Are There Any Smart E-mail Retention Policies?

An anonymous reader writes "In an age of litigation and costly discovery obligations, many organizations are embracing policies which call for the forced purging of e-mail in an attempt to limit the organization's exposure to legal risk. I work for a large organization which is about to begin destroying all e-mail older than 180 days. Normally, I would just duck the house-cleaning by archiving my own e-mail to hard-drive or a network folder, but we are a Microsoft shop and the Exchange e-mail server is configured to deny all attempts to copy data to an off-line personal folder (.PST file). The organization's policy unhelpfully recommends that 'really important' e-mails be saved as Word documents. Is anybody doing this right? What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?"

adaptation

The end result of all the bullshit lawyers try to shove on people who actually produce things for a living is the same. We route around it. This policy will cause people to use webmail, alternative email clients, IM, and other technologies to get on with getting work done, while the lawyers remain blissfully ignorant.

Printers are your friends

Print every email you get, I'm sure it won't effect your bonus.

Re:Mod parent up as funny

My company gets a lot of material for jobs via email. The email gets printed out and attached to a carbonless job form. The details from the email are written on the job form (plus extra details we need to do the job). When the job is done, this paper monstrosity is sent to billing, including the email. On top of this we want to search the details of the job, so we scan the docket into the computer after the job is done. We scan the email as well. So what started out as 8KB of text ends up as 300KB-800KB of images, with a lot of extra work in between. Never underestimate to power of business to create work.

Cheating is a bad idea

Cheating, as the author suggests, is a bad idea. The company is doing this for a reason... to protect themselves from extra BS when they get sued.

If you don't want to have to go through that extra BS (believe me, you don't) and/or you don't want your company or yourself getting in even more legal trouble when they deny something exists (because it shouldn't according to their policy) when it really does (because you didn't follow the policy) then don't be an ass. Do what they tell you like a good little minion.

How about the reverse problem?

The IT staff at my former employer saved copies of all email that went through the server... indefinitely. No, they didn't tell employees they were doing it. And yes, they had a search engine so they could do across the board searches of whatever terms seemed interesting at the time.

I find it interesting that different companies are going to different extremes. Some are limiting their exposure by trying to delete all mail and others are saving all mail in order to be able to comply with court orders (or perhaps just get a bit big brother-ish.

For a REALLY strange twist, the company I'm speaking of forced employees to maintain mailboxes under 100MB... while the server admins never deleted a single email that hit the server.

Re:Cheating is a bad idea

Here is the thing I don't understand...

This is a double edged sword.

It is nice that you won't have incriminating emails around so that people can find them during discovery.

but what happens when you need those same emails that are over 180 days old that would have EXONERATED you?

I guess you just have to say... "oh well, sorry, we don't have a copy of the [warning/caution/acceptance] that puts us in the clear..., I guess we're screwed".

Re:Cheating is a bad idea

but what happens when you need those same emails that are over 180 days old that would have EXONERATED you?

I guess you just have to say... "oh well, sorry, we don't have a copy of the [warning/caution/acceptance] that puts us in the clear..., I guess we're screwed".

It's a fair question, and one I've certainly struggled with. Ultimately, you have to come up with a balancing of the possibilities. On one hand is the possibility that an email over 180 days exonerates you and on the other is an email over 180 days old that sends your executives to prison. The calculation may be that it's harder for someone to prove you guilty, than to be forced to prove yourself innocent. Apparently the balance for this company is at 180 days. That's a bit short for my taste, but that's what this company has decided.

Re:Cheating is a bad idea

This is why some investment banks save everything. They create a rebuttable presumption that if they don't have it, it doesn't exist. (Often helpful when the other side alleges there is a "smoking gun")

Re:Cheating is a bad idea

> but what happens when you need those same emails that are over 180 days old that would have EXONERATED you?

Well, obviously this company has decided that old emails are much more likely to work against them, and this even overrides the loss of productivity due to important emails going missing etc. I really wonder what kind of business this company is in, and what their business strategy is :-(

Or maybe it is just one CEO that knows something funny went on, and now he/she is trying to destroy the evidence whatever the cost.

Let it be deleted

Seriously.

Let the 180 day limit on email remain as 'someone elses problem'. How many times do you really need to get an email six months old? You'll end up with a cleaner, faster and less stressful mailbox.
 
Of course, there may be the odd email you need, so every week why not look at the oldest week's worth of mail in your mailbox, and anything you REALLY have to keep, just forward it to yourself. Then it will stay in your mailbox for another 180 days. But try to only forward the things that are vital.
 
Of course you may be able to forward to an offsite mail account, but I'm assuming that isn't allowed. No company is going to restrict you from forwarding emails to your own company account.
 
Jolyon

Re:Let it be deleted

I often find I need e-mails that are 10-15 years old. I haven't retained everything over that time, but what I've retained is both interesting and useful. Frivolous emails are certainly deletable. But the non-frivolous stuff? That leaves a lot of stuff whose value does not deprecate with time. In the end, knowledge is its own currency, and those who choose to throw that currency away simply make themselves poorer.

Re:Let it be deleted

How many times do you really need to get an email six months old?

It's saved my ass more than once. There are few things more satisfying than having a project manager start an email tirade against you because she thinks you didn't tell her about a change that needed to be made later in the year, and being able to forward that old email to her and tell her "yes, I did tell you about it, I even sent you the documentation for it way back when."

You'd better comply with Sarbanes-Oxley

Destroying e-mail - something that used to be a good idea - can now be a crime even absent an active criminal investigation. For firms affected by Sarbanes-Oxley, you'd better comply with e-mail retention rules [s-ox.com].

And for those of you libertarian-for-yourself, statist-for-big-companies types out there, this is what happens when the government pokes its nose into regulating business; they don't just make Microsoft's life miserable. All aspects of life and business will be intruded upon. That's just how Big Nanny works.

Re:You'd better comply with Sarbanes-Oxley

Destroying e-mail - something that used to be a good idea - can now be a crime even absent an active criminal investigation.

Unless the email is destroyed on an ongoing basis as part of a clear and documented policy, which makes it perfectly legal.

Sounds exactly like this "ask slashdot" question.

Not a bad idea?

I tend to see e-mail as something you use for temporary exchange of messages and tasks/information held therein, not something to be used to archive material.

I'd argue the company's policy isn't actually far wrong, surely anything over about 180 days is something that is more suited to permanent archiving anyway?

I'll admit when I was working in tech support and I had our corporate Microsoft keys e-mailed me I kept them in my personal folders for a couple of years but realistically I have to admit I think these would be better placed in an information repository suited to more permanent store of information.

The company does then of course run the risk of people storing data that puts them at legal risk in that information repository instead however!

I'm not sure though that there are many circumstances where an e-mail client needs to act as a long term information store. I find it's generally the case that if you need to store it for a long while, it'll almost certainly be something that others in your company will need access to should you get hit by a bus tomorrow and as such, maybe shared folders (with appropriate permissions) are a better choice than personal folders?

Sarbanes-Oxley Question

You left out something very important. Is your large company publicly traded in the US? If yes, it could be looking at violations of Sarbanes-Oxley if they really are purging (and not retaining) e-mail "in an attempt to limit the organization's exposure to legal risk."

But that is likely not the case. It is more likely the company is trying to limit the amount of data stored on its Exchange system. Adding storage and additional backup capacity is expensive. Implementing a policy that requires end users to keep the size of their mailboxes down does not work, because many people insist they need every bit of those six years of archived e-mail; people use e-mail as much for CYA as doing real business. So, this solution was selected. If it really is important, make the end users do some work to keep it and don't force the company to re architect its storage system to keep years of CYA and personal mail.

Re:Sarbanes-Oxley Question

Deleting email is just fine with Sarbanes Oxley as long as you have a specified policy and follow it to the letter. It would be okay to have a policy that email is auto-deleted after 30 days, if your company wanted to do that.
What is specifically NOT okay is deleting email once an investigation is underway or if there is reason to believe you will be investigated. In those cases, you have a duty to preservce evidennce. if you delete email under these circumstances for example, the judge may instruct the jury to assume that the email was incrimating or may rule summarily against you. Either way, your company is hosed.

Your email? Excuse me??

That email belongs to the company, not you. As someone who accumulates 90% of his work stress from dealing with employee email usage atrocities (please don't email an mp3 mix cd image to 150 of your closest friends from your workstation, kthx), let me tell you what's wrong with your plan.

Its company property, governed by the policy in place for whatever reason, feel free to violate the policy if you don't want your job.

Not to mention what will happen if it comes to light that you are violating policy during a discovery proceedure, especially if it comes to light because you brilliantly decided to forward critical confidential company correspondence to somewhere like a Gmail account.

Brilliant. Really. Good luck finding a job after that.

Project Completion and Architectural Decisions

A balance needs to be struck between the negatives of two strategies:

* Perpetual archiving of e-mail - wastes server disk space, increases tape backup volume, and (more notoriously) can leave "clues" that predatory litigators salivate over.
* Non-archival of e-mail - internal accusations and decisions can't be resolved, difficult to track decisions and their history, circumventable by printing the e-mail with headers.

The solution is as follows:

1. Digest only the final decisions of e-mails and the essential reasoning thereof, or make a digest of the decisions in a collaborative project wiki where buy-in from the stakeholders can be tracked.

2a. Upon project completion (ISO9000-type project gating), archive all project files, documentation and essential digest e-mails.
2b. Simultaneously destroy all other e-mails using secure forensically-unrecoverable techniques to prevent accidental recovery by thieves.

3. Any other e-mails regarding general architectural or administrative decisions which have implications for future development in the company should be digested, placed on a company wiki, and then the remainder securely destroyed.

Using this method, any questionable or potentially illegal decisions can be greatly avoided or reduced from a purely legal perspective while retaining sufficient information to continue operations and development. This policy won't end all legal issues, but the key is to have procedures that are centered around the guise of IT efficiency and operational simplicity to purposely dispel any other alleged intent by third parties that expressed or implies destruction of future evidence.

It's not just the company you protect

I don't know how often I've saved my own can by retrieving an email from someone denying one thing or another or if a project goes south due to additional requests. By demanding that all requests be in written form or in email, I can produce a paper trail of all the requirements for a given project. As developers, we do nothing unless we have an official request. This limits our responsibility when things go over budget or behind schedule.

Deleting emails when a project is over is not necessarily a good idea, either. Patterns of irrational and poorly thought out requests can be produced over a long time period and this can also be used to cover one's caboose or even to give priorities to scope creep during crunch time. If things are going slow and they want some feature added in, we might be more inclined to meet that request. But if we're facing hard deadlines, we can push back and make the requester decide which are the most important features to add.

Doesn't belong there.

Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.

Go with the flow

If the information is important enough to keep around after six months then it should be documented either as a policy or white paper. It seems that what your organization is attempting to do is to limit email to functioning as a communications medium. They don't want your Exchange servers to be an information repository. I can see the logic in what they are doing. In all seriousness if you haven't acted on information in an email in six months it either wasn't that important, or you're not staying on top of your responsibility. If it is information that needs to be kept because it is integral to the functioning of your department then there are better places than email to keep that information.

Horrible policy

As an attorney who practices e-discovery, I can tell you that any company which implements the policy described above better hope to god they never find themselves embroiled in multi-state class action litigation. Sooner or later, they will run into a judge who views the destruction of evidence for the express purpose of avoiding liability as a bad thing and they will lose the case. A policy designed to protect the company from litigious plaintiffs will have the opposite result and create huge awards for the plaintiffs. If you work for a large company which has been sued in major litigation, you should probably assume that all of your e-mails will be read by an attorney at some point and write your e-mails accordingly.

Re:Don't break the law...

It isn't just about breaking the law. Someone sends an email to a coworker, telling them "I suppose that if someone is using our Webelfetzer 1000 while hopping up and down on one foot in the shower, they might slip, and bang their head," and then a year later someone is using a Webelfetzer 1000 while hopping up and down on one foot in the shower, and they slip and bang their head, and sue, and their lawyer finds the old email, and screams: "See! You knew this was a threat, and you didn't warn anybody!" and then doubles the damages they're asking for.

Re:imap?

It's not unreasonable in such a litigious society.

In a litigious society, wouldn't it be best to save all of your email, so you can use it to protect yourself in court?

If you're deleting all your email, then the only evidence that will come out in court will be from the people suing you.