How to Formulate an Effective Email Retention Strategy

By Allen Bernard


With so many high-profile court cases revolving around it and so many government regulations scrutinizing it and so many people depending on it to do their jobs, putting together an email retention (and destruction) policy that mollifies all these groups is becoming increasingly complicated.

On the bright side—outside of whatever regulations pertain to your industry—you can have any email retention and preservation policy you want. In fact, the U.S. Supreme Court, in U.S. v. Arthur Andersen, said basically just that in 2005.

On the not-so-bright side, if you don't take into account the governmental bodies (Congress, SEC, NASD, etc.) that can tell you what to do and what not to do with your internal information, you could end up doing jail time.

Perhaps worse, however, if you don't take into account the needs, wants and desires of your internal customers (e.g., your employees, legal department, and IT staff), you could end up dreading the day you decided to become a CIO (or at least the guy who has to report to the CIO).

"One of our opening premises is that as long as you meet external regulatory requirements around preservation of email," said Gartner's Matt Cain, "your email retention policy can be anything. But it needs to be consistent, it needs to be consistently enforced, it needs to be auditable and it needs to have continuous education wrapped around it."

So, what this means in practical terms is you don't have to keep any email any longer than you want to so long as you don't run afoul of the regulators. But say you do have a zero-day preservation policy for email? Chances are your employees who depend on it to do their jobs, make deals, and remember their meetings won't be very happy starting each day with a blank slate.

Nor will your CFO, when he or she realizes the phone bill just increased ten-fold because no one is using email anymore.

On the other hand, if you save every email indefinitely, as many companies are doing today, your IT staff may not be very happy because of the heavy burden it may put on them to manage such a massive and quickly growing store of information.

Also, according to Cain, who has been an email analyst for 15 years, your legal department may come down on you since they would like to see all emails deleted sooner rather than later. Discovery is an expensive proposition for most companies and, therefore, less information to sift through is better, and cheaper.

But this is, of course, complicated once again by outside forces. If your company finds itself facing a lawsuit for whatever reason regarding whatever, you, as the CIO, have to be able to stop all destruction of relevant emails the day you learn of the litigation.

This means you have to have a policy in place that is flexible enough to account for all your constituents but also rigorous enough that it can be enforced from on-high without their consent.

"There's no doubt that email, right now, is right at the fulcrum of litigation," said David Isom, co-chair of Greenberg Traurig's national e-Discovery & e-Retention Practice group. "Once a lawsuit is actually filed, that is the very latest date at which that obligation arises. Now, the question is, before then, when does that duty arise and under what circumstances?"

The courts say the duty to retain certain unregulated email arises when a reasonable person should reasonably foresee litigation that would make certain people's emails relevant.

"The question is not when you actually subjectively believed there was going to be litigation but when, objectively, you should have been on notice," said Isom.

In other words, yet another fly in the ointment.

So, here you are, 643 words in and no clear picture of how to formulate an email retention policy that will a) keep you out of jail, b) keep you in your job and c) keep everyone happy (including the regulators). Well, don't be surprised if no one else in the company is very far ahead of you—especially the people you should turn to first, said Gartner's Cain—your legal department.

"My sense is legal is just as confused as anybody else and it takes some real elbow-grease to actually make a definitive policy."

The good news, if there is any at this point, is the vendors are stepping up to help. One such vendor, Zantaz, has products that, once you have come up with your policy, will automate it and the enforcement of that policy as well.

One suggestion the firm pushes is to have no local storage of email. This may seem odd, but if you have a bunch of email saved in a bunch of different places, then trying to destroy it all when the time comes will be futile. And, for example, if a plaintiff finds this out or you don't tell the court that the email in question could exist on a PC somewhere, then you might end up like Morgan Stanley—with a $1.45 billion judgment against it.

If all emails are stored on a NAS, for example, then managing them becomes much easier, said Joe Romanowski, Zantaz's vice president of Product Strategy.

"It really comes down to your legal counsel and what you want to retain and how long you want to retain it," he said. "And the big point here is once it's destroyed, make sure it's destroyed."

And that's really the long and short of it. You don't have to do anything with email retention the government doesn't tell you to do, but if you don't do what works for the employees of your firm, then you probably won't either—at least not for long.