10 guidelines for setting retention policies

As if you aren’t busy enough, you now play the role of protector of electronically stored information.

With new regulations and the recent changes to the Federal Rules of Civil Procedure, legal departments are turning to IT leadership to manage the retention, deletion, search and recovery of electronic information. For IT management in large companies, this means tracking billions of e-mail messages, database records and desktop files as they move across tens of thousands of servers and desktop computers.

In many organizations, figuring out what to keep is as difficult as managing the data itself. To help, here are 10 guidelines for the retention and deletion of electronically stored information:

Start by looking in the mirror: When it comes to the retention of electronic information, businesses have a tremendous amount of latitude. While the new Federal Rules of Civil Procedure make it advantageous to have a policy, they don’t govern how long data needs to be held. So, if you are worried about e-mail and other information, delete it quickly. If you think it is valuable to your business, keep it for as long as it is useful.


Don’t let users determine what you keep: If you are letting users decide which messages and documents are kept, you don’t have a retention policy. Good retention policies automate the preservation of electronic information and then mandate the destruction of documents in accordance with stated policies.

Understand the cost of litigation: According to the international law firm Fulbright and Jaworski, the average billion-dollar U.S. company is currently facing more than 500 discrete lawsuits. Electronic discovery for a single lawsuit can cost hundreds of thousands or even millions of dollars. If mistakes are made, litigation can be lost on process grounds, regardless of the merits of the case.

Take advantage of safe harbor provisions: New court rules allow organizations with standard retention policies to delete information unrelated to the case with impunity. If you don’t have a formal retention policy, the deletion of any information may be held against your organization in court.

Remember the regulations: There are thousands of city, state and federal rules that require retention of electronic records – from Occupational Safety and Health Administration (OSHA) to the Sarbanes-Oxley Act to the Fair Labor Standards Act. While a 60-day e-mail retention policy may be the right strategy for litigation, you’ll need to make sure your policy includes exceptions where regulations require longer retention.

Prepare now for electronic discovery: When litigation strikes, electronic discovery soon follows. Companies often have only a few weeks to scour billions of messages and files for relevant data. If you are not prepared for e-discovery, the costs of manual search and recovery can be staggering.

Start where the lawyers start — e-mail: While all types of electronic records are subject to retention and discovery — database records, files on servers and personal computers, electronic communications, CAD files — not all are equal targets when litigation starts. When it comes to managing electronic information, companies should be smart and start where the lawyers start: with e-mail. As one lawyer said, “e-mail is where the juicy stuff is.” Only e-mail includes important documents sent as attachments with unguarded narrative context provided by employees. Lawyers know how to find the good e-mail messages for a case, so it’s usually where they look first.

You need one retention policy today: Even before litigation strikes, courts require companies to protect potential evidence from unlawful destruction or spoliation. Litigation holds are the one retention policy that no company can afford to ignore. Since evidence can be in the past or future, organizations need to put processes and technology in place to protect e-mail and other records from destruction during litigation.

Invest in process and technology: Effective retention-policy management requires both new processes and new technology. To implement a defensible retention policy, you will need to put in place clear written standards and plan on extensive ongoing user training. You will need to implement processes that look for violations and immediately correct problems. For electronic communications such as e-mail, process is not enough. With millions or billions of messages to manage, most companies require a third-party archiving service or solution to manage the collection, retention and deletion of individual messages.

Electronic information is hard to destroy: Everyone knows that electronic information can be endlessly duplicated throughout the enterprise with a simple click of a button. E-mail messages, for example, often sit in multiple systems and on backup tapes that must be simultaneously managed to ensure compliance with complex retention policies. If you delete messages from one system and leave them on another, they are still subject to electronic discovery.

By using these 10 guidelines, it is possible to create a retention policy that meets business needs and government requirements and significantly reduces litigation risk. While it won’t be fun, this is the reality of the information technology manager’s new role as the protector of electronically stored information.

D’Arcy is vice president of marketing at MessageOne. He can be reached at Paul_darcy@messageone.com.
