A recent report from Ferris Research estimates that the total number of business e-mails sent in North America alone will surpass 139 million in 2009 and 143 million in 2010. This growth in email volume continues to put pressure on IT staff in organizations of every size to manage its inflow, outflow and retention. While the mechanics of managing email inflows and outflows can be fairly straightforward, the picture can start to get a bit hazy when it comes to setting policies on how long to retain these emails.
Federal Rules of Civil Procedure (FRCP), industry regulations and internal policies all influence which emails should be archived, how long these archived emails should be retained and when they should be deleted. But all of these different factors contribute to high levels of confusion about how long emails should be retained and how to get the retention policies set correctly. Letting either IT or Legal set these email retention policies independently of the other is not necessarily the best policy.
Look at this from the perspective of IT. IT is increasingly tasked with keeping its infrastructure costs low. So when IT looks at how best to control or limit these massive volumes of e-mail, less is more. The more email they keep, the more storage they will need and the more emails they will have to search, so it is not surprising that they may recommend purging email archives after a short retention period. This has led some companies to adopt retention policies of varying lengths, but a 90 day retention policy is fairly common.
So if your company fits this description, you need to consider the following:
- Document retention policy. Do you have a document retention policy that explicitly covers email? If so, was it developed with the input and perspective of IT, Legal, and Compliance, or just IT?
Having a policy that guides email retention is a must, and once the policy is in place it should be followed. If your retention period for e-mail is 90 days, then you should adhere to this standard and not let 90 days mean 60 days, or 6 months, etc. Inconsistent adherence to email retention policies is even worse in the eyes of the court than having a wrong policy in place. Safe harbor in eDiscovery rests on an organization adhering to the policies and procedures that guide the destruction of its email data.
- Legal Hold of E-mail. If your policy guides destruction of email at the end of every 90 days but you can reasonably anticipate legal action involving these emails, then you are bound by the FRCP to hold those documents in anticipation of a possible discovery.
Destruction of emails once you know a legal hold is necessary could expose an organization (public or private) to court sanctions for spoliation. So if you even suspect you might need to retain emails, you had better have a means to hold on to them. eDiscovery rulings are often a moving target, and knowing exactly when to start retaining e-mails critical to a case can be very difficult, as shown in the recent case of Phillip M. Adams & Associates, L.L.C. v. Dell, Inc., 2009.
- Regulatory Factors. Is e-mail retention for your company guided by government regulation such as Sarbanes-Oxley (SOX)? Publicly traded companies, healthcare institutions and financial services organizations all are subject to regulations that affect how long they retain emails. These regulatory considerations often have strict penalties attached to them for non-compliance.
Retention periods can also vary depending on the information contained within email, whether it is financial statements, HR data, patient information, or contractual discussions. Each could have different regulatory retention requirements based upon the information contained in the email.
We are not suggesting that expanding email stores for indefinite periods of time is the right approach, but one cannot naively assume that if you delete all emails after 90 days, courts will find you blameless. They will not. Managing ever expanding email growth and managing the risks and costs associated with retaining emails too long can seem like competing priorities. But if organizations consult with the other appropriate internal departments and take these risks into consideration as they do routine maintenance on their email, they will not expose the organization to extraordinary risks.
Archiving products such as Estorian’s LookingGlass give companies the ability to take control of email so they aren’t faced with an “all or nothing” approach to deleting e-mail data just to stay within storage limitations, an approach that puts them at significant risk. LookingGlass not only gives companies the ability to control email to meet regulatory and eDiscovery challenges but also lets them purge emails in an orderly and timely fashion based on the organization’s retention policy.
In this new world of ever increasing regulatory burdens and eDiscovery, it is no longer acceptable for companies to develop a 90 day retention policy based on keeping storage costs low without giving consideration to eDiscovery and regulation. A well-thought-out data retention policy takes into account the risks outlined above, so companies have a framework from which to do ongoing maintenance of archived email stores.
The 90 day retention policy which some organizations use and are already accustomed to does not have to die, but it does need some tweaks to hold up under the scrutiny of today’s legal system. Products such as LookingGlass enable organizations to create and enforce policies that satisfy the legacy 90 day time frame for those emails that are no longer needed but also introduce new ones that meet regulatory as well as eDiscovery mandates. In so doing, they allow organizations to evolve their email policies to meet today’s challenges without creating undue risks or resulting in unexpected legal liabilities.