Given the client’s lack of a dedicated information governance program and decades of operating without a distinct and enforced email policies, a myriad of obstacles stood in the way of establishing a new approach. FTI would first need to understand the client’s email and file share universe, and identify any information within those systems that was subject to existing legal hold obligations. With that a baseline, the team could begin disposing of unnecessary data and prepare the archive for a new retention policy.
More than 1 billion items lived in three regional email archives in the U.S., APAC and EMEA, and tens of thousands of PST files persisted on numerous global file shares. There was no documentation of what was stored in the archiving system and what was not. The legal department was concerned that the introduction of a policy would be met with resistance and confusion from employees unaccustomed to any form of email and records oversight. More, misunderstanding about the difference between emails and records was widespread across business units, making it difficult for teams to delineate varying retention rules and procedures for different types of files.
The company had also historically allowed employees to use their company issued email account for personal use. As a result, proper remediation required an exercise to separate personal email from company archives, ensure no sensitive data was contained within emails designated as belonging to an employee, and save those emails in a format that could be taken home for personal records.
The client needed to address all of these factors, while maintaining compliance with legal hold obligations and Securities and Exchange Commission (SEC) regulations that require financial services institutions to preserve all employee communications for a minimum of five years.
Over a multi-year project, FTI Consulting set out to document the instances of email wherever it resided—including on backup tapes and in PST format on file shares—remediate it, and move it as needed to the email archive. The team locked down all of the email pertaining to custodians and date ranges relevant to existing legal matters in the U.S., EMEA and APAC, and from there, applied a conservative seven-year retention policy and automatic disposal through the email archive’s retention management capabilities.
In parallel, FTI worked closely with the IT department to scan global file share systems and identify outdated and unnecessary PSTs for remediation. This effort was undertaken in multiple phases, to address file shares including: home drives, e-discovery, share drives, PST files belonging to senior leadership and unidentified/orphan PSTs requiring additional research to determine ownership.
To address the instances of personal email, FTI’s managed review team was tapped to review subsets of email for company information, parse it out and deliver it to individuals as a PST file scrubbed of any sensitive information. One of the lead reviewers also supported the client’s information security team with ongoing monitoring and management of any unexpected threats relating to employee personal use of company email.
Throughout the effort, FTI’s team conducted in-person interviews with all lines of business to inform decisions about what data could be disposed of, and any emails or files that needed to be stored for business value or compliance requirements. These interviews also guided the development and design of the global retention schedule, which was vetted among stakeholders as it evolved.
FTI also led a change management program to overcome potential resistance to the retention policy.