Establishing an Email Retention Policy: The Legal Perspective

Penton Media's corporate counsel talks about the need for a company policy regulating email retention—and deletion—and discusses how the company's recently implemented plan was developed in collaboration with the IT department.

B. K. Winstead

March 4, 2009


This week, a lot of my coworkers across Penton Media, Windows IT Pro's parent company, are waking up to a new—and potentially shocking—reality. No, I'm not talking about changes or layoffs because of the poor economy. I'm talking about a huge volume of saved email messages that suddenly isn't there anymore due to the implementation of a comprehensive document-retention policy. The policy covers all company documents, but it's the rules regarding email that are going to be most difficult for people to adjust to.

The gist of Penton's new policy is that any email message older than six months will be automatically deleted—unless users move the message to one of a set of managed folders set up in Microsoft Office Outlook 2007 by the company's IT department. Each folder has a set time limit for retention, and only documents with specific legal or business requirements are allowed in those folders.

I recently spoke with members of Penton's legal department and IT department about the development and implementation of the new policy. Look for my interview with Ken Savoy and Ben Vargas of the Penton IT department in "Establishing an Email Retention Policy: The IT Perspective." And for some technical articles about setting up managed folders in Microsoft Exchange Server 2007 and other email retention and archiving issues, see the Related Reading section at the end of this article.

To get the legal perspective, I spoke to Elise Zealand, vice president and corporate counsel for Penton Media, who led the process for the policy's development. Elise spent ten years as a commercial litigator in New York before coming to Penton early in 2008.

Q: What was the situation at Penton before establishing the recent document-retention policy? What policies—if any—were in place?

A: There were some policies and procedures in place, and we were certainly very careful about enacting litigation holds when there was a potential claim or litigation. There were appropriate procedures in place to ensure that we retained data related to that litigation or claim. But with regard to email, we didn't have a system in place to manage email automatically. We left it to users to determine when emails would be discarded or retained.

Q: What's wrong with letting users decide what to keep? How does the company benefit by implementing a policy such as this?

A: When you have users who are longtime employees who are storing data in email for basically years on end, that's a cost problem and that's a litigation risk problem. So what we wanted to do was just to make sure that everybody would be on the same page, that they would understand that there were clearly defined rules about data that needed to be retained, and data that, if it's unnecessary, would be deleted within a specified period of time.

So we wanted to make sure that users were aware of statutory and legal obligations to keep their data. So, for example, with regard to accounting and finance records or employment data or contracts or drafts of contracts, we wanted to make sure that we retained certain records for an appropriate period of time.

Part of my job function in my prior life as a big-firm litigator was to help companies manage risk. One of the things that we always advised our clients was that they should have a strong document-retention policy in place. And you do that for several reasons. One is, in general, the cost of retaining data—unnecessary data—can be quite high just in terms of storage space electronically and in storing tapes offsite.

The other issue, and it's sort of the larger issue, is based on litigation risk and litigation expense. There were recently changes to the federal rules that require companies to engage in electronic discovery. Having been through electronic discovery in numerous lawsuits as an outside lawyer, I really got to know firsthand the expense and business interruption that that can create.

When you review electronic documents, basically you run a search, and both you and your adversary will agree on certain filters, certain parameters of the search. When you’re a lawyer, you really hope that your client has a good document-retention policy in place so that you're not searching through years and years of unrelated, unnecessary data.

And you're required, once you have a litigation in place, to preserve your data—to not delete any emails at all that relate to the subject matter of the lawsuit. That process of reviewing documents, electronic documents, can literally cost millions and tens of millions in a federal lawsuit because you have to have attorneys review the data to ensure that you're not producing anything that would constitute privileged information or confidential, proprietary information.

You also want to make sure, though, that you're retaining data that you must retain, either based on federal or state laws or regulations, or based on a litigation hold. You really need a process in place that protects the data that you must retain, that discards unnecessary data, and that ensures that we're not opening ourselves up to unwarranted expense and risk.

Q: How did you develop the policy for Penton? What resources did you consult?

A: We actually got some outside help just to make sure that we were appropriately covering our bases. So we used an outside law firm to give us some of the parameters with regard to accounting and finance, tax, employment, legal issues like contracts—just to make sure that we had a policy where we would have exceptions for automatic deletions for those kinds of documents.

So we used our outside lawyers as a resource. We went online—there's a group called the Corporate Legal Exchange and there are other online databases and associations that we use to sort of benchmark where we are compared to other companies of our size. And then as lawyers, we talked to peers. We talked to vendors of electronic discovery software to get a sense from them as to where they thought the appropriate parameters should be.

So we really reached out to lots of different sources. We looked back through our company's prior practices and procedures, and used all of those things to come up with a policy that would fit our needs but would also ensure that we were in compliance with applicable rules and regulations. I think we have a program that's going to be very comparable to companies of this size.

Q: How long did that process take?

A: I would say that we really seriously started the process probably in the fall, and it probably took from October/November until February to draft and implement the policy. And that was certainly with a lot of help and support from our IT department.

One of the things that we decided in creating a policy for our company was that we wanted it to be as user-friendly as possible, and as simple as possible, because a policy that no one's using is going to be worthless. So we wanted to streamline the policy as much as we could while still keeping it effective for our purposes.

Q: The policy states that the default hold period for email is six months, but other types of documents can be held for up to two years. Why is there a distinction between email and other documents?

A: The bottom line is that most of the data that comes into a company now is on email. So the vast amount of data that we have is electronic data, which also means that the greatest amount of waste is probably going to be on electronic data.

I think people generally tend to retain email for a longer period of time than they do for their hardcopy documents because there's a limit to physical space and I think that people are sort of loath to create complicated filing systems for their hardcopy documents, whereas it’s really easy to create files online and to store emails within your Inbox and subfolders, which is what we found most of our employees tended to do.

So email was a big focus. There's a tension because you want to make sure that critical data is retained no matter what, and we wanted to keep the rules fairly simple for email because we know that people are responding and reacting quickly.

We tried to make the distinction so that it would be easier for people to follow the rules with regard to email, but we also wanted to make sure that emails were being purged and cleaned out appropriately because that's the data that we tend to keep around and the majority of the data is noncritical data. So that's why email is a little trickier than hardcopy documents, and that may not have been the case years ago.

Q: Many organizations take a conservative approach to email retention and archive everything, but Penton's policy puts the responsibility on each employee to move required messages to the appropriate retention folder. What are the training issues and other implications of such a policy?

A: We wanted to have a policy that was fairly aggressive—basically, the default rule is that your emails disappear in six months unless you are proactive in moving them into one of these exceptions folders, and the exceptions folders are very, very narrowly defined. There really has to be a legitimate business need or a legitimate legal or regulatory need for us to maintain that data. Otherwise the data goes.

The cost of sifting through that volume of data is enormous. In cases where we don't have insurance coverage for attorney fees and costs, you could be looking at spending tens of millions of dollars on discovery in a lawsuit. It really hinders our ability to prosecute claims where we feel that there's been some business injury to Penton, or to be very aggressive in defending ourselves in a court action because we're afraid of the amount of attorney fees and costs that we would incur by having this massive amount of data reviewed and produced.

Definitely, I think there are greater risks to maintaining unnecessary data, but when you're going to be aggressive about deleting emails within a certain timeframe, and when the message to your company is that we do not retain unnecessary data, there does need to be quite a lot of training and information around the areas where we must keep critical data. In the areas that we're most concerned about, the personnel are very well trained about maintaining critical data. Within the business units where you're not accustomed to having to really sort through your information and decide what's critical and what's not—that's going to be painful in the short term as we learn to do that as a company.

We're saying that emails must be deleted and that documents should only be maintained for a certain period of time, but we're allowing documents to be moved onto a network folder or a shared folder. We're not just saying that all data will disappear. We just want people to be smart about how they're managing their data, and to be conscious and aware of it.

Q: Are you confident employees will save what they're required to?

A: I really have very little doubt that we won't save what we need to save. As far as really, truly deleting unnecessary stuff, I think that this policy will take us half of the way there or more, I hope. And having an automatic deletion function on email is very, very helpful—that goes a long way. And then we will be auditing the managed folders just to make sure that we don’t have users who are just moving everything in their Inbox into the managed folders.

Q: How much did you work with the IT department to establish the policy and to set up things such as managed folders or other technical points of the implementation?

A: In doing something like this, first you have your period of development of the policy where you're doing research, you're looking at other companies, you're talking to your IT department to decide how we're best going to implement this. Once I had a draft policy in place, then I went back to the IT department, gave them the policy, had them review it, got their feedback, and then we really designed the implementation of the policy together. And it's been a work-in-progress. We've been tweaking it. Even after the rollout of the policy, we've had to make some changes.

And then you implement the policy. You go through the training and communications with the company. There's constant interaction between legal and IT to talk about how it's going, what's the messaging from our Help desk. And then we send out communications as needed to our employee base so that they're on top of things.

And the employees certainly have been interacting with us, and based on their concerns, we have made some changes to the policy. So for example, we were not going to have an exception folder for ordinary business communications that didn't relate to one of the specific required exceptions. But we found that we have business cycles for certain products and certain projects that are longer than the six months that email Inbox rule would allow. Some people really need to have active emails for a little bit longer than that, so we created an 18-month exception folder for those very limited circumstances where you have a show cycle or a product cycle or an editorial cycle that's going to be longer than six months. So that'll help alleviate some of the problems we had in the field. And we hope that that will be used judiciously and not misused. But we'll see.

I'll say this: We have a phenomenal IT department at Penton, so this has been a very collaborative effort from the very beginning. Legal and IT have been on the same page through every step of the process. And of course when it comes to the technical capabilities and limitations of our systems, I'm going to defer to the IT department. And they've gone to extraordinary lengths to make this policy happen. I think the sort of constant communication between legal and IT has been critical.

Q: Whose responsibility will it be to audit the managed folders to ensure users are using them correctly?

A: If we're going to conduct an audit, we'll do it together. We'll talk about the parameters of the audit together—that will be something legal and IT discuss before it's implemented. And then, although IT would have the technical responsibility to perform the audit, because I don't have that capacity, we would sort of create the audit parameters together.

It's been a real partnership between legal and IT as we've gone through this. The Help desk has been involved every step of the way because they're on the front line answering questions. I shoot them questions by email every day, they shoot me questions, we talk about it over the phone. And we just try to make sure we're constantly giving employees the same message.

I think that kind of collaborative effort or spirit between legal and IT is vital to having this kind of policy be successfully implemented.

Like I said, employees are going to have to go through the pain of a change in the way that they do business and manage their data. But once this painful period of implementation is over, it's going to be much better for our company.

Q: Do you think employees will come around to see the benefits of the policy?

A: Yes. It's a hassle to constantly be going sifting through data. It will become automatic. You'll save the things that must be saved, and the rest of it, let it go—it's just junk. And I'm probably one of the worst offenders. I still haven't cleaned out my Inbox, but I will.

But also, this is a time for businesses to think about their own best practices. You know—is it best practice to maintain all of your sales data on email? Probably not. It's time to think about other ways of managing our data. Data is critical to our company, so it should be one of the highest priorities. So this is really forcing people, I think, to do things in a better, more efficient way, but it does come with the pain of change.

Q: Do you think that companies in general are doing a good job with document retention?

A: This policy is really an attempt to be proactive—to ensure that we're not going to be one of the companies that's spending tens of millions of dollars in attorneys' fees. But having been a litigator for ten years, I have numerous stories of clients who didn't implement a policy until after they learned the hard way. I myself have managed teams of temporary attorneys at law firms who are working in shifts so that there's almost 24 hours a day of reviewing time for federal court litigation and for justice department investigations that cost the client tens of millions of dollars. And it's wasteful, and it's a business interruption for the client. And it happens over and over again.

It's something that should be on every inhouse lawyer's radar, but I think because the change can be difficult to implement, there's a lot of pushback from employees. And so you really need to have an executive team that's supportive, which we certainly had, and an IT department that's not only supportive but has the capacity and the capability to get it done, which we have. So I was lucky—we had the perfect complement of factors to get this done fairly quickly.

But I could tell you many horror stories. I can't give you the names of clients, but I've worked on many investigations and many litigations where the tab for the review of documents was astronomical.

Q: Any last words for IT pros on what they need to know or should be doing with records retention?

A: I think that in companies where there isn't an inhouse legal department, they can certainly be proactive in talking with their executive team about the need for a policy like this. They should focus on the benefits to the company in terms of cost-savings and risk management. Maybe it's not a burden that should fall on IT, but it really may be on them in the first instance to start talking to their executive committee about the need for a program like this.

If they have an inhouse legal department, then being good partners with the legal department—that's everything. If you partner with legal, and you have an open flow of communication, and you're being supportive of each other, then you'll get through creating and implementing a policy like this one.

Related Reading:

For more articles about email retention with Microsoft Exchange Server 2007:

For articles about email archiving:
