At Gilbert + Tobin, we have a problem with our email: We have far too much email, as lawyers generally need to keep almost every document that relates to the work they do, having no limit on the size of their mailboxes.
Our largest mailbox is pushing 45 GB, and we have quite a number of users whose mailboxes are in excess of 20 GB. These are numbers that would make a Microsoft Exchange architect blush, as the system was just not intended to handle that volume of data on a per-user basis.
So our IT department has been exploring ways to manage our escalating email infrastructure and storage requirements.
The other day I attended a pitch from a cloud vendor that provides a hosted email archiving solution. It was one of the best vendor presentations I’ve attended. The product is well developed and slick, and would allow us to move all our archived emails off our infrastructure.
Naturally, the offering reflects sound industry practice in relation to security and resiliency: Our data would be stored on infrastructure in an active-active configuration in two geographically diverse tier 1 data centres; our data would be encrypted in transit and at rest; the vendor's security procedures are certified to ISO27001, and so on.
And if that wasn’t attractive enough, when finance crunched the numbers on the capex and opex savings, as one of the owners of our business I couldn’t help but think it was a foregone conclusion that we ought to implement such a solution.
I’m sure you’ve heard similar stories countless times, and I’m telling you nothing new. But this is something you may not have heard: After reading the contract, which the vendor expects us to sign from start to finish, I soon discovered that what was being offered to me did not seem to stack up.
The contract doesn't require the vendor to implement the security procedures I described above; it does not contain adequate promises in relation to the protection of personal information to enable us to comply with our statutory privacy obligations to our staff and clients; and it does not limit where, or to what type of data centre, the vendor may move our data.
And as if that wasn’t bad enough, even if we could identify something the vendor had failed to do under the contract, it didn’t accept responsibility for the integrity of the data it stores for us (hello, it’s a data archiving solution), and the financial limits on its liability meant it would never be worth suing them for anything anyway.