Re: 30 Day Email Retention Policy

My company instituted a similar policy a few years ago. You had to agree to a policy if you created electronic copies elsewhere you would violate the terms of your employee agreement. Printing out a copy was the only "authorized" means of keeping email. No electronic copy outside of the server version.

The policy quietly disappeared a few months after being launched, and an email archiving solution that keeps all emails in an offline storage vault but still accessible from your email client appeared at the same time with far less fanfare than the original policy did.

Methinks someone high up enough gave the IT group a dressing down over the short sighted and poorly researched implementation of the initial policy. It is not practical to carry on a business without providing staff to access to their own email history. You may improve your position in regards to a lawsuit but that matters little if you begin bleeding business due to lack of easy access to information required to perform your job. To the matter of susceptibility to a hack the message should be to the IT group to find better security solutions beyond preventing access to company info through the brute force method of destroying them.

Re: 30 Day Email Retention Policy

I thought the purpose was to keep data safe from hackers. This sentence from you indicates a very different rationale behind the decision.

Re: 30 Day Email Retention Policy

That's what I was thinking as well.

I thought most companies keep traces of email specifically to support themselves if they get involved in litigation - either prosecuting or defending.

Deleting all evidence of company communications implies there is something to hide.

Hackers are an entirely different issue.

I'm curious - how big is the company that is doing this Secam?

Re: 30 Day Email Retention Policy

We are a company of 10,000 worldwide. One of our clients who just implemented a similar policy is fortune 500. I suspect there are many more that I don't know about, and many companies that will move in this direction in the future.

The two main reasons for moving in this direction was to prevent the damage of a hack. Employees don't have to be writing bad things in order for you to be hurt. The second reason was the amount of time that we were spending in collecting emails for lawsuits. These could be cases that directly involved us, or cases where we were a third party.

No company can consider their email safe. If you are targeted by a hacker your email will become public. This is less of a concern if you're a local company, but when you are a larger multinational, this can become a real problem.

If you assume that your company is target worthy, and you therefore approach corporate email as something that will become public, you may look at a policy with a 30 day or a one year retention policy so as to limit the damage.

Re: 30 Day Email Retention Policy

Those were all the same reasons our company w. 100,000 people worldwide put it in place. The impact to the ability to conduct business caused it be cancelled. In effect it was a crude, easy way out that did not take into consideration the information staff need access to in a timely manner to conduct business. There was no point worrying about hackers if your business is going down the tubes due an inability to provide customers what they need.

In it;s place a more secure means of storing email beyond the retention period was implemented (e.g. higher cost) that allowed staff to continue to have access to their historical communication as needed.

Re: 30 Day Email Retention Policy

For most of the 30+ years of my working career I've been in IT. The majority of that time I've been a consultant in one form or another, mainly with databases.

Long ago I gave up trying to count the number of very stupid quick decisions that were put into place without much thought or the use of common sense. Decisions that just didn't get "thought through".

And often the quick decision turned out to cause more problems than what it was designed to fix.

If someone (i.e. a hacker) wants something bad enough, they will find a way to get it. Dropping emails after thirty days is not the solution. If a hacker wanted to target you, and knew of the thirty day limit, they would simply start grabbing emails on a daily basis and store them until they had enough to do what they wanted to do. It's not like there is physical effort involved here. They simply write a different piece of code.

And as for the lawsuit… good luck with the thirty day excuse in court.

Re: 30 Day Email Retention Policy

I'm sure every company with a corporate messaging system such as Exchange, will have daily / weekly / monthly backups of their messaging database. Regardless of a retention policy, there will be a backup if the sh*t hits the fan and old email is required.

Not to create a political debate, but when the provincial Liberals "deleted" email pertaining to the gas electric generating plant fiasco , that had to have been pure bunk / lie. I will never believe that senior goverment email is not backed up and re-obtainable. I just cite this as an example, no mudslinging intended.

Re: 30 Day Email Retention Policy

The more I think about this, the more it strikes me that any deletion policy that requires the quick destruction of any and all emails may run afoul of various statutory obligations. The attached article highlights just some of those obligations: http://www.nortonrosefulbright.com/f...32kb-44197.pdf.

Re: 30 Day Email Retention Policy

Well, I'm not a lawyer, but the only mention of retaining emails in this document is in regard to civil litigation, where a company cannot destroy emails once a lawsuit has been initiated.

Re: 30 Day Email Retention Policy

as mentioned my DIL is a buyer for one of Canada's largest retailers.
They delete casual inter office email chatter weekly. They kept all related business email for 10 years for their own protection, and earned a clean bill of health from a recent IR audit.

Re: 30 Day Email Retention Policy

Have not had time to read the entire link but in general those retention policies related to corporate records. Records are typically defined in a corporate record retention policy and usually pertain to specific documents that are classified as such. Generally email does not fall into that category. While an email may have a corporate record attached or communication relating to a corporate record it normally does not count as the record itself.

Deleting emails versus deleting records such as invoices, contracts, financial statements is not the same. You can stay in compliance by retaining the source records without retaining all of the email communications where copies of those records were sent and commented on as is my understanding.

That said, I am not a lawyer and could easily be partially or wholly incorrect.

I do believe this logic is part of the rationale to delete emails and still state one is in compliance with record retention policies.

I also do understand if a civil suit is launched then all email that is subject to discovery from the time the suit is launched must be preserved. Not sure if that goes back in time to a requirement to preserve emails from before a legal action is formally launched.

Re: 30 Day Email Retention Policy

The law is more nuanced. The retention obligation does not arise only in regard to litigation that has actually been initiated, but also to litigation that may be reasonably anticipated. If you can reasonably tell its coming, and you destroy all records relating to the subject matter of the anticipated suit, then a court is not likely to look too kindly upon you. As for statutory obligations for retention, you may be right. I don't know enough about the ins and outs of the various provincial and federal statutes that might impose on a corporation obligations to retain emails for specific purposes. That's why the corporation's lawyers should be closely involved in crafting any such destruction protocol.