Email retention is low-hanging fruit for IT, so it's surprising how often I see it done wrong. When done properly, email retention as part of a comprehensive records retention policy can prevent potential compliance problems. When done wrong, however, it can cost your company millions of dollars.
Email retention is a very simple task both for you in IT and the rest of your organization. I recently wrote an article for SearchCompliance.com entitled "Electronic discovery critical to health of company, IT organization," wherein I mentioned a company that was fined $2.75 million for improper email handling. This had nothing to do with its archiving strategy or reproduction of email records. The company simply did not handle its email processing properly.
What's happening in today's court system when it comes to compliance violations is a transposition of guilt and innocence. I constantly tell my clients that it's not good enough anymore to just do the right thing; you must be able to prove that you're doing the right thing. Once you establish your intent is pure, you're literally 80% out of compliance harm's way.
Start with a records retention policy
Your company absolutely must have a records retention policy. Note that I didn't say email retention policy, because an email is just one of many ways a record can be created. This is important to understand: It's not email, per se, that drives retention consideration -- it's about what's in the email.
If your company does not have a record retention policy, then I recommend you have an off-site with all the stakeholders and figure it out immediately. If you get caught with a legal problem and you have no email retention policy in place, you're as good as guilty.
With policy in hand, your next step is to create a policy database to manage and record things. In your policy database, you'll need to capture the following attributes:
- Policy version and date: Anytime the policy changes for any reason, a new record needs
to go into your database so you can review what the policy was at any point in time.
- Document type: The document type will drive the retention and destruction properties.
This is a general term, and may end up being two or three fields depending on your company's
organization. Examples would be research, projects, financial and medical records.
- Retention period: How long documents of this type should be retained. Once again, it's
up to your company to decide how many phases of retention (i.e. on-site, off-site, etc.) records
need to go through.
- The policy: You should have a scanned image of the policy available in your database in case there's any confusion.
Building the email retention system
How you handle your non-email records (instant messages, typed documents, etc.) is beyond the scope of this article; however, be aware that it's just as important as your email retention system. Let's focus for now on building your system for email retention.
A good email retention system does four things:
- Captures every email and stores it in an immutable state.
- Indexes the contents of every email so that it can be researched effectively.
- Retains every email for exactly the period of time required (as dictated by its document type), then obliterates it and every trace that it existed.
- Has an "in case of emergency" switch that completely disables the obliteration functionality mentioned above.
Sounds easy enough, right? Good -- don't overcomplicate things. Start with a write-once, read-only database (similar to the old-style CDs). Centralize your email traffic and send everything to this database. The database needs to store every email in two forms. First, scan the email into an image for permanency, then hyper-index the contents as any Internet search engine would. This handles the first two bullets.
If you get caught with a legal problem and you have no email retention policy in place, you're as good as guilty.
Metadata in the email should convey what document type we're dealing with, which will tell us what the retention period should be. With this information, stamp every single email with a "destroy on" date. On this date, blast this email to pieces unless the "in case of emergency" switch has been activated. Ensure your email system is airtight and that there are no copies of this email floating around anywhere (i.e., in personal folders). Be very serious about destruction. Having incriminating email available can get you into more trouble than not having it available
The "in case of emergency" switch is mandatory in case of a litigation hold. This is the trump card of email retention. If your legal department issues a litigation hold, all email traffic must be retained no matter what, until the litigation hold is lifted. That $2.7 million fine I referenced earlier was imposed because a litigation hold was issued and the company continued to delete emails. In the court's eyes, it was an admission of guilt.
It's not hard to build a good email retention system. It starts with a policy and finishes with good IT architecture. Start today by creating or revisiting your existing email retention policy. The benefits will far outweigh the few days it will take to get things going.
John Weathington is president and CEO of Excellent Management Systems Inc., a San
Francisco-based management consultancy. For more information, visit www.excellentmanagementsystems.com.
This was first published in September 2009