. It must also understand a great deal about the role messaging plays in its activities and the value messaging adds, whether as increased profitability, better public service, or something else. Only when these things are understood can a sound and cost-effective messaging policy be developed and implemented.
John C. Montana, J.D., is a records management and legal consultant and principal of Montana and Associates. He may be contacted at email@example.com.
Editor's Note: This article is based on a study recently conducted with funding from the ARMA International Educational Foundation. The full results of the study are available at www.armaedfoundation.org.