Continuing in my role as the Greek chorus of the e-mail world ("Woe is us, woe is us"), I have spent the last two weeks getting you worried about what your users write in their messages and the problems of monitoring. I finished last week by asking, "But what about e-mail retention? How long should you keep e-mail around?"
I asked my e-discovery expert, Elizabeth Charnock of Cataphora, for her advice about corporate retention policies.
My first question was the obvious one: Why is an e-mail retention policy important?
Charnock's answer: "Despite the old chestnut about consistency being the hobgoblin of small minds, there is a practical reality that a very well-defined e-mail retention policy that is consistently executed is next to impossible to challenge in the event of any kind of litigation. Let's say a company deletes all e-mails from its mail servers automatically on the last day of each month. Anyone showing up with a subpoena for electronic data on the first of the month is then out of luck, at least with respect to items that existed only on such servers."
Charnock went on to point out: "If, on the other hand, like Frank Quattrone [former head of Credit Suisse First Boston's technology investment banking business, who looks like he will be doing time for financial chicanery] you suddenly decide one day that you ought to remind your employees about your not very well-enforced retention policy, you are opening yourself up to the accusation that this reminder was motivated by fear or certain knowledge of specific events. Leaving the door even a crack open with respect to allegations of selective 'end of lifing' of data is an unnecessary and foolish business risk."
Asked what a good, general retention policy would be, Charnock says, "it depends on the needs and characteristics of the business. There is no one-size-fits-all policy."
She points out that, regulatory issues aside, some key issues to consider are:
How bad is it if e-mails accidentally are deleted as a side effect of enforcement of the policy? Are there regulatory issues? Compliance issues? Other issues? Other costs?
Can the end users of greatest relevance to the matter being investigated reasonably be expected to manage important information on a continuous basis? If not, can they be expected to reliably segregate important information before a reminder of automated "sweeping" of the mail servers?
Is the business one that gets sued frequently? Is e-mail monitored on an ongoing basis for issues ranging from compliance violations to inappropriate behavior?
Charnock says, "The ultimate question is, all things considered, in the case of the individual business, what system of retention yields the highest ROI and/or least risk."
Given that disk space is getting less expensive every year, keeping everything forever is feasible and, indeed, being done in practice. Is that a good idea?
She reckons it probably isn't: "The cost isn't much of a motivator, obviously, but the best case is that, apart from litigation, old archived information is unlikely to ever be resurrected. Of course having it around for litigation is a double-edged sword, but one side is usually much sharper than the other. So it is very hard to find much upside in such a strategy, but there are some downsides - at least some costs, and possibly a really large downside if the company is issued an incredibly broad subpoena that they can't manage to negotiate downward."
In other words, once you've exercised your common sense about your e-mail retention policy, you'll probably need to talk to an expert to make sure you are managing your risk as effectively as possible.