Email Retention Management – What’s Your Policy?

Email Retention Management – The Good, The Bad, The Ugly, and Somewhere in The Middle

Having done this for a long time, I had heard every interesting variation of email retention management policies out there. But today takes the cake for the most convoluted policy.

Typically clients want to fully protect themselves in the event of litigation, HR issues, vendor disputes, etc. So, all previous emails are captured, and going forward, a copy of every email is automatically sent to the archive. If someone deletes an email either by accident or on purpose, there is a true and exact copy in the archive.

There are several cases where organizations depended on backup tapes and they were overwritten or had become corrupt; those tapes are just a snapshot in time as to what was in the email server. Whether it be an individual or legal person searching, you can find all the emails you need if you have to.

Some clients are paranoid about past emails lurking so they clean up the emails first, then pull what they have into the archive. Other accounts are so worried that they capture all data going forward knowing that past emails could be lost but they are covered from when they implement the software.

I have one account that uses an alternative approach to email retention management: they only capture historical and real-time data when a sniff of litigation is coming, to take the user out of the picture from deleting evidence. They have a huge company so I will assume their methodology is defensible.

We are working on a new methodology where users can decide what to keep in the archive, but syncing this with Exchange or reconciling what is in others’ mailboxes can be a challenge. Imagine 40 people were on an email and 38 users all categorize it differently.

This is a full document management system at that point, and most users these days get 100-200 emails a day, so taking the time to organize them can be very time consuming and prone to error. Regardless, we try to cater to our clients’ needs and are building whatever methods people want for managing information.

Security Nightmare

Today I heard a new twist: this one account wants all traces of anyone who received an email destroyed. If I sent the email then I should have the ability to delete all copies in the archive. OK, the bigger question is why? What’s going down here?

It’s like that silly recall function in email: most likely the user has already read the message by the time the recall is sent, so it’s a moot point then. What if I dragged that email into the PST personal archive on my laptop for safekeeping?

What if someone forwarded it on? What if I received an email and copied a paragraph of text and wrote a new email? How on earth could any system be that smart to track them down and delete them?

For that matter, what if I received an email and really wanted to keep it, so I printed it out or forwarded it outside to my Yahoo account? I could also have taken a screenshot of the email with my phone for safekeeping. This is a security nightmare and not an easy problem to resolve. At this point it has nothing to do with software but more about people and processes.

The real question is why even have an archive at that point? The email that might protect you today might destroy you tomorrow. At the end of the day the conversation typically comes back to just saving everything sans a simple date-based retention like 7 years, or honestly educating end users that this isn’t their personal email.

It’s the company email regardless of what they would like to believe. Don’t put stupid things in your company email. You never know what you might find. Any traffic that goes through corporate servers or on their network is up for dibs.

I suggest you ask 10 lawyers their opinion on email retention and you’ll most likely get 12 responses. IT folks, good luck, you have a challenging job trying to explain these things to the smart lawyers!!!!