Are There Any Smart E-mail Retention Policies?
An anonymous reader writes "In an age of litigation and costly discovery obligations, many organizations are embracing policies which call for the forced purging of e-mail in an attempt to limit the organization's exposure to legal risk. I work for a large organization which is about to begin destroying all e-mail older than 180 days. Normally, I would just duck the house-cleaning by archiving my own e-mail to hard-drive or a network folder, but we are a Microsoft shop and the Exchange e-mail server is configured to deny all attempts to copy data to an off-line personal folder (.PST file). The organization's policy unhelpfully recommends that 'really important' e-mails be saved as Word documents. Is anybody doing this right? What do Slashdot readers suggest for a large company that needs to balance legal risks against the daily information and communication needs of its staff?"
Way to be a jerk. Slashdot isn't only about the latest iPhone release, or patent trolling. It's about everything technical, and this is a good question.
If your org's Exchange server has its IMAP connector enabled, you can use a different client that doesn't follow the commands of the Exchange server to pull emails, but it sounds to me like your org is smarter than that.
Even if Ask Slashdot articles like this aren't "news for nerds", they're still (supposed to be) "stuff that matters" related to information technology.
I'm a big fan of plain text email, and copy and paste really isn't all that time consuming if I were forced to save anything worth saving for longer than 180 days.
On the Oregon Coast born and raised, on the beach is where I spent most of my days
The end result of all the bullshit lawyers try to shove on people who actually produce things for a living is the same. We route around it. This policy will cause people to use webmail, alternative email clients, IM, and other technologies to get on with getting work done, while the lawyers remain blissfully ignorant.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Print every email you get. I'm sure it won't affect your bonus.
Cheating, as the author suggests, is a bad idea. The company is doing this for a reason... to protect themselves from extra BS when they get sued.
If you don't want to have to go through that extra BS (believe me, you don't) and/or you don't want your company or yourself getting in even more legal trouble when they deny something exists (because it shouldn't according to their policy) when it really does (because you didn't follow the policy) then don't be an ass. Do what they tell you like a good little minion.
Worked really well for Media Defender.
It isn't just about breaking the law. Someone sends an email to a coworker, telling them "I suppose that if someone is using our Webelfetzer 1000 while hopping up and down on one foot in the shower, they might slip, and bang their head," and then a year later someone is using a Webelfetzer 1000 while hopping up and down on one foot in the shower, and they slip and bang their head, and sue, and their lawyer finds the old email, and screams: "See! You knew this was a threat, and you didn't warn anybody!" and then doubles the damages they're asking for.
Seriously.
Let the 180 day limit on email remain as 'someone else's problem'. How many times do you really need to get an email six months old? You'll end up with a cleaner, faster and less stressful mailbox.
Of course, there may be the odd email you need, so every week why not look at the oldest week's worth of mail in your mailbox, and anything you REALLY have to keep, just forward it to yourself. Then it will stay in your mailbox for another 180 days. But try to only forward the things that are vital.
Of course you may be able to forward to an offsite mail account, but I'm assuming that isn't allowed. No company is going to restrict you from forwarding emails to your own company account.
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
Destroying e-mail - something that used to be a good idea - can now be a crime even absent an active criminal investigation. For firms affected by Sarbanes-Oxley, you'd better comply with e-mail retention rules.
And for those of you libertarian-for-yourself, statist-for-big-companies types out there, this is what happens when the government pokes its nose into regulating business; they don't just make Microsoft's life miserable. All aspects of life and business will be intruded upon. That's just how Big Nanny works.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Retain (store) email just long enough to forward it on to the destination server.
The higher the technology, the sharper that two-edged sword.
I tend to see e-mail as something you use for temporary exchange of messages and tasks/information held therein, not something to be used to archive material.
I'd argue the company's policy isn't actually far wrong, surely anything over about 180 days is something that is more suited to permanent archiving anyway?
I'll admit that when I was working in tech support and I had our corporate Microsoft keys e-mailed to me, I kept them in my personal folders for a couple of years, but realistically I have to admit I think these would be better placed in an information repository suited to more permanent storage of information.
The company does then of course run the risk of people storing data that puts them at legal risk in that information repository instead however!
I'm not sure though that there are many circumstances where an e-mail client needs to act as a long term information store. I find it's generally the case that if you need to store it for a long while, it'll almost certainly be something that others in your company will need access to should you get hit by a bus tomorrow and as such, maybe shared folders (with appropriate permissions) are a better choice than personal folders?
You left out something very important. Is your large company publicly traded in the US? If yes, it could be looking at violations of Sarbanes-Oxley if they really are purging (and not retaining) e-mail "in an attempt to limit the organization's exposure to legal risk."
But that is likely not the case. It is more likely the company is trying to limit the amount of data stored on its Exchange system. Adding storage and additional backup capacity is expensive. Implementing a policy that requires end users to keep the size of their mailboxes down does not work, because many people insist they need every bit of those six years of archived e-mail; people use e-mail as much for CYA as for doing real business. So, this solution was selected. If it really is important, make the end users do some work to keep it and don't force the company to re-architect its storage system to keep years of CYA and personal mail.
That email belongs to the company, not you. As someone who accumulates 90% of his work stress from dealing with employee email usage atrocities (please don't email an mp3 mix cd image to 150 of your closest friends from your workstation, kthx), let me tell you what's wrong with your plan.
It's company property, governed by the policy in place for whatever reason. Feel free to violate the policy if you don't want your job.
Not to mention what will happen if it comes to light that you are violating policy during a discovery procedure, especially if it comes to light because you brilliantly decided to forward critical confidential company correspondence to somewhere like a Gmail account.
Brilliant. Really. Good luck finding a job after that.
The IT staff at my former employer saved copies of all email that went through the server... indefinitely. No, they didn't tell employees they were doing it. And yes, they had a search engine so they could do across the board searches of whatever terms seemed interesting at the time.
I find it interesting that different companies are going to different extremes. Some are limiting their exposure by trying to delete all mail and others are saving all mail in order to be able to comply with court orders (or perhaps just to get a bit big brother-ish).
For a REALLY strange twist, the company I'm speaking of forced employees to maintain mailboxes under 100MB... while the server admins never deleted a single email that hit the server.
A couple of 30-somethings embark on the ultimate roadtrip
A balance needs to be struck between the negatives of two strategies:
* Perpetual archiving of e-mail - wastes server disk space, increases tape backup volume, and (more notoriously) can leave "clues" that predatory litigators salivate over.
* Non-archival of e-mail - internal accusations and decisions can't be resolved, difficult to track decisions and their history, circumventable by printing the e-mail with headers.
The solution is as follows:
1. Digest only the final decisions of e-mails and the essential reasoning thereof, or make a digest of the decisions in a collaborative project wiki where buy-in from the stakeholders can be tracked.
2a. Upon project completion (ISO9000-type project gating), archive all project files, documentation and essential digest e-mails.
2b. Simultaneously destroy all other e-mails using secure forensically-unrecoverable techniques to prevent accidental recovery by thieves.
3. Any other e-mails regarding general architectural or administrative decisions which have implications for future development in the company should be digested, placed on a company wiki, and then the remainder securely destroyed.
Using this method, any questionable or potentially illegal decisions can be greatly avoided or reduced from a purely legal perspective while retaining sufficient information to continue operations and development. This policy won't end all legal issues, but the key is to have procedures that are centered around the guise of IT efficiency and operational simplicity, to purposely dispel any other alleged intent by third parties that express or imply destruction of future evidence.
I don't know how often I've saved my own can by retrieving an email from someone denying one thing or another or if a project goes south due to additional requests. By demanding that all requests be in written form or in email, I can produce a paper trail of all the requirements for a given project. As developers, we do nothing unless we have an official request. This limits our responsibility when things go over budget or behind schedule.
Deleting emails when a project is over is not necessarily a good idea, either. Patterns of irrational and poorly thought out requests can be produced over a long time period and this can also be used to cover one's caboose or even to give priorities to scope creep during crunch time. If things are going slow and they want some feature added in, we might be more inclined to meet that request. But if we're facing hard deadlines, we can push back and make the requester decide which are the most important features to add.
Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.
Conformity is the jailer of freedom and enemy of growth. -JFK
If the information is important enough to keep around after six months then it should be documented either as a policy or white paper. It seems that what your organization is attempting to do is to limit email to functioning as a communications medium. They don't want your Exchange servers to be an information repository. I can see the logic in what they are doing. In all seriousness if you haven't acted on information in an email in six months it either wasn't that important, or you're not staying on top of your responsibility. If it is information that needs to be kept because it is integral to the functioning of your department then there are better places than email to keep that information.
My company has been doing this for years, but our policy is only 90 days. I do go ahead and copy any 'really important' emails into OpenOffice documents, but these are few and far between.
I find that the best way to get policies changed is to emphasize their faults. When my company started docking pay for not submitting a change request to reboot a broken production server, I basically started submitting change requests every time I had to take a shit. This policy hasn't changed yet, but I guarantee it will.
Let the emails get deleted. Don't go out of your way to save them if it isn't immediately obvious to do so. When my emails go missing and I need them, I let the management know 'the retention policy ate it'. Whether they like the excuse or not, it's a fact that the missing information is not my fault, and this will hold up in court if I ever have to sue for unlawful termination.
It's a job. I'm paid to do it. If I have to re-do work as a result of something like this, I'll get paid just as much the second time as I did the first. *shrug*
'Information that might help an opponent' and 'Information that might help a coworker, ally, employer' are both likely to be present in those e-mails. Only the first of these excites fear, uncertainty, doubt, and only the first is being carefully considered by the policymakers in this case. They're deluded. Don't buy stock, and keep your resume updated.
Yes. I save them in notepad.
What?
Violations of company policy are not criminal offenses.
My hovercraft is full of eels.
Are there any good retention policies out there? No. The good retention policy is to save what you need, delete what you don't. Which is not a policy at all.
What would I recommend for a corporation? Don't use e-mail at all. If you refuse to follow that advice, use a system that deletes on first read and cannot be used to create copies (harder than it seems).
There are several reasons for keeping mail. At the top of everyone's list is self-preservation. It's important to be able to prove that this or that decision was made for these reasons or that so-and-so really did tell you to do whatever. This is necessary because in the modern corporate ethos, the employees and shareholders take all the risks and senior management reaps all the gains. Everyone needs protection. But it probably won't help you.
Another, better, reason is the reason writing was invented in the first place: to recall past events and information not held in one's memory. This is where the "right policy" really shines. Unfortunately, anything worth keeping is also worth a subpoena when someone decides to fuck with you (or your company, but remember that companies do not suffer, their employees and shareholders suffer; if something you wrote, or kept, harms "the company" you can bet it will end up harming you a lot more). So short of obliterating most of the civil law on the books today, we're back to keeping nothing. You as an individual stand to lose your life (if you lose your job and are blackballed, you will die or wish you had). But as always most of the gains from saving mail accrue to senior management in the form of better corporate performance and higher pay. You have no personal incentive to save anything unless you are preparing for a wrongful termination lawsuit. In that case I hope you have printouts, because the mail your lawyer subpoenas probably won't be there no matter what any "policy" says.
Cynical? Sure I am. But that's just the way it goes. The wise employee does not commit to writing anything of any conceivable value or interest. If it's worth saying, it's worth saying in a hallway conversation. If it needs to be written down, be sure your name does not end up on it. Then you don't need to care what senior management is telling you to retain or purge. And if you need some piece of information you would have had if you'd saved everything, just wing it. You would not have received any incremental benefit from doing your job better and you're going to take the fall when things go wrong no matter what you do, so you might as well not bother. Get as much money out of them in the meantime as you can, and protect it from debasement by converting it into gold and silver. Then when the system inevitably flushes you out, you'll have something to survive on.
Being an employee is like buying bonds. In the best case, you get a small fixed income stream for a while. In the worst case, you get nothing. There is no upside. There is nothing to strive for or invest yourself in. But unlike the bond market, where you can buy CDSs, there is nothing you can do to protect yourself from your employer. Since you can't help yourself and have no incentive to help your employer, the best thing to do is muddle along, keep your head down, and do everything you can to avoid being noticed. Not bothering to write anything down is just one example of this approach. In this way you may survive until macroeconomic conditions inevitably make "painful decisions" necessary for senior management, better known as cancelling your employment and wishing you the best of luck somewhere else while cancelling dividends or buybacks (making those shares and options they insisted you accept as part of your compensation package worth dramatically less and fucking over the existing shareholders as well). But take comfort - your beloved senior managers are safe and secure no matter what happens; even if the company folds they took home enough in their first year of work to live on for life. Doesn't that make you feel better?
As an attorney who practices e-discovery, I can tell you that any company which implements the policy described above better hope to god they never find themselves embroiled in multi-state class action litigation. Sooner or later, they will run into a judge who views the destruction of evidence for the express purpose of avoiding liability as a bad thing and they will lose the case. A policy designed to protect the company from litigious plaintiffs will have the opposite result and create huge awards for the plaintiffs. If you work for a large company which has been sued in major litigation, you should probably assume that all of your e-mails will be read by an attorney at some point and write your e-mails accordingly.
My company gets a lot of material for jobs via email. The email gets printed out and attached to a carbonless job form. The details from the email are written on the job form (plus extra details we need to do the job). When the job is done, this paper monstrosity is sent to billing, including the email. On top of this we want to search the details of the job, so we scan the docket into the computer after the job is done. We scan the email as well. So what started out as 8KB of text ends up as 300KB-800KB of images, with a lot of extra work in between. Never underestimate the power of business to create work.
I am sorry as hell to put it like this, but I have seen basically 80% of the responses stating that you should break the policy, ignore the policy, inane comments like "don't work for criminals", or that the legal team is stupid. From a personal perspective, hell yeah, I did not like it. I like to have all the emails I sent so I know I told my boss 8 months ago to go fly a kite or something about a topic, and when he confronts me to say I did not warn him about something: tough. Those that make more than I made the decision and we have to implement it.
.exe files are listed in the host firewall, and if you run one that is not approved, then cyber security pays you a visit. Everyone has approved software, and Thunderbird, Eudora, whatever, are not approved. Since we only have IE, it is managed through AD to be forced through a proxy which does not allow any of the webmail sites. Why, you ask? Well, let's see: we have now fired four people since I have been with the company for sending private company info via webmail accounts to other customers to give them more money, etc.
Okay, having implemented one of these as someone on a cyber security team, I know first hand what goes on behind the scenes. Our company implemented one of these projects: 180 day retention for USER email boxes. If you need to keep something for retention purposes, you have a DL set up which does not have the same rules and which a few team members have access to. Simple. If you need it after six months, every desktop has a PDF writer (the free CutePDF) and they can print it and save it.
Now
So at my company - just so you know. All
So let's see, what else. Oh yes, all emails are scanned incoming and outgoing to validate compliance with corporate policies. So no "autoforward" rules in Outlook to forward any mail you get to your Gmail account (and all popular web and ISP accounts are blocked as well). Our company takes it that it is a place of business, not a place to deal with external distractions. You can call someone if you want to talk to them; just don't email them.
So why, you ask, do we go to these extremes? We have to. Government regulations on our business. Several people have access to information that requires government clearances, and we get bent over a barrel when any of that goes out the door. Does it work? Yes. Do people like it? Well, they have gotten used to it (we implemented it 4 years ago). The VP with 9 GB of mail was pretty pissed for a while, but realized his life was much easier.
Just to let you know, for those of you pansies saying to let it all go free and don't work for criminals, etc.: a company is never the criminal; it is the people in the company that are the criminals. So restricting the people that are potential criminals removes that temptation and will allow you to do your job more effectively.
Last point. I know the next logical point most people bring up in this argument, which is to hire better people if we are firing people that have done things wrong. Every person, before they get hired, has a criminal background check, and over 80% of our company had at least "classified" level government clearance. So the government trusts them, and they had the skills to get into the job and the temperament to get along with the people at the company. They were still fired for doing something like selling one company's info to another, even with all the things in place.
You cannot change human behavior, but you can try to circumvent it so that it is an overt act, and then it is something they willingly did, and then you can throw the book at them for doing it because it was premeditated.
The purpose of the policy is to protect the company. This may be from litigation or from the cost of a fishing expedition -- think of the cost of having to pull everyone's every email *from backup*. Discovery permits the lawyers to go through your every backup because there just might be an email in there that proves their case and you might have deleted it.
If you have a policy that is generally followed that states when emails are deleted, you save yourself a lot of grief. But. You also need to have a process to stop this regular deletion if a court action is started or management has good reason to believe one is coming.
If you are in an environment where a six month old email saves you serious grief, it may be time to look for another job. I have been there and it always turns ugly. Being able to prove you are not at fault is not the same as proving you are right or to be trusted. Which is a drag, but nonetheless the case.
A good retention policy balances the business needs for retaining emails (which usually does not take CYA into account), regulations (like SOX and PCI and GLBA), and technology costs and efficiencies. A bad one picks a number out of a hat and flails. If the policy doesn't make sense, you could politely ask whether you could please have an exception. Policies are supposed to include exception processes.
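One way to implement the combination this comment describes, a fixed retention window with a litigation-hold process that stops regular deletion for affected custodians or matters. This is an added example, not code from the thread or from any product; the custodians, holds and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

RETENTION_DAYS = 180  # the 180-day window discussed in the thread


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str                              # mailbox owner
    received: date
    matter_tags: FrozenSet[str] = frozenset()   # matter/project labels stamped by the mail system


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    issued: date
    custodians: FrozenSet[str] = frozenset()    # whole mailboxes frozen
    matter_tags: FrozenSet[str] = frozenset()   # or only mail tagged with these matters
    released: Optional[date] = None             # None while the hold is still active


def hold_applies(msg: Message, hold: LegalHold, today: date) -> bool:
    """True if this hold blocks deletion of msg as of today."""
    if hold.issued > today:
        return False
    if hold.released is not None and hold.released <= today:
        return False  # hold has been lifted; normal retention resumes
    if msg.custodian in hold.custodians:
        return True
    return bool(msg.matter_tags & hold.matter_tags)


def plan_purge(messages: List[Message], holds: List[LegalHold], today: date,
               retention_days: int = RETENTION_DAYS) -> Tuple[List[str], List[str], List[str]]:
    """Return (ids to purge, ids retained by a hold, audit lines).

    Only mail older than the retention window is considered at all; the audit
    trail records why each candidate was kept or purged.
    """
    cutoff = today - timedelta(days=retention_days)
    purge, held, audit = [], [], []
    for m in messages:
        if m.received > cutoff:
            continue  # still inside the retention window; untouched
        blocking = [h.hold_id for h in holds if hold_applies(m, h, today)]
        age = (today - m.received).days
        if blocking:
            held.append(m.msg_id)
            audit.append(f"{today} RETAIN {m.msg_id} age={age}d holds={','.join(blocking)}")
        else:
            purge.append(m.msg_id)
            audit.append(f"{today} PURGE {m.msg_id} age={age}d")
    return purge, held, audit


# Constructed sample data (not from the thread).
TODAY = date(2024, 6, 30)
SAMPLE_MESSAGES = [
    Message("m1", "alice", date(2023, 11, 15)),
    Message("m2", "bob", date(2023, 12, 1)),
    Message("m3", "carol", date(2023, 10, 20), frozenset({"matter-42"})),
    Message("m4", "alice", date(2024, 3, 10)),   # inside the window, never a candidate
    Message("m5", "dave", date(2023, 9, 1)),
]
SAMPLE_HOLDS = [
    LegalHold("H1", date(2024, 2, 1), custodians=frozenset({"bob"})),
    LegalHold("H2", date(2023, 12, 15), matter_tags=frozenset({"matter-42"})),
    LegalHold("H3", date(2024, 1, 10), custodians=frozenset({"dave"}),
              released=date(2024, 5, 1)),        # lifted: dave's old mail purges again
]


def run_sample() -> Tuple[List[str], List[str], List[str]]:
    return plan_purge(SAMPLE_MESSAGES, SAMPLE_HOLDS, TODAY)


if __name__ == "__main__":
    purge, held, audit = run_sample()
    print("\n".join(audit))
```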
Email != a document repository. If you need to keep something, print as a PDF or store it somewhere more appropriate.
I disagree.
Once you remove email from the mail server, you lose quite a bit of its (informational) value.
* the header information is lost.
That includes information like:
* when
* from who
* who else got the email
* the text and attachments tend to get separated
* you tend to lose the ability to view the emails in various useful ways.
e.g. threaded view, so you can view an entire 'conversation'
Any system that doesn't lose this information is effectively a mail server (probably without the ability to send / receive emails), so why bother with another system?
In my opinion, an email server is the appropriate place to store emails. Anything else is a very poor second best.
NB. A lot of document management software can search / index your mail server, so it is logically part of your document system. You can sometimes 'import' emails directly into these systems, but that tends to be slow and clunky (last time I tried it, it was), and really doesn't achieve anything useful.
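To make the point above concrete, here is an added example (not from the thread) that archives raw messages as structured records keeping exactly the things the comment lists as lost by a document export: dates, senders and recipients, attachment names, and the Message-ID/References chain needed to rebuild a conversation. The messages and addresses are constructed.

```python
import email
import json
from email import policy
from typing import Dict, List, Optional

# Constructed sample mailbox (not from the thread): a three-message conversation with one attachment.
RAW_MESSAGES = [
    """\
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Cc: Carol <carol@example.com>
Subject: Webelfetzer 1000 spec
Date: Mon, 01 Apr 2024 09:00:00 +0000
Message-ID: <a1@example.com>
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain; charset="utf-8"

Draft spec attached, please review.
--part-boundary
Content-Type: application/pdf; name="spec.pdf"
Content-Disposition: attachment; filename="spec.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--part-boundary--
""",
    """\
From: Bob <bob@example.com>
To: Alice <alice@example.com>
Subject: Re: Webelfetzer 1000 spec
Date: Mon, 01 Apr 2024 10:30:00 +0000
Message-ID: <b1@example.com>
In-Reply-To: <a1@example.com>
References: <a1@example.com>

Looks fine, one question about section 3.
""",
    """\
From: Carol <carol@example.com>
To: Bob <bob@example.com>, Alice <alice@example.com>
Subject: Re: Webelfetzer 1000 spec
Date: Mon, 01 Apr 2024 11:45:00 +0000
Message-ID: <c1@example.com>
In-Reply-To: <b1@example.com>
References: <a1@example.com> <b1@example.com>

Section 3 is fine as written.
""",
]


def _msgid(value) -> Optional[str]:
    """Normalise a Message-ID-style value to its bracketed form."""
    if value is None:
        return None
    v = str(value).strip()
    return v if v.startswith("<") else f"<{v}>"


def _addrs(msg, name: str) -> List[str]:
    hdr = msg.get(name)
    return [a.addr_spec for a in hdr.addresses] if hdr else []


def archive_record(raw: str) -> Dict:
    """Keep the metadata a 'save as Word' export throws away."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    refs = str(msg.get("References") or "").split()
    date_hdr = msg.get("Date")
    return {
        "message_id": _msgid(msg.get("Message-ID")),
        "in_reply_to": _msgid(msg.get("In-Reply-To")),
        "references": [_msgid(r) for r in refs],
        "date": date_hdr.datetime.isoformat() if date_hdr else None,
        "from": _addrs(msg, "From"),
        "to": _addrs(msg, "To"),
        "cc": _addrs(msg, "Cc"),
        "subject": str(msg.get("Subject", "")),
        "body": body.get_content().strip() if body else "",
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


def build_threads(records: List[Dict]) -> Dict[str, List[str]]:
    """Group records into conversations keyed by the root Message-ID, in date order."""
    threads: Dict[str, List[Dict]] = {}
    for r in records:
        root = r["references"][0] if r["references"] else (r["in_reply_to"] or r["message_id"])
        threads.setdefault(root, []).append(r)
    return {root: [m["message_id"] for m in sorted(ms, key=lambda m: m["date"] or "")]
            for root, ms in threads.items()}


def archive_json(raws: List[str]) -> str:
    """Serialise records plus thread index; this is what the export should carry."""
    records = [archive_record(r) for r in raws]
    return json.dumps({"messages": records, "threads": build_threads(records)}, indent=2)
```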
Ever stop to think
I recently came out of a bankrupt company, e-mail was critical in a variety of cases including disputes with the liquidators, the records saved us many, many dollars.
21 day mail retention and a 30 Meg mailbox size. It is great for booking holidays because after the first 21 consecutive days, it doesn't matter how much longer you are gone because the volume of email will never really get that much greater.
And that all works great until your company discovers what you are doing during an audit for Sarbanes-Oxley or HIPAA :-)
It's IO. If you don't use a database driven e-mail program, large inboxes hit the disk really hard. Thus you need major IO to have large quotas. We have this problem at work currently. We run sendmail for a number of reasons, the main one being that we got e-mail waaaaaaay back in the day when it was pretty much it. Regardless, we are still on it and thus IO is a significant problem in terms of large inbox quotas. We need to move to a database driven solution, but such a move isn't easy and isn't free and thus we are still working on it. So at this point, we have quotas on inboxes not because we can't buy more storage, but because we don't want to overload our NAS.
Here's an example.
A company made ant poison, but the federal regulatory agency made them take it off the market.
Their law firm recommended that they appeal the agency's decision in court, so they did. They lost. The law firm recommended that they appeal to a higher court, so they did. They lost. The law firm recommended that they appeal to the U.S. Supreme Court. The company sent a fax telling the law firm not to do it. The law firm appealed to the Supreme Court anyway. They lost.
Doing that, they ran up bills of $400,000. The ant poison company refused to pay. The law firm sued for the bill.
To prove their case, the company had to find the fax machine's printed confirmation, to prove they sent the fax. They couldn't find it. They lost. They had to pay the law firm.
(This is my quick recollection from a Wall Street Journal story.)
Admittedly this is about a fax, not an email, but the principle should be the same. If they had a copy of an email saying, "To confirm our conversation today, we don't want you to appeal any farther," they would have won the case.
So yeah, there are some emails you should save forever, particularly CYA emails.
How many cases have there been where email evidence was used out of context or misinterpreted by the courts/jury so that the innocent got hurt?
;).
How many cases have there been where email evidence was used to nail the guilty bastards?
So tell me, is it really a good thing for emails to be deleted?
What does it tell you about the company? It has lots of guilty bastards? Do you want to continue working in such a company? They could blame _YOU_ for something, and if you're innocent, where's the evidence to protect you? If you're keeping your evidence against company policy, have a nice day.
As for personal emails, I try to keep most personal emails. Hard disk space is cheap, so why bother taking the time to figure out whether an email is important or not?
You might not even want to bother deleting spam - some people keep a store of spam so that they can test/tune antispam systems/filters.
Lastly, I think many people do work with projects that last more than 6 months. Sometimes your memory might fail, sometimes your boss's memory might fail, sometimes your colleagues forget.
And sometimes when people ask the same questions it's convenient to just dig out the reply/explanation and resend it (email programs should have a decent and fast search; kmail is too slow). If it keeps happening, maybe you put it in a FAQ somewhere and then you might add a link to it.
Frankly, examine your work-processes. E-Mail is not a general filing system, or a task-management system, or anything else that would require you to keep stuff around forever. In fact, doing so is - according to my observation - the #1 reason why most people can't use mail productively.
A tiny fraction of mails actually needs to be kept around for a long time, and I have a folder for those. It's on the order of 0.01% of the total volume. If I had to export that in some format, be it word, .txt or whatever, it would be a tiny hassle.
For everything else, I'd be happy to get the stuff I haven't needed for the past six months automatically deleted, because the chance is 99.99% that I won't need it anymore, anyways, and looking through the pile to check for things that I might still need takes away my valuable time.
Assorted stuff I do sometimes: Lemuria.org
It's not unreasonable in such a litigious society.
In a litigious society, wouldn't it be best to save all of your email, so you can use it to protect yourself in court?
If you're deleting all your email, then the only evidence that will come out in court will be from the people suing you.
Many times the most damning evidence is your own email. ( "Fred, the folks in accounting say that delays in production will cost more than the wrongful death lawsuits. So forget about re-designing the gas tank." ) Your own email can be used to prove things like knowledge and intent, which can greatly increase your liability.
The best way is to have an official policy that email is deleted as soon as is reasonable, probably just a few months. But have an unofficial policy that all email is saved forever.
One guy buys disks with cash and makes copies after hours and stores them off site. ( This guy is probably a corporate officer with lots of stock options. )
Then, when you are sued, you can have your lawyer look at the email and decide if it helps your cause or hurts it. If it hurts, you destroy the disks - which is easy since they never officially existed. If it helps, you 'accidentally' find an old disk that someone 'forgot' to destroy.
My policy is read the damned email then delete it. If it has something important in it, I put it in my calendar or contacts or I do what the email is requiring to be done. Is that really hard? People who hoard email aren't half as important as they think they are.
At least in that example, the problem is that it isn't the product that is harmful, the act of hopping on one foot in the shower is. If that original email were real it would probably have been a joke about how safe the product is, and not an admission of a dangerous design flaw.
We hope your rules and wisdom choke you / Now we are one in everlasting peace