Risky Business

The Folly of Short E-mail Retention Strategies

by Thomas Bookwalter, CEO FMDC

Why Companies Consider Short E-mail Retention Strategy

The motivation for considering a short retention policy for e-mails is based on the concern that there might be “something” in the e-mail files that would be damaging to the company (or possibly incriminating in regulatory investigations or litigation). Or it is driven by a desire to limit or control the size of individual email mailboxes on mail servers. One conclusion is that it is safer not to have the e-mails at all. One underlying notion seems to be that if the records are not in my e-mails they do not exist. Another is that if they are not in my archive I cannot deliver them and so become free of any liability. Nothing could be further from the truth.

E-mail Is NOT a Record Type

E-mail is not a record type. E-mail is a delivery system like FedEx or the US Postal Service. Retention rules are not based on the fact that e-mail was used to send or receive the message. Retention rules are based on the purpose, use or content of the message. Every company that uses e-mail uses e-mail to deliver records. If those same records were on paper and delivered by the US Postal Service, they would be retained. Even though they have been sent by e-mail, companies must retain those records for the same period of time a similar physical record would be retained. The courts have determined that the rules that govern the retention of the paper records also apply to e-mails. E-mails are used to:

  • File official documents with state and federal agencies
  • Share working papers on developing strategic plans and financial reports
  • Deal with product and service problems,
  • Gather customer information,
  • Negotiate, finalize and agree contracts,
  • Address employee healthcare, pension and disciplinary issues,
  • Receive job applications and resumes and offer employment, and
  • Inform customers and prospects about new products or opportunities

All of these records have specific regulatory requirements in spite of the fact that they were sent by e-mail.

The State of California Records Information Management Handbook says it most eloquently:

Retention and Scheduling Requirements

E-mail itself is not considered a record series or category. It is a means of transmission of messages or information. Like paper (mail) or microfilm, e-mail is the medium by which this type of record is transmitted. Just as an agency cannot schedule all paper or microfilm records together under a single retention period, an agency cannot simply schedule e-mail as a record series.

Retention or disposition of e-mail messages must be related to the information they contain or the purpose they serve. The content, transactional information, and any attachments associated with the message are considered a record (if they meet the agency’s record management plan criteria). The content of e-mail messages may vary considerably, and therefore, this content must be evaluated to determine the length of time the message must be retained.

One of the difficulties with e-mail is arbitrary size-limits on e-mail user “mail boxes” which require users to purge or archive files or be restricted in their use of the system until the mailboxes are kept below the size limit. This may contribute to improper deletion of e-mails that are records. Education of Information Technology professionals on the records implications and proper training of personnel can ensure good records management procedures are followed. Use of an electronic records keeping system also helps to manage this increasing source of records.

NOTE: Simply backing up the e-mail system onto tapes or other media or purging all messages after a set amount of time are not appropriate strategies for managing e-mail.1

The Problems That Short Retention Strategies Create

Often the intent of a short retention policy for e-mail is based on the need to manage mailbox sizes on mail servers. Periodically employees reach the mailbox size limits and are asked to “clean up” their mailboxes. Wanting to keep the emails for reference, employees move the mailboxes from the mail server mailbox to .pst or .nsf file on their laptop or desktop. Central systems do not backup these files. Central retrieval systems cannot search these files.

The problems that result are twofold. First if a company is in litigation according to the FRCP (Federal Rule of Civil Procedures):

  • Except in categories of proceedings specified in Rule 26(a)(1)(E), or to the extent otherwise stipulated or directed by order, a party must, without awaiting a discovery request, provide to other parties:
    • the name and, if known, the address and telephone number of each individual likely to have discoverable information that the disclosing party may use to support its claims or defenses, unless solely for impeachment, identifying the subjects of the information;.2

If the emails are on desktops and laptops, employee names should be provided and the relevant files on their desktops collected for submission in the case.

Second, if the mails are deleted and no copies remain within the company there are new risks.

  • In a 1988 case, the courts ruled that litigants were required to retain documents that they knew or should have known would become material at some point in the future.3
  • In 1995, the law is clear that data in computerized form is discoverable even if paper hard copies of the information have been produced…4
  • The third ruling establishes a clear obligation to preserve records “…spoliation is the destruction or material alteration of evidence or failure to preserve property for another’s use as evidence in pending or reasonably foreseeable litigation”.5
  • In the fourth case, in light of a clear precedent for the obligation to preserve records a penalty was assessed because the company persistently ignored the requirement. ”A pattern of failing to prevent unauthorized destruction of electronic documents warranted a $1,000,000 file and court-ordered preservation measures.”6
  • Lastly, Sarbanes-Oxley Sections 802 and 1102 introduce felony penalties for record tampering. Section 802 adds a new definition of the crime of Obstruction of Justice. It reads:
    Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 10 years, or both.7
  • SOX Section 1102 creates an even broader obligation:
    • Whoever corruptly—
    • Alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object’s integrity or availability for use in an official proceeding; or
    • Otherwise obstructs, influences, or impedes any official proceeding, or attempts to do so;
    • Shall be fined under this title or imprisoned not more than 20 years, or both.8

The U.S. Securities and Exchange Commission reported that Banc of America Securities agreed to pay a $10 million civil penalty to settle alleged violations of recordkeeping and access requirements under federal securities laws. The SEC also censured the firm.9 Interestingly, the records had been retained for the required period, but not according to the exact requirements of the rules.

If a company strives to run an honest business, short e-mail retention strategies not only introduce new risk but also reduce the company’s abilities to manage its employee conduct and protect it if there are problems. Failure to properly manage e-mail and other records sends a signal to regulators, the public and the investment community that something might be amiss. The simple adage applies, “People respect what you inspect.”

The Law, the Regulators and the Court Are Clear

The courts are consistent in their opinions regarding e-mail retention:

  • E-mail is not a record type it is a delivery and storage method.
  • It is the content and use of the e-mail that determines its retention and management requirements.
  • Deleting e-mails or letting them “disappear” is regarded by the courts as “spoliation”, the destruction of records.
  • Under new laws it is a felony punishable by fines and imprisonment of up to 20 years to remove or let disappear records that should be retained.

E-mails Have a Life of Their Own

There is a common misconception that just because e-mails have been remove from one mail server that they are gone. First, every e-mail has a sender and at least one receiver, often more. Once people receive an e-mail, they often send it on to others, save it for personal reference or protection. Some send it off to a personal mailbox outside the company. Just because an e-mail has been deleted from the mail server does not ensure that it is gone. If that email is presented as evidence against a company, not only does the question of why the company has no copy arise, but how does the company prove that the e-mail has not been altered from the original.

The last place a company executive wants to see an email for the first time is as Exhibit A in pending litigation or on the front page of the local news.

The intent of a short retention strategy is to protect the enterprise. The truth is that a short retention strategy exposes the enterprise to more risk not less. By removing records, a company takes on the conduct of its employees as its own. By managing a tamper-proof archive, a company isolates the liability around the individual and not itself.

Short retention strategies for e-mails and other business documents are short sighted. Short retention strategies are Risky Business.

  • 1Electronic Records Management Handbook, California Records Information Management, ERM-S4 (pdf) p.5
  • 2Rule 26 Federal Rules of Civil Procedures, General Provisions Regarding Discovery; Duty of Disclosure
  • 3Lewy vs. Remington Arms Co., 836 Fed 1404 (8th Cir. 1988)
  • 4Anti-Monopoly, Inc. v. Hasbro, Inc 94 Civ 2120, 1995 WL 649934 (S.D.N.Y. 1995)
  • 5Silvestri v. General Motors Corp., 271 F.3d 583, 590 (4th Cir. 2001)
  • 6Prudential Co of America Sales Practices Litigation 169 F.R.D 598 (D.N.J. 1997)
  • 7Title 18, Section 1519 of the US Code
  • 8Title 18, Section 1520 of the US Code
  • 9(In re Banc of America Securities LLC, SEC, Admin. Proc. File No. 3-11425, 3/10/04).”
Copyright 2007 FMDC. All Rights Reserved.