Are There Any Smart E-mail Retention Policies?
An anonymous reader writes "In an age of litigation and costly discovery obligations, many organizations are embracing policies which call for the forced purging of e-mail in an attempt to limit the organization's exposure to legal risk. I work for a large organization which is about to begin destroying all e-mail older than 180 days. Normally, I would just duck the house-cleaning by archiving my own e-mail to hard-drive or a network folder, but we are a Microsoft shop and the Exchange e-mail server is configured to deny all attempts to copy data to an off-line personal folder (.PST file). The organization's policy unhelpfully recommends that 'really important' e-mails be saved as Word documents. Is anybody doing this right? What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?"
Way to be a jerk. Slashdot isn't only about the latest iPhone release, or patent trolling. It's about everything technical, and this is a good question.
If your org's Exchange server has their IMAP connector enabled, you can use a different client that doesn't follow the commands of the Exchange server to pull emails, but it sounds to me like your org is smarter than that.
Don't do anything illegal, then the company doesn't have anything to hide, right?
I recall several big cases that went up because of someone's 'little black book' in pencil and paper, so purging emails is really a waste of time anyway. Besides we could always plant emails we need on your server anyway.
They Live, We Sleep
Even if Ask Slashdot articles like this aren't "news for nerds", they're still (supposed to be) "stuff that matters" related to information technology.
Could you forward your emails to a personal account on one of the big three webmail providers? IANAL but it seems like that might limit the company's liability while allowing you to automatically archive your emails in a fully searchable format.
I'm a big fan of plain text email and copy and paste really isn't all that time consuming if I were forced to save anything worth saving for longer than 180 days.
On the Oregon Coast born and raised, On the beach is where I spent most of my days
The end result of all the bullshit lawyers try to shove on people who actually produce things for a living is the same. We route around it. This policy will cause people to use webmail, alternative email clients, IM, and other technologies to get on with getting work done, while the lawyers remain blissfully ignorant.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Print every email you get, I'm sure it won't affect your bonus.
Cheating, as the author suggests, is a bad idea. The company is doing this for a reason... to protect themselves from extra BS when they get sued.
If you don't want to have to go through that extra BS (believe me, you don't) and/or you don't want your company or yourself getting in even more legal trouble when they deny something exists (because it shouldn't according to their policy) when it really does (because you didn't follow the policy) then don't be an ass. Do what they tell you like a good little minion.
Seems like a highly annoying and unproductive policy you have there. Create a local pop3/smtp server, forward your emails there. Or.... forward them back to yourself and keep resetting the timestamp :)
It isn't just about breaking the law. Someone sends an email to a coworker, telling them "I suppose that if someone is using our Webelfetzer 1000 while hopping up and down on one foot in the shower, they might slip, and bang their head," and then a year later someone is using a Webelfetzer 1000 while hopping up and down on one foot in the shower, and they slip and bang their head, and sue, and their lawyer finds the old email, and screams: "See! You knew this was a threat, and you didn't warn anybody!" and then doubles the damages they're asking for.
And I do hope you are joking.
Seriously.
Let the 180 day limit on email remain as 'someone else's problem'. How many times do you really need to get an email six months old? You'll end up with a cleaner, faster and less stressful mailbox.
Of course, there may be the odd email you need, so every week why not look at the oldest week's worth of mail in your mailbox, and anything you REALLY have to keep, just forward it to yourself. Then it will stay in your mailbox for another 180 days. But try to only forward the things that are vital.
Of course you may be able to forward to an offsite mail account, but I'm assuming that isn't allowed. No company is going to restrict you from forwarding emails to your own company account.
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
Destroying e-mail - something that used to be a good idea - can now be a crime even absent an active criminal investigation. For firms affected by Sarbanes-Oxley, you'd better comply with e-mail retention rules.
And for those of you libertarian-for-yourself, statist-for-big-companies types out there, this is what happens when the government pokes its nose into regulating business; they don't just make Microsoft's life miserable. All aspects of life and business will be intruded upon. That's just how Big Nanny works.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
They're not necessarily doing anything criminal; they might just be trying to protect themselves from discovery obligations in a civil suit. You don't have to be doing something wrong to get sued. Why make your opponent's job easier by keeping information which might help their case?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Are There Any Smart E-mail Retention Policies?
Retain (store) email just long enough to forward it on to the destination server.
The higher the technology, the sharper that two-edged sword.
I tend to see e-mail as something you use for temporary exchange of messages and tasks/information held therein, not something to be used to archive material.
I'd argue the company's policy isn't actually far wrong, surely anything over about 180 days is something that is more suited to permanent archiving anyway?
I'll admit when I was working in tech support and I had our corporate Microsoft keys e-mailed me I kept them in my personal folders for a couple of years but realistically I have to admit I think these would be better placed in an information repository suited to more permanent store of information.
The company does then of course run the risk of people storing data that puts them at legal risk in that information repository instead however!
I'm not sure though that there are many circumstances where an e-mail client needs to act as a long term information store. I find it's generally the case that if you need to store it for a long while, it'll almost certainly be something that others in your company will need access to should you get hit by a bus tomorrow and as such, maybe shared folders (with appropriate permissions) are a better choice than personal folders?
You left out something very important. Is your large company publicly traded in the US? If yes, it could be looking at violations of Sarbanes-Oxley if they really are purging (and not retaining) e-mail "in an attempt to limit the organization's exposure to legal risk."
But that is likely not the case. It is more likely the company is trying to limit the amount of data stored on its Exchange system. Adding storage and additional backup capacity is expensive. Implementing a policy that requires end users to keep the size of their mailboxes down does not work, because many people insist they need every bit of those six years of archived e-mail; people use e-mail as much for CYA as doing real business. So, this solution was selected. If it really is important, make the end users do some work to keep it and don't force the company to re-architect its storage system to keep years of CYA and personal mail.
That email belongs to the company, not you. As someone who accumulates 90% of his work stress from dealing with employee email usage atrocities (please don't email an mp3 mix cd image to 150 of your closest friends from your workstation, kthx), let me tell you what's wrong with your plan.
It's company property, governed by the policy in place for whatever reason, feel free to violate the policy if you don't want your job.
Not to mention what will happen if it comes to light that you are violating policy during a discovery procedure, especially if it comes to light because you brilliantly decided to forward critical confidential company correspondence to somewhere like a Gmail account.
Brilliant. Really. Good luck finding a job after that.
The IT staff at my former employer saved copies of all email that went through the server... indefinitely. No, they didn't tell employees they were doing it. And yes, they had a search engine so they could do across the board searches of whatever terms seemed interesting at the time.
I find it interesting that different companies are going to different extremes. Some are limiting their exposure by trying to delete all mail and others are saving all mail in order to be able to comply with court orders (or perhaps just get a bit big brother-ish).
For a REALLY strange twist, the company I'm speaking of forced employees to maintain mailboxes under 100MB... while the server admins never deleted a single email that hit the server.
A couple of 30-somethings embark on the ultimate roadtrip
1. Don't.
Sweet, huh?
Two Dixie cups and a long piece of string. Just don't use your crayons.
That's what I would go for: IMAP; next would be POP3 if they have disabled both of those services, which they would not usually...
then connect up Entourage on a mac and simply drag and drop alternatively evolution on a linux vmware
failing that simply forward all the mail to gmail or free email account that you can search in an instant... but no one knows about...(if you are smart you will configure outlook to use the gmail (or free provider) as the sending email server so things don't go out through the exchange server alerting the admins there when they look at the traffic also make sure that you use the SSL to smtp out )
so what I am saying is there are ways around this unless your org monitors everything and even then they can easily fail
most of the time things like word documents will trip up in litigation so they should not be trying to burn everything what they are trying to do is appear to have a policy so the lawyers are satisfied....
silly but true and it's frankly dumb
regards
John Jones
A balance needs to be struck between the negatives of two strategies:
* Perpetual archiving of e-mail - wastes server disk space, increases tape backup volume, and (more notoriously) can leave "clues" that predatory litigators salivate over.
* Non-archival of e-mail - internal accusations and decisions can't be resolved, difficult to track decisions and their history, circumventable by printing the e-mail with headers.
The solution is as follows:
1. Digest only the final decisions of e-mails and the essential reasoning thereof, or make a digest of the decisions in a collaborative project wiki where buy-in from the stakeholders can be tracked.
2a. Upon project completion (ISO9000-type project gating), archive all project files, documentation and essential digest e-mails.
2b. Simultaneously destroy all other e-mails using secure forensically-unrecoverable techniques to prevent accidental recovery by thieves.
3. Any other e-mails regarding general architectural or administrative decisions which have implications for future development in the company should be digested, placed on a company wiki, and then the remainder securely destroyed.
Using this method, any questionable or potentially illegal decisions can be greatly avoided or reduced from a purely legal perspective while retaining sufficient information to continue operations and development. This policy won't end all legal issues, but the key is to have procedures that are centered around the guise of IT efficiency and operational simplicity to purposely dispel any other alleged intent by third parties that expresses or implies destruction of future evidence.
1. Relocate your company to another country with better laws and without the "Sue! Sue! Sue!" culture. ...
2.
3. Probably less profit, the taxes are likely to be higher than the USA.
...then it shouldn't only be documented in an e-mail.
A lot of people use their inbox as a "safety blanket" for documenting things "I might need later." This is a bad idea for reasons other than data retention policies. Information rot can set in, and you'll have a copy of information that might not be up-to-date. This is especially problematic with documents, where you have no idea if the version in your inbox is the current version.
A good workaround (if your company allows it) is to have an internal wiki to publish "useful information" to as a shared, versioned source of knowledge. On such projects, I've noted most of our team feels much less reliant on e-mail as a store of knowledge.
"A strange game. The only winning move is not to play. How about a nice game of IMAP?"
I don't know how often I've saved my own can by retrieving an email from someone denying one thing or another or if a project goes south due to additional requests. By demanding that all requests be in written form or in email, I can produce a paper trail of all the requirements for a given project. As developers, we do nothing unless we have an official request. This limits our responsibility when things go over budget or behind schedule.
Deleting emails when a project is over is not necessarily a good idea, either. Patterns of irrational and poorly thought out requests can be produced over a long time period and this can also be used to cover one's caboose or even to give priorities to scope creep during crunch time. If things are going slow and they want some feature added in, we might be more inclined to meet that request. But if we're facing hard deadlines, we can push back and make the requester decide which are the most important features to add.
Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.
Conformity is the jailer of freedom and enemy of growth. -JFK
If the information is important enough to keep around after six months then it should be documented either as a policy or white paper. It seems that what your organization is attempting to do is to limit email to functioning as a communications medium. They don't want your Exchange servers to be an information repository. I can see the logic in what they are doing. In all seriousness if you haven't acted on information in an email in six months it either wasn't that important, or you're not staying on top of your responsibility. If it is information that needs to be kept because it is integral to the functioning of your department then there are better places than email to keep that information.
My company has been doing this for years, but our policy is only 90 days. I do go ahead and copy any 'really important' emails into OpenOffice documents, but these are few and far between.
I find that the best way to get policies changed is to emphasize their faults. When my company started docking pay for not submitting a change request to reboot a broken production server, I basically started submitting change requests every time I had to take a shit. This policy hasn't changed yet, but I guarantee it will.
Let the emails get deleted. Don't go out of your way to save them if it isn't immediately obvious to do so. When my emails go missing and I need them, I let the management know 'the retention policy ate it'. Whether they like the excuse or not, it's a fact that the missing information is not my fault, and this will hold up in court if I ever have to sue for unlawful termination.
It's a job. I'm paid to do it. If I have to re-do work as a result of something like this, I'll get paid just as much the second time as I did the first. *shrug*
I've never used any Exchange-based junk, so this might be totally ridiculous, but what if you forward every incoming email to an address that you create for the purpose of archiving the stuff?
McCain/Palin '08. Now THAT's hope and change!
You are not in a position of decision making authority where you could veto this idea, or specify what the policy will be.
So explain the reason you care, exactly?
Get into a position where you make the decisions. Until then, don't waste your time worrying about this stuff.
-fb Everything not expressly forbidden is now mandatory.
Have the corporate lawyers tell you what you need to save.
That's the simple part for you
Save it. Not so easy, often, but there are plenty of tools. I'm not paid by anybody to market them to you.
If you're with a business that has clear legal needs to save electronic correspondence, I'm surprised you haven't already been getting the sales pitch. Or maybe your executive team has been.
deleting the extra space after periods so i can stay relevant, yeah.
'Information that might help an opponent'
and
'Information that might help a coworker, ally, employer'
are both likely to be present in those e-mails.
Only the first of these excites fear, uncertainty, doubt and
only the first is being carefully considered by the policymakers
in this case. They're deluded. Don't buy stock, and keep
your resume updated.
Yes. I save them in notepad.
What?
Retention policies are generally set by counsel. If you violate that it's generally at your own risk.
Is it also safe to assume that, if a company introduces policies relating to harassment, there must be endemic harassment in the company?
Just because a company is afraid of lawsuits doesn't mean they're guilty.
You need to consider what information is in these emails and what needs to be done with that information. Example, from my last job in a Helpdesk/IT Officer for a small business:
Email Type -> Where it goes
Request for help from IT -> Send to our helpdesk system
Serial number from supplier for application -> Save to our IT Auditing software, print out and file
Information on fixing a program -> Print out if needed soon, and copy information to our procedure manual folder on the network.
Look at your email more as an inbox and less of a filing system. If your upper management have taken this step, they may just decide one day (after something happens) to accidentally 'wipe' all email. If you work based on the assumption that will happen, you should be able to live with this rule.
Document retention policies ought to follow the IRS document retention guidelines. 5 years at a minimum.
Avoiding liability under SOX by failing to report the improper operation of the corporation and destroying the evidence is a bad, bad idea.
I expect spoliation sanctions for any document destroyed before the IRS standards.
Are there any good retention policies out there? No. The good retention policy is to save what you need, delete what you don't. Which is not a policy at all.
What would I recommend for a corporation? Don't use e-mail at all. If you refuse to follow that advice, use a system that deletes on first read and cannot be used to create copies (harder than it seems).
There are several reasons for keeping mail. At the top of everyone's list is self-preservation. It's important to be able to prove that this or that decision was made for these reasons or that so-and-so really did tell you to do whatever. This is necessary because in the modern corporate ethos, the employees and shareholders take all the risks and senior management reaps all the gains. Everyone needs protection. But it probably won't help you.
Another, better, reason is the reason writing was invented in the first place: to recall past events and information not held in one's memory. This is where the "right policy" really shines. Unfortunately, anything worth keeping is also worth a subpoena when someone decides to fuck with you (or your company, but remember that companies do not suffer, their employees and shareholders suffer; if something you wrote, or kept, harms "the company" you can bet it will end up harming you a lot more). So short of obliterating most of the civil law on the books today, we're back to keeping nothing. You as an individual stand to lose your life (if you lose your job and are blackballed, you will die or wish you had). But as always most of the gains from saving mail accrue to senior management in the form of better corporate performance and higher pay. You have no personal incentive to save anything unless you are preparing for a wrongful termination lawsuit. In that case I hope you have printouts, because the mail your lawyer subpoenas probably won't be there no matter what any "policy" says.
Cynical? Sure I am. But that's just the way it goes. The wise employee does not commit to writing anything of any conceivable value or interest. If it's worth saying, it's worth saying in a hallway conversation. If it needs to be written down, be sure your name does not end up on it. Then you don't need to care what senior management is telling you to retain or purge. And if you need some piece of information you would have had if you'd saved everything, just wing it. You would not have received any incremental benefit from doing your job better and you're going to take the fall when things go wrong no matter what you do, so you might as well not bother. Get as much money out of them in the meantime as you can, and protect it from debasement by converting it into gold and silver. Then when the system inevitably flushes you out, you'll have something to survive on.
Being an employee is like buying bonds. In the best case, you get a small fixed income stream for a while. In the worst case, you get nothing. There is no upside. There is nothing to strive for or invest yourself in. But unlike the bond market, where you can buy CDSs, there is nothing you can do to protect yourself from your employer. Since you can't help yourself and have no incentive to help your employer, the best thing to do is muddle along, keep your head down, and do everything you can to avoid being noticed. Not bothering to write anything down is just one example of this approach. In this way you may survive until macroeconomic conditions inevitably make "painful decisions" necessary for senior management, better known as cancelling your employment and wishing you the best of luck somewhere else while cancelling dividends or buybacks (making those shares and options they insisted you accept as part of your compensation package worth dramatically less and fucking over the existing shareholders as well). But take comfort - your beloved senior managers are safe and secure no matter what happens; even if the company folds they took home enough in their first year of work to live on for life. Doesn't that make you feel better?
Calling a jerk, a jerk, is not trolling. Someone do this guy a favor and spend a mod point to put him back to positive.
I know you don't care, but if someone high up wrote that email, it indicates that the use of the webelfetzer 1000 in the shower while hopping up and down on one foot was foreseeable. And that's the whole damned POINT. Otherwise, you sue the company and lose. Ok, I'm going to go back to studying for the bar, but you've got it ass backwards. [as an aside: treble damages, not double damages, and your factual scenario would not support them]
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
Actually, given the reactive nature of typical organizations, I'd say that's a safe bet.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Admittedly, this is a suggestion that only a large, committed organization can implement, but it is sane:
Drag email worthy of retention into an Enterprise Content Management (ECM) system.
You can find ECMs nowadays that are well integrated with your email client (and may even allow users to ignore that they are moving information out of Exchange). You can think of Exchange as merely a staging area for all incoming information; anything with long-term business value should be expected to end up in the ECM where it can be shared, portalized, linked to wikis or other knowledge management applications, filed by project or business area with related information in other content types, searched six ways to Sunday (Exchange is woeful at this), etc., etc.
If you're able to do this, then you shouldn't miss the other 95% (I'm pulling that figure out of the air), the dreck that's left behind in Exchange, when it's aged out and shredded.
If you're not able to do this, and you're trying to adapt your email repository as a long-term knowledge archive, at best you'll have an individual repository for yourself, not your team or your organization, that can't be easily shared or integrated with other related knowledge.
That's why you shouldn't mind the retention limits established in Exchange. As to why they should be established at all, consider that the organization has no business interest in maintaining a gigantic archive that is 95% worthless, poorly organized, poorly indexed, unsharable crap and that, if a legal discovery request ever does hit, will be an unbelievable burden to sift through. Plus, the retention deadline gives people an added incentive to move the valuable stuff into the valuable place.
The moronic IT persons are already saying crap like "the email belongs to the company, not you". Perhaps the computer on which I wrote them does, but *I* have written those emails, therefore they belong to me also.
That depends entirely upon the terms of your employment: sad but true (note: IANAL). If you have a contract governing your employment, I'd suggest you look at it and get legal help interpreting it, if need be.
Oh, and f^@k the IT people.
You're perfectly welcome to return to your previous life of using pen and paper, the (POTS) telephone, postal mail, and trying to get a date in person. Let me know how that all works out for you.
Basically related to this, is the fact that Guidance Software has been pushing the federal rules for ediscovery and the safe harbor rule that protects corporate organizations when they employ a "policy" and practice of email destructions, however, they have failed miserably at this themselves. Not only do they not have a retention policy, but they do not (did not) back up their email and have been burned over an eoe case. Check out http://commonscold.typepad.com/eddupdate/2008/06/todd-v-guidance.html and the actual sanctions that are being imposed against them http://commonscold.typepad.com/eddupdate/files/Guidance.pdf even their own Larry Gill has posted to Slashdot on privacy, he is one of the main defendants in this case!!
Several enterprise content management systems (like LiveLink, that I hate) support almost transparent email integration. You could forward your mail to an "email folder", and let whatever records management module (and retention policy etc) take place.
I saw someone mention forward mail to wiki, that you can also do with LiveLink discussion boards (not an endorsement for LiveLink).
Point is, moving it into an ECM brings it to whatever corporate records management has re policy and such.
/\/\icro/\/\uncher
Guidance Software? Talk about being hoisted on one's own petard! If I were plaintiff's counsel (IANAL), I'd fry them with their association with forensics and imply that it's awfully convenient that they "lost" incriminating email unrecoverably.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Your inbox should have NEVER been used as a permanent store for your important email that you want to keep permanently or for longer than the company storage policy dictates. People just decided they would get lazy and do it that way since it usually works about 95% of the time.
I always cherry-pick important email from my personal accounts and print them and file them. A more technically savvy way of doing the same thing is exactly what the company is recommending; that is, save them as a .doc (print) and put them in a folder (file them). It is exactly the same thing you do with your important mail that you get from the postal service... I hear no whining about having to hold onto your tax returns instead of just reading them and chucking them in the bin.
Another alternative, depending on company firewall policy, is to set up a pop3 account from your personal ISP (separate from your main ISP email account), add it to your outlook profile at work in addition to your exchange user mailbox, and forward important email to that pop3 account where you will get near real-time confirmation that it arrived and is in an account that you control even if you are terminated.
Like many others have posted, I'm tired of having to deal with the problems from maintaining 2gb user mailbox quotas because employees are too incompetent to realize that when management tells me that *I* have to do more with less, that means I'm going to be passing all those efficiency creating decisions off on the largest scale possible, which is usually the entire company. If I'm forced to tighten my belt, the people using the systems I administer will be doing their part to assist, whining be damned.
Protector of Capitalist views,
Meorah
As an attorney who practices e-discovery, I can tell you that any company which implements the policy described above better hope to god they never find themselves embroiled in multi-state class action litigation. Sooner or later, they will run into a judge who views the destruction of evidence for the express purpose of avoiding liability as a bad thing and they will lose the case. A policy designed to protect the company from litigious plaintiffs will have the opposite result and create huge awards for the plaintiffs. If you work for a large company which has been sued in major litigation, you should probably assume that all of your e-mails will be read by an attorney at some point and write your e-mails accordingly.
2 Days left... Quit reading slashdot and do more MBE questions.
First, companies wanted to (generally) make a big deal out of the idea that your email sent/received in the workplace didn't really belong to you. It was COMPANY property, because you were using their hardware, bandwidth, and company time to write any outgoing messages.
But all of a sudden, they're expressing legal concerns that shouldn't even have come about if the mail was recognized as belonging to its recipients, vs. being of corporate-ownership.
(EG. You couldn't very well demand to view all the mail on a server to investigate something. You'd have to get permission to search the mail of each individual employee you believed was involved directly in whatever you were suing over, and you'd have to justify the intrusion into their privacy.)
"While I'm sure it made the lawyers happy, it made life difficult for anyone who was trying to actually do work."
This is the part I can't get. How is deleting mail making it difficult to do the work? It might result in your work being ineffective but how is it that you can't do the work?
Let's see the stupidest scenario I can come to: ...
-Please, can you e-mail me a price list I'll need in forty-five days?
-Of course.
(forty-five days after that)
-OK, so let's see the price list. Damn retention policy! It's deleted. Now, I'll have to re-schedule the job to be run in forty-five days from now!
-Please, can you e-mail me a price list I'll need in forty-five days?
-Of course
See? Nothing stops you for doing the work you are being paid for. At most, the policy avoids you to be an effective worker but since you are not on a decision-making position it's not up to you to decide how you should expend your payed-by-the-company time nor how. If you feel your company's policy is nuts, you certainly should point this up to your managers and ask them for the proper way to do the job; if it still so, time to polish your resume and look for a new job, but do not break the policies stablished for those that sign your paychecks.
You're a Microsoft shop, using Outlook and Exchange. Setting up a sane retention policy on top of that is nightmarish, especially for people whose business memory is stored in email. Data security isn't just protecting yourself from lawsuit issues, it also involves protecting your users from storage failures and database corruption. Exchange is notorious for these issues, and throwing more money and hardware and failover equipment at it doesn't solve the fundamental problem of corruption of years of work in the massive, massive files used by Exchange's storage mechanism.
If this is a big issue for you, switch immediately to a sane, IMAP based system that allows individual message storage and the application of external message management systems to ease backup, recovery, and organization of the material by the users. The PST files are an incredibly nasty way to store large, diverse filesets such as email. I've seen them imperil access and recovery far too often.
Printscreen.
Your process would require about double the amount of time taken in the writing and responding to the original e-mails. Impractical.
Set Outlook to automatically forward messages to Gmail!
I am sorry as hell to put it like this but I have seen basically 80% of the responses stating that you should break the policy, ignore the policy, inane comments like "don't work for criminals" or that the legal team is stupid. From a personal perspective, hell yeah I did not like it, I like to have all the emails I sent so I know I told my boss 8 months ago to go fly a kite or something about a topic and when he confronts me to say I did not warn him about something. Tough. Those that make more than I made the decision and we have to implement it.
.exe files are listed in the host firewall and if you run one that is not approved, then cyber security pays you a visit. Everyone has approved software, and Thunderbird, Eudora, whatever are not approved. Since we only have IE, it is managed through AD to be forced through a proxy which does not allow any of the webmail sites. Why you ask? Well let's see - we have now fired four people since I have been with the company for sending private company info via webmail accounts to other customers to give them more money, etc.
Okay - having implemented one of these from being someone on a cyber security team, I know first hand what goes on behind the scenes and everything that goes on. Our company implemented one of these projects. 180 day retention for USER email boxes. If you need to keep something for retention purposes, you have a DL setup which does not have the same rules and a few team members have access to. Simple. If you need it after six months, every desktop has a PDF writer (free cute PDF) and they can print it and save it.
Now
So at my company - just so you know. All
So let's see, what else. Oh yes, all emails are scanned incoming and going out to validate compliance to corporate policies. So no "autoforward" rules in Outlook to forward any mail you get to your gmail account (as well as all popular web and ISP accounts are blocked). Our company takes it as it is a place of business, not a place to deal with external distractions. You can call someone if you want to talk to them - just don't email them.
So why do you ask why we go to these extremes. We have to. Government regulations on our business. Several people have access to information that requires government clearances, and we get bent over a barrel when any of that goes out the door. Does it work? Yes. Do people like it? Well they have gotten used to it (we implemented it 4 years ago). The VP with 9Gb of mail was pretty pissed for a while, but realized his life was much easier.
Just to let you know - for those of you pansies saying to let it all go free and don't work for criminals, etc. A company is never the criminal, it is the people in the company that are the criminals. So restricting the people that are potential criminals removes that temptation and will allow you to do your job more effectively.
Last point, I know the next logical point most people bring up in this argument, which is hire better people if we are firing people that have done things wrong. Every person before they get hired has a criminal background check and over 80% of our company had at least "classified" level government clearance. So, the government trusts them, as well as they had the skills to get into the job, and the temperament to get along with the people at the company. They were still fired for doing something like selling one company's info to another, even with all the things in place.
You cannot change human behavior, but you can try to circumvent it so that it is an overt act and then it is something they willingly did, and then you can throw the book at them for doing it because it was pre-meditated.
I am not an attorney but in a past life I was a computer consultant who did e-discovery for litigation plaintiffs' attorneys. Although not in the field, it's become my understanding that as of late it is actually required under recent Federal rules to retain your e-mail.
This is my sig.
Email retention and documentation retention are different with some similarities. The document retention policy is the be all, end all of SOX compliance policies (I am sure, not certain). In this particular case, I assume that their email retention policy is to protect mail server storage capacity, with the individual's obligation to save important emails as a Word doc to comply with the uber records/document retention policy.
I last worked for a Local City structure, and we had a very aggressive retention policy.
Everyone except management or higher was to keep only 10 days' worth of email in their inboxes, but we did allow people to move important emails into other folders for safe-keeping.
Management and higher officials were required to save 30 days' worth of email in their inboxes, but they could also put emails into other folders for safe-keeping.
The IT Dept. was required to do NIGHTLY backups, and send off-site the Friday tapes, which would be kept at an undisclosed location by a private firm that would keep 3 months of backups.
We also would keep a quarterly tape for each quarter so we could always recover emails from each quarter, and finally, a yearly backup, made from the quarterly tapes, so yes, we would have a complete year's worth of emails for everyone. We were to keep the yearly email backups for eternity I think.
This was a pain in the a** to put all together and keep track of, but it also ensured we would be ready for ANY Public Records request that came our way, and they did about every week.
It's a lot different in the private sector, where you don't have to answer to Public Records Requests.
Can you just set up filters for any messages you want to save for more than 180 days, then forward them to an address you use to archive them? There are lots of emails I want to keep for more than 180 days, but not too many I need to respond to after that time, so I wouldn't care if they were actually in Exchange or not.
Forgive me if there's some kind of group policy that restricts doing something like this, but I've worked at some pretty large orgs and never run into it. I'm sure it runs counter to company policy in lots of places, but you seem to be trying to dodge that anyway.
For maximum convenience, lots of storage, and minimum privacy, just forward everything to gmail where you can search it.
Game... blouses.
and that dealing with email can only be a small part of your job, if you want to do your job well. How can you spend the additional time required to make the decision whether to save each new email message? Forget the legality, how the heck could you get any work done? And what psychic powers would be made available so that you would know, in advance, which emails were "important"? I mean, if I had the power to know in advance exactly which communication was going to someday be important, and which was not, then I think I might be able to finagle myself a job where I didn't need to worry about email retention policies.
The purpose of the policy is to protect the company. This may be from litigation or from the cost of a fishing expedition -- think of the cost of having to pull everyone's every email *from backup*. Discovery permits the lawyers to go through your every backup because there just might be an email in there that proves their case and you might have deleted it.
If you have a policy that is generally followed that states when emails are deleted, you save yourself a lot of grief. But. You also need to have a process to stop this regular deletion if a court action is started or management has good reason to believe one is coming.
If you are in an environment where a six month old email saves you serious grief, it may be time to look for another job. I have been there and it always turns ugly. Being able to prove you are not at fault is not the same as proving you are right or to be trusted. Which is a drag, but nonetheless the case.
A good retention policy balances the business needs for retaining emails (which usually does not take CYA into account), regulations (like SOX and PCI and GLBA), and technology costs and efficiencies. A bad one picks a number out of a hat and flails. If the policy doesn't make sense, you could politely ask whether you could please have an exception. Policies are supposed to include exception processes.
Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.
I disagree.
Once you remove email from the mail server, you lose quite a bit of its (informational) value.
* the header information is lost.
  That includes information like:
  * when
  * from who
  * who else got the email
* the text and attachments tend to get separated
* you tend to lose the ability to view the emails in various useful ways,
  e.g. threaded view, so you can view an entire 'conversation'
Any system that doesn't lose this information is effectively a mail server (probably without the ability to send / receive emails), so why bother with another system?
In my opinion, an email server is the appropriate place to store emails. Anything else is a very poor second best.
NB. A lot of document management software can search / index your mail server, so it is logically part of your document system. You can sometimes 'import' emails directly into these systems, but that tends to be slow and clunky (last time I tried it, it was), and really doesn't achieve anything useful.
Ever stop to think
I recently came out of a bankrupt company, e-mail was critical in a variety of cases including disputes with the liquidators, the records saved us many, many dollars.
21 day mail retention and a 30 Meg mailbox size. It is great for booking holidays because after the first 21 consecutive days, it doesn't matter how much longer you are gone because the volume of email will never really get that much greater.
1. Accept that regulations like Sarbanes Oxley, HIPAA, PCI, etc exist because too many businesses lost their moral compass, and the government had to step in to protect itself, consumers, and the economy.
2. Comply with the above regulations because it is the ethical thing to do.
It's IO. If you don't use a database driven e-mail program, large inboxes hit the disk really hard. Thus you need major IO to have large quotas. We have this problem at work currently. We run sendmail for a number of reasons, the main one being that we got e-mail waaaaaaay back in the day when it was pretty much it. Regardless, we are still on it and thus IO is a significant problem in terms of large inbox quotas. We need to move to a database driven solution, but such a move isn't easy and isn't free and thus we are still working on it. So at this point, we have quotas on inboxes not because we can't buy more storage, but because we don't want to overload our NAS.
Because they keep the idiots in line who don't know how to manage e-mail inboxes, and think they need a fucking email from 7 years ago that's just a damn out of office reply, and end up with 12 gig PST files, and then they bitch at IT when their e-mail runs like shit. In case you couldn't tell, this is the bullshit I deal with on a daily basis. But not for long.
We're switching to Exchange, and are going to have a 1GB limit with a 50MB cap on the named folders (Inbox, Sent, Deleted, etc...because it slows everything down when they get big). We're also getting a document management system that integrates pretty seamlessly with Outlook, for them to send stuff they need. Oh, the most effective restriction when their e-mail hits the cap...don't allow them to send anything :-) That way they don't lose any e-mails, but they get it down to size in one hell of a hurry.
Restricting by dates is pretty annoying. There are some things you will need to reference again, especially in our organization where our products are usually purchased annually (Awards/Trophies/Plaques). But keeping a size limit is very reasonable, especially with an easy-to-use archiving solution.
But if I delete an email from my system, how are you ever going to prove that it existed?
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
How different is the email from a phone call? For one thing, the other business you are dealing with will have a copy, do you want them to have the only copy? Personally I run an empty inbox (actually an empty PST file would be more accurate). I forward to a procmail robot on a file server which permanently archives to the job folder. If I really wanted to keep something though, I'd print to a pdf creator (one that looks like a windows printer). Seems the nicest way to minimise the workload and to maximise the continuity of appearance.
I share your view, if I write something it belongs to me, same goes for anything that has been addressed to me.
If I receive an email then that email belongs to me and I'll do what I want with it.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
One thing you tech folks probably already realize - it is very difficult to permanently delete e-mails. Sure, if they are sent between two people, it's not so hard. Most e-mails, however, have multiple recipients, cc:, blind cc:, etc. The only way to really complete this task would be formatting the hard drives or storage media of every computer which touched the e-mail. Good luck in that endeavor. If the e-mails which were erased have relevant discoverable information, god help the company that "destroys" that evidence. This applies more to larger companies where more custodians exist (anyone whose computer contains relevant documents).
Here's an example.
A company made ant poison, but the federal regulatory agency made them take it off the market.
Their law firm recommended that they appeal the agency's decision in court, so they did. They lost. The law firm recommended that they appeal to a higher court, so they did. They lost. The law firm recommended that they appeal to the U.S. Supreme Court. The company sent a fax telling the law firm not to do it. The law firm appealed to the Supreme Court anyway. They lost.
Doing that, they ran up bills of $400,000. The ant poison company refused to pay. The law firm sued for the bill.
To prove their case, the company had to find the fax machine's printed confirmation, to prove they sent the fax. They couldn't find it. They lost. They had to pay the law firm.
(This is my quick recollection from a Wall Street Journal story.)
Admittedly this is about a fax, not an email, but the principle should be the same. If they had a copy of an email saying, "To confirm our conversation today, we don't want you to appeal any farther," they would have won the case.
So yeah, there are some emails you should save forever, particularly CYA emails.
What's wrong with that? If you did know/suspect your product could reasonably be expected to hurt someone, and you don't do anything about it, you SHOULD go to jail (or have a honking fine imposed on you, or whatever.)
(Where the line gets drawn for definitions of "reasonable", how litigious your local society is, the sizeof() damages awarded and suchlike are merely implementation details.)
Everything I needed to know about life, I learnt from Blake's Seven
How many cases have there been where email evidence was used out of context or misinterpreted by the courts/jury so that the innocent got hurt?
;).
;).
How many cases have there been where email evidence was used to nail the guilty bastards?
So tell me, is it really a good thing for emails to be deleted?
What does it tell you about the company? It has lots of guilty bastards? Do you want to continue working in such a company? They could blame _YOU_ for something and if you're innocent where's the evidence to protect you? If you're keeping your evidence against company policy have a nice day
As for personal emails, I try to keep most personal emails. Hard disk space is cheap, so why bother taking the time to figure out whether an email is important or not?
You might not even want to bother deleting spam - some people keep a store of spam so that they can test/tune antispam systems/filters.
Lastly, I think many people do work with projects that last more than 6 months. Sometimes your memory might fail, sometimes your boss's memory might fail, sometimes your colleagues forget.
And sometimes when people ask the same questions it's convenient to just dig out the reply/explanation and resend it (email programs should have a decent and fast search - kmail is too slow). If it keeps happening maybe you put it in a FAQ somewhere and then you might add a link to it
Frankly, examine your work-processes. E-Mail is not a general filing system, or a task-management system, or anything else that would require you to keep stuff around forever. In fact, doing so is - according to my observation - the #1 reason why most people can't use mail productively.
A tiny fraction of mails actually needs to be kept around for a long time, and I have a folder for those. It's on the order of 0.01% of the total volume. If I had to export that in some format, be it word, .txt or whatever, it would be a tiny hassle.
For everything else, I'd be happy to get the stuff I haven't needed for the past six months automatically deleted, because the chance is 99.99% that I won't need it anymore, anyways, and looking through the pile to check for things that I might still need takes away my valuable time.
Assorted stuff I do sometimes: Lemuria.org
http://www.zantaz.com/ "The spectrum of Autonomy ZANTAZ solutions includes: Aungate Real-Time Policy which monitors information in place and applies policies by understanding the meaning and context of information; ZANTAZ Enterprise Archive Solution (EAS), the first of its kind, combining all information sources into a single, massively scalable archive; Aungate Investigator & Early Case Assessment (ECA) applying advanced analytics to determine the merits of a case prior to eDiscovery; Introspect, redefining EDD, review and production by allowing rapid eDiscovery to be run seamlessly across all information sources including operational systems and archives."
Forward the mails to a gmail account (lotso st0rage) for the sole purpose of archiving them?? (probably just copy/paste to text files is simpler).
-- tonybaldwin.me
If only all lawyers bought the webelfetzer and took a shower, the world would be a better place.
Maybe lawyers will sue all electricity companies because it's FACT that it kills.
Or that all alcohol sales should be banned because it can KILL.
Liberty freedom are no1, not dicks in suits.
Perhaps this will encourage the users to send any information of long term importance as attachments, turning the email text into cover letters.
Assuming you can still send, receive, and save attachments. If you can't even attach, put the document on a shared folder and put a link in the email.
Then email retention could be reduced to something like 48 hours after reading.
Here's a better example, and one which would have happened if my company deleted emails (which they don't):
- Help, I have a problem! It is xyz
Lots of discussion back and forth to get exact details
- Okay, I now understand the problem and I'll put the fix in the next release version I build (due about 45 days from now)
- Thanks, I'll wait for the update
45 days later
- Hey, the problem is still here after the update!
- Oh dear! Because my email server has deleted all of our previous correspondence, you'll have to give me ALL the details again!
As I said, thankfully that doesn't happen since we don't delete emails, but I often find myself referencing emails MONTHS after the fact, even when I originally never had any expectation to be looking at them again (so you can't really say, "if it was important, back it up", because I simply DON'T KNOW what's important until it crops up again)
My book about LSD and Self-Discovery
Also on facebook as: DroppingAcidDaleBewan
Hi. Use a product like FileNet Email Manager. Note that this is *NOT* an archive tool...it's a management tool that is designed to store/save your IMPORTANT emails and not the junk like "hey let's do lunch" emails. Using a tool like this IN ADDITION to your 180 day Nuke policy is great...Email Manager saves all the important emails and your 180-day policy nukes all the junk ones. It's a great tool and works with Exchange. http://www-306.ibm.com/software/data/content-management/filenet-email-manager/features.html?S_CMP=rnav Enjoy! -Fred
It's not unreasonable in such a litigious society.
In a litigious society, wouldn't it be best to save all of your email, so you can use it to protect yourself in court?
If you're deleting all your email, then the only evidence that will come out in court will be from the people suing you.
Many times the most damning evidence is your own email. ( "Fred, the folks in accounting say that delays in production will cost more than the wrongful death lawsuits. So forget about re-designing the gas tank." ) Your own email can be used to prove things like knowledge and intent, which can greatly increase your liability.
The best way is to have an official policy that email is deleted as soon as is reasonable, probably just a few months. But have an unofficial policy that all email is saved forever.
One guy buys disks with cash and makes copies after hours and stores them off site. ( This guy is probably a corporate officer with lots of stock options. )
Then, when you are sued, you can have your lawyer look at the email and decide if it helps your cause or hurts it. If it hurts, you destroy the disks - which is easy since they never officially existed. If it helps, you 'accidentally' find an old disk that someone 'forgot' to destroy.
"If you think I'm going to sacrifice myself on the altar of blind obedience to authority, you are naive."
Yeah, sure, it's much better to be sacrificed yourself on the altar of the "but I did it for the good of the company" when it's discovered you are breaking company policies on a bad day.
"Here's a better example, and one which would have happened if my company deleted emails (which they don't):"
Yours is quite a different situation. I am by no means saying that deleting so much useful e-mail is intelligent, nor that it should be a "company policy", but that *if* that's the policy there's no good, neither immediate nor long term, in breaking it (on the short term you are exposing yourself to be fired; on the long term, since everything seems to be working as expected, it must be that the policy was a good one, opening the door for the next stupid policy to be pushed from management).
My policy is read the damned email then delete it. If it has something important in it, I put it in my calendar or contacts or I do what the email is requiring to be done. Is that really hard? People who hoard email aren't half as important as they think they are.
2. Comply with the above regulations because it is the ethical thing to do.
Changing my password every 60 days instead of every 90 days is ethical???
What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?
Here's a completely unrealistic thought: Stop breaking the law. Fire everyone who sends email suggesting that the company break the law.
I know, I know - no company of any reasonable size can really be expected to not break the law. Well, that either means the laws are too strict, or that hiring scofflaws has become acceptable as long as they bring cashflow in the door, or the competition are all breaking the law and so you have to in order to stay alive. (I'd say it's some of all three) So, tell me: How much effort does your company make to get the laws fixed, or to change the attitude that nothing is wrong if it makes money (aka sociopathy/psychopathy), or to make the competition stop breaking the law? What is your company doing to save our nation from this problem?
It's not their job? Bullshit. If they want to operate in my nation, share in the staggering abundance that we are capable of achieving, they better goddam well start thinking that advancing the nation is part of their core mission. Show a little respect for the environment that makes it possible for them to operate. I'm not telling them which way to solve the problem, that's for the company to decide - but they can't just abdicate the responsibility. We are losing the nation and it is the fault of this "it's not my problem" attitude. Fuck that.
OK, I admit it - I'm being a little facetious; but isn't there a bigger problem here than figuring out how to make sure you don't get caught? Isn't there some sense to what I just said? We've got to start somewhere; we're losing it.
Stop-Prism.org: Opt Out of Surveillance
As for the business case issue, many other posters have it right as well. Be sure this is something you want to do, as it can work for or against you later. If you have any personal email coming in via work, start changing email addresses as well.
You missed the point -- I'm not saying that an email server isn't the appropriate place to store email. I'm saying that email isn't the appropriate place to publish and transfer data that will be needed for a long period of time.
Conformity is the jailer of freedom and enemy of growth. -JFK
My company set up exactly the same email retention policy about 6 months ago. I either drag/drop the emails into a temp desktop folder until I get time to file them where they need to go. I also set up rules that forward a copy of any incoming AND outgoing mail to a special gmail account, which I then sync to my Windows machine at home. I often remote desktop into my machine at home because I know it's going to be much faster to search.
In any case, having old email around saves us 10x more than it would hurt us.
Information on problems that need to be fixed should be stored in a bug/request tracker, which would not only allow you to reference it later, but also give access to other people so that they can do it, and keep the other person updated on what's happening.
It'll also make it a lot easier to be able to say "actually, that won't go into the next release, because we've already got more work than we can do. Here, look at this report to verify it if you like"
On the grounds that you think that it's your e-mail, because you wrote it, I assume you also believe that anything you produce during work time is also yours.
So, why not just go straight to the client and ask if they want it at a discounted rate for working direct with you, and you'll get them off having to pay your employer, because the product is yours anyway.
One of the problems with e-mail is that employees can have casual conversations about something that can later be taken out of context. For example, two engineers talk about a procedure that is really stupid and doesn't mean anything. Five years later, lawyers perform a "discovery" and find "evidence" that engineers didn't take procedures seriously. Now they can sue. The problem with saving some of your e-mail is that the lawyers can claim that you deleted incriminating e-mail and only saved e-mail that proved your side of the story. The answer to that is have a consistent policy where all e-mail is deleted after some time. 180 days seems awfully short, 1 year seems more appropriate, but I guess it depends on what kind of business you are in.
A policy such as this is likely to be interpreted as willful destruction of potential evidence in a jury trial. A purge policy should be (sound like it is) based on storage, not legal issues. If the decision hasn't been run past the lawyers, you should refuse to carry it out on the basis that you are not certain it is legal.
If I were a supervisor working at the company, giving annual reviews of my subordinates, I would need to be able to access emails to demonstrate their performance. Otherwise it would be hard to give a good raise to my best employees and warnings to my poor performers.
How often do they intend to do the purges? A shorter retention span necessitates a more frequent purge = greater cost.
The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
Caveat: IANAL, but I used to work as a consultant for a company that helped with retention policies and the like. From what I recall, just deciding to delete all email over 180 days does not comprise a decent retention policy. I believe you are expected to keep all emails that contain data related to the conduct of your business for a reasonable period of time, and sometimes (depending on the industry) for specific periods of time.
There is a short summary for small businesses here:
http://www.nfib.com/object/IO_21047.html
You for sure and certain want to read through the Sarbanes-Oxley legislation if you are in the US:
http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
Yes, deleting your email after a fixed period of time and consistently following that practice can be considered an Email Retention policy, but the one point I recall hearing hammered home was that "30/60/90 is not a retention policy" (referring to stages of retaining emails). If I recall correctly the consensus was that email should be retained for varying lengths of time based on the importance of the contents and that some mail should be kept indefinitely depending on legislation and subject matter.
If you get hit with a lawsuit and during the discovery phase of the trial are unable to produce critical email because you had a policy of just deleting it after X days, the Judge may tend to favor the other side on the assumption that you did so deliberately. You should really consult with a legal firm that specializes in crafting suitable retention policies rather than just adopting a blanket policy like that. In my unqualified opinion, just adopting a blanket policy of deleting all email content, regardless of content, after X days might imply to a judge that your company really didn't give it adequate thought and the relatively short period might imply that you thought email might contain incriminating content you preferred to hide. Remember that the company who sues you will most likely retain those emails longer than you, giving the impression you were nervous about the email's content when you deleted it.
If a company corresponds with another company via email, and in the course of doing so uses an email message to reach a business agreement, that email is I believe considered a legal document. If you go ahead and do the work but are unable to produce the agreement to do so down the road, you might end up unpaid at the least. If things go badly you might end up liable for damages etc. Business email should not be casually deleted. Your retention policy should, I believe, differentiate between unimportant email that doesn't deal with business matters, moderately important stuff that you might want to retain, and important correspondence that you will want to keep until long after it's relevant.
Here is the company I was associated with. I am sure they are not the only ones you can talk to, but they might be a good place to start:
http://www.cohasset.com/
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
avging 75% on barbri studysmart qs. am more worried about ny essays and ny multiple choice. MPT will be a breeze. (and just picked up a PMBR book today) -- blue or red? (these are old pre-lawsuit pmbr)
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
It's hard enough to ensure that your servers get backed up, I manage multiple corporate networks and I don't back up any of the workstations on any of them. None of my network users have the ability to view the local hard drives, they can't save to them, there is no caching on the Outlook clients, ALL profile information is not only set up with roaming, but uses folder redirection, I don't have to worry about out of sync systems in regards to roaming profiles and there is never any personal (or company sensitive) information on a computer.
If a computer malfunctions or starts acting up with this method I can swap it out quickly or just initiate a reload from a stored image on the network. In fact, as a policy, ALL of my workstations are reloaded with a new image once per year to ensure that all workstations are running the current versions of programs and that any fixes are implemented across the whole company.
I can't imagine having to actually take into consideration what users may have stored locally. Screw that.
+++ATH0 NO CARRIER
At least in that example, the problem is that it isn't the product that is harmful, the act of hopping on one foot in the shower is. If that original email were real it would probably have been a joke about how safe the product is, and not an admission of a dangerous design flaw.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
Email Rule #1: Never put anything in email that you don't want somebody else's lawyer holding up in court.
Email retention policies are an attempt to mitigate the damage caused by a violation of Email Rule # 1
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
copy and paste really isn't all that time consuming
Actually it kinda is if you consider that the original poster stated that his employer used Exchange. That means he's using Outlook or Entourage as his mail reader (by necessity) and when you cut & paste from those apps you don't get the e-mail headers, only the body text. An archived e-mail without Sender, Date, Subject, and Recipient is nearly useless.
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
Now that is something new.
If there is something important in an email you document it somewhere else where you are following up a project or regular relationship and move the email out of the way.
email was not designed for this in all honesty.
IANAL but write like a drunk one.
I know you don't care, but if someone high up wrote that email, it indicates that the use of the webelfetzer 1000 in the shower while hopping up and down on one foot was foreseeable.
Unless they intended the example of using it in the shower while hopping on one foot as an absurdity to indicate that consumer injury won't happen.
Legal reasoning like you present is why we have the incredibly stupid warnings on everything like "Kill'em Dead Rat Poison...CAUTION: harmful if swallowed".
Don't use retention, get rid of it and make that your policy.
It's the cheapest and safest way to deal with email.
You should have a contract for anything truly important.
The Kruger Dunning explains most post on
Changing my password every 60 days instead of every 90 days is ethical???
Following the regulations because they are law is ethical business practice. I am not debating the studies for and against the IT security policies outlined in any of these agreements, including the debate over password complexity, length, and maximum age.
I realize that you have never read a single treatise on Tort law and are just pulling things out of your ass; I am attempting to explain to you how strict products liability works. In your now-revised hypo, then no, they couldn't use the email as to liability. If the email said "gee, the only way someone could EVER get hurt was if they did this ridiculously absurd and IMPOSSIBLE thing" and the thing was indeed absurd, they wouldn't recover. But otherwise, the injury WAS foreseeable. Your hypo just changed. If you'd like, I can try to explain this to you offline, but considering I've actually gone to law school and you're already giving me the "legal reasoning like you present is blah blah blah." Just because you don't understand 500 years of common law doesn't mean it's wrong.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
This is in one of my areas of practice and you raise a valid point. As a beginning: 1) 6 months seems a bit short for all emails. 2) If your company is smart enough to control PSTs, then it is possible the email is being archived according to a valid records retention schedule or they really have other legitimate reasons for taking an aggressive approach to email deletion. On the other hand, simply leaving it up to employees to convert "important emails" into Word documents would not likely protect them in court as a clear-cut and reasonable policy that was consistently enforced company-wide. Nobody has given you a clear-cut best practice because it doesn't exist; otherwise you could probably buy it at Walmart or at least find a reasonable download. This is because every organization's policy must be reasonable considering the legal, business and technology that is available to them in their particular industry. So different industries have different standards and rules to follow. The worst flaw in your company's Email Retention Policy, as you describe it, is what happens when a government or official investigation is started, or a lawsuit is brought by or against your company? Now a legal hold must be placed on the email... and your Word documents so nothing can be deleted or altered... wonder if they will have the storage space and tools necessary to deal with holding all potentially discoverable emails for 3-5 years... instead of 6 months???
If "large organization" means a publicly listed company or subsidiary then you may want to draw your management's attention to SOX data retention requirements, and the potential criminal penalties for data destruction.
Some links:
- http://digg.com/security/E_Mail_Retention_Sarbanes_Oxley_White_Paper
- http://www.creditworthy.com/3jm/articles/cw90507.html
- http://www.soxfirst.com/50226711/email_retention_the_legal_chernobyl.php
Even if you don't have to be SOX compliant there are various other laws and precedents (see the last link) that should make you want to KEEP e-mail records rather than destroying them, unless you are actively and purposefully involved in criminal activity.
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
How about government butting out of how I log into my computer? That would be ethical.
If you're VBA (or vbscript) savvy, it's a fairly trivial exercise to write a macro to save off a copy of every incoming and outgoing email as a file on your hard drive. There are quite a few examples on the web, which I'm sure you can google.
Actually, you have little if any idea what I have or have not studied. Note that my "revised" hypo did not add or subtract any presented evidence whatsoever, it is simply a perfectly reasonable interpretation of exactly what you presented. That is, I changed only the conjecture. Given that hopping about in the shower is one of the things our parents warn us about as young children (right up there with talking to strangers and jumping down the stairs), I'd say my interpretation is the more justifiable one.
If you found an email outlining that the use of the webelfetzer might lead an otherwise reasonable person to hop about in the shower, you might have something worthwhile.
Otherwise, proper legal reasoning would be that the webelfetzer 1000 was only incidentally involved in the incident since hopping on one foot in the shower while encumbered with any random object (or even unencumbered) is a well known invitation to injury. Before you say that's for the court to work out, consider that litigation is never cheap and the courts really have better things to spend time and money on.
The foreseeability of human stupidity should not make a legal claim, only the foreseeability of a reasonable person's behaviour and expectations. After all, I can well imagine idiots doing all sorts of things no reasonable person would do and I'm cynical (read experienced) enough to feel certain that somewhere in the world some id10t has actually done most of them. I can think of way more such stupidities than would fit in a set of encyclopedias. Such "gems" might include cracking walnuts with the butt of a gun, trimming hedges with a lawnmower (that really happened!), cleaning earwax with an awl, attempting to shoot stuck lugnuts off (also happened), attempting to resolve knee pain by shooting it (again, real), etc.
I am all too aware that that's not how law is practiced in the U.S. today.
I do find it somewhat amusing that you would castigate a studied layman for presenting an opinion on common law given that it was derived from the administration of law by studied laymen. That is, in the history of law, the specialist educated specifically in the practice of law (professional lawyers) is a relatively recent invention.
Given that you're likely a recent graduate of law school, you have a lot of theoretical knowledge fresh in your mind, but it's worth considering that anyone who has ever been involved in running a business probably has far more PRACTICAL knowledge of the law and its effects than you do.
You have confused strict product liability with negligence. If the suit sounds in strict product liability, then the email will screw the company. [The plaintiff still has to make a prima facie case for strict liability.] If the suit sounds in negligence, it won't make one bit of difference if the email existed or not. Negligence suits will depend on the reasonableness of the id10t's behavior. [Assuming you're in a contributory negligence jurisdiction rather than a comparative negligence one] Under Strict Products liability, all foreseeable behavior -- no matter how unreasonable -- must be dealt with. Never mind that strict products liability will be nearly impossible to get unless the webelfetzer was defective in the first place. The point is, that email will screw the company if in fact the product was defective, i.e. company loses if the email says "I know that under these conditions our product will break because of a defect in our manufacturing process, but no one would ever be stupid enough to do that" -- and then someone IS stupid enough to do that.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
Only then can you escape the rigors of the Exchange Server limitations.
--- He advocated thrift and hard work and disapproved of loose women who turned him down. ---
If the suit sounds in strict product liability, then the email will screw the company.
Unless the product is a pogo stick that claims never to slip or some sort of helmet claiming to eliminate the possibility of injury or some similarly unlikely product, then even trying to show a case for strict liability is ethically unjustifiable. Again, I realize that's not how current practice works in the U.S.
That is exactly the problem. While there are good cases for strict liability out there, there are far too many that are way "out there" but nevertheless cost many thousands to defend against and sometimes result in crazy damages being awarded.
What I and the OP were getting at is that a policy of deleting old emails may be based on not giving some (too common) lawyers enough excuse to waste everyone's time and money trying to turn a moment of stupidity into winning the lottery rather than on ducking out of a legitimate liability.
I am expanding upon that point with the idea that the patently silly warnings on common products are also a result of the abuse of strict liability.
While I am sympathetic to the idea that strict liability places the social burden (more or less) on those better able to bear it, it is subject to high levels of abuse and also has a tendency to place the burden on smaller companies that cannot bear it at all. It also tends to reward stupidity far too often. All of this is much more appropriately addressed by a social welfare system.
In English common law we have this marvellous word "reasonable". If your legal system is fucked, that's tough, but you really think the answer to a system that can make anyone a criminal is to have everyone ACT like a criminal?? Only in America.
Everything I needed to know about life, I learnt from Blake's Seven
Your first statement conflates false advertising and express warranty with strict liability. If a company says "our product does x" but it doesn't in fact, do X, they may be liable. (Example: Our product is microwave safe. You put it in the microwave. It blows up. Company is going to lose)
Strict liability is when there is an actual defect in the product itself, i.e. a structural weakness or improper design. In those instances (when you've made a mistake in the construction/design of a product that a "reasonable manufacturer" should not have made) you are held liable so long as the use was foreseeable. Foreseeability includes accidents etc. So for things like a mower blade detaching when the mower is lifted to trim a hedge, the same blade would also detach if -- for example -- the user tripped while mowing the lawn and pulled the mower onto its side. Generally, when you see people that have done stupid things getting compensated, it's because there is a similar non-stupid use of the product in which the same defect will cause an injury. [We do not wait for the non-stupid use to actually HAPPEN if the stupid use occurs first] Is this a better explanation?
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
I'm not sure how that relates in any way to my comment.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
As the size of e-mail archives swells, corporations can take steps to manage and reduce the volume of what they retain. --Ben http://hack-igations.blogspot.com/2008/04/reducing-volume-of-e-mail-archives.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
Select All, drag to a folder in Explorer. Folder now contains a bunch of msg files that can be read by Outlook.
Email transmissions often are considered to be "records" of an organization. Thus, they are subject to that organization's compliance requirements.....regulatory, statutory, and are subject to court-related discovery requirements. Merely deleting emails based on age is... how might one put it... "stupid, stupid, stupid" and can often lead to some rather unpleasant consequences in court. I'd recommend that you refer whoever the misguided souls who developed this policy might be to ARMA International (http://www.arma.org) where they can learn a bit more about how emails should be "declared" to be records or determined not to be records, and then retained according to that organization's records retention requirements. doug
The confusion there was probably just my engineer's perspective. If a product won't do what it's supposed to do, it is a design or manufacturing flaw. The distinction between that and marketing claiming something the designers never considered would be hard for a potential plaintiff to know until you get into discovery.
I was presuming that the product would have been designed (perhaps badly) for the advertised capabilities.
The initial confusion is still the unlikelihood that any sort of design flaw in any product might actually contribute to a slip and fall while hopping in the shower in any relevant way. I named the very few (difficult to imagine) possible ways.
That is, the imagined id10t was hopping about in the shower while holding an object. The most reasonable conclusion would be that doing that while holding any object at all (or even no object) would have been the same slip, fall, and consequent injury. That's why we shouldn't hop around in the shower!
The only way I can imagine the manufacturer being in any way ethically responsible would be if they somehow said or did something that would lead a reasonable person to believe their product would make hopping in the shower safe.
If the product malfunctioned and delivered an electric shock (for example) to the plaintiff causing his fall and it should reasonably be expected to be safe to operate when wet and being jostled, it would be a different matter, but that requires several assumptions not presented in the original scenario.
To get more concrete, if the device was a hermetically sealed LED shake light, no number of humorous comments about crazy and stupid activities one might (but obviously shouldn't) partake in while holding the device (including jumping in the shower to shake it, using a high voltage transmission wire as a tightrope at night, convincing a lion to swallow it so he'll glow in the dark, etc) should ethically be construed as reasonably foreseeing the injury. Such jokes would abound if safety questions were asked of the engineers (since it's just a flashlight and being sealed, isn't even as "hazardous" as a regular flashlight). A prudent company might well want those joke emails to go away exactly to avoid having to go to court and have a very expensive version of our conversation in front of a judge. If they do so, I would consider the measure perfectly ethical and would find the need to do so a sad reality.
Generally, when you see people that have done stupid things getting compensated, it's because there is a similar non-stupid use of the product in which the same defect will cause an injury. [We do not wait for the non-stupid use to actually HAPPEN if the stupid use occurs first] Is this a better explanation?
Generally, yes. However, not always, and you don't have to be found liable to lose in court. Just going at all is expensive.