Accusations that a top aide to Boston Mayor Thomas Menino has routinely deleted emails in violation of state law have tripped up the mayor's quest for a fifth term. The Massachusetts public records law requires municipal employees to keep emails for two years, regardless of "informational or evidential value." There is also evidence that a judge warned the mayor about deleted emails last year, when it was discovered that employees in one agency were told to delete emails due to a lack of data storage space. The agency then bought email backup software but did not develop an email retention policy, according to the article in The Boston Globe.
In this case, defenders contend the aide's practice of moving emails to his trash and emptying his recycle bin daily, or "double-deleting," is consistent with the habits of a highly organized person. The aide assumed the emails were being backed up by City Hall servers.
The city does have an email archiving system, which automatically archives emails after they have been in a user's inbox for 90 days, according to the mayor's press secretary, Dot Joyce. If the emails do not remain in the inbox for 90 days, the burden is on the users to archive the emails themselves, Joyce said.
As the computers are being seized and an independent computer forensics specialist is hired to try to retrieve the emails, the flap should serve as another reminder to CIOs that email retention is serious business, said attorney Edwin Larkin.
"Here you have an aide who is said not to be aware that he is required to maintain even irrelevant email for at least two years under the mistaken assumption that it is being backed up in the ether by the IT department. That is something that happens relatively commonly," said Larkin, a litigation partner at Venable LLP in New York.
"The takeaway for CIOs is that you need to make sure employees are aware of the email retention policy and they abide by it," Larkin said. "Point two is that CIOs need to let people know that if you don't work within that policy, you run the risk of losing data."
Retaining email is thus a matter of disaster recovery and regulatory compliance, including compliance with the so-called e-discovery laws in the Federal Rules of Civil Procedure. And if organizations are faced with an e-discovery request in litigation or for compliance purposes, retrieval from backup can get expensive.
"Now they have to go to these backups, figure out which one has the data they need, and restore it. A good archive system can save them a lot of money and a lot of time," said Bill Pray, an analyst at Midvale, Utah-based Burton Group Inc.
Creating an email retention policy
Before developing an email archiving strategy, a CIO should review which regulatory and legal requirements apply to his organization and then start building a policy. That means sitting down with the legal team, auditors and stakeholders from business units such as human resources and finance who are intimately familiar with legal requirements in their specialty.
"Build legitimate policies based on your business purposes, your litigation readiness requirements, your compliance auditing requirements and your information lifecycle management," Pray said.
Another key is creating a unilateral policy, without exceptions. One story on email archiving strategies describes a CIO who ran into trouble after granting exceptions to some executives who didn't like the purge cycle of the company policy.
Burton's advice for creating an email retention policy is that it should address the following:
- Email usage: Definitions of what constitutes abuse and proper use of the organization's email services.
- Archiving and retention: Identification of what content will be saved, where it will be saved and for how long.
- Legal readiness: Who, during a compliance audit or legal action, will be in charge of the information and how procedures will be communicated to the involved parties.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer