Be ready for electronic discovery with a records retention policy


John Weathington, Contributor
09.03.2009


Email retention is low-hanging fruit for IT, so it's surprising how often I see it done wrong. When done properly, email retention as part of a comprehensive records retention policy can prevent potential compliance problems. When done wrong, however, it can cost your company millions of dollars.

Email retention is a very simple task both for you in IT and the rest of your organization. I recently wrote an article for SearchCompliance.com entitled "Electronic discovery critical to health of company, IT organization," wherein I mentioned a company that was fined $2.75 million for improper email handling. This had nothing to do with its archiving strategy or reproduction of email records. The company simply did not handle its email processing properly.

What's happening in today's court system when it comes to compliance violations is a transposition of guilt and innocence. I constantly tell my clients that it's not good enough anymore to just do the right thing; you must be able to prove that you're doing the right thing. Once you establish your intent is pure, you're literally 80% out of compliance harm's way.

Start with a records retention policy

Your company absolutely must have a records retention policy. Note that I didn't say email retention policy, because an email is just one of many ways a record can be created. This is important to understand: It's not email, per se, that drives retention consideration -- it's about what's in the email.

If your company does not have a records retention policy, then I recommend you hold an off-site with all the stakeholders and figure it out immediately. If you get caught with a legal problem and you have no email retention policy in place, you're as good as guilty.

With policy in hand, your next step is to create a policy database to manage and record things. In your policy database, you'll need to capture the following attributes:

  • Policy version and date: Anytime the policy changes for any reason, a new record needs to go into your database so you can review what the policy was at any point in time.
  • Document type: The document type will drive the retention and destruction properties. This is a general term, and may end up being two or three fields depending on your company's organization. Examples would be research, projects, financial and medical records.
  • Retention period: How long documents of this type should be retained. Once again, it's up to your company to decide how many phases of retention (e.g., on-site, off-site) records need to go through.
  • The policy: You should have a scanned image of the policy available in your database in case there's any confusion.

Building the email retention system

How you handle your non-email records (instant messages, typed documents, etc.) is beyond the scope of this article; however, be aware that it's just as important as your email retention system. Let's focus for now on building your system for email retention.

A good email retention system does four things:

  • Captures every email and stores it in an immutable state.
  • Indexes the contents of every email so that it can be researched effectively.
  • Retains every email for exactly the period of time required (as dictated by its document type), then obliterates it and every trace that it existed.
  • Has an "in case of emergency" switch that completely disables the obliteration functionality mentioned above.

Sounds easy enough, right? Good -- don't overcomplicate things. Start with a write-once, read-only database (similar to the old-style CDs). Centralize your email traffic and send everything to this database. The database needs to store every email in two forms. First, scan the email into an image for permanency, then hyper-index the contents as any Internet search engine would. This handles the first two bullets.

Metadata in the email should convey what document type we're dealing with, which will tell us what the retention period should be. With this information, stamp every single email with a "destroy on" date. On this date, blast this email to pieces unless the "in case of emergency" switch has been activated. Ensure your email system is airtight and that there are no copies of this email floating around anywhere (e.g., in personal folders). Be very serious about destruction. Having incriminating email available can get you into more trouble than not having it available.

The "in case of emergency" switch is mandatory in case of a litigation hold. This is the trump card of email retention. If your legal department issues a litigation hold, all email traffic must be retained no matter what, until the litigation hold is lifted. That $2.7 million fine I referenced earlier was imposed because a litigation hold was issued and the company continued to delete emails. In the court's eyes, it was an admission of guilt.
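As an added example (not code from the article, its author, or his consultancy), the following Python sketches the pieces described above in working form: the policy database with the four attributes from the earlier list (version, effective date, retention period per document type, a reference to the scanned policy), an archive that stores each email once with a hash taken at capture and indexes its words, a "destroy on" date stamped at capture from the policy version in force on the day the email was received, and a purge routine that does nothing at all while the litigation-hold switch is set. Every class and method name, the two policy versions, and the three emails are constructed for illustration; the scanned policy image is stood in for by a placeholder filename.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import re

@dataclass(frozen=True)
class PolicyVersion:  # one row of the policy database: the four attributes above
    version: str
    effective: date
    retention_days: dict   # document type -> days to retain
    policy_image: str      # reference to the scanned policy (placeholder name)

class PolicyDatabase:  # append-only, so the version in force on any past date is recoverable
    def __init__(self):
        self._history = []
    def publish(self, pv):
        self._history.append(pv)
        self._history.sort(key=lambda p: p.effective)
    def in_force_on(self, day):
        applicable = [p for p in self._history if p.effective <= day]
        if not applicable:
            raise LookupError(f"no policy version in force on {day}")
        return applicable[-1]

@dataclass(frozen=True)
class ArchivedEmail:  # immutable entry: raw bytes plus the fingerprint taken at capture
    msg_id: str
    received: date
    document_type: str
    raw: bytes
    sha256: str
    destroy_on: date
    policy_version: str

class EmailArchive:
    def __init__(self, policies):
        self._policies = policies
        self._store = {}      # msg_id -> ArchivedEmail, never overwritten
        self._index = {}      # token -> set of msg_ids
        self.litigation_hold = False
    def capture(self, msg_id, received, document_type, raw):
        """Store once, hash, index, and stamp destroy_on from the policy in force."""
        if msg_id in self._store:
            raise ValueError(f"write-once archive: {msg_id} already captured")
        policy = self._policies.in_force_on(received)
        entry = ArchivedEmail(msg_id, received, document_type, raw,
                              hashlib.sha256(raw).hexdigest(),
                              received + timedelta(days=policy.retention_days[document_type]),
                              policy.version)
        self._store[msg_id] = entry
        for tok in set(re.findall(r"[a-z0-9]+", raw.decode("utf-8", "replace").lower())):
            self._index.setdefault(tok, set()).add(msg_id)
        return entry
    def entry(self, msg_id):
        return self._store[msg_id]
    def search(self, term):
        return sorted(self._index.get(term.lower(), set()))
    def purge(self, today):
        """Destroy every record (and its index entries) whose destroy_on date has
        arrived, unless a litigation hold is active, in which case touch nothing."""
        if self.litigation_hold:
            return []
        due = sorted(m for m, e in self._store.items() if e.destroy_on <= today)
        for m in due:
            del self._store[m]
            for tok in [t for t, ids in self._index.items() if m in ids]:
                self._index[tok].discard(m)
                if not self._index[tok]:
                    del self._index[tok]
        return due

def build_demo_archive():
    """Constructed sample data: two policy versions and three emails."""
    policies = PolicyDatabase()
    policies.publish(PolicyVersion("v1", date(2009, 1, 1), {"financial": 2555, "projects": 365}, "policy-v1.pdf"))
    policies.publish(PolicyVersion("v2", date(2009, 7, 1), {"financial": 2555, "projects": 730}, "policy-v2.pdf"))
    a = EmailArchive(policies)
    a.capture("m1", date(2009, 3, 10), "projects", b"Subject: Project Falcon kickoff\n\nKickoff is in April.")
    a.capture("m2", date(2009, 8, 1), "projects", b"Subject: Project Falcon budget\n\nRevision attached.")
    a.capture("m3", date(2009, 8, 1), "financial", b"Subject: Q2 ledger\n\nQuarterly ledger for review.")
    return a

def run_scenario():
    """Capture, search, scheduled destruction, and a litigation hold, in that order."""
    a = build_demo_archive()
    out = {"search_before": a.search("falcon"),
           "destroy_on_m1": a.entry("m1").destroy_on.isoformat(),  # v1 in force: 365 days
           "destroy_on_m2": a.entry("m2").destroy_on.isoformat(),  # v2 in force: 730 days
           "policy_m2": a.entry("m2").policy_version,
           "too_early": a.purge(date(2010, 3, 9)),
           "purged_first": a.purge(date(2010, 3, 10)),
           "search_after": a.search("falcon")}
    a.litigation_hold = True
    out["purged_under_hold"] = a.purge(date(2011, 8, 1))
    out["m2_survives_hold"] = "m2" in a._store
    a.litigation_hold = False
    out["purged_after_hold"] = a.purge(date(2011, 8, 1))
    return out

if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry over from the text. The retention period is resolved against the policy version in force on the received date and that version's identifier is stored with the email, so the policy that applied to any record can be shown later; and the purge removes the index entries along with the record, because an index hit for a "destroyed" email is exactly the kind of stray copy the article warns about. A production archive would put the store itself on write-once media and run the hold check on every destruction path, not just the scheduled one.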

It's not hard to build a good email retention system. It starts with a policy and finishes with good IT architecture. Start today by creating or revisiting your existing email retention policy. The benefits will far outweigh the few days it will take to get things going.

John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy. For more information, visit www.excellentmanagementsystems.com.
