Does your organization need a policy for managing retention and preservation of email? YES—even the smallest organizations are wise to invest the time and effort to craft such a policy.
Many lawyers will tell you, “I cannot guarantee that you will not be sued; the best I can do is put you in position to win if you are sued.” With changes in federal law regarding the use and exchange of electronic data in lawsuits, which became effective last year, a well-thought-out plan for managing retention of email, in advance of any suit, is a necessary element of that positioning. It is also good business.
Email has become an accepted way of doing business, communicating with friends and family, and sharing news, political views and just about any other type of information. In many workplaces, the personal use of business email is at least tacitly tolerated, if not officially condoned. Most employers are aware of the need for a policy governing email use and the need to make clear that employees have no expectation of privacy in email sent across the employer’s systems.
But many employers, large and small, have still not settled on a policy for retaining email. By default, retention decisions are often made by individual employees, resulting in a patchwork of inconsistent practices within an organization. Management often cannot concisely describe exactly what employees are doing or what is being retained. Storage space restrictions are often the only limitations. Storage gets cheaper every day, prompting some to simply buy more capacity, rather than analyzing what they are storing and why. Acquiring ever greater storage capacity avoids the issue rather than addressing it. An archiving solution will enable you to search and locate retained emails in the future, but does not address the question of whether they should even be retained.
One size does not fit all. Any policy must be specifically crafted to fit the organization, rather than simply taking a sample form and shoehorning it into place.
On one extreme, some organizations opt to retain everything. On the other, strict policies with short retention periods delete anything not specifically saved by end-users. Legal arguments can be made about the value of both approaches. Settling on an approach for your organization should be a business question, not just a legal consideration. Some organizations and types of emails may have specific retention requirements under state or federal law. Any policy should be reviewed for applicable legal requirements, but the driving concern should be “Does this policy benefit the business?” A policy on which employees are not properly trained, or which is not monitored and enforced, may be worse than having no policy at all when it comes to defending that policy in litigation.
What factors should you consider in designing a policy?
1. Business connection. Allowing employees reasonable personal use of email does not require retaining such email. Any retained email should, at a minimum, have a connection to the organization’s purpose and functions. Clearly personal email, if allowed, should be read and promptly deleted. Generic messages, such as “out of office” notices, inquiries regarding lunch plans, meeting requests and spam or electronic junk mail are similarly subject to deletion.
2. Legal requirements. Some emails may be subject to state or federal retention requirements. A “litigation hold,” requiring the retention of relevant email and other electronic data, arises when the organization is in litigation or becomes aware of the strong probability of litigation. Retention requirements may also arise without litigation. Sarbanes-Oxley, for example, requires retention of documents, including emails, related to an audit or the work of an audit committee. Emails created by government employees are often subject to state or federal record retention requirements. In private workplaces, emails may qualify as personnel/payroll records, investment advice, components of a contract or purchase order, or other document subject to retention requirements.
3. Burden and cost. At what point is it more cost-effective to retain everything than to implement a retention policy?
4. Ease of implementation. Is the policy designed in a way that the end-users will be able to understand and apply it with an acceptable level of training and support? Is compliance monitoring practical at a reasonable expense?
5. Retention period. Absent end-user intervention for preservation, how long will email be retained? Five years? One year? 90 days? Should different end-users or persons in designated departments or functions have different retention periods?
6. Guidelines for end-user retention. What emails should end-users be directed to retain? How and where are they retained? At a minimum, emails subject to legal requirements should be retained as required by law. Emails which pertain to a specific project or issue should be retained at least until that matter is concluded. End-users should be given specific guidelines for making these decisions, not simply told to retain anything they consider important. Just as importantly, clear procedures for retention must be specified. Whether emails are to be printed and filed as paper, archived, retained electronically or retained in some other manner, a procedure must be specified.
7. Attachments. Is an attachment to be retained in the same manner as the email to which it is attached? End-users should be given clear instructions on standards for preservation of such attachments and whether they are considered, for retention purposes, part of the email or a separate, independent document.
Consideration of these factors should reveal that generic policies are insufficient. A policy that fails to consider the specifics of the organization is doomed to ultimate failure. Drafting a proper retention plan will often require input from management, IT/IS, legal and document retention functions. Each has a role to play in crafting a policy that benefits and supports your organization’s goals and contributes to your success. IBI