Many organizations don’t have e-mail policies

* Companies lack policies on e-mail retention and deletion

As part of a major survey we just wrapped up on hosted messaging, we asked organizations about the e-mail policies that they have established - or that they haven’t.

We found that the most commonly instituted e-mail policy focused on limiting the amount of storage per server through the establishment of quotas. Three out of four organizations have such policies, which are typically designed to maintain an acceptable number of mailboxes per server, to keep back-up and restore times at reasonable levels and so forth.

Less common, however, are policies related to the retention or deletion of e-mail. We found that fewer than half of organizations have retention policies in place that specify how long to keep e-mail, while only slightly more have retention policies focused on limiting the length of time that e-mail can be kept. Even fewer organizations have policies about when to delete e-mail.

One of the problems organizations face if they do not have appropriate policies regarding e-mail retention or deletion is that they expose themselves to greater liability in the event of a lawsuit or regulatory action. For example, imagine that a court orders a plaintiff to turn over to a defendant all relevant e-mail from five senior executives that discuss a particular topic. If the plaintiff is unable to do so, a court can instruct a jury to consider that the plaintiff might have had something to hide in those e-mail messages and to take that into account in their deliberations - not a very welcome prospect if you’re being sued.

Similarly, if you’re being investigated by a government agency and you keep stuff in e-mail longer than you must, you might be exposing yourself to greater liability. For example, my neighbor used to be a senior executive at a company in the aircraft industry. His company was required to keep certain types of documents for seven years - at seven years plus one day, all of those documents were destroyed in order to limit potential liability.

In short, all organizations should have an e-mail retention policy in place that focuses on retention and deletion schedules, acceptable use of e-mail and the like. I’d like to hear your thoughts on this issue - please drop me a line at


Copyright © 2005 IDG Communications, Inc.
