Tips for creating a solid e-mail retention and deletion strategy

A survey we conducted on messaging archiving earlier this year found that a significant percentage of organizations have neither an e-mail nor an instant messaging retention policy in place. However, such a policy is increasingly critical as a best practice for messaging management and because of the increasing regulatory and legal discovery considerations. In other words, you should retain e-mails and instant messages, and should have a policy in place to do so. Here are a few things to consider when designing retention policies:

* Understand all records-retention regulations that apply to you and your industry. Although most of these requirements are media-independent, because a growing proportion of business records are transmitted through and stored in e-mail, records-retention requirements increasingly apply to e-mail and, to a lesser extent, to instant messaging.

* It's also important to understand requirements that don't ostensibly apply to your organization or industry. For example, while Sarbanes-Oxley applies only to public companies, some companies won't do business with privately owned companies that are not Sarbanes-Oxley compliant.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

A survey we conducted on messaging archiving earlier this year found that a significant percentage of organizations have neither an e-mail nor an instant messaging retention policy in place. However, such a policy is increasingly critical as a best practice for messaging management and because of the increasing regulatory and legal discovery considerations. In other words, you should retain e-mails and instant messages, and should have a policy in place to do so. Here are a few things to consider when designing retention policies:

* Understand all records-retention regulations that apply to you and your industry. Although most of these requirements are media-independent, because a growing proportion of business records are transmitted through and stored in e-mail, records-retention requirements increasingly apply to e-mail and, to a lesser extent, to instant messaging.

* It's also important to understand requirements that don't ostensibly apply to your organization or industry. For example, while Sarbanes-Oxley applies only to public companies, some companies won't do business with privately owned companies that are not Sarbanes-Oxley compliant.

* While the chief legal counsel and chief compliance officer might be the primary drivers for retention policy creation and management, all areas of an organization need to be involved in the policy process in order to achieve buy-in.  IT needs to manage the technical details of the archiving and related solutions, in addition to the work of senior management, finance, HR and other departments.

* Managing the tensions between competing interests is critical: Legal decision-makers often want to delete everything from e-mail and instant messaging as quickly as possible in order to limit their organization's liability, while compliance decision-makers want to keep lots of stuff in order to minimize the risk of non-compliance. Satisfying both extremes may prove difficult but is necessary nonetheless.

* Make sure users are fully involved in the process in order to achieve buy-in and compliance with new retention policies. This is critical because users need to be educated about what compliance means for them and the impact that it will have on the way they work and use corporate resources.

I'd really like to hear your comments and observations on the points included here, as well as other things you've found to be successful and unsuccessful when it comes to creating and maintaining e-mail and instant messaging retention policies.

Read more about software in Network World's Software section.