
September 24, 2008




Wow... where to start?

Okay, disagree COMPLETELY on what happened in the Enron/AA case, especially when it comes to what AA did. You're right that AA had an RM Policy, but the problem isn't their application of the policy, it's WHEN they chose to apply it. Had they followed the policy and destroyed the supporting audit records 5 years after completion of the audits, they would have been destroyed in compliance with the retention schedule and policy, IN THE NORMAL COURSE OF BUSINESS.

Instead, once AA got wind of a legal action, Ms. Temple (who wasn't the hero in this case, but actually the villain) sent out a memo urging AA's managers to "follow the retention policy" and ensure information was appropriately destroyed. Now, it COULD be argued (but I doubt successfully) that she was misinterpreted and that managers should have known that she meant to follow policy in the course of business, but if others HAD understood this, some of the changes to the FRCP wouldn't have been enacted following this landmark case.

There was no "deliberation"; AA contacted a recycling company and a shredding company and sent out TONS of paper (literally - as I recall it exceeded 5500 pounds) to be destroyed en masse. You're right this backlog of records "demanded decisions", but those decisions should have been made years beforehand. Someone had made a conscious decision to continue retaining the paper far beyond its required retention and pay for costly office space to house it, and when that happened, they should have been aware that it wasn't regularly accessed, what it represented, how old it was, and that based on that information it could have been destroyed.

As for the Broccoli case, that's only one in a myriad of cases where decisions made to apply a "time or volume based retention" decision without consideration of content and existing retention policies has bitten an organization. Merrill Lynch (et al), Zubulake vs UBS Warburg, DOJ vs Microsoft, Linnen vs A.H. Robins, and many others are prime examples of ignorance not being an excuse.

If the e-mails had been properly categorized and retention periods set at the time of receipt or creation, none of this would have been an issue. If the litigation hold was required, it could have easily been applied against the repository of categorized records.

Even if the practice of "role and rule based" categorization had been used (as discussed in another blog thread), much of this could be done in an automated manner, avoiding the requirement of item by item decision-making.

I disagree that 'very generous...retention of electronic records' is a prudent course of action for an organization. If you do research into the requirements for records management, decisions are to be made regardless of media, form, or format. To make decisions based on the medium in which the records exist only results in an inconsistent application of retention policies, which results in the entire practice being called into question in the event of a legal action.

Larry Medina

Benjamin Wright

Larry: As I digest your argument and wait for others to chime in, I wish to thank you for posting such an interesting and substantive comment. --Ben

Benjamin Wright

As fuel for the conversation, I point to the Norwalk Community College case I have discussed previously. The court punished Norwalk for failing to retain e-mail related to a sexual harassment allegation. The court said Norwalk should have implemented a "litigation hold" when police investigated the allegation (well before a lawsuit was filed). But it is very difficult for an enterprise like a community college to figure out -- at the time in question -- that it needs to implement a sophisticated beast called a litigation hold. I therefore hypothesize that the best reaction to modern cases is to be much more generous in the retention of e-messages. -Ben

David Gaynon

I would just like to second what Larry Medina has posted above. The problem with Enron/Arthur Andersen was the desire and intention of key individuals to destroy evidence that they knew was relevant to an open legal matter. In this particular case there was an existing document that described a records management policy but this policy was not followed and the lack of enforcement was common knowledge. Key managers tried to use this document as a cover to violate their duty to preserve evidence.

In other cases firms have lacked the infrastructure to implement, monitor and track compliance with legal holds. Rather than lengthening retention periods firms need to look at ways in which they can strengthen their regime for compliance with ESI preservation. Tools that allow preservation in place as well as legal hold software need to be seriously considered.

Finally, I would suggest that speculation about future litigation is not a reasonable way of establishing retention requirements. In such cases speculation about future litigation is different than being in receipt of notice of anticipated litigation. In the latter case a party has a reason to anticipate litigation.

For example -- it is possible that Mr. Wright may at some point in the future be a defendant in a malpractice case. Does that mean that he needs to preserve everything indefinitely just in case such a suit is brought? I do not think that this is what the law requires. At least I hope not.

Rebecca Conner

"The court said Norwalk should have implemented a 'litigation hold' when police investigated the allegation (well before a lawsuit was filed). But it is very difficult for an enterprise like a community college to figure out -- at the time in question -- that it needs to implement a sophisticated beast called a litigation hold."

Actually, it should not have been difficult to implement the litigation hold in the Norwalk case. The sexual harassment allegations were ongoing - the case was still open. Whether or not a lawsuit had been filed, the allegations had not yet been fully examined and/or dismissed. As the teacher in question was employed by the college at the time in question, the college still was responsible for retaining the records in question. Organizations should apply litigation holds where there is litigation or the possibility of litigation - which is not a stretch of the imagination in the slightest when there had not yet been even a ruling on the allegations in question. In this case, there was clear error on the part of the college for wiping the teacher's hard drive, and the college should have known better.

None of this has anything to do with the retention period of the records. The college improperly destroyed records it should have retained, because it should have known it needed them. But proper application of retention periods should remain separate from application of litigation holds. If an organization applies both correctly, then it is in far better shape than if it just lengthens retention periods across the board to account for not applying any litigation holds.

Benjamin Wright

Thanks to David and Rebecca for their good comments. Over time, I hope to explore all these comments in more depth.

Meanwhile, here's another in the cavalcade of cases punishing organizations for stingy e-mail retention: Disability Rights Council of Greater Wash. v. Washington Metro. Area Transit. The case shows it's easy to direct employees to evaluate e-mails one-by-one and then save certain of them in the "litigation hold" category. But the danger is that employees often don't follow such directions competently. --Ben

Benjamin Wright

To continue the discussion about deleting e-mail records too soon, I have a new post about the Philip Morris spoliation case.

J Raftery

Until an absolute rule is put into place, there is no answer to the e-mail retention riddle. Courts will use non-compliance by company employees as rationale to support a decision that the court wants to make - regardless of how robust the company retention policy actually is. The best practice is to have a blanket rule - period - and stick to the rule. If a company has a steadfast policy that all e-mail records will be deleted within four months and no digital archive is kept past that period, a Court cannot say that the company was not properly complying with its e-discovery request so long as the company produces the four months of email records.

To date, the cases that have been addressed by the courts are those where there was reason to believe that the email records in question would be needed in anticipation of future litigation and the company did not comply or outright ignored its obligation to maintain those emails. For example, in the Norwalk case, the school was on notice of the claim and therefore should have recognized from that point forward that everything relating to the claim should be kept – in addition to those emails already residing on the system. Similarly, the Washington Metro case involved instructions to executive staff members asking them to identify and preserve those emails that may be necessary to respond to a litigation matter. However, because of the sheer volume of daily emails received by many executives, this is asking a great deal. The obvious issue was captured many years ago in one of the first mantras of the computer age:

To err is human.

Unfortunately, company IT departments cannot hand hold every employee to ensure that s/he is complying with the storage and deletion policies. Additionally, in a digital world, asking executives to make a snap judgment as to whether an email is a “record” or “non-record” is burdensome. Executives forced to comply with such a policy will simply move everything to the “record” container.

The additional issue involves the concept of a “litigation hold.” Under the Federal Rules of Evidence, information is relevant to a matter if it has “any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.” Usually discovery, and in particular e-discovery, is authorized even if the discovery would otherwise be inadmissible if it could lead to relevant information in the case. So, if a company policy requires its employees to make these snap judgments as to the relevancy of their email, the company has effectively asked the employees to stand in the shoes of a judge and make a VERY subjective decision - which is a mistake. Therefore, the conservative approach would be to save everything.

However, saving everything can also be an issue. In large national and multi-national companies, there is a constant threat of litigation or anticipated litigation. A “hold everything” policy in such a company would be as effective as having no retention policy whatsoever. So we are back to asking the employees to identify those emails that are relevant for purposes of the litigation which, as recognized in the Washington Metro case, is not reliable.

Ultimately an absolute rule must be established to provide guidance to companies regarding electronic discovery. Once the bright line is drawn in the sand, the issue will be removed from the subjectivity of the legal process. Besides, statutes such as Sarbanes-Oxley and a number of other statutes have their own retention rules, for which most companies already have certain compliance and retention measures in place. Lastly, any company engaged in extensive business deals that does not otherwise archive those transactions is practicing bad business and likely deserves any penalty it might incur as a result of those practices.

However, until such time as an absolute rule is established, I follow the long line of bloggers and other learned professionals that say, make a rule and stick to it. By establishing a reasonable company retention policy and recognizing the need for a legal hold where applicable a company will be in the best position to defend itself in any litigation.

Snap judgments and unreasonable retention policies simply provide tools for your adversary.

Benjamin Wright

My thanks to J Raftery and others for their good comments above. In reply to the comments, I wish to contribute more support for my argument that wise firms will tilt toward keeping more ample records. Please see my new post on how Congress changed obstruction of justice law in the wake of the Arthur Andersen case. --Ben

Alan Winchester

I think the inquiry should not so much be about how long to keep emails, but first whether the subject of the email is a scheduled business record subject to the retention schedule established by the organization, like the acceptance of a contract, or whether it is an un-scheduled communication not subject to any retention schedule, like an invitation to a birthday party in the cafeteria. The mere fact that the information was communicated by email is like assigning a retention schedule based upon the type of envelope a paper letter or contract was wrapped in before being sent.

To answer this question, organizations should also look to how they handle emails. Some companies require emails that rise to the status of a scheduled business record be copied into a SharePoint portal or the like and others allow them to be kept in Exchange or Notes. If they are in the first category it may be appropriate to deem any emails not ported into a document management system as being unscheduled and hence delete them after 90 days. If an organization handles the retention of scheduled emails in the email server, then they might have to develop a more complex retention scheme for ESI stored in that repository. Therefore, I think it would be wrong to take a one size fits all solution to this issue - especially as emails are increasingly becoming the official business record of key transactions - either by design or inattention on the part of record managers.

Benjamin Wright

Further to the good conversation in this thread, I have a new post arguing that records management should break from the past and treat e-mail differently from the way it historically treated paper. --Ben

Benjamin Wright

Diligent readers will want to see the latest discussion of the make-a-decision style of records management. --Ben


  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.
