Should you keep old e-mail?

Last week, the Tokyo Stock Exchange fell dramatically in response to an allegation that Livedoor Company – a multibillion-dollar Japanese Internet company – had misled the public with regard to a key acquisition and consequent violations of Japanese securities laws. A former senior manager with the firm had provided to authorities copies of internal company e-mails he had sent to and received from other Livedoor managers – hours after these e-mails were provided to the authorities, they raided Livedoor’s head office.

As I see it, there are two key takeaways from this event. First, although I have no idea whether or not Livedoor is guilty of what it’s accused of, it’s always a good idea to obey the law. For companies operating in the United States, for example, there are a number of regulations from the Securities and Exchange Commission and other regulatory bodies that require retention of records, including those stored in e-mail. Not to store these records and to make them available on demand can result in the imposition of enormous fines, damage to a company’s reputation and other ramifications.

From the perspective of this column’s focus, however, the second key message from this event is less black-and-white: should your company keep old e-mails?

If your company has a policy of destroying old e-mails after 90 days, for example, you can prevent incriminating evidence from being discovered in the type of raid that occurred at Livedoor corporate headquarters. While there could be incriminating evidence that occurred within the previous 90 days that could come back to haunt you, major scandals usually take quite some time to discover, so a 90-day deletion policy will probably eliminate most of the damaging evidence from your company’s mail servers.

This type of deletion policy works well to mitigate the risk that an organization faces from embarrassing or illegal activities being discovered through e-mail – that is, of course, unless there is a risk that an employee might just keep a copy of old e-mails in some sort of personal archive. Imagine, for example, that the employee who supplied his e-mails to the authorities in Japan had these e-mails on a USB keychain device or his laptop. No deletion policy will ever eliminate these e-mails.

Since it is difficult, if not impossible, to prevent employees from keeping copies of their old e-mail, what’s the alternative? The best alternative, in my opinion, is to keep all e-mail that you might need for a future regulatory audit or lawsuit. While you might be preserving information that is incriminating to your firm, it’s better for you and your opposition to have a copy of this stuff rather than just your opposition.