It is hard to believe that with all that's been written about compliance legislation in recent years, a political aide in a major city's administration would not know a little something about the rules of email retention. However, if another cautionary tale is needed on the subject, just look at the brewing political scandal in Boston:
Secretary of State William F. Galvin's office has ordered the city of Boston to immediately secure City Hall computers and hire an independent computer forensics expert to retrieve emails that were improperly deleted by Mayor Thomas M. Menino's top policy aide….
The public records law requires municipal employees to save electronic correspondence for at least two years, even if the contents are of “no informational or evidential value.” Penalties include fines of up to $500 or prison sentences of up to one year.
Apparently, the aide in question believed that despite his routine deletion of emails and emptying of the trash folder at the end of each day, the emails would still be backed up by city servers. The message for Business Leaders should be that you can never assume too much on the part of your organization's users, no matter what their role or status.
In addition to having a clearly stated email retention policy and requiring some sort of acknowledgement from users that they've read and understood it, it is also necessary to review the configuration of mail servers, backup procedures and archiving programs to make sure that all reasonable technical measures have been taken to safeguard the organization's data from improper deletion and employee cluelessness. A user-side delete should never be the only thing standing between a message and its loss.
A data retention policy is the first step in helping protect an organization's data and avoid the financial, civil and criminal penalties that increasingly accompany poor data management practices. Local, state, federal and international laws and industry regulations not only specify the types of data organizations and businesses must retain; legislation and industry guidelines also dictate how long specific types of data must be maintained and even the manner in which the data is to be stored. But legal considerations aren't the only reason to develop and implement strong data retention practices.
Data retention policies
Data retention policies form an important foundation for helping manage an organization's data. In addition to paper documentation, corporations increasingly are creating and relying upon large streams of electronic information that often aren't cataloged or stored in traditional filing systems. Capturing customer correspondence, accounting records, financial and sales data, electronic communications and other digital business information is critical in helping ensure that organizations not only remain in compliance with legislative requirements and industry regulations, but also possess the data backups necessary for recovering from catastrophes. Without strong data retention policies, organizations may find it impossible to resume operations following a disaster.
Developing an effective data retention policy requires dedicated research and the assistance of a qualified legal representative. The varied and bewildering number of local, state, federal and international laws, combined with numerous industry restrictions, essentially requires that you work closely with legal counsel to ensure compliance with all laws, regulations and requirements applicable to your organization. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002 and Securities and Exchange Commission rules 17a-3 and 17a-4 all place restrictions on the manner in which data is retained.
Whether you're responsible for information technology at a publicly traded company, a nonprofit, an educational institution, a medical facility, a financial services firm, a small business, a private partnership or even a franchise operation, a number of data retention restrictions likely apply to your business. From customer and client data to patient records, organizations face an increasing number of data retention requirements. The following are the types of information, records and data that should be covered by every organization's data retention policy:
Electronic communications
Business, client, agent and supplier correspondence
Documents
Spreadsheets
Databases
Customer records
Employee records
Supplier and partner information
Transactional data
Contracts
Sales, invoice and billing information
Accounting, banking, finance, earnings and tax data
Health care, medical and patient information
Student and educational data
Other data produced and collected in fulfilling business activities
All data retention policies should describe the types of data the organization must retain, the length of time the data should be stored and the format in which such data should be stored. Another easily overlooked element data retention policies should cover is instructions describing which organization representatives are authorized to delete data. In addition, data retention policies should state that a specific information technology staff member is responsible for confirming that all organization data is properly destroyed before organization equipment is disposed of.
The policy should clearly describe those individuals and employees covered by the policy, as well as the procedures that are to be followed in the event of a breach. Effective data retention policies must also describe the penalties that result from violations and require all covered parties to sign documentation attesting they understand the policy and pledge to uphold its tenets.
Policies must also state clearly that no organization officer, employee or other representative is to modify, delete or destroy any data in violation of local, state, federal, international or industry regulation.
Once such policies are drafted, implemented and signed, an organization's work is just beginning. Information technology departments must lead the effort of policing the policy. Only policies that are actively monitored and enforced prove successful.
Just implementing a policy doesn't ensure an organization's data retention practices change. Instead, the organization must work to ensure new routines, practices and systems are adopted to make proper data retention procedures habitual as opposed to exceptional.
Risk of Unmanaged Email & Instant Messaging
According to a recent survey, 65 percent of companies lack e-mail retention policies. Only 54 percent of the corporations surveyed conduct any kind of formal e-mail policy training. One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation.
If you need some reasons why not having an e-mail retention policy is a bad idea, just keep reading.
Baseline magazine ran a piece about companies that found out the hard way that not retaining data can hit the bottom line, and hit it hard. From the piece:
Philip Morris USA was ordered by a U.S. District Court judge in Washington, D.C., to pay $2.75 million in fines when it came out during federal tobacco litigation in 2004 that 11 managers didn't save printouts of their e-mail messages, as per company policy. As an added punishment, those managers were barred from testifying at trial, according to the order from U.S. District Court Judge Gladys Kessler.
The investment bank Morgan Stanley repeatedly failed to turn over data related to a fraud suit brought in 2005 by Coleman Holdings Inc., the owner of camping gear maker Coleman Co., according to an order written by the judge in the case, Elizabeth T. Maass. One of Morgan Stanley's technology workers concealed knowledge of 1,423 backup tapes, later found in Brooklyn, N.Y., when he certified that the bank had produced all its evidence, according to court documents. At least three other times, the judge said, the bank lost or mislaid backup tapes. Maass read a three-page statement to the jury detailing the missteps, which included overwriting e-mails and using flawed search software that hampered searches of Lotus Notes messages. She told the jury to assume the bank acted with “malice or evil intent” unless it could prove otherwise.
Morgan Stanley lost the case, big: The jury awarded Coleman $1.6 billion.
Nancy Flynn, founder and executive director of The ePolicy Institute, stresses, “Employers should look at e-mail and litigation in terms of not if we someday have our employee e-mail subpoenaed but when we have our employee e-mail subpoenaed.”
Compliance regulations
With compliance regulations such as HIPAA and Sarbanes-Oxley, and SEC and NYSE regulations in the financial services arena, companies have to be extra vigilant regarding e-mail risks; they must be able to prove that they've taken appropriate measures to retain e-mail and IMs as stipulated by the applicable regulations. According to Flynn, “Regulatory commissions, such as the SEC, have issued six- and seven-figure fines to companies who are unable to turn over e-mail records that should have been retained.”
Workplace lawsuits
Companies also have to be on the lookout for e-mail that could be used in a workplace lawsuit. According to Flynn, what most companies don't realize “is the fact that e-mail and instant messages are a primary source of evidence in court cases. They are the electronic equivalent of DNA evidence.” And like it or not, there is such a thing as “vicarious liability,” which means that an employer can typically be held responsible for the actions of its employees. Flynn acknowledges that there is “no such thing as a 100 percent risk-free e-mail environment.” You can't, for example, completely control what employee A says to employee B in an instant message. But if employee B decides to sue your company for a hostile work environment on the basis of employee A's e-mail, you need to be able to prove to the court that you took appropriate measures to prevent the conduct at the center of the lawsuit.
These measures are what Flynn calls the three E's of e-mail risk management:
Establish a written policy (for e-mail and IM usage, content, and retention).
Educate your workforce (“And that's everyone from the summer intern to the CIO”).
Enforce your policies.
Your policy should include details about e-mail and IM usage, content and retention, and you should take strong steps to educate your workforce with training presentations.
When asked how companies can go about enforcing policies, Flynn replied, “You use discipline, up to and including termination, for anyone who violates the policy.”
If an employer practices proactive risk management such as the steps above, a court is less likely to hold it responsible for the actions named in a lawsuit.
Don't forget Instant Messaging
Flynn notes that many companies don't know that retention and content policies should also apply to instant messaging, which is “just turbo-charged e-mail. We know that only 11 percent of companies have installed software to control and manage their employees' IM use while about 78 percent of employees are IMing at the office. It's a time bomb waiting to go off.” Flynn says there is a huge misconception out there that IM is not a written business record and that you can say anything you want. “Users think that once you close your window, the message is gone, but that's not true. Even if you're not retaining the message, the person you're chatting with might be. Also, it's an enormous security issue if your employees are transmitting IMs on business issues. These messages are transmitted via the public Internet. They could include customers' social security numbers and important account information.” Employers need to find out what the business presence of IM is in their workplace and how it is used.
So what's the holdup?
One of the reasons companies hesitate to create and enforce retention policies is cost: the cost of software, the cost of personnel needed to manage it, and so on. But Flynn says that that cost is minimal compared to paying a six-figure settlement. Also, a lawsuit can result in embarrassing headlines and loss of credibility for a company. “There have even been cases in which companies' stock valuation has dropped because of inappropriate e-mail use that has been reported by the media.”
Bottom Line for Business Leaders
One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. Creating an effective e-mail retention policy should be at the top of your agenda.