Problem solve Get help with specific problems with your technologies, process and projects.

Legal rules of e-mail storage

This report offers a few glimpses into the legal dos and don'ts of e-mail retention.

For better or worse, today's IT administrators have become the keepers of their company's valued e-mail and electronic data assets. This can bring its own brand of administrative and legal headaches along with it.

In fact, analysts who advise on the legal requirements of e-mail retention have some news for administrators who believe effective and frequent data backups are the key to protecting their company from impending disaster. This report offers a few glimpses into the legal dos and don'ts of e-mail retention.

Are routine data backups a panacea or a recipe for disaster?

Administrators might be surprised to hear Donald Skupsky's claim that it's "totally wrong and inappropriate" to save everything. Skupsky is the president of the Denver, Colo.-based Information Requirements Clearinghouse and author of several books, including "Legal Requirements for Information Technology Systems."

According to Skupsky, keeping backups of all company data for long periods of time is a sure recipe for legal disaster. "I'm very fearful of the backup process in an organization where you keep everything forever," he said. "In litigation, that's a disaster for an organization. Keeping everything is a huge discovery expense."

Some legal tips on e-mail retention
What's a harried Exchange administrator to do about the legal issues surrounding e-mail and electronic data retention? Donald Skupsky and Randolph Kahn have several tips to get you started:
  1. Meet and start developing simple rules. IT managers or administrators most familiar with the company's e-mail or data systems should meet with other company personnel (auditors, records management personnel, corporate attorney, company e-mail users, etc.). All parties can then agree on what constitutes a record, the appropriate retention rules for valuable electronic records, and where they should be stored.

    "Setting a universal rule [about what you'll keep] is a good start," said Skupsky. Kahn recommends establishing even simple retention rules to start with. Examples: The e-mail sender is responsible for keeping e-mail that's a record. If an e-mail isn't a record, the sender or recipient must dispose of it by a certain timeframe.

  2. Adhere to a 30-day rule. Skupsky recommends keeping your data on a 30-day cycle and recycling your backup tapes every 30 days. He also recommends removing e-mail from the server each 30 days. "This forces users to determine whether or not an e-mail is a record," he said.
  3. Broaden your e-mail management policies. According to Skupsky, the most common practice of limiting the physical size of a mailbox is not a retention rule. "It's a stop-gap measure, because users then remove right and left," he said. Kahn maintains doing some extra work up-front to develop retention rules and train people in how to use them will mean less storage space problems down the road for the administrator. "Determine what the rules should be now," said Kahn. "Then, implement the right policy, teach the right policy and manage it."

Skupsky gives the example of a recent legal case where he was called as an expert witness. Because the company in question had stored its past year's worth of e-mail on tape, it was subsequently required to restore 400+ backup tapes and provide the court with all resulting data -- at considerable time and expense to itself.

As the latest Enron lawsuits attest, companies must carefully weigh which electronic data they keep for posterity versus which data they purge from their systems, and should figure it out well before they run into potential legal troubles.

Chicago, Ill.-based Attorney Randolph Kahn agrees. "You can't keep everything," he said. "But, in complying with business and legal needs, you need to make some decisions about the content of your e-mail messages." Kahn is an advisor to the ePolicy Institute who specializes in legal and risk issues related to electronic records. He consults with corporations to develop e-mail policies and retention rules associated with a company's e-mails.

Kahn shared the outcome of a recent court case, Applied Telematics, Inc. v. Sprint, which puts a different spin on the backup issue. A technologist at the defendant's company had routinely recycled his data backup tapes when he ran out of space. When the lawsuit was filed, someone at the company failed to inform the technologist to suspend his current backup activities of overwriting older tapes until the court case had concluded. The result? The defendant's company was hit with a destruction of evidence charge. "If you have a policy that says your retention is 30 days, 60 days or 5 years, and your company is served with a lawsuit, you need to suspend destruction of data pending the outcome of the case," said Kahn.

Is your e-mail message a legal record, and where should it be stored?

Navigating such murky legal waters of electronic data storage can be tough. The first thing both Kahn and Skupsky maintain is that companies need to decide when an e-mail message constitutes a record. "E-mail is not a record by itself. It's a tool of communication that may contain items that are records of the company," said Skupsky. "But, you ultimately decide what's a record."

Kahn makes the point that e-mail a few years back was often viewed as the electronic equivalent of 'While You Were Out' pink slips that could be easily discarded. "Today, business happens by e-mail," he said. "And e-mail may be company records."

Both point to such legal records as contracts, patent-related communications and even purchasing change orders that can be modified through the use of informal e-mail messages. Such e-mail exchanges may then become part of a company's important contract records.

Determining what is and isn't a record may involve checking into legal requirements for record-keeping at the federal, state and local levels. It can also involve planning sessions with your company's bean counters and corporate attorneys, and training end users to retain e-mail items that are records, while discarding the rest.

Once you identify what's a record in your organization, you are then faced with the task of deciding where best to store it. Skupsky maintains an e-mail system is not the best choice. "An e-mail system isn't a record-keeping system," he said. Kahn concurs, saying, "The idea of keeping this massive stuff in an e-mail system is the worst of all possible worlds. It's all there, but you can't find it when you need it."

Skupsky points to e-mail system shortcomings such as the fact that e-mail doesn't allow you to categorize different types of records easily, it's not shared easily on a corporate network, it can get wiped out, etc. He also mentions that when someone leaves a company, the e-mail they kept may never be found or identified as an important legal record.

Unfortunately, Skupsky also acknowledges that more robust electronic document management systems don't really exist today for proper records retention. This puts the loyal IT administrator in something of a dilemma. Thankfully, both Skupsky and Kahn maintain there are still positive steps an IT administrator can take. This story's sidebar offers a few helpful e-mail retention tips.

In the meantime, it couldn't hurt systems administrators of the future to learn more about records management. After all, someone's got to shoulder the responsibilities as chief custodians of their company's data. By default, IT seems in the best spot to take on the job. "Technology departments have to begin to develop records management knowledge and rules, and apply them to all electronic systems," said Kahn. "They are the keeper of the electronic information asset. At the end of the day, they need to know a little about the law."

About the author: Michele Hope is the senior site editor of She can be reached directly via e-mail.

Additional Resources:

For more information, go to the Information Requirements Clearinghouse Web site.

Learn more about e-policies, including horror stories of electronic policies gone awry from the ePolicy Institute.

Dig Deeper on Data storage compliance and regulations

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.