News Stay informed about the latest enterprise technology news and product updates.

VoIP and SOX: Tricky recipe for CIOs

Adam I. Cohen is a partner in the litigation department in the New York office of Weil, Gotshal & Manges LLP. Nationally recognized for his work on discovery and document retention issues associated with electronic information, he is the co-author of Electronic Discovery: Law and Practice. The authoritative 2003 primer has already been cited in four landmark e-discovery decisions by federal district courts. asked Cohen how CIOs should be treating that murkiest of electronic records -- Voice over Internet Protocol (VoIP) data. The takeaway? Do exactly as company lawyers tell you to.

What is the difference between record-keeping of VoIP messages versus traditional telephone messages?
There are going to be different types of records created by telephone calls when you do things digitally. When you do things digitally as opposed to the old-fashioned way, it creates new challenges in terms of retention. For example, if you look at old voicemails, analog form, there wasn't much expectation in the way of preserving them.

With digital voicemail systems and systems that turn voicemails into wave files that then get e-mailed, now you have this whole new possibility and treasure-trove evidence and information that would be potentially subject to preservation obligations, just like any other form of information. The key thing to remember is that the type of media in which the records are stored is largely irrelevant when it comes to determining your obligations to preserve. And, as the types of media that are creating these records with different types of digital information multiply -- for example, records created through VoIP -- it becomes more and more critical for companies to be very focused on their policies and practices regarding information management. How does a company decide what to retain?
What you need to retain is going to be dictated by subject matter, not by type of media. So, for example, if there are records created by a VoIP system that deals with your 10K, the fact that some records are created by VoIP has no bearing whatsoever on your preservation obligations. You're going to have to figure out a way to deal with that. You can't say, oh well, this is stored in this type of media and these records are created by this type of software application, therefore I don't have to worry about preservation.

For more information

VoIP and compliance confusion

The best laid VoIP plans

When you talk to companies, do you find that many believe they don't have to keep a record of it because it was done over the phone?
Absolutely, there is a lot of uncertainty in terms of what exactly is the extent of preservation obligations with respect to certain types of media. The big issue that still predominates that discussion is backup tapes. While it is entirely possible that at the end of the day the court might say, 'Well, I really don't think it was reasonable to expect you to preserve that type of information,' the way the preservation obligation is generally interpreted is more media neutral. At the end of the day, there might be arguments you could make in terms of burden and cost, as to why you shouldn't have to keep that information, but in the absence of a ruling that says, for example, VOIP is not the kind of information you need to preserve, you'd better preserve it, if it's relevant to subject matter that falls under some preservation obligation. What are the biggest errors in judgment companies routinely make when dealing with electronic records?
One is keeping information that they're not required to keep. The consequence of that is tremendous cost, when in response to either regulatory investigation or litigation they are required to retrieve and search that information and review it for production. They find they have needlessly multiplied their burden by keeping information that has no business use and wasn't governed by some legal preservation requirement.

No. 2, is not having thoroughly thought out and implemented information management policies and practices. You would be amazed at the big companies with vast sprawling corporate networks generating gigantic amounts of information -- a lot of it very sensitive -- that have not made much headway into implementing policies and practices, so they can have some measure of control and can explain why they have certain information and not other information.

No. 3, is they are not in touch with the de facto information policies -- what actually happens at the company. A lot of what happens is driven by IT people. So, for example, somebody in IT decides that because of storage capacity issues, they are going to purge e-mail on active servers every 90 days. Then a litigation happens, or there is an investigation, and either no one was aware of the purge or thought to communicate with IT that they need to perhaps to suspend the purge.

This gets to the heart of our audience. So CIOs need to be brought into the loop?
Absolutely, the interface between CIOs and lawyers is the story. In all these cases where companies have been punished for losing electronic information, 99% of the time it can be attributed to some kind of communications failure between lawyers and IT people. Not bringing IT into the loop on legal issues is a common and serious mistake. Morgan Stanley is probably the most prominent example. A few years back, there was a case, Keir v. UnumProvident Corp., a big insurance company. The decision gives a fascinating inside look at what happened in terms of the miscommunication between the outside lawyers and the in-house lawyers down to the inside tech people at the company and their vendor, IBM, which handled their backup systems. What makes VoIP messages such a potential nightmare is that to produce voicemail that has been sent and saved digitally, you have to listen to it real time and transcribe it.
That's right, and the burden involved in that may result in not having to produce it. But it might not, and when you're dealing with regulators, they are less sympathetic to the burden argument.

Now you don't have to create records that wouldn't otherwise exist. If it is not your normal practice to record those oral communications, you're not required to go out and record them and create records just because you have some preservation duty. It doesn't mean I now have to walk around with a tape recorder and anytime I say something to someone that is relevant to a litigation or investigation I now have to tape record it.

This question and answer interview originally appeared on

Dig Deeper on Network Planning and Testing for IP Telephony

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.