Posted on: June 26, 2013

7 Factors to Consider Before Creating an Email Retention Policy

Corporate Email Retention Policy

Even after a document retention policy has been implemented, an executive may ask a lawyer, “What should I do about email?” A number of years ago I was asked to advise a client what factors it should consider regarding email retention. 

The considerations are the same today as they were when I first advised this client. They are: business needs, legal requirements, organizational culture, approaches to retention policies, litigation holds, automation, and implementation.

1. Business Needs

Fundamental to the creation of any electronic record retention program is the need to answer basic questions about an organization’s records: 

  1. Defining what constitutes a “record”; 
  2. Listing and categorizing record types; 
  3. Documenting how long the business requires that each type be retained and for what reason. 

As a corollary, the organization should track how accessible records must remain over time, which drives the form in which documents will be stored. A consideration of question one will likely compel the conclusion that many emails will never become records at all and thus will not require an email retention policy.

2. Legal and Regulatory Requirements

The laws and regulations that govern the organization’s activities will determine retention periods for many record types. Federal laws such as Sarbanes-Oxley and Gramm-Leach-Bliley, along with IRS and SEC rules, impose specific record retention requirements. State laws such as wage and hour laws are sources of retention requirements. Legal retention requirements may be indirectly implied from other sources such as statutes of limitation. Internal business considerations will also create legal retention needs.

For example, companies that take great pains to protect sensitive trade secret information may retain emails for a certain period so that a dedicated security unit can scan emails for suspicious content. In addition, the importance of electronic discovery and the amended Federal Rules of Civil Procedure have demonstrated that retention policies will be influenced and shaped by case law.

3. Organizational Culture

An organization’s culture and habits inform the creation of an email retention policy. The creators of a policy should understand employees’ existing practices. If employees are accustomed to complete freedom in retaining and organizing emails and other electronic documents, an email retention policy that curbs that freedom may initially be unpopular. 

Policies that require a change in existing behavior are best implemented by making key groups such as Legal, IT, HR and business units stakeholders in the process of establishing a new policy. Some commentators also advise rolling out the email retention policy incrementally, for example, by implementing a pilot project in a single department such as HR.

4. Approaches to Scope and Length of Electronic Record Retention

Record retention literature describes a number of approaches to email and electronic record retention. Although an organization may elect to keep forever all electronically stored information, including email, there is no legal obligation to do so. The Supreme Court endorsed this principle in Arthur Andersen LLP v. United States, 544 U.S. 696, albeit too late to help Arthur Andersen.

Organizations impose electronic retention limits for two cost-related reasons: 

  1. To reduce storage costs; and 
  2. To reduce the cost and risk in litigation of handling large volumes of electronic information. 

Storage costs are known and predictable; eDiscovery costs are notoriously unpredictable. Organizations that retain all emails may be required to identify, collect, process and review email that legally could have been discarded.

Many organizations implement limits on email retention such as limits on mailbox size and automated deletions. Organizations that adopt automated email deletion may combine that feature with an education program for employees and empowerment of employees to elect to retain important emails. An organization may also limit the amount of email storage space allotted to each employee within their corporate email retention policy.

5. Litigation Holds

A key feature of a corporate email retention policy is an organization’s ability to efficiently and quickly impose a legal hold in the event of a claim or lawsuit. Case law has established that a duty arises to preserve documents when a complaint is received or when litigation is probable. Organizations may suspend automated email deletion programs or the recycling of back-up media until a decision is made about what documents and information must be retained, and possibly for the duration of the litigation. 

Amended Federal Rule of Civil Procedure 37(e) contains a “safe harbor” provision which protects a party in the event that information is discarded, destroyed or overwritten as a result of “the routine, good-faith operation of an electronic information system.” However, once a party is on notice that information must be preserved, the safe harbor provision does not apply.

6. Automation

Organizations increasingly turn to automation in developing an email record retention policy. Many organizations allow employees the freedom to accumulate an unlimited volume of emails and files with no controls on categorization, management or deletion. Some organizations use automated features already available in existing programs to control retention such as the mailbox size limits mentioned above.

An organization may take a more significant step into automation by investing in an email archiving program. Before purchasing a major application, an organization should assess its current capabilities to determine what leveraging of additional infrastructure is possible. Two large-scale automation options are worth noting: the “matter centric” document management system and the email archiving system.

Organizations considering these options should consider conducting a request for proposal (RFP) process in which a team of individuals (internal and possibly external) views demos, interviews vendors, inquires about data management training, collects important information through a survey, and makes a supported recommendation to management.

Document management systems have long been used to organize and categorize documents. More up-to-date versions of these software applications operate directly in an email program such as Outlook and allow for rapid categorization and “bucketing” of emails into folders specified by the organization. Another highly automated but expensive option is the email archiving solution, in which emails are housed in the vendor’s archiving program, and the employee sees only a link to that email. 

One advantage of this solution is that a single individual can manage litigation holds and run keyword searching directly in the program. A disadvantage of such programs is that they are often enthusiastically embraced as a way to alleviate “bloat” in the email system before the organization takes the initial step of asking why the “bloat” exists in the first place.

7. Implementation

The creation of a corporate email retention policy is an important undertaking. That said, it need not be overwhelming or overly complicated. If such policies are not scalable in terms of scope and detail, organizations will not adopt them. Ideally, such an email retention policy should be created by a group of interested stakeholders. It should have the avowed support of management.

The policy should be in writing, and should be connected to other policies relating to desktop computing and the use of organization assets such as PCs and mobile devices. It should be issued by a senior officer and should be rolled out with an announcement and accompanied by training. Going forward, the policy should be subject to audit, and employees should be held accountable for compliance. There should be ongoing education, eDiscovery training, and resources, including a contact to whom questions can be directed, or even a dedicated email box.
