Communications Data Storage

Are There Any Smart E-mail Retention Policies?

An anonymous reader writes "In an age of litigation and costly discovery obligations, many organizations are embracing policies which call for the forced purging of e-mail in an attempt to limit the organization's exposure to legal risk. I work for a large organization which is about to begin destroying all e-mail older than 180 days. Normally, I would just duck the house-cleaning by archiving my own e-mail to hard-drive or a network folder, but we are a Microsoft shop and the Exchange e-mail server is configured to deny all attempts to copy data to an off-line personal folder (.PST file). The organization's policy unhelpfully recommends that 'really important' e-mails be saved as Word documents. Is anybody doing this right? What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?"


  • imap? (Score:3, Interesting)

    by JeffSh ( 71237 ) <jeffslashdot@[ ]0.org ['m0m' in gap]> on Saturday July 26, 2008 @07:33PM (#24352477)

    If your org's Exchange server has its IMAP connector enabled, you can use a different client that doesn't follow the commands of the Exchange server to pull emails, but it sounds to me like your org is smarter than that.

  • by negRo_slim ( 636783 ) <mils_orgen@hotmail.com> on Saturday July 26, 2008 @07:37PM (#24352517) Homepage

    Way to be a jerk. Slashdot isn't only about the latest iPhone release, or patent trolling. It's about everything technical, and this is a good question.

    I'm a big fan of plain text email, and copy and paste really isn't all that time consuming if I were forced to save anything worth saving for longer than 180 days.

  • by Gay for Linux ( 942545 ) * on Saturday July 26, 2008 @07:43PM (#24352587)
    Worked really well for Media Defender [torrentfreak.com].
  • by HitekHobo ( 1132869 ) on Saturday July 26, 2008 @07:57PM (#24352731) Homepage

    The IT staff at my former employer saved copies of all email that went through the server... indefinitely. No, they didn't tell employees they were doing it. And yes, they had a search engine so they could do across the board searches of whatever terms seemed interesting at the time.

    I find it interesting that different companies are going to different extremes. Some are limiting their exposure by trying to delete all mail and others are saving all mail in order to be able to comply with court orders (or perhaps just get a bit big brother-ish).

    For a REALLY strange twist, the company I'm speaking of forced employees to maintain mailboxes under 100MB... while the server admins never deleted a single email that hit the server.

  • by StandardCell ( 589682 ) on Saturday July 26, 2008 @08:04PM (#24352797)
    A balance needs to be struck between the negatives of two strategies:

    * Perpetual archiving of e-mail - wastes server disk space, increases tape backup volume, and (more notoriously) can leave "clues" that predatory litigators salivate over.
    * Non-archival of e-mail - internal accusations and decisions can't be resolved, difficult to track decisions and their history, circumventable by printing the e-mail with headers.

    The solution is as follows:

    1. Digest only the final decisions of e-mails and the essential reasoning thereof, or make a digest of the decisions in a collaborative project wiki where buy-in from the stakeholders can be tracked.

    2a. Upon project completion (ISO9000-type project gating), archive all project files, documentation and essential digest e-mails.
    2b. Simultaneously destroy all other e-mails using secure forensically-unrecoverable techniques to prevent accidental recovery by thieves.

    3. Any other e-mails regarding general architectural or administrative decisions which have implications for future development in the company should be digested, placed on a company wiki, and then the remainder securely destroyed.

    Using this method, any questionable or potentially illegal decisions can be greatly avoided or reduced from a purely legal perspective while retaining sufficient information to continue operations and development. This policy won't end all legal issues, but the key is to have procedures that are centered around the guise of IT efficiency and operational simplicity to purposely dispel any other alleged intent by third parties that expressed or implied destruction of future evidence.
  • by truesaer ( 135079 ) on Saturday July 26, 2008 @08:15PM (#24352885) Homepage

    My former company began archiving all email permanently due to some lawsuits, and it was the best thing that ever happened to me. FINALLY that 12MB limit on email disappeared. I never could figure out how a major tech company couldn't manage a quota higher than 12MB in this era of cheap storage...

  • by Anonymous Coward on Saturday July 26, 2008 @08:28PM (#24353033)

    Never mind SOX. We ran into this at a company I used to work for. After getting hit a few times they decided to implement a 30 day clean out. Important messages were to be printed out. (Oh yeah, they were so cheap that most departments were stealing paper from other departments.)

    Then someone mentioned that email was used to track changes to military contracts and when dealing with government stuff, had to be retained as well as backed up.

    The lawyers were literally sending out memos on this hourly with one group saying "Run the deletions now!" and the other telling us to save everything. Of course both groups were threatening the admins with their jobs if they didn't comply.

    Most people got so fed up they just ignored everyone and did what their local user base required.

    This company managed by threat and it reached a point where one Sysadmin on a conference call exploded, described the parental heritage of the managers in great detail, announced that he was f***ing sick of them all and slammed the phone down. He packed his stuff, tossed his cell and pager on his desk and walked out.

    There were other, less public incidents.

  • by mordred99 ( 895063 ) on Saturday July 26, 2008 @10:42PM (#24354035)
    I am sorry as hell to put it like this, but I have seen basically 80% of the responses stating that you should break the policy, ignore the policy, inane comments like "don't work for criminals" or that the legal team is stupid.
    Okay - having implemented one of these from being someone on a cyber security team, I know first hand what goes on behind the scenes and everything that goes on. Our company implemented one of these projects. 180 day retention for USER email boxes. If you need to keep something for retention purposes, you have a DL set up which does not have the same rules and a few team members have access to. Simple. If you need it after six months, every desktop has a PDF writer (free CutePDF) and they can print it and save it.
    Now .. from a personal perspective, Hell yeah I did not like it, I like to have all the emails I sent so I know I told my boss 8 months ago to go fly a kite or something about a topic and when he confronts me to say I did not warn him about something. Tough .. Those that make more than I made the decision and we have to implement it.
    So at my company - just so you know. All .exe files are listed in the host firewall and if you run one that is not approved, then cyber security pays you a visit. Everyone has approved software, and Thunderbird, Eudora, whatever are not approved. Since we only have IE, it is managed through AD to be forced through a proxy which does not allow any of the webmail sites. Why, you ask? Well let's see - we have now fired four people since I have been with the company for sending private company info via webmail accounts to other customers to give them more money, etc.
    So let's see, what else. Oh yes, all emails are scanned incoming and going out to validate compliance to corporate policies. So no "autoforward" rules in Outlook to forward any mail you get to your gmail account (as well as all popular web and ISP accounts are blocked). Our company takes it as it is a place of business, not a place to deal with external distractions. You can call someone if you want to talk to them - just don't email them.
    So why, you ask, do we go to these extremes? We have to. Government regulations on our business. Several people have access to information that requires government clearances, and we get bent over a barrel when any of that goes out the door. Does it work? Yes. Do people like it? Well they have gotten used to it (we implemented it 4 years ago). The VP with 9Gb of mail was pretty pissed for a while, but realized his life was much easier.
    Just to let you know - for those of you pansies saying to let it all go free and don't work for criminals, etc. A company is never the criminal, it is the people in the company that are the criminals. So restricting the people that are potential criminals removes that temptation and will allow you to do your job more effectively.
    Last point, I know the next logical point most people bring up in this argument, which is hire better people if we are firing people that have done things wrong. Every person before they get hired has a criminal background check and over 80% of our company had at least "classified" level government clearance. So, the government trusts them, as well as they had the skills to get into the job, and the temperament to get along with the people at the company. They were still fired for doing something like selling one company's info to another, even with all the things in place.
    You cannot change human behavior, but you can try to circumvent it so that it is an overt act and then it is something they willingly did, and then you can throw the book at them for doing it because it was pre-meditated.
  • by djproscribe ( 1333617 ) on Saturday July 26, 2008 @11:26PM (#24354401)

    The purpose of the policy is to protect the company. This may be from litigation or from the cost of a fishing expedition -- think of the cost of having to pull everyone's every email *from backup*. Discovery permits the lawyers to go through your every backup because there just might be an email in there that proves their case and you might have deleted it.

    If you have a policy that is generally followed that states when emails are deleted, you save yourself a lot of grief. But. You also need to have a process to stop this regular deletion if a court action is started or management has good reason to believe one is coming.

    If you are in an environment where a six month old email saves you serious grief, it may be time to look for another job. I have been there and it always turns ugly. Being able to prove you are not at fault is not the same as proving you are right or to be trusted. Which is a drag, but nonetheless the case.

    A good retention policy balances the business needs for retaining emails (which usually does not take CYA into account), regulations (like SOX and PCI and GLBA), and technology costs and efficiencies. A bad one picks a number out of a hat and flails. If the policy doesn't make sense, you could politely ask whether you could please have an exception. Policies are supposed to include exception processes.
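One way to implement the retention sweep the thread describes (mordred99's 180-day user-mailbox window with an exempt retention DL, and djproscribe's requirement that regular deletion stop when counsel places a legal hold), as an added example that is not from the original thread or from Exchange or any other product mentioned in it; the mailbox names, dates and field names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION_DAYS = 180          # the user-mailbox window the thread discusses

@dataclass(frozen=True)
class Message:
    msg_id: str
    mailbox: str              # owning mailbox or retention DL, e.g. "alice", "dl-contracts"
    received: date

@dataclass
class Policy:
    retention_days: int = RETENTION_DAYS
    exempt_mailboxes: frozenset = frozenset()      # retention DLs with longer rules
    legal_holds: set = field(default_factory=set)  # mailboxes frozen by counsel
    global_hold: bool = False                      # litigation anticipated: stop all purging

    def place_hold(self, mailbox):
        self.legal_holds.add(mailbox)

    def release_hold(self, mailbox):
        self.legal_holds.discard(mailbox)

def sweep(messages, policy, today):
    """Return (purge_ids, kept) where kept maps msg_id -> why it survived.
    The caller deletes only purge_ids and records both lists as the audit trail."""
    purge, kept = [], {}
    for m in messages:
        age_days = (today - m.received).days
        if policy.global_hold or m.mailbox in policy.legal_holds:
            kept[m.msg_id] = "legal hold"          # a hold overrides age, always
        elif m.mailbox in policy.exempt_mailboxes:
            kept[m.msg_id] = "retention DL"
        elif age_days <= policy.retention_days:
            kept[m.msg_id] = "within window"       # exactly 180 days old is not "older than 180"
        else:
            purge.append(m.msg_id)
    return purge, kept

# Constructed sample data: 'today' is the thread's date, mailboxes are hypothetical.
SAMPLE_TODAY = date(2008, 7, 27)
SAMPLE_MESSAGES = [
    Message("m1", "alice", date(2008, 1, 1)),         # 208 days old
    Message("m2", "alice", date(2008, 1, 29)),        # exactly 180 days old
    Message("m3", "bob", date(2007, 11, 5)),          # old, but bob may be on hold
    Message("m4", "dl-contracts", date(2007, 6, 1)),  # old, but in a retention DL
]

if __name__ == "__main__":
    policy = Policy(exempt_mailboxes=frozenset({"dl-contracts"}))
    policy.place_hold("bob")
    print(sweep(SAMPLE_MESSAGES, policy, SAMPLE_TODAY))
```

Running the sweep on a schedule and archiving its returned lists gives the "generally followed" deletion record djproscribe mentions, while the hold flags give the stop switch.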

  • Re:imap? (Score:5, Interesting)

    by Skrapion ( 955066 ) <skorpionNO@SPAMfirefang.com> on Sunday July 27, 2008 @12:55AM (#24354935) Homepage

    It's not unreasonable in such a litigious society.

    In a litigious society, wouldn't it be best to save all of your email, so you can use it to protect yourself in court?

    If you're deleting all your email, then the only evidence that will come out in court will be from the people suing you.

  • Re:Horrible policy (Score:4, Interesting)

    by magusnet ( 951963 ) on Sunday July 27, 2008 @04:10AM (#24355991)
    One reason companies implement retention policies is to reduce the "e-discovery" costs. A 12-36 month retention does not mean a company is trying to hide anything. It just means they don't want to pay $1,000-$10,000 per Gigabyte of data that has to be examined for inclusion and exclusion in the lawsuit. The discovery phase costs of a lawsuit can financially cripple a company even if they are innocent. People's uneducated responses on this topic that "they must be guilty if they're deleting emails" are about as valid as the Bush administration's claims that only criminals and terrorists should be concerned about wire tapping.
  • by Anonymous Coward on Sunday July 27, 2008 @05:13AM (#24356187)

    That's been my experience. Innocent until proven guilty is only applicable to the criminal court system.

    To go a step further, a family member of mine is a judge. He directs people to send all e-mail to his private account, as technically the state has the right to read, modify and delete his work e-mail. He has seen enough corruption in government (he has also been a mayor and a state legislator) to know that essentially allows the more senior judges control over his career. At the most innocent, by cherry picking phrases from his e-mail they can amplify potential mistakes he may have made. At the most heinous, they can fabricate something which would be part of his official correspondence and implicate him in something illegal. If there is something which must be sent through official channels, he requires only a paper copy... which is the way law worked for centuries anyway.

    It is paranoid, but you should think of work e-mail as a tool which can be used against you when the shit hits the fan.

  • what e-mail isn't (Score:3, Interesting)

    by Tom ( 822 ) on Sunday July 27, 2008 @06:15AM (#24356379) Homepage Journal

    Frankly, examine your work-processes. E-Mail is not a general filing system, or a task-management system, or anything else that would require you to keep stuff around forever. In fact, doing so is - according to my observation - the #1 reason why most people can't use mail productively.

    A tiny fraction of mails actually needs to be kept around for a long time, and I have a folder for those. It's on the order of 0.01% of the total volume. If I had to export that in some format, be it word, .txt or whatever, it would be a tiny hassle.

    For everything else, I'd be happy to get the stuff I haven't needed for the past six months automatically deleted, because the chance is 99.99% that I won't need it anymore, anyways, and looking through the pile to check for things that I might still need takes away my valuable time.

  • by Harmonious Botch ( 921977 ) * on Sunday July 27, 2008 @09:25AM (#24357303) Homepage Journal

    It's not unreasonable in such a litigious society.

    In a litigious society, wouldn't it be best to save all of your email, so you can use it to protect yourself in court?

    If you're deleting all your email, then the only evidence that will come out in court will be from the people suing you.

    Many times the most damning evidence is your own email. ( "Fred, the folks in accounting say that delays in production will cost more than the wrongful death lawsuits. So forget about re-designing the gas tank." ) Your own email can be used to prove things like knowledge and intent, which can greatly increase your liability.

    The best way is to have an official policy that email is deleted as soon as is reasonable, probably just a few months. But have an unofficial policy that all email is saved forever.
    One guy buys disks with cash and makes copies after hours and stores them off site. ( This guy is probably a corporate officer with lots of stock options. )

    Then, when you are sued, you can have your lawyer look at the email and decide if it helps your cause or hurts it. If it hurts, you destroy the disks - which is easy since they never officially existed. If it helps, you 'accidentally' find an old disk that someone 'forgot' to destroy.

  • My policy (Score:3, Interesting)

    by stewbacca ( 1033764 ) on Sunday July 27, 2008 @10:22AM (#24357713)
    My policy is read the damned email then delete it. If it has something important in it, I put it in my calendar or contacts or I do what the email is requiring to be done. Is that really hard? People who hoard email aren't half as important as they think they are.
  • by Degrees ( 220395 ) <degreesNO@SPAMgerisch.me> on Sunday July 27, 2008 @12:34PM (#24358849) Homepage Journal

    Just a funny/sad story here. So an email in GroupWise is just a record in a database. The space left in the record is greater than 2,000 bytes after the pointers and subject line are filled in. If the body of your message is less than 2,000 bytes, the whole message is just one database record. If the body of your message is greater than 2,000 bytes, the first chunk is stored in the database record, and then an overflow file is created.

    BTW - I hate HTML email. Doubles the size of every message, practically guarantees that an overflow file will be created, and for what? Oooh! Comic Sans Serif!!!

    So some daffy in one of the departments gets the idea that email to and from the public needs to be stored in .PDF form. So she starts going through all her email from current to past. She prints out a message, slaps the printout into a scanner, and scans the image into a .PDF. Saves the .PDF to the network. Literally, she turns thousands of 2KB - 4KB searchable, indexed, (with metadata and attachment) messages into thousands of 2MB unsearchable, unindexable, (sans metadata and attachment) .PDFs. We only found out, because 20 GB later she filled the hard disk for her department. (Their server space was already running on empty, but when they ran out so much faster than we had planned, we had to go looking).

    I don't know if she deleted her public facing emails after that. If she did, we're screwed.

    You may argue that email is not a document repository - but that only is true if your email system wasn't designed to be a document repository. GroupWise has a built-in DMS (and has had, since the late 1990's), and it is a far more efficient system than Just A Bunch Of Disk Space (what with single-instance-storage and built-in indexing and all that).
