Continuing in my role as the Greek chorus of the e-mail world ("Woe is us, woe is us") I have spent the last two weeks getting you worried about what your users write in their messages and the problems of monitoring. I finished last week by asking, "But what about e-mail retention? How long should you keep e-mail around?"

I asked my e-discovery expert, Elizabeth Charnock of Cataphora, her advice about corporate retention policies.

My first question was the obvious one: Why is an e-mail retention policy important?

Charnock's answer: "Despite the old chestnut about consistency being the hobgoblin of small minds, there is a practical reality that a very well-defined e-mail retention policy that is consistently executed is next to impossible to challenge in the event of any kind of litigation. Let's say a company deletes all e-mails from its mail servers automatically on the last day of each month. Anyone showing up with a subpoena for electronic data on the first of the month is then out of luck, at least with respect to items that existed only on such servers."

Charnock went on to point out: "If, on the other hand, like Frank Quattrone [former head of Credit Suisse First Boston's technology investment banking business, who looks like he will be doing time for financial chicanery] you suddenly decide one day that you ought to remind your employees about your not very well-enforced retention policy, you are opening yourself up to the accusation that this reminder was motivated by fear or certain knowledge of specific events. Leaving the door even a crack open with respect to allegations of selective 'end of lifing' of data is an unnecessary and foolish business risk."

Asked what a good, general retention policy would be, Charnock says "it depends on the needs and characteristics of the business. There is no one-size-fits-all policy."

She points out that regulatory issues aside, some key issues to consider are:

• How bad is it if e-mails accidentally are deleted as a side effect of enforcement of the policy? Are there regulatory issues? Compliance issues? Other issues? Other costs?
• 
  
  
• Can the end users of greatest relevance to the matter being investigated reasonably be expected to manage important information on a continuous basis? If not, can they be expected to reliably segregate important information before a reminder of automated "sweeping" of the mail servers?
• 
  
  
• Is the business one that gets sued frequently? Is e-mail monitored on an ongoing basis for issues ranging from compliance violations to inappropriate behavior?

Charnock says, "The ultimate question is, all things considered, in the case of the individual business, what system of retention yields the highest ROI and/or least risk."