D4 eDiscovery Service Blog
Jun 26
2013

Email Retention Policy - 7 Factors to Consider Before Creating an Email Retention PolicyBy Cynthia Courtney, Esq., VP, Discovery Engineering

One of the thorniest issues of records and information management is how to address e-mail. Even after a policy has been implemented, an executive may ask a lawyer, “What should I do about e-mail?” A number of years ago I was asked to advise a client what factors it should consider regarding e-mail retention. The considerations are the same today as they were when I first advised this client. They are: business needs, legal requirements, organizational culture, approaches to retention policies, litigation holds, automation, and implementation.

1.  Business Needs

Fundamental to the creation of any electronic record retention program is the need to answer basic questions about an organization’s records, by (1) defining what constitutes a “record”; (2) listing and categorizing record types; (3) documenting how long the business requires that each type be retained and (3) for what reason. As a corollary, the organization should track how accessible records must remain over time, which drives the form in which documents will be stored. A consideration of question (1) will likely compel the conclusion that many e-mails will never become records at all and thus will not require retention.

2.  Legal and Regulatory Requirements

The laws and regulations that govern the organization’s activities will determine retention periods for many record types. Federal laws such Sarbanes-Oxley, Gramm Leach Bliley, IRS and SEC rules impose specific record retention requirements. State laws such as wage and hour laws are sources of retention requirements. Legal retention requirements may be indirectly implied from other sources such as statutes of limitation. Internal business considerations will also create legal retention needs. For example, companies that take great pains to protect sensitive trade secret information may retain e-mails for a certain period so that a dedicated security unit can scan e-mails for suspicious content. In addition, the importance of electronic discovery and the amended Federal Rules of Civil Procedure have demonstrated that retention policies will be influenced and shaped by case law.

3.  Organizational Culture

An organization’s culture and habits inform the creation of an e-mail retention policy. The creators of a policy should understand employees’ existing practices. If employees are accustomed to complete freedom in retaining and organizing e-mails and other electronic documents, a policy that curbs that freedom may initially be unpopular. Policies that require a change in existing behavior are best implemented by making key groups such as Legal, IT, HR and business units stakeholders in the process of establishing a new policy. Some commentators also advise rolling out the policy incrementally, for example, by implementing a pilot project in a single department such as HR.

4.  Approaches to Scope and Length of Electronic Record Retention

Record retention literature describes a number of approaches to e-mail and electronic record retention. Although an organization may elect to keep forever all electronically stored information, including e-mail, there is no legal obligation to do so. The Supreme Court endorsed this principle in Arthur Andersen LLP v. United States, 544 U.S. 696, albeit too late to help Arthur Andersen.

Organizations impose electronic retention limits for two cost-related reasons: To reduce the storage costs, and to reduce the cost and risk in litigation of handling large volumes of electronic information. Storage costs are known and predictable; e-discovery costs are notoriously unpredictable. Organizations that retain all e-mails may be required to identify, collect, process and review e-mail that legally could have been discarded.

Many organizations implement limits on e-mail retention such as limits on mailbox size and automated deletions. Organizations that adopt automated e-mail deletion may combine that feature with an education program for employees and empowerment of employees to elect to retain important e-mails. An organization may also limit the amount of e-mail storage space allotted to each employee.

5.  Litigation Holds

A key feature of electronic record retention programs is an organization’s ability to efficiently and quickly impose a litigation hold in the event of a claim or lawsuit. Case law has established that a duty arises to preserve documents when a complaint is received or when litigation is probable. Organizations may suspend automated e-mail deletion programs or the recycling of back-up media until a decision is made about what documents and information must be retained, and possibly for the duration of the litigation. Amended Federal Rule of Civil Procedure 37(e) contains a “safe harbor” provision which protects a party in the event that information is discarded, destroyed or overwritten as a result of “the routine, good-faith operation of an electronic information system.” However, once a party is on notice that information must be preserved, the safe harbor provision does not apply.

6.  Automation

Organizations increasingly turn to automation in developing electronic record retention programs. Many organizations allow employees the freedom to accumulate an unlimited volume of e-mails and files with no controls on categorization, management or deletion. Some organizations use automated features already available in existing programs to control retention such as the mailbox size limits mentioned above.

An organization may take a more significant step into automation by investing in an e-mail archiving program. Before purchasing a major application, an organization should assess its current capabilities to determine what leveraging of additional infrastructure is possible. Two large-scale automation options are worth noting: The “matter centric” document management system and the e-mail archiving system. Organizations considering these options should consider conducting a request for proposal (RFP) process in which a team of individuals (internal and possibly external) views demos, interviews vendors, collects important information through a survey, and makes a supported recommendation to management.

Document management systems have long been used to organize and categorize documents. More up-to-date versions of these software applications operate directly in an e-mail program such as Outlook and allow for rapid categorization and “bucketing” of e-mails into folders specified by the organization. Another highly automated but expensive option is the e-mail archiving solution, in which e-mails are housed in the vendor’s archiving program, and the employee sees only a link to that e-mail. One advantage of this solution is that a single individual can manage litigation holds and can run searches directly in the program. A disadvantage of such programs is that they are often enthusiastically embraced as a way to alleviate “bloat” in the e-mail system before the organization takes the initial step of asking why the “bloat” exists in the first place.

7.  Implementation

The creation of an electronic record retention policy is an important undertaking. That said, it need not be overwhelming or overly complicated. If such policies are not scalable in terms of scope and detail, organizations will not adopt them. Ideally, such a policy should be created by a group of interested stakeholders. It should have the avowed support of management. The policy should be in writing, and should be connected to other policies relating to desktop computing and the use of organization assets such as PCs and mobile devices. It should be issued by a senior officer and should be rolled out with an announcement and accompanied by training. Going forward, the policy should be subject to audit, and employees should be held accountable for compliance. There should be ongoing education, training, and resources, including a contact to whom questions can be directed, or even a dedicated e-mail box.

What are the challenges you have faced when implementing an email retention policy?


————————————————————————————————–

People Who Read This Post Also Read:

The State of ESI Inaccessibility in 2014

9 Steps to a More Defensible Email Collection Protocol

6 Tips For a Rock Solid eDiscovery Interview and Manage eDiscovery Costs

Putting the ‘Three ‘A’s’ of Preservation’ into Practice | eDiscovery Update

Don’t Be Afraid of Document Management! | 7 Best Practices for Getting Started

[WHITEPAPER] Preservation of SMS Messages: A Mobile Device eDiscovery Guide for Litigants

10 Tips to Achieve Proportionality in eDiscovery

Litigation Readiness – 10 Best Practice Tips

3 Reasons Why eDiscovery Data Should be Processed in Coordinated Universal Time (UTC)

Metadata and eDiscovery: Metadata, Metadata, it’s Everywhere [WHITEPAPER]

Litigation Holds Dos and Don’ts [SLIDESHARE]

3 Tips for Counsel to Ensure Preservation of Evidence and Avoid Sanctions

Legal Hold and Data Preservation Best Practices [WHITEPAPER]

Are you using a spoon to dig an eDiscovery ditch?

Tags: , , , , , , , ,

7 Responses to “7 Factors to Consider Before Creating an Email Retention Policy”

  1. My challenge is simple – how long do I need to retain e-mails and what current law requires any specific time frame? I’ve looked through tons of court rulings, Rule 26, 33 and 34 and not one says any length of time. My need is that I’m going to be working with a nonprofit group working as their IT, Marketing and Web Manager and there has been retention discussions that no one can nail down – any help would be most appreciated – thanks – Laddie

    1. Cindy Courtney says:

      Laddie: Retention periods are determined by the type of record, not the form it comes in. An e-mail, Word document, or Excel file has a retention period based initially on whether it has been defined by the organization as a “record” requiring retention. From there, the duration of retention is determined by statute or regulation, or business need. Without knowing whether any statute or regulation applies to your organization’s records, it is not possible to say how long e-mails must be retained. Let me know if you would like to have a live conversation.

  2. dave says:

    If a company has a no-retention policy and email is limited by the size of mailbox. Which in this case, would effectively limit a users capability of storing no more than 8mo – 1yr of email, how would that affect a legal e-discovery order? Is the company in trouble for not providing archiving at all?

  3. Cindy Courtney says:

    I don’t know of a case in which a policy like that is categorically held to be insufficient; it is more a question of what the company does and how promptly they act when a preservation obligation arises. It may be necessary to consider how, technologically, to capture older e-mails that must be preserved but which would otherwise be discarded or deleted because the user has no more space in the mailbox.

  4. Warren Ellis says:

    I have a simple question. Who is responsible for creating a records retention policy, Records Manager, Supervisor, or a committee?

  5. Mike says:

    Scenario: We have a Retention Policy saying that we’re only keeping 1 year’s worth of email and our email archival solution is configured as such, but our email server has no retention policies applied (thus allowing users to keep mail as long as they want in their mailbox). A FOIA or other legal request comes in asking for emails about a certain person/topic/etc. that pertains to the last 6-18 months.

    Can we cite the policy and only provide the emails in our Archival solution (satisfying the 6-12 months portion of the request) or will we have to dig through our live mail server to get the remaining emails from 12-18 months time period?

  6. Ben Altman says:

    Mike,
    Any E-mail you still have is fair game for discovery. If you have a “do not keep more than X months policy” you should find a way to enforce it. It is otherwise pointless (from a legal standpoint)

Leave a Reply

*


Connect with D4