Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are There Any Smart E-mail Retention Policies?

Posted by timothy on from the don't-use-email-any-more dept.

An anonymous reader writes "In an age of litigation and costly discovery obligations, many organizations are embracing policies which call for the forced purging of e-mail in an attempt to limit the organization's exposure to legal risk. I work for a large organization which is about to begin destroying all e-mail older than 180 days. Normally, I would just duck the house-cleaning by archiving my own e-mail to hard-drive or a network folder, but we are a Microsoft shop and the Exchange e-mail server is configured to deny all attempts to copy data to an off-line personal folder (.PST file). The organization's policy unhelpfully recommends that 'really important' e-mails be saved as Word documents. Is anybody doing this right? What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?"

39 of 367 comments (clear)

  1. Stuff that matters by tepples · · Score: 2, Insightful

    Even if Ask Slashdot articles like this aren't "news for nerds", they're still (supposed to be) "stuff that matters" related to information technology.

  2. adaptation by Lord+Ender · · Score: 3, Insightful

    The end result of all the bullshit lawyers try to shove on people who actually produce things for a living is the same. We route around it. This policy will cause people to use webmail, alternative email clients, IM, and other technologies to get on with getting work done, while the lawyers remain blissfully ignorant.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  3. Cheating is a bad idea by SoapBox17 · · Score: 5, Insightful

    Cheating, as the author suggests, is a bad idea. The company is doing this for a reason... to protect themselves from extra BS when they get sued.

    If you don't want to have to go through that extra BS (believe me, you don't) and/or you don't want your company or yourself getting in even more legal trouble when they deny something exists (because it shouldn't according to their policy) when it really does (because you didn't follow the policy) then don't be an ass. Do what they tell you like a good little minion.

    1. Re:Cheating is a bad idea by Boricle · · Score: 5, Insightful

      Here is the thing I don't understand...

      This is a double edged sword.

      It is nice that you won't have incriminating emails around so that people can find them during discovery.

      but what happens when you need those same emails that are over 180 days old that would have EXONERATED you?

      I guess you just have to say... "oh well, sorry, we don't have a copy of the [warning/caution/acceptance] that puts us in the clear..., I guess we're screwed".

    2. Re:Cheating is a bad idea by radarjd · · Score: 4, Insightful

      but what happens when you need those same emails that are over 180 days old that would have EXONERATED you?

      I guess you just have to say... "oh well, sorry, we don't have a copy of the [warning/caution/acceptance] that puts us in the clear..., I guess we're screwed".

      It's a fair question, and one I've certainly struggled with. Ultimately, you have to come up with a balancing of the possibilities. On one hand is the possibility that an email over 180 days exonerates you and on the other is an email over 180 days old that sends your executives to prison. The calculation may be that it's harder for someone to prove you guilty, than to be forced to prove yourself innocent. Apparently the balance for this company is at 180 days. That's a bit short for my taste, but that's what this company has decided.

    3. Re:Cheating is a bad idea by Vengie · · Score: 4, Insightful

      This is why some investment banks save everything. They create a rebuttable presumption that if they don't have it, it doesn't exist. (Often helpful when the other side alleges there is a "smoking gun")

      --
      When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
    4. Re:Cheating is a bad idea by thsths · · Score: 4, Insightful

      > but what happens when you need those same emails that are over 180 days old that would have EXONERATED you?

      Well, obviously this company has decided that old emails are much more likely to work against them, and this even overrides the loss of productivity due to important emails going missing etc. I really wonder what kind of business this company is in, and what their business strategy is :-(

      Or maybe it is just one CEO that knows something funny went on, and now he/she is trying to destroy the evidence whatever the cost.

  4. Re:Don't break the law... by Don+Sample · · Score: 4, Insightful

    It isn't just about breaking the law. Someone sends an email to a coworker, telling them "I suppose that if someone is using our Webelfetzer 1000 while hopping up and down on one foot in the shower, they might slip, and bang their head," and then a year later someone is using a Webelfetzer 1000 while hopping up and down on one foot in the shower, and they slip and bang their head, and sue, and their lawyer finds the old email, and screams: "See! You knew this was a threat, and you didn't warn anybody!" and then doubles the damages they're asking for.

  5. Let it be deleted by jolyonr · · Score: 3, Insightful

    Seriously.

    Let the 180 day limit on email remain as 'someone elses problem'. How many times do you really need to get an email six months old? You'll end up with a cleaner, faster and less stressful mailbox.
     
    Of course, there may be the odd email you need, so every week why not look at the oldest week's worth of mail in your mailbox, and anything you REALLY have to keep, just forward it to yourself. Then it will stay in your mailbox for another 180 days. But try to only forward the things that are vital.
     
    Of course you may be able to forward to an offsite mail account, but I'm assuming that isn't allowed. No company is going to restrict you from forwarding emails to your own company account.
     
    Jolyon

    --


    Please read my Canon EOS tech blog at http://www.everyothershot.com
    1. Re:Let it be deleted by jd · · Score: 5, Insightful

      I often find I need e-mails that are 10-15 years old. I haven't retained everything over that time, but what I've retained is both interesting and useful. Frivolous emails are certainly deletable. But the non-frivolous stuff? That leaves a lot of stuff whose value does not deprecate with time. In the end, knowledge is its own currency, and those who choose to throw that currency away simply make themselves poorer.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Let it be deleted by shawn(at)fsu · · Score: 2, Insightful

      I save emails for the same reasons I would save regular mail. If I think it's something that I will need later to CMA then I'm saving it. I should imagine that saving the whole email and not just the text will lend credibility to my side if someone tries to say they never sent/received "that" email.

      Since I don't what will come back up 5 years from now I tend to save all of it.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    3. Re:Let it be deleted by barzok · · Score: 4, Insightful

      How many times do you really need to get an email six months old?

      It's saved my ass more than once. There are few things more satisfying than having a project manager start an email tirade against you because she thinks you didn't tell her about a change that needed to be made later in the year, and being able to forward that old email to her and tell her "yes, I did tell you about it, I even sent you the documentation for it way back when."

  6. Not a bad idea? by Xest · · Score: 3, Insightful

    I tend to see e-mail as something you use for temporary exchange of messages and tasks/information held therein, not something to be used to archive material.

    I'd argue the company's policy isn't actually far wrong, surely anything over about 180 days is something that is more suited to permanent archiving anyway?

    I'll admit when I was working in tech support and I had our corporate Microsoft keys e-mailed me I kept them in my personal folders for a couple of years but realistically I have to admit I think these would be better placed in an information repository suited to more permanent store of information.

    The company does then of course run the risk of people storing data that puts them at legal risk in that information repository instead however!

    I'm not sure though that there are many circumstances where an e-mail client needs to act as a long term information store. I find it's generally the case that if you need to store it for a long while, it'll almost certainly be something that others in your company will need access to should you get hit by a bus tomorrow and as such, maybe shared folders (with appropriate permissions) are a better choice than personal folders?

  7. Sarbanes-Oxley Question by toxic666 · · Score: 3, Insightful

    You left out something very important. Is your large company publicly traded in the US? If yes, it could be looking at violations of Sarbanes-Oxley if they really are purging (and not retaining) e-mail "in an attempt to limit the organization's exposure to legal risk."

    But that is likely not the case. It is more likely the company is trying to limit the amount of data stored on its Exchange system. Adding storage and additional backup capacity is expensive. Implementing a policy that requires end users to keep the size of their mailboxes down does not work, because many people insist they need every bit of those six years of archived e-mail; people use e-mail as much for CYA as doing real business. So, this solution was selected. If it really is important, make the end users do some work to keep it and don't force the company to re architect its storage system to keep years of CYA and personal mail.

  8. Your email? Excuse me?? by st0rmshad0w · · Score: 5, Insightful

    That email belongs to the company, not you. As someone who accumulates 90% of his work stress from dealing with employee email usage atrocities (please don't email an mp3 mix cd image to 150 of your closest friends from your workstation, kthx), let me tell you what's wrong with your plan.

    Its company property, governed by the policy in place for whatever reason, feel free to violate the policy if you don't want your job.

    Not to mention what will happen if it comes to light that you are violating policy during a discovery proceedure, especially if it comes to light because you brilliantly decided to forward critical confidential company correspondence to somewhere like a Gmail account.

    Brilliant. Really. Good luck finding a job after that.

    1. Re:Your email? Excuse me?? by mschuyler · · Score: 2, Insightful

      Ha ha not funny. I had to laugh at this. A few years ago I was still mapping drives. I had the "H" (Home) actually-network drive for everyone mapped to one of my servers (huge drives, the server was named Moby Fred) which allowed me to backup everyone's stuff every day pretty nicely on autopilot at night. Also, if someone's box failed I could swap it out with a standard install and not worry about their saved stuff being lost 'cept for maybe bookmarks too bad eat shit. But my nightly backups started to fail. They needed another tape all of a sudden where I was in the 50% used category the week before--plenty of leeway, or so I thought.

      Turns out one employee decided to 'archive' all his MP3s onto the H: drive and nearly filled the thing up. This was actually kind of work-related (He was the music librarian).

      I had a VERY short, emotional, and poignant conversation with him (I was so very pissed!), whereupon the problem suddenly disappeared.

      --
      How about a moderation of -1 pedantic.
  9. If you need it for more than 180 days... by Anonymous Coward · · Score: 1, Insightful

    ...then it shouldn't only be documented in an e-mail.

    A lot of people use their inbox as a "safety blanket" for documenting things "I might need later." This is a bad idea for reasons other than data retention policies. Information rot can set in, and you'll have a copy of information that might not be up-to-date. This is especially problematic with documents, where you have no idea if the version in your inbox is the current version.

    A good workaround (if your company allows it) is to have an internal wiki to publish "useful information" to as a shared, versioned source of knowledge. On such projects, I've noted most of our team feels much less reliant on e-mail as a store of knowledge.

  10. It's not just the company you protect by empesey · · Score: 5, Insightful

    I don't know how often I've saved my own can by retrieving an email from someone denying one thing or another or if a project goes south due to additional requests. By demanding that all requests be in written form or in email, I can produce a paper trail of all the requirements for a given project. As developers, we do nothing unless we have an official request. This limits our responsibility when things go over budget or behind schedule.

    Deleting emails when a project is over is not necessarily a good idea, either. Patterns of irrational and poorly thought out requests can be produced over a long time period and this can also be used to cover one's caboose or even to give priorities to scope creep during crunch time. If things are going slow and they want some feature added in, we might be more inclined to meet that request. But if we're facing hard deadlines, we can push back and make the requester decide which are the most important features to add.

  11. Doesn't belong there. by duffbeer703 · · Score: 4, Insightful

    Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
    1. Re:Doesn't belong there. by acvh · · Score: 3, Insightful

      Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.

      Perhaps in your parochial world. I'm on assignment in a company that uses Lotus Notes as it is intended to be used, and email is just one more document in a database that is accessible through many views, some of which are not a mail box. Works quite well.

      On my last assignment the company routed EVERY email to an archive database, on the advice of their lawyers (not in house, real lawyers).

    2. Re:Doesn't belong there. by binaryspiral · · Score: 2, Insightful

      Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.

      I couldn't agree more. If you got interesting or useful data - make a wiki, use sharepoint, or get it somewhere that will make it useful.

    3. Re:Doesn't belong there. by Anonymous Coward · · Score: 1, Insightful

      don't you think companies like Altria Group, Microsoft, Raytheon, and on have some serious needs for internal lawyers?

      My guess is that those are the real kind. Someone who reflects the ethics of their employer.

  12. Go with the flow by dave562 · · Score: 3, Insightful

    If the information is important enough to keep around after six months then it should be documented either as a policy or white paper. It seems that what your organization is attempting to do is to limit email to functioning as a communications medium. They don't want your Exchange servers to be an information repository. I can see the logic in what they are doing. In all seriousness if you haven't acted on information in an email in six months it either wasn't that important, or you're not staying on top of your responsibility. If it is information that needs to be kept because it is integral to the functioning of your department then there are better places than email to keep that information.

  13. Blame the policy... by PhearoX · · Score: 2, Insightful

    My company has been doing this for years, but our policy is only 90 days. I do go ahead and copy any 'really important' emails into OpenOffice documents, but these are few and far between.

    I find that the best way to get policies changed is to emphasize their faults. When my company started docking pay for not submitting a change request to reboot a broken production server, I basically started submitting change requests every time I had to take a shit. This policy hasn't changed yet, but I guarantee it will.

    Let the emails get deleted. Don't go out of your way to save them if it isn't immediately obvious to do so. When my emails go missing and I need them, I let the management know 'the retention policy ate it'. Whether they like the excuse or not, it's a fact that the missing information is not my fault, and this will hold up in court if I ever have to sue for unlawful termination.

    It's a job. I'm paid to do it. If I have to re-do work as a result of something like this, I'll get paid just as much the second time as I did the first. *shrug*

  14. Re:What are they trying to hide? by whit3 · · Score: 2, Insightful

    'Information that might help an opponent'
    and
    'Information that might help a coworker, ally, employer'
    are both likely to be present in those e-mails.
    Only the first of these excites fear, uncertainty, doubt and
    only the first is being carefully considered by the policymakers
    in this case. They're deluded. Don't buy stock, and keep
    your resume updated.

  15. Re:You'd better comply with Sarbanes-Oxley by Anonymous Coward · · Score: 5, Insightful

    Destroying e-mail - something that used to be a good idea - can now be a crime even absent an active criminal investigation.

    Unless the email is destroyed on an ongoing basis as part of a clear and documented policy, which makes it perfectly legal.

    Sounds exactly like this "ask slashdot" question.

  16. Re:Look !! This is not NEWS !! by Kneo24 · · Score: 1, Insightful

    Calling a jerk, a jerk, is not trolling. Someone do this guy a favor and spend a mod point to put him back to positive.

  17. Re:Don't break the law... by Vengie · · Score: 1, Insightful

    I know you don't care, but if someone high up wrote that email, it indicates that the use of the webelfetzer 1000 in the shower while hopping up and down on one foot was foreseeable. And that's the whole damned POINT. Otherwise, you sue the company and lose. Ok, i'm going to go back to studying for the bar, but you've got it ass backwards. [as an aside: treble damages, not double damages, and your factual scenario would not support them]

    --
    When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
  18. Horrible policy by agpc · · Score: 5, Insightful

    As an attorney who practices e-discovery, I can tell you that any company which implements the policy described above better hope to god they never find themselves embroiled in multi-state class action litigation. Sooner or later, they will run into a judge who views the destruction of evidence for the express purpose of avoiding liability as a bad thing and they will lose the case. A policy designed to protect the company from litigious plaintiffs will have the opposite result and create huge awards for the plaintiffs. If you work for a large company which has been sued in major litigation, you should probably assume that all of your e-mails will be read by an attorney at some point and write your e-mails accordingly.

    1. Re:Horrible policy by kanweg · · Score: 2, Insightful

      "A pissed off judge might decide to rule against every objection, pleading, or motion the defendant makes throughout the rest of the trial. "

      Must be fun to live in a country with such a legal system.

      Bert

  19. I find it all rather interesting, really .... by King_TJ · · Score: 1, Insightful

    First, companies wanted to (generally) make a big deal out of the idea that your email send/received in the workplace didn't really belong to you. It was COMPANY property, because you were using their hardware, bandwidth, and company time to write any outgoing messages.

    But all of a sudden, they're expressing legal concerns that shouldn't even have come about if the mail was recognized as belonging to its recipients, vs. being of corporate-ownership.

    (EG. You couldn't very well demand to view all the mail on a server to investigate something. You'd have to get permission to search the mail of each individual employee you believed was involved directly in whatever you were suing over, and you'd have to justify the intrusion into their privacy.)

  20. How About Not Screwing Anybody Over? by bratwiz · · Score: 1, Insightful

    What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?"

    How about not doing anything illegal, immoral or questionable in the first place. Then you wouldn't have to cover anything up 180 days later.

    Just a thought.

  21. Re:You'd better comply with Sarbanes-Oxley by Fireshadow · · Score: 4, Insightful

    Bring in a lawyer and ask about Sarbanes Oxley, the changes to federal e discovery requirements and your industry specific requirements. Computerworld had a good article about the changes to federal e-discovery here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001219 For an example, the FAA has the opinion that copies of all written communications to them should be maintained in the format it was sent. So, a fax would be held on to and an email to them would not be deleted.

    "The organization's policy unhelpfully recommends that 'really important' e-mails be saved as Word documents." By that logic, any disgruntled ex-employee can create a Word document with outlandish claims. Then claim it's a copy of an email. Your organization's written policy just opened that avenue of legal attack.

    You said large company. Why not capture and archive all e-mail messages -- incoming, outgoing and internal? This approach provides the strongest assurance that all relevant e-mail messages are being captured. It will help increase the confidence of internal and external auditors and regulatory authorities in the integrity of the resulting audit trail. If not, then you do run the risk of a judge impsing a fine because you could not produce evidence.

    --
    "It's one thing to talk about the poetry of machines. Quite another to listen to it for yourself."
  22. Re:Doesn't belong there. - I disagree by baileydau · · Score: 3, Insightful

    Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.

    I disagree.

    Once you remove email from the mail server, you loose quite a bit of it's (informational) value.
        * the header information is lost.
                That includes information like:
                      * when
                      * from who
                      * who else got the email
        * the text and attachments tend to get separated
        * you tend to loose the ability to view the emails in various useful ways.
              eg: threaded view, so you can view an entire 'conversation'
    Any system that doesn't loose this information is effectively a mail server (probably without the ability to send / receive emails), so why bother with another system?

    In my opinion, an email server is the appropriate place to store emails. Anything else is a very poor second best.

    NB. A lot of document management software can search / index you mail server, so it is logically part of your document system. You can sometimes 'import' emails directly into these systems, but that tends to be slow and clunky (last time I tried it, it was), and really doesn't achieve anything useful.

    --
    Ever stop to think ... and forget to start again?
  23. Absolutely... by raftpeople · · Score: 2, Insightful

    I recently came out of a bankrupt company, e-mail was critical in a variety of cases including disputes with the liquidators, the records saved us many, many dollars.

  24. Re:really ? by MikeB0Lton · · Score: 2, Insightful

    And that all works great until your company discovers what you are doing during an audit for Sarbanes Oxley or HIPAA :-)

  25. Storage isn't the issue sometimes by Sycraft-fu · · Score: 2, Insightful

    It's IO. If you don't use a database driven e-mail program, large inboxes hit the disk really hard. Thus you need major IO to have large quotas. We have this problem at work currently. We run sendmail for a number of reasons, the main one being that we got e-mail waaaaaaay back in the day when it was pretty much it. Regardless, we are still on it and thus IO is a significant problem in terms of large inbox quotas. We need to move to a database driven solution, but such a move isn't easy and isn't free and thus we are still working on it. So at this point, we have quotas on inboxes not because we can't buy more storage, but because we don't want to overload our NAS.

  26. Re:imap? by TheLink · · Score: 2, Insightful

    Ah but maybe the company intends to do things that are worse than what people normally sue them for.

    So overall it would be a net gain for such companies.

    Alternatively:

    Maybe the company has such crappy lawyers that they allow the court to see emails out of context.

    Or maybe the courts and juries are so crap that they'd take some email rant like "I'm going to kill and bury X" more literally than the writer meant.

    Either way it's not a good sign.

    It's never a good sign if people don't want to keep the truth around, or can't handle the truth, or don't bother to determine the truth.

    --
  27. Re:Don't break the law... by amRadioHed · · Score: 2, Insightful

    At least in that example, the problem is that it isn't the product that is harmful, the act of hopping on one foot in the shower is. If that original email were real it would probably have been a joke about how safe the product is, and not an admission of a dangerous design flaw.

    --
    We hope your rules and wisdom choke you / Now we are one in everlasting peace