Local County Government Compliance with State Standards
Records managers at Travis County, Texas, are publicly debating how to draft a retention policy for the e-mail of over 4,000 users. The county is subject to many confusing state directives and standards on records retention. Broadly, the choices on the table are these:
1. Continue the status quo, where each employee stores, deletes and/or categorizes e-mail without clear, modern guidance from management on how this should be done. Under this approach, some employees store a lot, and some store less. Some print “important” e-mails and place them in a file cabinet; others do not.
2. Train each employee to rigorously review each e-mail and decide its retention status (i.e., destroy quickly; OR place in category X so it can be retained for a certain period; OR place in category Y so it can be retained for a different period; and so on). New technology, such as artificial intelligence, may be on the horizon to facilitate this option.
This is what I have previously called the make-a-decision style of e-mail records management. The Travis officials call it the bucket approach: each e-mail fits into a bucket (a category with its own rules for retention, destruction and so on), and a way must be found to put each e-mail into the right bucket. The officials note that some learned commenters advocate the bucket approach, but they have appealed to those commenters to bring forward a good example of it working in practice. See the video at the bottom of this post.
3. Keep all e-mail “indefinitely” (spam excluded). Related to option #3 is what Broberg & Malone call the haystack approach to e-mail records management. Rather than trying to place each e-mail into category X or Y so it can be found and managed as though it were a sheet of paper, the haystack approach simply keeps copious volumes of e-mail and then relies on search engines to find particular e-mails when they are needed, such as for e-discovery or an investigation.
Here’s my initial input to Broberg and Malone.
First, option #3 could be implemented in many different ways. It should be understood as not a single option, but a large family of options, with many flavors and nuances.
Second, I have previously voiced skepticism about option #2.
Third, I recently witnessed a large institution wrestle with the same topics. It knew that, like Travis County, its present condition was option #1. The e-mail system deleted each e-mail within 90 days unless the user (an inventor, for example) took the trouble to store it specially, such as in a folder. Its present e-mail usage had created, and was continuing to create, vast heaps of records. The internal audit department argued that all this material, stored at user discretion, contained important content. Copies were spread around (rather haphazardly) on servers, desktops, laptops, BlackBerries and Androids. Those e-mails, and the data contained in them, included:
* assets of the enterprise (contracts, negotiations, representations, internal controls, intellectual property, delegations of authority)
* evidence that is and will be relevant to present and future investigations (lawsuits, e-discovery, corruption audits, fraud allegations, false pretenses, whistleblower complaints, retaliation complaints, misappropriation of funds, misallocation of funds probes, hostile work environment claims, etc.)
* sensitive information such as trade secrets, other intellectual property and personally identifiable (private) information
Internal audit argued that this scattered corpus of stuff needs to be managed, measured, controlled and secured. For privacy and other reasons, audit trails need to be kept to show who looked at which archives and when.
Further, argued internal audit, as the years go by, decisions about how long to keep this or that can change on account of matters like a future litigation hold and changes in law (or changes in records management philosophy). In other words, the institution might initially set an e-mail for seven-year retention, but later learn it should be retained for 10 years. The institution needs a way to find that e-mail so it can be moved to the longer retention period.
E-mail, concluded internal audit, needs to be managed under a centralized archive appliance. In other words, all e-mail (excluding spam and the like) needs to be copied into an archiving system controlled by the institution, not by individual employees. (Employees might still keep their own copies of e-mails at their discretion, but centralized archival ensures that the institution gets a copy of everything.)
Centralized e-mail archiving is largely a departure from Travis County's option #1, and it is not option #2 either.
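To make internal audit's requirements concrete, here is a small Python model of what a centralized archive has to do. It is an added illustration for this post, not code from Travis County, Broberg & Malone or any archive vendor: one institution-controlled copy of every non-spam message, de-duplicated by Message-ID; a retention class per message that can be moved later (seven years to ten); litigation holds that block disposition even after the retention period has run; and an audit trail of who searched, reclassified, held or deleted what, and when. The retention classes, hold identifier, dates and sample messages are constructed for the example, and a year is approximated as 365 days.

```python
"""Toy centralised e-mail archive: non-spam mail is copied in once, each copy carries a
retention class that can be changed later, litigation holds block disposition, and every
search, reclassification, hold and deletion is audited. Added illustration for this post,
not Travis County's or any vendor's code; classes, dates and sample mail are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Message:
    message_id: str      # RFC 5322 Message-ID; copies from other mailboxes are de-duplicated
    sender: str
    subject: str
    received: datetime   # timezone-aware; the retention clock starts here
    is_spam: bool = False


@dataclass
class ArchiveEntry:
    msg: Message
    retention_class: str
    holds: Set[str] = field(default_factory=set)   # litigation holds covering this message


class CentralArchive:
    """The institution's copy, controlled by records management rather than by users."""

    def __init__(self, retention_years: Dict[str, int]) -> None:
        self.retention_years = dict(retention_years)   # class name -> years to keep
        self.entries: Dict[str, ArchiveEntry] = {}
        self.audit_log: List[dict] = []                # who did what, to which message, when

    def _audit(self, actor: str, action: str, message_id: Optional[str], when: datetime) -> None:
        self.audit_log.append({"actor": actor, "action": action,
                               "message_id": message_id, "at": when.isoformat()})

    def ingest(self, msg: Message, retention_class: str = "default") -> bool:
        """Copy a message in; False means spam or already archived."""
        if msg.is_spam or msg.message_id in self.entries:
            return False
        if retention_class not in self.retention_years:
            raise KeyError(f"unknown retention class {retention_class!r}")
        self.entries[msg.message_id] = ArchiveEntry(msg, retention_class)
        return True

    def reclassify(self, message_id: str, new_class: str, actor: str, when: datetime) -> None:
        """Move a message to another class, e.g. 7-year to 10-year, and log who did it."""
        if new_class not in self.retention_years:
            raise KeyError(f"unknown retention class {new_class!r}")
        self.entries[message_id].retention_class = new_class
        self._audit(actor, f"reclassify:{new_class}", message_id, when)

    def search(self, predicate: Callable[[Message], bool], actor: str, when: datetime) -> List[str]:
        """Haystack-style lookup over the whole corpus; who searched, and when, is logged."""
        self._audit(actor, "search", None, when)
        return sorted(mid for mid, e in self.entries.items() if predicate(e.msg))

    def place_hold(self, hold_id: str, predicate: Callable[[Message], bool], actor: str, when: datetime) -> int:
        """Attach a litigation hold to every matching message; returns how many it covers."""
        matched = [e for e in self.entries.values() if predicate(e.msg)]
        for e in matched:
            e.holds.add(hold_id)
        self._audit(actor, f"hold:{hold_id}", None, when)
        return len(matched)

    def disposition_candidates(self, now: datetime) -> List[str]:
        """Past retention (365-day years assumed) and under no hold: the only mail that may go."""
        def expired(e: ArchiveEntry) -> bool:
            return e.msg.received + timedelta(days=365 * self.retention_years[e.retention_class]) <= now
        return sorted(mid for mid, e in self.entries.items() if expired(e) and not e.holds)

    def dispose(self, now: datetime, actor: str) -> List[str]:
        """Delete every disposition candidate and record each deletion."""
        gone = self.disposition_candidates(now)
        for mid in gone:
            del self.entries[mid]
            self._audit(actor, "dispose", mid, now)
        return gone


def run_scenario() -> dict:
    """Ingest, reclassify, hold, search and dispose on constructed sample mail."""
    ts = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
    archive = CentralArchive({"default": 7, "contracts": 10})
    t0 = ts(2015, 3, 1)
    samples = [   # the fourth item is a second copy of the first, from another mailbox
        Message("<a1@example.test>", "cfo@example.test", "Q1 budget", t0),
        Message("<a2@example.test>", "vendor@example.test", "Signed HVAC contract", t0),
        Message("<a3@example.test>", "hr@example.test", "Fraud allegation received", t0),
        Message("<a1@example.test>", "cfo@example.test", "Q1 budget", t0),
        Message("<spam1@example.test>", "x@example.test", "You have won", t0, is_spam=True),
    ]
    accepted = [archive.ingest(m) for m in samples]
    archive.reclassify("<a2@example.test>", "contracts", "records-mgr", ts(2020, 6, 1))
    held = archive.place_hold("LIT-2022-07", lambda m: "fraud" in m.subject.lower(), "legal", ts(2022, 11, 15))
    now = ts(2023, 1, 1)
    hits = archive.search(lambda m: m.sender.endswith("@example.test"), "auditor", now)
    disposed = archive.dispose(now, "archive-job")   # a1 expired in 2022; a2 is 10-year; a3 is held
    return {"accepted": accepted, "held": held, "search_hits": hits, "disposed": disposed,
            "remaining": sorted(archive.entries),
            "audit_actions": [rec["action"] for rec in archive.audit_log]}
```

Running `run_scenario()` shows the three properties audit cared about: the duplicate copy and the spam are rejected at ingest, the contract survives the 2023 sweep because it was moved to the ten-year class in 2020, and the fraud-allegation message survives only because of the hold, while the audit log records the reclassification, the hold, the auditor's search and the deletion in order. A real appliance would also audit ingests and reads, store the log append-only, and use the retention schedule's own day-counting rule rather than 365-day years.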
So precisely how long should an enterprise keep e-mail records? There is no universally correct answer. I have led in-house workshops to address this question at numerous, diverse enterprises. The outcome of these workshops has varied, depending on many factors, including corporate culture.
In my experience, the best e-mail retention policy is one developed through collaboration among the various stakeholder departments in the enterprise (legal, IT, HR, operations et al.). Normally, these stakeholders start with different positions on what the policy should say. But, in my experience, after they have talked through the issues, they tend to move off their opening positions and coalesce around a policy that is unique to the enterprise.
Mr. Wright is senior instructor for the SANS Institute, where he teaches its 5-day course on the law of e-discovery, electronic records, data privacy and computer investigations.