Posted on: June 26, 2013

in Blog

7 Factors to Consider Before Creating an Email Retention Policy

Email Retention Policy - 7 Factors to Consider Before Creating an Email Retention Policy

One of the thorniest issues of records and information management is how to address e-mail. Even after a policy has been implemented, an executive may ask a lawyer, “What should I do about e-mail?” A number of years ago I was asked to advise a client what factors it should consider regarding e-mail retention. The considerations are the same today as they were when I first advised this client. They are: business needs, legal requirements, organizational culture, approaches to retention policies, litigation holds, automation, and implementation.

1.  Business Needs

Fundamental to the creation of any electronic record retention program is the need to answer basic questions about an organization’s records, by (1) defining what constitutes a “record”; (2) listing and categorizing record types; (3) documenting how long the business requires that each type be retained and (3) for what reason. As a corollary, the organization should track how accessible records must remain over time, which drives the form in which documents will be stored. A consideration of question (1) will likely compel the conclusion that many e-mails will never become records at all and thus will not require retention.

2.  Legal and Regulatory Requirements

The laws and regulations that govern the organization’s activities will determine retention periods for many record types. Federal laws such Sarbanes-Oxley, Gramm Leach Bliley, IRS and SEC rules impose specific record retention requirements. State laws such as wage and hour laws are sources of retention requirements. Legal retention requirements may be indirectly implied from other sources such as statutes of limitation. Internal business considerations will also create legal retention needs. For example, companies that take great pains to protect sensitive trade secret information may retain e-mails for a certain period so that a dedicated security unit can scan e-mails for suspicious content. In addition, the importance of electronic discovery and the amended Federal Rules of Civil Procedure have demonstrated that retention policies will be influenced and shaped by case law.

3.  Organizational Culture

An organization’s culture and habits inform the creation of an e-mail retention policy. The creators of a policy should understand employees’ existing practices. If employees are accustomed to complete freedom in retaining and organizing e-mails and other electronic documents, a policy that curbs that freedom may initially be unpopular. Policies that require a change in existing behavior are best implemented by making key groups such as Legal, IT, HR and business units stakeholders in the process of establishing a new policy. Some commentators also advise rolling out the policy incrementally, for example, by implementing a pilot project in a single department such as HR.

4.  Approaches to Scope and Length of Electronic Record Retention

Record retention literature describes a number of approaches to e-mail and electronic record retention. Although an organization may elect to keep forever all electronically stored information, including e-mail, there is no legal obligation to do so. The Supreme Court endorsed this principle in Arthur Andersen LLP v. United States, 544 U.S. 696, albeit too late to help Arthur Andersen.

Organizations impose electronic retention limits for two cost-related reasons: To reduce the storage costs, and to reduce the cost and risk in litigation of handling large volumes of electronic information. Storage costs are known and predictable; e-discovery costs are notoriously unpredictable. Organizations that retain all e-mails may be required to identify, collect, process and review e-mail that legally could have been discarded.

Many organizations implement limits on e-mail retention such as limits on mailbox size and automated deletions. Organizations that adopt automated e-mail deletion may combine that feature with an education program for employees and empowerment of employees to elect to retain important e-mails. An organization may also limit the amount of e-mail storage space allotted to each employee.

5.  Litigation Holds

A key feature of electronic record retention programs is an organization’s ability to efficiently and quickly impose a litigation hold in the event of a claim or lawsuit. Case law has established that a duty arises to preserve documents when a complaint is received or when litigation is probable. Organizations may suspend automated e-mail deletion programs or the recycling of back-up media until a decision is made about what documents and information must be retained, and possibly for the duration of the litigation. Amended Federal Rule of Civil Procedure 37(e) contains a “safe harbor” provision which protects a party in the event that information is discarded, destroyed or overwritten as a result of “the routine, good-faith operation of an electronic information system.” However, once a party is on notice that information must be preserved, the safe harbor provision does not apply.

6.  Automation

Organizations increasingly turn to automation in developing electronic record retention programs. Many organizations allow employees the freedom to accumulate an unlimited volume of e-mails and files with no controls on categorization, management or deletion. Some organizations use automated features already available in existing programs to control retention such as the mailbox size limits mentioned above.

An organization may take a more significant step into automation by investing in an e-mail archiving program. Before purchasing a major application, an organization should assess its current capabilities to determine what leveraging of additional infrastructure is possible. Two large-scale automation options are worth noting: The “matter centric” document management system and the e-mail archiving system. Organizations considering these options should consider conducting a request for proposal (RFP) process in which a team of individuals (internal and possibly external) views demos, interviews vendors, collects important information through a survey, and makes a supported recommendation to management.

Document management systems have long been used to organize and categorize documents. More up-to-date versions of these software applications operate directly in an e-mail program such as Outlook and allow for rapid categorization and “bucketing” of e-mails into folders specified by the organization. Another highly automated but expensive option is the e-mail archiving solution, in which e-mails are housed in the vendor’s archiving program, and the employee sees only a link to that e-mail. One advantage of this solution is that a single individual can manage litigation holds and can run searches directly in the program. A disadvantage of such programs is that they are often enthusiastically embraced as a way to alleviate “bloat” in the e-mail system before the organization takes the initial step of asking why the “bloat” exists in the first place.

7.  Implementation

The creation of an electronic record retention policy is an important undertaking. That said, it need not be overwhelming or overly complicated. If such policies are not scalable in terms of scope and detail, organizations will not adopt them. Ideally, such a policy should be created by a group of interested stakeholders. It should have the avowed support of management. The policy should be in writing, and should be connected to other policies relating to desktop computing and the use of organization assets such as PCs and mobile devices. It should be issued by a senior officer and should be rolled out with an announcement and accompanied by training. Going forward, the policy should be subject to audit, and employees should be held accountable for compliance. There should be ongoing education, training, and resources, including a contact to whom questions can be directed, or even a dedicated e-mail box.

What are the challenges you have faced when implementing an email retention policy?

Blog Subscription