Slashdot Mirror
Are There Any Smart E-mail Retention Policies?
An anonymous reader writes "In an age of litigation and costly discovery obligations, many organizations are embracing policies which call for the forced purging of e-mail in an attempt to limit the organization's exposure to legal risk. I work for a large organization which is about to begin destroying all e-mail older than 180 days. Normally, I would just duck the house-cleaning by archiving my own e-mail to hard-drive or a network folder, but we are a Microsoft shop and the Exchange e-mail server is configured to deny all attempts to copy data to an off-line personal folder (.PST file). The organization's policy unhelpfully recommends that 'really important' e-mails be saved as Word documents. Is anybody doing this right? What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?"
Way to be a jerk. Slashdot isn't only about the latest iPhone release, or patent trolling. It's about everything technical, and this is good question.
if your orgs exchange server has their imap connector enabled, you can use a different client that doesn't follow the commands of the exchange server to pull emails, but it sounds to me like your org is smarter than that.
Don't break the law (or if you do don't tell your closest 20 associates about it) and don't worry about retention policies?
Don't do anything illegal, then the company doesn't have any thing to hide right?
I recall several big cases then went up because of someones 'little black book' in pencil and paper, so purging emails is really a waste of time anyway. Besides we could always plant emails we need on your server anyway.
They Live, We Sleep
Even if Ask Slashdot articles like this aren't "news for nerds", they're still (supposed to be) "stuff that matters" related to information technology.
Could you forward your emails to a personal account on one of the big three webmail providers? IANAL but it seems like that might limit the company's liability while allowing you to automatically archive your emails in a fully searchable format.
Way to be a jerk. Slashdot isn't only about the latest iPhone release, or patent trolling. It's about everything technical, and this is good question.
I'm a big fan of plain text email and copy and past really isn't all that time consuming if I were forced to save anything worth saving for longer than 180 days.
On the Oregon Cost born and raised, On the beach is where I spent most of my days
The end result of all the bullshit lawyers try to shove on people who actually produce things for a living is the same. We route around it. This policy will cause people to use webmail, alternative email clients, IM, and other technologies to get on with getting work done, while the lawyers remain blissfully ignorant.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Print every email you get, I'm sure it won't effect your bonus.
Cheating, as the author suggests, is a bad idea. The company is doing this for a reason... to protect themselves from extra BS when they get sued.
If you don't want to have to go through that extra BS (believe me, you don't) and/or you don't want your company or yourself getting in even more legal trouble when they deny something exists (because it shouldn't according to their policy) when it really does (because you didn't follow the policy) then don't be an ass. Do what they tell you like a good little minion.
Seems like a highly annoying and unproductive policy you have there. Create a local pop3/smtp server, forward your emails there. Or.... forward them back to yourself and keep resetting the timestamp :)
Not trying to troll here (but posting AC just to be on the safe side), but really: What are they trying to hide with such a policy? If they're doing something illegal you should report them, not try to cover for them.
And I do hope you are joking.
Seriously.
Let the 180 day limit on email remain as 'someone elses problem'. How many times do you really need to get an email six months old? You'll end up with a cleaner, faster and less stressful mailbox.
Of course, there may be the odd email you need, so every week why not look at the oldest week's worth of mail in your mailbox, and anything you REALLY have to keep, just forward it to yourself. Then it will stay in your mailbox for another 180 days. But try to only forward the things that are vital.
Of course you may be able to forward to an offsite mail account, but I'm assuming that isn't allowed. No company is going to restrict you from forwarding emails to your own company account.
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
Destroying e-mail - something that used to be a good idea - can now be a crime even absent an active criminal investigation. For firms affected by Sarbanes-Oxley, you'd better comply with e-mail retention rules.
And for those of you libertarian-for-yourself, statist-for-big-companies types out there, this is what happens when the government pokes its nose into regulating business; they don't just make Microsoft's life miserable. All aspects of life and business will be intruded upon. That's just how Big Nanny works.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
It's not a good idea to go against your company policy, but most Outlook clients are usually configured to use cached Exchange mode to store a copy of all e-mails in a .OST file in your profile directory, so you likely already have a local backup of the e-mails you have stored on your Exchange server. Just look up an "OST to PST" converter on Google, and then you're all set. Surprised no one else caught this.
I have worked for companies with such a policy. Insane loss of productivity when all the history continually disappears.
It takes a huge legal risk to justify such a policy.
Are There Any Smart E-mail Retention Policies?
Retain (store) email just long enough to forward it on to the destination server.
The higher the technology, the sharper that two-edged sword.
Just to be devil's advocate, if that's their policy why fight it? You'll only be bringing trouble on to yourself. Say the company is sued at some point, and it's known that you archived emails against policy- don't you think there are numerous ways that could bite you on the ass?
I have no idea what you do, of course, but I would think six months is long enough for the emails to be obsolete. If not, well, you shouldn't be responsible for contents deleted in a routine purge.
If they're personal emails you need to save... I won't state the obvious.
I tend to see e-mail as something you use for temporary exchange of messages and tasks/information held therein, not something to be used to archive material.
I'd argue the company's policy isn't actually far wrong, surely anything over about 180 days is something that is more suited to permanent archiving anyway?
I'll admit when I was working in tech support and I had our corporate Microsoft keys e-mailed me I kept them in my personal folders for a couple of years but realistically I have to admit I think these would be better placed in an information repository suited to more permanent store of information.
The company does then of course run the risk of people storing data that puts them at legal risk in that information repository instead however!
I'm not sure though that there are many circumstances where an e-mail client needs to act as a long term information store. I find it's generally the case that if you need to store it for a long while, it'll almost certainly be something that others in your company will need access to should you get hit by a bus tomorrow and as such, maybe shared folders (with appropriate permissions) are a better choice than personal folders?
You left out something very important. Is your large company publicly traded in the US? If yes, it could be looking at violations of Sarbanes-Oxley if they really are purging (and not retaining) e-mail "in an attempt to limit the organization's exposure to legal risk."
But that is likely not the case. It is more likely the company is trying to limit the amount of data stored on its Exchange system. Adding storage and additional backup capacity is expensive. Implementing a policy that requires end users to keep the size of their mailboxes down does not work, because many people insist they need every bit of those six years of archived e-mail; people use e-mail as much for CYA as doing real business. So, this solution was selected. If it really is important, make the end users do some work to keep it and don't force the company to re architect its storage system to keep years of CYA and personal mail.
Any truly relevant information in emails would end up having to be transferred to another form of documentation. Most projects last more than 180 days; you can't just let information disappear that quickly. Makes a strong case for just using email as the information database. Except for the liability. For most, the cost of having to permute the information into other storage far outweighs the potential cost of liability. For a few high-profile organizations, the reverse is true. Create and apply policy accordingly. And if you do have an aggressive purge policy, well, we know you're trying to hide something.
That email belongs to the company, not you. As someone who accumulates 90% of his work stress from dealing with employee email usage atrocities (please don't email an mp3 mix cd image to 150 of your closest friends from your workstation, kthx), let me tell you what's wrong with your plan.
Its company property, governed by the policy in place for whatever reason, feel free to violate the policy if you don't want your job.
Not to mention what will happen if it comes to light that you are violating policy during a discovery proceedure, especially if it comes to light because you brilliantly decided to forward critical confidential company correspondence to somewhere like a Gmail account.
Brilliant. Really. Good luck finding a job after that.
The IT staff at my former employer saved copies of all email that went through the server... indefinitely. No, they didn't tell employees they were doing it. And yes, they had a search engine so they could do across the board searches of whatever terms seemed interesting at the time.
I find it interesting that different companies are going to different extremes. Some are limiting their exposure by trying to delete all mail and others are saving all mail in order to be able to comply with court orders (or perhaps just get a bit big brother-ish.
For a REALLY strange twist, the company I'm speaking of forced employees to maintain mailboxes under 100MB... while the server admins never deleted a single email that hit the server.
A couple of 30-somethings embark on the ultimate roadtrip
1. Don't.
Sweet, huh?
Two Dixie cups and a long piece of string. Just don't use your crayons.
thats what I would go for IMAP next would be pop3 if they have disabled both of those services which they would not usually...
then connect up Entourage on a mac and simply drag and drop alternatively evolution on a linux vmware
failing that simply forward all the mail to gmail or free email account that you can search in a instant... but no one know about...(if you are smart you will configure outlook to use the gmail (or free provider) as the sending email server so things dont go out through the exchange server alerting the admins there when they look at the traffic also make sure that you use the SSL to smtp out )
so what I am saying is there are ways around this unless your org monitors everything and even then they can easily fail
most of the time things like word documents will trip up in litigation so they should not be trying to burn everything what they are trying to do is appear to have a policy so the lawyers are satisfied....
silly but true and it's frankly dumb
regards
John Jones
A balance needs to be struck between the negatives of two strategies:
* Perpetual archiving of e-mail - wastes server disk space, increases tape backup volume, and (more notoriously) can leave "clues" that predatory litigators salivate over.
* Non-archival of e-mail - internal accusations and decisions can't be resolved, difficult to track decisions and their history, circumventable by printing the e-mail with headers.
The solution is as follows:
1. Digest only the final decisions of e-mails and the essential reasoning thereof, or make a digest of the decisions in a collaborative project wiki where buy-in from the stakeholders can be tracked.
2a. Upon project completion (ISO9000-type project gating), archive all project files, documentation and essential digest e-mails.
2b. Simultaneously destroy all other e-mails using secure forensically-unrecoverable techniques to prevent accidental recovery by thieves.
3. Any other e-mails regarding general architectural or administrative decisions which have implications for future development in the company should be digested, placed on a company wiki, and then the remainder securely destroyed.
Using this method, any questionable or potentially illegal decisions can be greatly avoided or reduced from a purely legal perspective while retaining sufficient information to continue operations and development. This policy won't end all legal issues, but the key is to have procedures that are centered around the guise of IT efficiency and operational simplicity to purposely dispel any other alleged intent by third parties that expressed or implies destruction of future evidence.
We have a backup once a month of every system in the organization including email servers that are kept forever. It may not retain every single email but it is still pretty good. Along with this, (we use Notes) I replicate my current database every hour from 8-5 to a local drive on my PC, as well as my Notes archive database every time I log in or out of my PC. I have became aware to a manager having access to everyone's email database, then deleting a email that could implicate him/herself or another manager. So I decide to keep local copies.
...then it shouldn't only be documented in an e-mail.
A lot of people use their inbox as a "safety blanket" for documenting things "I might need later." This is a bad idea for reasons other than data retention policies. Information rot can set in, and you'll have a copy of information that might not be up-to-date. This is especially problematic with documents, where you have no idea if the version in your inbox is the current version.
A good workaround (if your company allows it) is to have an internal wiki to publish "useful information" to as a shared, versioned source of knowledge. On such projects, I've noted most of our team feels much less reliant on e-mail as a store of knowledge.
"A strange game. The only winning move is not to play. How about a nice game of IMAP?"
I was under the impression that all company communications now had to be kept for at least 7 years in accordance with legislation introduced BECAUSE companies were destroying emails that proved illegal activities. Maybe the laws vary between countries more than I realised.
I don't know how often I've saved my own can by retrieving an email from someone denying one thing or another or if a project goes south due to additional requests. By demanding that all requests be in written form or in email, I can produce a paper trail of all the requirements for a given project. As developers, we do nothing unless we have an official request. This limits our responsibility when things go over budget or behind schedule.
Deleting emails when a project is over is not necessarily a good idea, either. Patterns of irrational and poorly thought out requests can be produced over a long time period and this can also be used to cover one's caboose or even to give priorities to scope creep during crunch time. If things are going slow and they want some feature added in, we might be more inclined to meet that request. But if we're facing hard deadlines, we can push back and make the requester decide which are the most important features to add.
Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.
Conformity is the jailer of freedom and enemy of growth. -JFK
If the information is important enough to keep around after six months then it should be documented either as a policy or white paper. It seems that what your organization is attempting to do is to limit email to functioning as a communications medium. They don't want your Exchange servers to be an information repository. I can see the logic in what they are doing. In all seriousness if you haven't acted on information in an email in six months it either wasn't that important, or you're not staying on top of your responsibility. If it is information that needs to be kept because it is integral to the functioning of your department then there are better places than email to keep that information.
My company has been doing this for years, but our policy is only 90 days. I do go ahead and copy any 'really important' emails into OpenOffice documents, but these are few and far between.
I find that the best way to get policies changed is to emphasize their faults. When my company started docking pay for not submitting a change request to reboot a broken production server, I basically started submitting change requests every time I had to take a shit. This policy hasn't changed yet, but I guarantee it will.
Let the emails get deleted. Don't go out of your way to save them if it isn't immediately obvious to do so. When my emails go missing and I need them, I let the management know 'the retention policy ate it'. Whether they like the excuse or not, it's a fact that the missing information is not my fault, and this will hold up in court if I ever have to sue for unlawful termination.
It's a job. I'm paid to do it. If I have to re-do work as a result of something like this, I'll get paid just as much the second time as I did the first. *shrug*
I've never used any Exchange-based junk, so this might be totally ridiculous, but what if you forward every incoming email to an address that you create for the purpose of archiving the stuff?
McCain/Palin '08. Now THAT's hope and change!
You are not in a position of decision making authority where you could veto this idea, or specify what the policy will be.
So explain the reason you care, exactly?
Get into a position where you make the decisions. Until then, don't waste your time worrying about this stuff.
-fb Everything not expressly forbidden is now mandatory.
Have the corporate lawyers tell you what you need to save.
That's the simple part for you
Save it. Not so easy, often, but there are plenty of tools. I'm not paid by anybody to market them to you.
If you're with a business that has clear legal needs to save electronic correspondence, I'm surprised you haven't already been getting the sales pitch. Or maybe your executive team has been.
deleting the extra space after periods so i can stay relevant, yeah.
If your company runs the "Outlook Web Access" service for Exchange (i.e. webmail), then simply run Evolution with the Exchange integration, and you can copy the emails to Evolutions's equivalent of a .PST file no problem; that's what I do.
Yes. I save them in notepad.
What?
I used to work for a company that decided to delete all email after 30 days. While I'm sure it made the lawyers happy, it made life difficult for anyone who was trying to actually do work. Email archives are important as a record of decisions, requirements, purchases, agreements with customers, and company policy directives. Sometimes people and corporations conveniently "forget" what they said months, or years, ago. If I can't keep it in my mailbox, I'm going to print it out and store it in a safe location.
Mea navis aericumbens anguillis abundat
Retention policies are generally set by counsel. If you violate that it's generally at your own risk.
This crap is standard at Intel Hellsburito. Important notes disappear after a few weeks. No one ever mentions this little fact until it's too late.
You need to consider what information is in these emails and what needs to be done with that information. Example, from my last job in a Helpdesk/IT Officer for a small business:
Email Type -> Where it goes
Request for help from IT -> Send to our helpdesk system
Serial number from supplier for appliction -> Save to our IT Auditing software, print out and file
Information on fixing a program -> Print out if needed soon, and copy information to our procedure manual folder on the network.
Look at your email more as an inbox and less of a filing system. If your upper management have taken this step, they may just decide one day (after something happens) to accidentally 'wipe' all email. If you work based on the assumption that will happen, you should be able to live with this rule.
Wait till your company gets sued by a patent troll and you had a string of messages showing you had or used the idea before they applied, and were thus the true inventor. Mail destroyed can cost company millions.
Wait until you need exculpatory evidence from that mail stream. That being destroyed also can cost your company plenty. Remind the legal dept. of this.
You don't know what is needed like this typically for a long time (years) but keep the mail because you know it is important in your record of your ideas or acts.
If nothing else can be done, select all and save mail to text, but that is not as good evidence as mail and may not fly in court.
Let your legal department beware.
These things have happened, to me and others.
Destroying this kind of information can be very costly in terms of establishing blame when something goes wrong too. (Someone promises particular functions in email, represents something, but blow the email away and you may have no evidence this was done.)
Only destroy stuff indicating wrongdoing...or better yet, don't do the wrongdoing in the first place. Also caution people not to send love letters or the like in email since it may come back to haunt them years later. This may save a lot of wasted time by workers...
The moronic IT persons are already saying crap like "the email belongs to the company, not you". Perhaps the computer on which I wrote them does, but *I* have written those emails, therefore they belong to me also.
I have always archived everything I wrote and every document I produced in my work on an external hard drive, that I took with me when I switched jobs. I have the first piece of email of my first job, 10 years ago. I have everything, but that's only for my personal use and reference. There is a value to me in archiving it. Nobody can prevent me from archiving emails that *I* wrote or received. Nobody. And nobody can force me to hand over those. I will destroy them if I have to.
Oh, and f^@k the IT people.
When I have spoken with lawyers, it usually takes a few months to get an answer. If the forged purge age is shorter than the time it takes the lawyers respond, then perhaps it's a ploy to avoid working.
important stuff should be sent as an attachment to email
put important stuff in a WP/Text file and file it
Document retention policies ought to follow the IRS document retention guidelines. 5 years at a minimum.
Avoiding liability under SOX by failing to report the improper operation of the corporation and destroying the evidence is a bad, bad idea.
I expect spoilation sanctions for any document destroyed before the IRS standards.
Are there any good retention policies out there? No. The good retention policy is to save what you need, delete what you don't. Which is not a policy at all.
What would I recommend for a corporation? Don't use e-mail at all. If you refuse to follow that advice, use a system that deletes on first read and cannot be used to create copies (harder than it seems).
There are several reasons for keeping mail. At the top of everyone's list is self-preservation. It's important to be able to prove that this or that decision was made for these reasons or that so-and-so really did tell you to do whatever. This is necessary because in the modern corporate ethos, the employees and shareholders take all the risks and senior management reaps all the gains. Everyone needs protection. But it probably won't help you.
Another, better, reason is the reason writing was invented in the first place: to recall past events and information not held in one's memory. This is where the "right policy" really shines. Unfortunately, anything worth keeping is also worth a subpoena when someone decides to fuck with you (or your company, but remember that companies do not suffer, their employees and shareholders suffer; if something you wrote, or kept, harms "the company" you can bet it will end up harming you a lot more). So short of obliterating most of the civil law on the books today, we're back to keeping nothing. You as an individual stand to lose your life (if you lose your job and are blackballed, you will die or wish you had). But as always most of the gains from saving mail accrue to senior management in the form of better corporate performance and higher pay. You have no personal incentive to save anything unless you are preparing for a wrongful termination lawsuit. In that case I hope you have printouts, because the mail your lawyer subpoenas probably won't be there no matter what any "policy" says.
Cynical? Sure I am. But that's just the way it goes. The wise employee does not commit to writing anything of any conceivable value or interest. If it's worth saying, it's worth saying in a hallway conversation. If it needs to be written down, be sure your name does not end up on it. Then you don't need to care what senior management is telling you to retain or purge. And if you need some piece of information you would have had if you'd saved everything, just wing it. You would not have received any incremental benefit from doing your job better and you're going to take the fall when things go wrong no matter what you do, so you might as well not bother. Get as much money out of them in the meantime as you can, and protect it from debasement by converting it into gold and silver. Then when the system inevitably flushes you out, you'll have something to survive on.
Being an employee is like buying bonds. In the best case, you get a small fixed income stream for a while. In the worst case, you get nothing. There is no upside. There is nothing to strive for or invest yourself in. But unlike the bond market, where you can buy CDSs, there is nothing you can do to protect yourself from your employer. Since you can't help yourself and have no incentive to help your employer, the best thing to do is muddle along, keep your head down, and do everything you can to avoid being noticed. Not bothering to write anything down is just one example of this approach. In this way you may survive until macroeconomic conditions inevitably make "painful decisions" necessary for senior management, better known as cancelling your employment and wishing you the best of luck somewhere else while cancelling dividends or buybacks (making those shares and options they insisted you accept as part of your compensation package worth dramatically less and fucking over the existing shareholders as well). But take comfort - your beloved senior managers are safe and secure no matter what happens; even if the company folds they took home enough in their first year of work to live on for life. Doesn't that make you feel better?
Calling a jerk, a jerk, is not trolling. Someone do this guy a favor and spend a mod point to put him back to positive.
Admittedly, this is a suggestion that only a large, committed organization can implement, but it is sane:
Drag email worthy of retention into an Enterprise Content Management (ECM) system.
You can find ECMs nowadays that are well integrated with your email client (and may even allow users to ignore that they are moving information out of Exchange). You can think of Exchange as merely a staging area for all incoming information; anything with long-term business value should be expected to end up in the ECM where it can be shared, portalized, linked to wikis or other knowledge management applications, filed by project or business area with related information in other content types, searched six ways to Sunday (Exchange is woeful at this), etc., etc.
If you're able to do this, then you shouldn't miss the other 95% (I'm pulling that figure out of the air), the dreck that's left behind in Exchange, when it's aged out and shredded.
If you're not able to do this, and you're trying to adapt your email repository as a long-term knowledge archive, at best you'll have an individual repository for yourself, not your team or your organization, that can't be easily shared or integrated with other related knowledge.
That's why you shouldn't mind the retention limits established in Exchange. As to why they should be established at all, consider that the organization has no business interest in maintaining a gigantic archive that is 95% worthless, poorly organized, poorly indexed, unsharable crap and that, if a legal discovery request ever does hit, will be an unbelievable burden to sift through. Plus, the retention deadline gives people an added incentive to move the valuable stuff into the valuable place.
Basically related to this, is the fact that Guidance Software has been pushing the federal rules for ediscovery and the safe harbor rule that protects corporate organizations when they employ a "policy" and practice of email destructions, however, they have failed miserably at this themselves. not only due they not have a retention policy, but they do not (did not) back up their email and have been burned over an eoe case. check out http://commonscold.typepad.com/eddupdate/2008/06/todd-v-guidance.html and the actual sanctions that are being imposed against them http://commonscold.typepad.com/eddupdate/files/Guidance.pdf even their own larry gill has posted to slashdot on privacy, he is one of the main defendendents in this case!!
Several enterprise content management systems (like LiveLink, that I hate) support almost transparent email integration. You could forward your mail to an "email folder", and let whatever records management module (and retention policy etc) take place.
I saw someone mention forward mail to wiki, that you can also do with LiveLink discussion boards (not an endorsement for LiveLInk).
Point is, moving it into an ECM brings it to whatever corporate records management has re policy and such.
/\/\icro/\/\uncher
Guidance Software? Talk about being hoisted on one's own petard! If I were plaintiff's counsel (IANAL), I'd fry them with their association with forensics and imply that it's awfully convenient that they "lost" incriminating email unrecoverably.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Using EMAIL for a file system is just ridiculous.....
It is even more insane to use it for document distribution....
"System of Record" should exist on a server.... All documents of significance should be posted on a server. Review should take place on the server.
If you receive an email that is significant, it should be posted to said server....
Mail with Document Attachments should be discouraged....
EMAIL should be declared a "personal opinion" and not reflecting the official view of the corporation/etc....
EMAIL Policy should state as such....
If these guys are scared of hanging onto their emails, they probably have something to be scared of, and it's not just discovery in the law case sense. It's discovery of actual crimes, and you're going to be an accessory to one sooner rather than later if you keep working there.
What part of "A well regulated militia" do you not understand?
Your inbox should have NEVER been used as a permanent store for your important email that you want to keep permanently or for longer than the company storage policy dictates. People just decided they would get lazy and do it that way since it usually works about 95% of the time.
I always cherry-pick important email from my personal accounts and print them and file them. A more technically savvy way of doing the same thing is exactly what the company is recommending; that is, save them as a .doc (print) and put them in a folder (file them). It is exactly the same thing you do with your important mail that you get from the postal service... I hear no whining about having to hold onto your tax returns instead of just reading them and chucking them in the bin.
Another alternative, depending on company firewall policy, is to setup a pop3 account from your personal ISP (separate from your main ISP email account), add it to your outlook profile at work in addition to your exchange user mailbox, and forward important email to that pop3 account where you will get near real-time confirmation that it arrived and is in an account that you control even if you are terminated.
Like many others have posted, I'm tired of having to deal with the problems from maintaining 2gb user mailbox quotas because employees are too incompetent to realize that when management tells me that *I* have to do more with less, that means I'm going to be passing all those efficiency creating decisions off on the largest scale possible, which is usually the entire company. If I'm forced to tighten my belt, the people using the systems I administer will be doing their part to assist, whining be damned.
Protector of Capitalist views,
Meorah
As an attorney who practices e-discovery, I can tell you that any company which implements the policy described above better hope to god they never find themselves embroiled in multi-state class action litigation. Sooner or later, they will run into a judge who views the destruction of evidence for the express purpose of avoiding liability as a bad thing and they will lose the case. A policy designed to protect the company from litigious plaintiffs will have the opposite result and create huge awards for the plaintiffs. If you work for a large company which has been sued in major litigation, you should probably assume that all of your e-mails will be read by an attorney at some point and write your e-mails accordingly.
First, companies wanted to (generally) make a big deal out of the idea that your email send/received in the workplace didn't really belong to you. It was COMPANY property, because you were using their hardware, bandwidth, and company time to write any outgoing messages.
But all of a sudden, they're expressing legal concerns that shouldn't even have come about if the mail was recognized as belonging to its recipients, vs. being of corporate-ownership.
(EG. You couldn't very well demand to view all the mail on a server to investigate something. You'd have to get permission to search the mail of each individual employee you believed was involved directly in whatever you were suing over, and you'd have to justify the intrusion into their privacy.)
The problem is that you have to mentally divorce the content from the channel. Emails with good content should be retained just like documents with good content -- and there's no reason why you should have to "digest" emails into documents just for the purpose of retaining them.
Emails fall into the standard "three R's" of record keeping. An email can be:
1. Records ...and you only need to keep the Records.
2. Reference
3. Rubbish
So, how do you separate the wheat from the chaff? That's where an EDRMS (Electronic Document & Records Management System) comes into play.
As an example, let's take a piece of Official Correspondence. You receive a request (be it email or a scanned-in letter, etc.). You then email a bunch of people to see how to respond to the request, and get all sorts of neat ideas. You then draft up a response, get some feedback, and then send out a final response.
Using an EDRMS, you can capture all of the above (Request, emails, drafts, response) in a single Correspondence Item.
This model of storing content "in context" with like content (to make a full story) can be applied to projects, policy-making, administration, ... pretty much everything.
Now that you have captured your record-worthy emails, the next step is disposal scheduling. Some records will need to be retained forever (e.g., outgoing CEO emails discussing policy); however, most will have shorter retention periods -- again depending on their CONTENT. (The organisations record keeping policy should cover retention periods.)
The content also drives the security. For example, a complaint about my manager to HR containing detailed examples of incompetence should be a record, but should not be viewable by everyone with access to the EDRMS.
What you do with your remaining emails (i.e., the reference and rubbish) is up to you, as there are no legal requirements to retain them for the long-term. ...at least that's what we do at my house...
You're a Microsoft shop, using Outlook and Exchange. Setting up a sane retention policy on top of that is nightmarish, especially for people whose business memory is stored in email. Data security isn't just protectng yourself from lawsuit issues, it also involves protecting your users from storage failures and database corruption. Exchange is notorious for these issues, and throwing more money and hardware and failover equipment at it doesn't solve the fundamental problem of corruption of years of work in the massive, massive files used by Exchange's storage mechanism.
If this is a big issue for you, switch immediately to a sane, IMAP based system that allows individual message storage and the application of external message management systems to ease backup, recovery, and organization of the material by the users. The PST files are an incredibly nasty way to store large, diverse filesets such as email. I've seen them imperil access and recover far too often.
Printscreen.
Your process would require about double the amount of time taken in the writing and responding to the original e-mails. Impractical.
Set Outlook to automatically forward messages to Gmail!
I am sorry as hell to put it like this but I have seen basically 80% of the responses stating that you should break the policy, ignore the policy, inane comments like "dont work for criminals" or that the legal team is stupid. .. from a personal perspective, Hell yeah I did not like it, I like to have all the emails I sent so I know I told my boss 8 months ago to go fly a kite or something about a topic and when he confronts me to say I did not warn him about something. Tough .. Those that make more than I made the decision and we have to implement it.
.exe files are listed in the host firewall and if you run one that is not approved, then cyber security pays you a visit. Everyone has approved software, and thunderbird, eudora, what ever are not approved. Since we only have IE, it is managed through AD to be forced through a proxy which does not allow any of the webmail sites. Why you ask? Well lets see - we have now fired four people since I have been with the company for sending private company info via webmail accounts to other customers to give them more money, etc.
Okay - having implemented one of these from being someone on a cyber security team, I know first hand what goes on behind the scenes and everything that goes on. Our company implemented one of these projects. 180 day retention for USER email boxes. If you need to keep something for retention purposes, you have a DL setup which does not have the same rules and a few team members have access to. Simple. If you need it after six months, every desktop has a PDF writer (free cute PDF) and they can print it and save it.
Now
So at my company - just so you know. All
So lets see, what else. Oh yes, all emails are scanned incoming and going out to validate compliance to corporate policies. So no "autoforward" rules in outlook to forward any mail you get to your gmail account (as well as all popular web and ISP accounts are blocked). Our company takes it as it is a place of business, not a place to deal with external distractions. You can call someone if you want to talk to them - just don't email them.
So why do you ask why we go to these extremes. We have to. Government regulations on our business. Several people have access to information that requires government clearances, and we get bent over a barrel when any of that goes out the door. Does it work? Yes. Do people like it? Well they have gotten used to it (we implemented it 4 years ago). The VP with 9Gb of mail was pretty pissed for a while, but realized his life was much easier.
Just to let you know - for those of your pansies saying to let it all go free and don't work for criminals, etc. A company is never the criminal, it is the people in the company that are the criminals. So restricting the people that are potential criminals removes that temptation and will allow you to do your job more effectively.
Last point, I know the next logical point most people bring up in this argument, which is hire better people if we are firing people that have done things wrong. Every person before they get hired has a criminal background check and over 80% of our company had at least "classified" level government clearance. So, the government trusts them, as well as they had the skills to get into the job, and the temperament to get along with the people at the company. They were still fired for doing something like selling one companies info, to another, even with all the things in place.
You cannot change human behavior, but you can try to circumvent it so that it is an overt act and then it is something they willingly did, and then you can throw the book at them for doing it because it was pre-meditated.
I am not an attorney but in a past life I was a computer consultant who did e-discovery for litigation plaintiffs attorneys. Although not in the field, its become my understanding that as of late it is actually required under recent Federal rules to retain your e-mail.
This is my sig.
I last worked for a Local City structure, and we had a very aggressive retention policy.
Everyone except management or higher, were to keep only 10 days worth of email in their inboxes, but we did allow people to move important emails into other folders for safe-keeping.
Management and higher officials, were required to save 30 days worth of email in their inboxes, but they could also put emails into other folders for safe-keeping.
The IT Dept., was required to do NIGHTLY backups, and send off-site the Friday Tapes, which would be kept at a undisclosed location by a private firm would that would keep 3 months of backups.
We also would keep a quarterly tape for each quarter so we could always recover emails from each quarter, and finally, a yearly backup, made from the quaterly tapes, so yes, we would have a complete years worth of emails for everyone. We were too keep the yearly email backups for eternity I think.
This was a pain in the a** to put all together and keep track of, but it also ensured we would be ready for ANY Public Records request that came our way, and they did about every week.
It's a lot different in the private sector, where you don't have to answer to Public Records Requests.
Can you just set up filters for any messages you want to save for more than 180 days, then forward them to an address you use to archive them? There are lots of emails I want to keep for more than 180 days, but not too many I need to respond to after that time, so I wouldn't care if they were actually in Exchange or not.
Forgive me if there's some kind of group policy that restricts doing something like this, but I've worked at some pretty large orgs and never run into it. I'm sure it runs counter to company policy in lots of places, but you seem to be trying to dodge that anyway.
For maximum convenience, lots of storage, and minimum privacy, just forward everything to gmail where you can search it.
Game... blouses.
and that dealing with email can only be a small part of your job, if you want to do your job well. How can you spend the additional time required to make the decision whether to save each new email message? Forget the legality, how the heck could you get any work done? And what psychic powers would be made available so that you would know, in advance, which emails were "important"? I mean, if I had the power to know in advance exactly which communication was going to someday be important, and which was not, then I think I might be able to finagle myself a job where I didn't need to worry about email retention policies.
Email is not all that different from old fashioned mail. Certainly, old fashioned mail appears to have changed, but in the days before email it was much like email. As such an email mailbox is not much different from a postage mailbox. Yet people store and organize mail in their mailbox. Could you imagine organizing your postal mail in such a fashion? It would be insane to store and organize bills and such in your mailbox. Much of the design and planning for email follows postal mail's design.
One problem is that email is electronic and packrats do not see the absurdity of keeping every single email (spam or otherwise). It is very common in corporate environments to see most users will well over 2 Gigs of mail. A person could not possibly need all of that, nor are the systems design to support that. If you follow the concept of mail, a person would insane to save every single postal mail they both send and receive, you would be overwhelmed with paper.
Just because you can does not mean you should.
It is out of laziness that people do this. Once the mail builds so high, they refuse to trim it down. There are certainly messages worth saving for long periods, but those should be rare and reduced over time.
Here is an example of how this store forever philosophy impacts companies. My systems mailbox store is over 50 Gigs for about 100 people (60% of which only have internal email). Ever try to back up 50 Gigs...daily. You cannot use ordinary backup means, which means it is costly. The cost to backup email, the cost to keep email running, and the cost to keep up with need would be greatly reduced if people managed their email.
There also need to be push back from IT. I worked at a different company that had a 8 GB Exchange IS. I ran a clean up routine that deleted only items in the "Deleted Items" folders that were more than 60 days old. That alone freed up 1.2 GB. Oddly 1 person complained. They actually were using Deleted Items as a storage folder. The only reason it should exist is to recover from an oops. I wanted to delete "Sent Item" items that were more than 2 years old, but my boss wanted to ask lawyers and set policy first. That would have freed several hundred MB. I have also helped abusers by archiving to PST and burning to CD. "Here you go, if you need your junk mail from 5 years ago it's on the CD (and not on my server)."
The purpose of the policy is to protect the company. This may be from litigation or from the cost of a fishing expedition -- think of the cost of having to pull everyone's every email *from backup*. Discovery permits the lawyers to go through your every backup because there just might be an email in there that proves their case and you might have deleted it.
If you have a policy that is generally followed that states when emails are deleted, you save yourself a lot of grief. But. You also need to have a process to stop this regular deletion if a court action is started or management has good reason to believe one is coming.
If you are in an environment where a six month old email saves you serious grief, it may be time to look for another job. I have been there and it always turns ugly. Being able to prove you are not at fault is not the same as proving you are right or to be trusted. Which is a drag, but nonetheless the case.
A good retention policy balances the business needs for retaining emails (which usually does not take CYA into account), regulations (like SOX and PCI and GLBA), and technology costs and efficiencies. A bad one picks a number out of a hat and flails. If the policy doesn't make sense, you could politely ask whether you could please have an exception. Policies are supposed to include exception processes.
Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.
I disagree.
Once you remove email from the mail server, you loose quite a bit of it's (informational) value.
* the header information is lost.
That includes information like:
* when
* from who
* who else got the email
* the text and attachments tend to get separated
* you tend to loose the ability to view the emails in various useful ways.
eg: threaded view, so you can view an entire 'conversation'
Any system that doesn't loose this information is effectively a mail server (probably without the ability to send / receive emails), so why bother with another system?
In my opinion, an email server is the appropriate place to store emails. Anything else is a very poor second best.
NB. A lot of document management software can search / index you mail server, so it is logically part of your document system. You can sometimes 'import' emails directly into these systems, but that tends to be slow and clunky (last time I tried it, it was), and really doesn't achieve anything useful.
Ever stop to think
I recently came out of a bankrupt company, e-mail was critical in a variety of cases including disputes with the liquidators, the records saved us many, many dollars.
21 day mail retention and a 30 Meg mailbox size. It is great for booking holidays because after the first 21 consecutive days, it doesn't matter how much longer you are gone because the volume of email will never really get that much greater.
I assume you cannot use File -> Import/Export? That lets you send stuff to a PST file. You could also enable cached Exchange mode. That will cause your OST file to contain a copy of the email on the server. Just back that up every 180 days.
My honest approach is to get more and more people to cut the "do this" messages out of e-mail and walk their sorry ass down to someone's office. Most people take just as long, or procrastinate in sending, work laidened e-mails.
I'm to the point as a 2nd rung IT guy that if my boss has something for me there is my open door policy, otherwise don't bitch when an e-mail goes unread.
Also, I just don't send anything of substance via e-mail any longer. If it has to be said, it is "when are you in your office next?".
Understandably not ideal for a lot of people, but eventually the liability of e-mail is going to outweigh its usefulness, just like open web browsers are about to.
It's IO. If you don't use a database driven e-mail program, large inboxes hit the disk really hard. Thus you need major IO to have large quotas. We have this problem at work currently. We run sendmail for a number of reasons, the main one being that we got e-mail waaaaaaay back in the day when it was pretty much it. Regardless, we are still on it and thus IO is a significant problem in terms of large inbox quotas. We need to move to a database driven solution, but such a move isn't easy and isn't free and thus we are still working on it. So at this point, we have quotas on inboxes not because we can't buy more storage, but because we don't want to overload our NAS.
Because they keep the idiots in line who don't know how to manage e-mail inboxes, and think they need a fucking email from 7 years ago that's just a damn out of office reply, and end up with 12 gig PST files, and then they bitch at IT when their e-mail runs like shit. In case you couldn't tell, this is the bullshit I deal with on a daily basis. But not for long.
We're switching to Exchange, and are going to have a 1GB limit with a 50MB cap on the named folders (Inbox, Sent, Deleted, etc...because it slows everything down when they get big). We're also getting a document management system that integrates pretty seamlessly with Outlook, for them to send stuff they need. Oh, the most effective restriction when their e-mail hits the cap...don't allow them to send anything :-) That way they don't lose any e-mails, but they get it down to size in one hell of a hurry.
Restricting by dates is pretty annoying. There are some things you will need to reference again, especically in our organization where our products are usually purchased anually (Awards/Trophies/Plaques). But keeping a size limit is very reasonable, especially with an easy-to-use archiving solution.
As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
I'm not entirely sure of obligations(legal etc.) but here is a product that might just help you: Mail Manager
Disc: I work there.
Easy enough - setup a rule to forward a copy of each email in and out to your gmail account, and then perm-delete it from your sent items...sure, they can recover from the backups, etc...but if nothing else, least you have copies of all email...
I'm a fan of keeping every email.
I've got everything since October 2003.
How different is the email from a phone call? For one thing, the other business you are dealing with will have a copy, do you want them to have the only copy? Personally I run an empty inbox (actually an empty PST file would be more accurate). I forward to a procmail robot on a file server which permanently archives to the job folder. If I really wanted to keep something though, I'd print to a pdf creator (one that looks like a windows printer). Seems the nicest way to minimise the workload and to maximise the continuity of appearance.
One thing you tech folks probably already realize - it is very difficult to permanently delete e-mails. Sure, if they are sent between two people, its not so hard. Most e-mails, however, have multiple recipients, cc:, blind cc:, ect... The only way to really complete this task would be formatting the hard drives or storage media of every computer which touched the e-mail. Good luck in that endeavor. If the e-mails which were erased have relevant discoverable information, god help the company that "destroys" that evidence. This applies more to larger companies where more custodians exist (anyone whose computer contains relevant documents).
our email retention policy is 30 days, and drives are searched for exported files.
Generally, your own emails will never exhonerate you. This is because they are under your control, so even if you write something like "and please make you do your _best_ to make the ferabulator safe" in an email, the people suing you will just claim it's a trick and point to other evidence. On the other hand, it's very difficult for you to disclaim your own emails which work against you.
Here's an example.
A company made ant poision, but the federal regulatory agency made them take it off the market.
Their law firm recommended that they appeal the agency's decision in court, so they did. They lost. The law firm recommended that they appeal to a higher court, so they did. They lost. The law firm recommended that they appeal to the U.S. Supreme Court. The company sent a fax telling the law firm not to do it. The law firm appealed to the Supreme Court anyway. They lost.
Doing that, they ran up bills of $400,000. The ant poison company refused to pay. The law firm sued for the bill.
To prove their case, the company had to find the fax machine's printed confirmation, to prove they sent the fax. They couldn't find it. They lost. They had to pay the law firm.
(This is my quick recollection from a Wall Street Journal story.)
Admittedly this is about a fax, not an email, but the principle should be the same. If they had a copy of an email saying, "To confirm our conversation today, we don't want you to appeal any farther," they would have won the case.
So yeah, there are some emails you should save forever, particularly CYA emails.
Hire people with character and stop doing crooked shit. I think such communication should be kept forever. It's a record of the truth, after all.
How many cases have there been where email evidence was used out of context or misinterpreted by the courts/jury so that the innocent got hurt?
;).
;).
How many cases have there been where email evidence was used to nail the guilty bastards?
So tell me, is it really a good thing for emails to be deleted?
What does it tell you about the company? It has lots of guilty bastards? Do you want to continue working in such a company? They could blame _YOU_ for something and if you're innocent where's the evidence to protect you? If you're keeping your evidence against company policy have a nice day
As for personal emails, I try to keep most personal emails. Hard disk space is cheap, so why bother taking the time to figure out whether an email is important or not?
You might not even want to bother deleting spam - some people keep a store of spam so that they can test/tune antispam systems/filters.
Lastly, I think many people do work with projects that last more than 6 months. Sometimes your memory might fail, sometimes your boss's memory might fail, sometimes your colleagues forget.
And sometimes when people ask the same questions it's convenient to just dig out the reply/explanation and resend it (email programs should have a decent and fast search - kmail is too slow). If it keeps happening maybe you put it in a FAQ somewhere and then you might add a link to it
I work for an engineering firm in Australia, and our policy is to keep ALL emails for 7 years, with no exceptions.
The only people that can search back through the archives are the owner of the mailbox, and IT.
We get requests from HR from time to time, little else to do but follow their direction.
...they delete all emails after 90 days only.
Often this means that emails are deleted faster than projects complete; it's really not fun.
Frankly, examine your work-processes. E-Mail is not a general filing system, or a task-management system, or anything else that would require you to keep stuff around forever. In fact, doing so is - according to my observation - the #1 reason why most people can't use mail productively.
A tiny fraction of mails actually needs to be kept around for a long time, and I have a folder for those. It's on the order of 0.01% of the total volume. If I had to export that in some format, be it word, .txt or whatever, it would be a tiny hassle.
For everything else, I'd be happy to get the stuff I haven't needed for the past six months automatically deleted, because the chance is 99.99% that I won't need it anymore, anyways, and looking through the pile to check for things that I might still need takes away my valuable time.
Assorted stuff I do sometimes: Lemuria.org
http://www.zantaz.com/ "The spectrum of Autonomy ZANTAZ solutions includes: Aungate Real-Time Policy which monitors information in place and applies policies by understanding the meaning and context of information; ZANTAZ Enterprise Archive Solution (EAS), the first of its kind, combining all information sources into a single, massively scalable archive; Aungate Investigator & Early Case Assessment (ECA) applying advanced analytics to determine the merits of a case prior to eDiscovery; Introspect, redefining EDD, review and production by allowing rapid eDiscovery to be run seamlessly across all information sources including operational systems and archives."
Forward the mails to a gmail account (lotso st0rage) for the sole purpose of archiving them?? (probably just copy/paste to text files is simpler).
-- tonybaldwin.me
If only all lawyers bought the webelfetzer and took a shower, the world would be a better place.
Maybe lawyers will sue all electricity companys because its FACT that it kills.
Or that all alcohol sales should be banned because it can KILL.
Liberty freedom are no1, not dicks in suits.
Perhaps this will encourage the users to send any information of long term importance as attachments, turning the email text into cover letters.
Assuming you can still send, receive, and save attachments. If you can't even attach, put the document on a shared folder and put a link in the email.
Then email retention could be reduced to something like 48 hours after reading.
that policy they were talking about will probably dis-able cut&paste over the surface of your eMail
as far as text eMail goes, I'd second your motion if we could just get eMail programmers to handle text properly: discard and single CR-LF sequences and treat multiple CR-LF sequences as paragraph break.
I've been very happy to see HTML become the standard for eMail now, except -- I don't like getting messages that look like they are written in crayon or that have some much glitter they look like bad advertising
Comment removed based on user account deletion
Hi. Use a product like FileNet Email Manager. Note that this is *NOT* and archive tool...it's a management tool that is designed to store/save your IMPORTANT emails and not the junk like "hey let's do lunch" emails. Using a tool like this IN ADDITION to your 180 day Nuke policy is great...Email Manager saves all the important emails and your 180-day policy nukes all the junk ones. It's a great tool and works with Exchange. http://www-306.ibm.com/software/data/content-management/filenet-email-manager/features.html?S_CMP=rnav Enjoy! -Fred
It's not unreasonable in such a litigious society.
In a litigious society, wouldn't it be best to save all of your email, so you can use it to protect yourself in court?
If you're deleting all your email, then the only evidence that will come out in court will be from the people suing you.
Many times the most damning evidence is your own email. ( "Fred, the folks in accounting say that delays in production will cost more than the wrongful death lawsuits. So forget about re-designing the gas tank." ) Your own email can be used to prove things like knowledge and intent, which can greatly increase your liability.
The best way is to have an official policy that email is deleted as soon as is reasonable, probably just a few months. But have an unofficial policy that all email is saved forever.
One guy buys disks with cash and makes copies after hours and stores them off site. ( This guy is probably a corporate officer with lots of stock options. )
Then, when you are sued, you can have your lawyer look at the email and decide if it helps your cause or hurts it. If it hurts, you destroy the disks - which is easy since they never officially existed. If it helps, you 'accidentally' find an old disk that someone 'forgot' to destroy.
My policy is read the damned email then delete it. If it has something important in it, I put it in my calendar or contacts or I do what the email is requiring to be done. Is that really hard? People who hoard email aren't half as important as they think they are.
What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?
Here's a completely unrealistic thought: Stop breaking the law. Fire everyone who sends email suggesting that the company break the law.
I know, I know - no company of any reasonable size can really be expected to not break the law. Well, that either means the laws are too strict, or that hiring scofflaws has become acceptable as long as they bring cashflow in the door, or the competition are all breaking the law and so you have to in order to stay alive. (I'd say it's some of all three) So, tell me: How much effort does your company make to get the laws fixed, or to change the attitude that nothing is wrong if it makes money (aka sociopathy/psychopathy), or to make the competition stop breaking the law? What is your company doing to save our nation from this problem?
It's not their job? Bullshit. If they want to operate in my nation, share in the staggering abundance that we are capable of achieving, they better goddam well start thinking that advancing the nation is part of their core mission. Show a little respect for the environment that makes it possible for them to operate. I'm not telling them which way to solve the problem, that's for the company to decide - but they can't just abdicate the responsibility. We are losing the nation and it is the fault of this "it's not my problem" attitude. Fuck that.
OK, I admit it - I'm being a little facetious; but isn't there a bigger problem here than figuring out how to make sure you don't get caught? Isn't there some sense to what I just said? We've got to start somewhere; we're losing it.
Stop-Prism.org: Opt Out of Surveillance
As for the business case issue, many other posters have it right as well. Be sure this is something you want to do, as it can work for or against you later. If you have any personal email coming in via work, start changing email addresses as well.
You missed the point -- I'm not saying that an email server isn't the appropriate place to store email. I'm saying that email isn't the appropriate place to publish and transfer data that will be needed for a long period of time.
Conformity is the jailer of freedom and enemy of growth. -JFK
My company set up exactly the same email retention policy about 6 months ago. I either drag/drop the emails into a temp desktop folder until I get time to file them where they need to go. I also set up rules that forward a copy of any incoming AND outgoing mail to a special gmail account, which I then sync to my windows machine at home..I often remote desktop into my machine at home because i know its going to be much faster to search.
In any case, having old email around saves us 10x more than it would hurt us.
One of the problems with e-mail is that employees can have casual conversations about something that can later be taken out of context. For example, two engineers talk about a procedure that is really stupid and doesn't mean anything. Five years later, lawyers perform a "discovery" and find "evidence" that engineers didn't take procedures seriously. Now they can sue. The problem with saving some of your e-mail is that the lawyers can claim that you deleted incriminating e-mail and only saved e-mail that proved your side of the story. The answer to that is have a consistent policy where all e-mail is deleted after some time. 180 days seems awfully short, 1 year seems more appropriate, but I guess it depends on what kind of business you are in.
A policy such as this is likely to be interpreted as willful destruction of potential evidence in a jury trial. A purge policy should be (sound like it is) based on storage, not legal issues. If the decision hasn't been run past the lawyers, you should refuse to carry it out on the basis that you are not certain it is legal.
If I were an supervisor working at the company, giving annual reviews of my subordinates, I would need to be able to access emails to demonstrate their performance. Otherwise it would be hard to give a good raise to my best employees and warnings to my poor performers.
How often do they intend to do the purges? A shorter retention span necessitates a more frequent purge = greater cost.
The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
Have you looked at Postini? Slick approach and leverages Google's search capabilities. PST's can be both imported and exported and messages deleted on your mail server can be archived indefinitely on Postini. Very handy stuff.
prefers longer storage, and
Denial/TeflonDefense ( so long as those judging buy the teflon ) prefers short-purging.
NOW *my* preference becomes clear!
( thx, btw, for giving me this insight :)
Caveat: IANAL, but I used to work as a consultant for a company that helped with retention policies and the like. From what I recall, just deciding to delete all email over 180 days does not comprise a decent retention policy. I believe you are expected to keep all emails that contain data related to the conduct of your business for a reasonable period of time, and sometimes (depending on the industry) for specific periods of time.
There is a short summary for small businesses here:
http://www.nfib.com/object/IO_21047.html
You for sure and certain want to read through the Sarbanes-Oxley legislation if you are in the US:
http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
Yes, deleting your email after a fixed period of time and consistently following that practice can be considered an Email Retention policy, but the one point I recall hearing hammered home was that "30/60/90 is not a retention policy" (referring to stages of retaining emails). If I recall correctly the consensus was that email should be retained for varying lengths of time based on the importance of the contents and that some mail should be kept indefinitely depending on legislation and subject matter.
If you get hit with a lawsuit and during the discovery phase of the trial are unable to produce critical email because you had a policy of just deleting it after X days, the Judge may tend to favor the other side on the assumption that you did so deliberately. You should really consult with a legal firm that specializes in crafting suitable retention policies rather than just adopting a blanket policy like that. In my unqualified opinion, just adopting a blanket policy of deleting all email content, regardless of content, after X days might imply to a judge that your company really didn't give it adequate thought and the relatively short period might imply that you thought email might contain incriminating content you preferred to hide. Remember that the company who sues you will most likely retain those emails longer than you, giving the impression you were nervous about the email's content when you deleted it.
If a company corresponds with another company via email, and in the course of doing so uses an email message to reach a business agreement, that email is I believe considered a legal document. If you go ahead and do the work but are unable to produce the agreement to do so down the road, you might end up unpaid at the least. If things go badly you might end up liable for damages etc. Business email should not be casually deleted. Your retention policy should, I believe, differentiate between unimportant email that doesn't deal with business matters, moderately important stuff that you might want to retain, and important correspondence that you will want to keep until long after its relevant.
Here is the company I was associated with. I am sure they are not the only ones you can talk to, but they might be a good place to start:
http://www.cohasset.com/
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
It's hard enough to ensure that your servers get backed up, I manage multiple corperate networks and I don't backup any of the workstations on any of them. None of my network users have the ability to view the local hard drives, they can't save to them, there is no caching on the outlook clients, ALL profile information is not only setup with roaming, but uses folder redirection, I don't have to worry about out of sync systems in regards to roaming profiles and there is never any personal (or company sensitive) information on a computer.
If a computer malfunctions or starts acting up with this method I can swap it out quickly or just initiate a reload from a stored image on the network. Infact, as a policy, ALL of my workstations are reloaded with a new image once per year to ensure that all workstations are running the current versions of programs and that any fixes are implemented across the whole company.
I can't imagion having to actually take into consideration what users may have stored locally. Screw that.
+++ATH0 NO CARRIER
Email Rule #1: Never put anything in email that you don't want somebody else's lawyer holding up in court.
Email retention policies are an attempt to mitigate the damage caused by a violation of Email Rule # 1
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
copy and past really isn't all that time consuming
Actually it kinda is if you consider that the original poster stated that his employer used Exchange. That means he's using Outlook or Entourage as his mail reader (by necessity) and when you cut & paste from those apps you don't get the e-mail headers, only the body text. An archived e-mail without Sender, Date, Subject, and Recipient is nearly useless.
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
If your company's servers support IMAP, then you could try out this new service I discovered a few weeks back called YippieMove. It let you copy all emails to Gmail. IT might not like that idea but...
Now that is something new.
If there is something important in an email you document it somewhere else where you are following up a project or regular relationship and move the email out of the way.
email was not designed for this in all honestly.
IANAL but write like a drunk one.
Don't use retention, get rid of it and make that your policy.
It's the cheapest and safest way to deal with email.
You should have a contract for anything truly important.
The Kruger Dunning explains most post on
This is in one of my areas of practice and you raise a valid point. As a beginning: 1) 6 months seems a bit short for all emails. 2) If your company is smart enough to control PSTs, then it is possible the email is being archived according to a valid records retention schedule or they really have other legitimate reasons for taking an aggressive approach to email deletion. On the other hand, simply leaving it up to employees to convert "important emails" into word documents would not likely protect them in court as a clear-cut and reasonable policy that was consistently enforced company-wide. Nobody has given you a clear-cut best practices because it doesn't exist otherwise you could probably buy it at Walmart or at least find a reasonable download. This is because every organization's policy must be reasonable considering the legal, business and technology that is available to them in their particular industry. So different industries have different standards and rules to follow. The worst flaw in your company's Email Retention Policy, as you describe it, is what happens when a government or official investigation is started, or a lawsuit is brought by or against your company? Now a legal hold must be placed on the email...and your word documents so nothing can be deleted or altered....wonder if they will have the storage space and tools necessary to deal with holding all potentially discoverable emails for 3-5 years...instead of 6 months???
If "large organization" means a publicly listed company or subsidiary then you may want to draw your management's attention to SOX data retention requirements, and the potential criminal penalties for data destruction.
Some links:
- http://digg.com/security/E_Mail_Retention_Sarbanes_Oxley_White_Paper
- http://www.creditworthy.com/3jm/articles/cw90507.html
- http://www.soxfirst.com/50226711/email_retention_the_legal_chernobyl.php
Even if you don't have to be SOX compliant there are various other laws and precedents (see the last link) that should make you want to KEEP e-mail records rather than destroying them, unless you are actively and purposefully involved in criminal activity.
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
If you're VBA (or vbscript) savvy, it's a fairly trivial exercise to write a macro to save off a copy of every incoming and outgoing email as a file on your hard drive. There are quite a few examples on the web, which I'm sure you can google.
Only then can you escape the rigors of the Exchange Server limitations.
--- He advocated thrift and hard work and disapproved of loose women who turned him down. ---
As the size of e-mail archives swells, corporations can take steps to manage and reduce the volume of what they retain. --Ben http://hack-igations.blogspot.com/2008/04/reducing-volume-of-e-mail-archives.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
Select All, Drag to a folder in explorer. folder now contains a bunch of msg files that can be read by outlook.
Email transmissions often are considered to be "records" of an organization. Thus, they are subject to that organization's compliance requirements.....regulatory, statutory, and are subject court-related discovery requirements. Merely deleting emails based on age is... how might one put it... "stupid, stupid, stupid" and can often lead to some rather unpleasant consequences in court. I'd recommend that you refer whoever the misguided souls who developed this policy might be to ARMA International (http://www.arma.org) where they can learn a bit more about how emails should be "declared" to be records or determined not to be records, and then retained according to that organization's records retention requirements. doug