Are There Any Smart E-mail Retention Policies? 367
An anonymous reader writes "In an age of litigation and costly discovery obligations, many organizations are embracing policies which call for the forced purging of e-mail in an attempt to limit the organization's exposure to legal risk. I work for a large organization which is about to begin destroying all e-mail older than 180 days. Normally, I would just duck the house-cleaning by archiving my own e-mail to hard-drive or a network folder, but we are a Microsoft shop and the Exchange e-mail server is configured to deny all attempts to copy data to an off-line personal folder (.PST file). The organization's policy unhelpfully recommends that 'really important' e-mails be saved as Word documents. Is anybody doing this right? What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?"
You'd better comply with Sarbanes-Oxley (Score:5, Informative)
And for those of you libertarian-for-yourself, statist-for-big-companies types out there, this is what happens when the government pokes its nose into regulating business; they don't just make Microsoft's life miserable. All aspects of life and business will be intruded upon. That's just how Big Nanny works.
Re:Sarbanes-Oxley Question (Score:2, Informative)
I'm posting as AC because I'd probably end up fired for mentioning this.
We keep emails essentially forever. Our company uses its own email system, though it used to use exchange (and people still want to keep using it, despite the fact that it sucks ass). Everyone has 25GB of email space, with more if you request it (and, I assume, are approved for it).
If there's something you don't want potentially showing up in a court room you shouldn't be emailing it in the first place. You don't know if the other person is saving it locally (and putting those exchange restrictions isn't going to stop this). Same with IM, you don't know if the other person is logging it.
Perhaps I'm part of the internet generation but I don't see the point in destroying information; no matter how bad it is it may have some unforeseen future usefulness. Bad stuff has a tendency to hang around much longer than good stuff anyway.
You cannot rely on people not saving information to get you out of legal trouble, instead rely on not saying those things in the first place.
Re:Sarbanes-Oxley Question (Score:5, Informative)
Deleting email is just fine with Sarbanes Oxley as long as you have a specified policy and follow it to the letter. It would be okay to have a policy that email is auto-deleted after 30 days, if your company wanted to do that.
What is specifically NOT okay is deleting email once an investigation is underway or if there is reason to believe you will be investigated. In those cases, you have a duty to preservce evidennce. if you delete email under these circumstances for example, the judge may instruct the jury to assume that the email was incrimating or may rule summarily against you. Either way, your company is hosed.
Re:How do you like prison (Score:3, Informative)
Re:Printers are your friends (Score:3, Informative)
Two different questions (Score:2, Informative)
Are there any good retention policies out there? No. The good retention policy is to save what you need, delete what you don't. Which is not a policy at all.
What would I recommend for a corporation? Don't use e-mail at all. If you refuse to follow that advice, use a system that deletes on first read and cannot be used to create copies (harder than it seems).
There are several reasons for keeping mail. At the top of everyone's list is self-preservation. It's important to be able to prove that this or that decision was made for these reasons or that so-and-so really did tell you to do whatever. This is necessary because in the modern corporate ethos, the employees and shareholders take all the risks and senior management reaps all the gains. Everyone needs protection. But it probably won't help you.
Another, better, reason is the reason writing was invented in the first place: to recall past events and information not held in one's memory. This is where the "right policy" really shines. Unfortunately, anything worth keeping is also worth a subpoena when someone decides to fuck with you (or your company, but remember that companies do not suffer, their employees and shareholders suffer; if something you wrote, or kept, harms "the company" you can bet it will end up harming you a lot more). So short of obliterating most of the civil law on the books today, we're back to keeping nothing. You as an individual stand to lose your life (if you lose your job and are blackballed, you will die or wish you had). But as always most of the gains from saving mail accrue to senior management in the form of better corporate performance and higher pay. You have no personal incentive to save anything unless you are preparing for a wrongful termination lawsuit. In that case I hope you have printouts, because the mail your lawyer subpoenas probably won't be there no matter what any "policy" says.
Cynical? Sure I am. But that's just the way it goes. The wise employee does not commit to writing anything of any conceivable value or interest. If it's worth saying, it's worth saying in a hallway conversation. If it needs to be written down, be sure your name does not end up on it. Then you don't need to care what senior management is telling you to retain or purge. And if you need some piece of information you would have had if you'd saved everything, just wing it. You would not have received any incremental benefit from doing your job better and you're going to take the fall when things go wrong no matter what you do, so you might as well not bother. Get as much money out of them in the meantime as you can, and protect it from debasement by converting it into gold and silver. Then when the system inevitably flushes you out, you'll have something to survive on.
Being an employee is like buying bonds. In the best case, you get a small fixed income stream for a while. In the worst case, you get nothing. There is no upside. There is nothing to strive for or invest yourself in. But unlike the bond market, where you can buy CDSs, there is nothing you can do to protect yourself from your employer. Since you can't help yourself and have no incentive to help your employer, the best thing to do is muddle along, keep your head down, and do everything you can to avoid being noticed. Not bothering to write anything down is just one example of this approach. In this way you may survive until macroeconomic conditions inevitably make "painful decisions" necessary for senior management, better known as cancelling your employment and wishing you the best of luck somewhere else while cancelling dividends or buybacks (making those shares and options they insisted you accept as part of your compensation package worth dramatically less and fucking over the existing shareholders as well). But take comfort - your beloved senior managers are safe and secure no matter what happens; even if the company folds they took home enough in their first year of work to live on for life. Doesn't that make you feel better?
Re:You'd better comply with Sarbanes-Oxley (Score:3, Informative)
Just say you misplaced the emails. It worked for the Whitehouse and President Bush.
Re:How About Not Screwing Anybody Over? (Score:1, Informative)
It is not a troll. It is a perfectly legitimate response to the post.
Whoever modded it a troll-- go fuck yourself.
Re:imap? (Score:3, Informative)
Where do you guys live?
I'm building a hosted Email service and one of the things our clients demand is that we be able to keep all email (including the deleted ones) for 7 YEARS.
They site regulatory compliance issues and corporate governance rules that were changed after the whole Enron, Worldcom series of fiascoes.
So what your company and the original questioner's company are doing is illegal in some places. Jamaica only imitated America on this as far as I know but feel free to enlighten me.
An example: Ant poison (Score:3, Informative)
Here's an example.
A company made ant poision, but the federal regulatory agency made them take it off the market.
Their law firm recommended that they appeal the agency's decision in court, so they did. They lost. The law firm recommended that they appeal to a higher court, so they did. They lost. The law firm recommended that they appeal to the U.S. Supreme Court. The company sent a fax telling the law firm not to do it. The law firm appealed to the Supreme Court anyway. They lost.
Doing that, they ran up bills of $400,000. The ant poison company refused to pay. The law firm sued for the bill.
To prove their case, the company had to find the fax machine's printed confirmation, to prove they sent the fax. They couldn't find it. They lost. They had to pay the law firm.
(This is my quick recollection from a Wall Street Journal story.)
Admittedly this is about a fax, not an email, but the principle should be the same. If they had a copy of an email saying, "To confirm our conversation today, we don't want you to appeal any farther," they would have won the case.
So yeah, there are some emails you should save forever, particularly CYA emails.
Sounds like a bad policy to me (Score:3, Informative)
How many cases have there been where email evidence was used to nail the guilty bastards?
So tell me, is it really a good thing for emails to be deleted?
What does it tell you about the company? It has lots of guilty bastards? Do you want to continue working in such a company? They could blame _YOU_ for something and if you're innocent where's the evidence to protect you? If you're keeping your evidence against company policy have a nice day
As for personal emails, I try to keep most personal emails. Hard disk space is cheap, so why bother taking the time to figure out whether an email is important or not?
You might not even want to bother deleting spam - some people keep a store of spam so that they can test/tune antispam systems/filters.
Lastly, I think many people do work with projects that last more than 6 months. Sometimes your memory might fail, sometimes your boss's memory might fail, sometimes your colleagues forget.
And sometimes when people ask the same questions it's convenient to just dig out the reply/explanation and resend it (email programs should have a decent and fast search - kmail is too slow). If it keeps happening maybe you put it in a FAQ somewhere and then you might add a link to it
Same exact situation here. (Score:1, Informative)
My company set up exactly the same email retention policy about 6 months ago. I either drag/drop the emails into a temp desktop folder until I get time to file them where they need to go. I also set up rules that forward a copy of any incoming AND outgoing mail to a special gmail account, which I then sync to my windows machine at home..I often remote desktop into my machine at home because i know its going to be much faster to search.
In any case, having old email around saves us 10x more than it would hurt us.