Article

For CIOs, email deletion scandal shows need for email retention policy

Linda Tucci, Executive Editor

Here in Boston, an email retention policy -- or a lack thereof -- is the juiciest news in town, as an email deletion scandal rocks City Hall in the face of next week's mayoral primary.

    Requires Free Membership to View

More on email retention
E-discovery rules double-edged sword for CIOs

Email and messaging management

Email archiving strategies: Five best practices

Accusations that a top aide to Boston Mayor Thomas Menino has routinely deleted emails in violation of state law have tripped up the mayor's quest for a fifth term. The Massachusetts public records law requires municipal employees to keep emails for two years, regardless of "informational or evidential value." There is also evidence that a judge warned the mayor about deleted emails last year, when it was discovered that employees in one agency were told to delete emails due to a lack of data storage space. The agency then bought email backup software but did not develop an email retention policy, according to the article in The Boston Globe.

In this case, defenders contend the aide's practice of moving emails to his trash and emptying his recycle bin daily, or "double-deleting," is consistent with the habits of a highly organized person. The aide assumed the emails were being backed up by City Hall servers.

The city does have an email archiving system, which automatically archives emails after they have been in a user's inbox for 90 days, according to the mayor's press secretary, Dot Joyce. If the emails do not remain in the inbox for 90 days, the burden is on the users to archive the emails themselves, Joyce said.

As the computers are being seized and an independent computer forensics specialist hired to try to retrieve the emails, the flap should serve as another reminder to CIOs that email retention is serious business, said attorney Edwin Larkin.

Choosing an email archiving system
The landscape for email archiving systems is maturing and changing, says Burton Group, as large technology providers like Hewlett-Packard Co., IBM and Microsoft jump in with solutions. The following four types of vendors provide some archiving capabilities:
  • The various messaging services that manage security and email hygiene.
  • The big storage vendors.
  • Enterprise content management vendors.
  • The point solutions vendors.

"What we see in the future is a convergence in that space, maybe some acquisitions, to try to provide solid, one-size complete solutions within one vendor," Pray said.

Buyer beware figures large here. In a report published last September, former Forrester Research Inc. analyst Jo Maitland (now a TechTarget editor) said that many of the tools out there were created for big financial services companies dealing with scads of compliance regulations.

"Much of the functionality is overkill," she warned. Smart companies will "right-size the infrastructure, walk through e-discovery scenarios ahead of time, consider archiving other data types besides just email … [to] manage the archive for the long term."

"Here you have an aide who is said not to be aware that he is required to maintain even irrelevant email for at least two years under the mistaken assumption that it is being backed up in the ether by the IT department. That is something that happens relatively commonly," said Larkin, a litigation partner at Venable LLP in New York.

"The takeaway for CIOs is that you need to make sure employees are aware of the email retention policy and they abide by it," Larkin said. "Point two is that CIOs need to let people know that if you don't work within that policy, you run the risk of losing data."

Retaining email is thus a matter of disaster recovery and regulatory compliance, including compliance with the so-called e-discovery laws in the Federal Rules of Civil Procedure. And if organizations are faced with an e-discovery request in litigation or for compliance purposes, retrieval from backup can get expensive.

"Now they have to go to these backups, figure out which one has the data they need, and restore it. A good archive system can save them a lot of money and a lot of time," said Bill Pray, an analyst at Midvale, Utah-based Burton Group Inc. (See sidebar.)

Creating an email retention policy

Before developing an email archiving strategy, a CIO should review which regulatory and legal regulations apply to his organization and then start building a policy. That means sitting down with the legal team, auditors and stakeholders from business units such as human resources and finance who are intimately familiar with legal requirements in their specialty.

"Build legitimate polices based on your business purposes, your litigation readiness requirements, your compliance auditing requirements and your information lifecycle management," Pray said.

Another key is creating a unilateral policy, without exceptions. One story on email archiving strategies tells the story of a CIO who ran into trouble when granting exceptions to some executives who didn't like the purge cycle of the company policy.

Burton's advice for creating an email retention policy is that it should address the following:

  • Email usage: Definitions of what constitutes abuse and proper use of the organization's email services.
  • Archiving and retention: Identification of what content will be saved, where it will be saved and for how long.
  • Legal readiness: Who, during a compliance audit or legal action, will be in charge of the information and how procedures will be communicated to the involved parties.

 

Let us know what you think about the story; email: Linda Tucci, Senior News Writer


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: