Keeping your organization’s email retention policy current is as important as establishing the document retention policy in the first place. Shifts in state and federal law, regulatory refinements, and advancing technology are just a few of the external influences that require regular oversight to remain in compliance. Internally, system modernization, employee turnover, and changes in organizational structure provide sufficient rationale for updating, testing, and refreshing your organization’s email retention policy.
Regardless of where the need arises, close coordination with key stakeholders will help you address and resolve specific challenges, ultimately leading to a thorough understanding of how the policy’s solutions play out for your organization.
As the amount of data being produced continues to increase, more organizations are moving their email to the cloud – which poses its own eDiscovery challenges.
The considerations for establishing and maintaining your organization’s email retention policy are: business needs, legal requirements, organizational culture, approaches to retention policies, litigation holds, automation, and implementation.
1. Business Needs
Fundamental to the creation of any email retention policy is the need to answer basic questions about an organization’s records:
- Defining what constitutes a “record”;
- Listing and categorizing record types;
- Documenting how long the business requires that each type be retained and for what reason.
As a corollary, the organization should track how accessible records must remain over time, which drives the form in which documents will be stored. A consideration of “what constitutes a record” will likely compel the conclusion that many emails will never become records at all and thus will not require an email retention policy.
2. Legal and Regulatory Requirements
The laws and regulations that govern the organization’s activities will determine retention periods for many record types. Federal laws such as Sarbanes-Oxley and Gramm-Leach-Bliley, as well as Agency regulations (SEC, FTC, etc.) impose specific record retention requirements. Each of these provisions sanctions hefty penalties for noncompliance, in addition to the reputational damage done to your organization. For example:
- Sarbanes-Oxley Act of 2002 (SOX) imposes significant fines and/or up to 20 years in prison for whomever “knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter.…”
- Gramm-Leach-Bliley Act (GLBA) regulates financial institutions and their affiliates and is enforced by a handful of federal agencies (CFPB, FTC, etc.). Like SOX, penalties for noncompliance may include imprisonment and fines ranging from several thousand dollars to more than $1 million.
- HIPAA (Health Insurance Portability and Accountability Act) ensures that patient records (including patient correspondence) are protected from the public domain. Noncompliance may lead to severe consequences, including civil fines of up to $25,000 per year and criminal penalties yielding $250,000 fines and up to 10 years in prison.
- SEC Rule 17a-4 requires securities broker-dealers to archive all electronic data, email, and correspondence “in an easily accessible manner” in “write once, read many” (WORM) format. Significant fines, penalties, and formal censure await those found not in compliance with these complex rules.
State laws such as wage and hour laws are sources of retention requirements. Legal retention requirements may be indirectly implied from other sources such as statutes of limitation. Internal business considerations will also create legal retention needs, but in general, it’s typically a good idea to retain important documents and communications for at least 7 years depending upon the industry standard and specific circumstances. This policy applies to email, voicemail, and text messages, among others.
Companies that take great pains to protect sensitive trade secret information may retain emails for a certain period so that a dedicated security unit can scan emails for suspicious content. In addition, the importance of electronic discovery and the amended Federal Rules of Civil Procedure have demonstrated that retention policies will be influenced and shaped by case law.
3. Organizational Culture
An organization’s culture and habits inform the creation of its email retention policy. The policy’s creators should understand how its simplicity, coupled with regular communication, helps to generate the necessary cooperation and support of department managers and their employees. Conduct 1:1 meetings with department heads to gather their insights as the policy is being developed. Explain how the retention policy benefits the entire organization, including her/his department.
Some employees intentionally subvert the policy’s best efforts by believing their needs supersede those of the email retention policy; they may even develop work-arounds to circumvent it. Such strategies include, for example, saving emails in a .pst file format, printing emails to .pdf and saving them to another location, or even amending the email’s date to evade the retention policy’s deletion schedule parameters.
If employees are accustomed to complete freedom in retaining and organizing emails and other electronic documents, an email retention policy that curbs that freedom may initially be unpopular. This is where getting the manager’s buy-in may prove particularly helpful.
Policies that require a change in existing behavior are best implemented by bringing in members of key groups (i.e., Legal, IT, HR, and business unit stakeholders) to help develop and roll out the new policy. It may even be necessary to incorporate technical safeguards to mitigate the workarounds I mentioned earlier.
4. Approaches to Scope and Length of Electronic Record Retention
Record retention literature describes several approaches to email and electronic record retention. Although an organization may elect to keep forever all electronically stored information, including email, there is no legal obligation to do so. The Supreme Court endorsed this principle in Arthur Andersen LLP v. United States (2005) 544 U.S. 696, albeit too late to help Arthur Andersen.
Organizations impose electronic retention limits for two cost-related reasons:
- To reduce the storage costs, and
- To reduce the cost and risk in litigation of handling large volumes of electronic information.
Storage costs are known and predictable; eDiscovery costs are notoriously unpredictable. Organizations that retain all emails may be required to identify, collect, process and review email that legally could have been discarded. Your organization’s email retention policy should reflect and support the business’ overall strategy.
Some experts suggest writing a policy that imposes strict retention timelines, with each document’s deletion scheduled according to its date of creation. If automated, this purely objective policy standard requires little or no employee interaction; if not, though, the process could easily become an unwieldy burden that risks noncompliance.
Though more complex, a system of email categorization may empower employees to retain important emails. Categories may be defined broadly – e.g., “general business purposes” – or narrowly, based on vendor or department. Commentators recommend that such a policy feature an education program for employees to guide the most appropriate categorization structure.
Many organizations set aside a specific time of year, often in conjunction with “Spring Cleaning” activities or “Arbor Day” celebrations, for employees to scour their inboxes and file folders to eliminate unnecessary email and documents.
One important caveat to this and all record retention practices: review your retention policy with your Legal Department or outside counsel. Deletion of documents subject to a litigation hold or other preservation notice can lead to significant adverse consequences for your organization.
5. Litigation Holds
A key feature of a corporate email retention policy is an organization’s ability to efficiently and quickly impose a legal hold in the event of a claim or lawsuit. Case law has established that a duty arises to preserve documents when a complaint is received or when litigation is probable. Organizations may suspend automated email deletion programs or the recycling of back-up media until a decision is made about what documents and information must be retained, and possibly for the duration of the litigation.
Amended Federal Rule of Civil Procedure 37(e)contains a safe harbor provision that protects a party if information is discarded, destroyed, or overwritten as a result of “the routine, good-faith operation of an electronic information system.” However, once a party is on notice that information must be preserved, the safe harbor provision does not apply.
Organizations increasingly turn to automation to help facilitate their email record retention policies. Many organizations allow employees the freedom to accumulate an unlimited volume of emails and files with no controls on categorization, management, or deletion. Some use automated features already available in existing programs to control retention, such as the mailbox size limits.
An organization may take a more significant step into automation by investing in an email archiving program. Before purchasing a major application, an organization should assess its current capabilities to determine what leveraging of additional infrastructure is possible. Two large-scale automation options are worth noting: The “matter centric” document management system and the email archiving system.
Organizations contemplating such an investment should consider instituting a request for proposal (RFP) process in which a team of individuals (internal and possibly external) views demos, interviews vendors, asks about data management training, collects important information through a survey, and makes a supported recommendation to management.
Document management systems have long been used to organize and categorize documents. More up-to-date versions of these software applications operate directly in an email program such as Outlook and allow for rapid categorization and “bucketing” of emails into folders specified by the organization. Another highly automated but expensive option is the email archiving solution, in which emails are housed in the vendor’s archiving program, and the employee sees only a link to that email.
One advantage of this solution is that a single individual can manage litigation holds and run keyword searching directly in the program. A disadvantage of such programs is that they are often enthusiastically embraced as a way to alleviate “bloat” in the email system before the organization takes the initial step of asking why the “bloat” exists in the first place. In other words, treating the symptom, but not the underlying problem.
Creating an enterprise-wide email retention policy is an important undertaking, especially in this Information Age. Enhance the odds of your organization’s successful implementation by following these best practices:
- Put it in writing. Your email retention policy should be in writing and available to everyone within your organization. Consider asking all employees and vendors to confirm their review and acceptance of the policy’s requirements.
- Keep it simple. A straightforward, easy-to-follow policy will be received as less burdensome to the rank-and-file. Policies and process requirements that complicate their lives will be met with skepticism – even resistance or rebellion – and far less likely to succeed.
- Communicate the plan and the rollout. Seek the assistance of HR and Marketing to help craft and deliver the message. Make sure your email retention policy has the backing of executive leadership, whose visible support will demonstrate that the policy has toplevel endorsement.
- Be patient. Workplace change can be extremely upsetting to some. Take the time to ask questions, gather feedback, and incorporate employee insights into the policy’s rollout. The investment of time and patience will yield substantial dividends in employee buy-in and engagement downstream.
- Consider rolling out the email retention policy incrementally, for example, by implementing a pilot project in a single department, working out the kinks, and then expanding the policy more broadly.
- Review your policy with leaders in the C-suite, HR, IT, and legal counsel to ensure it aligns and supports your business strategy, organizational culture, technical capabilities, and compliance requirements.