Avoiding an E-discovery Nightmare in a Workplace Investigation



An effective email retention policy can help you sleep easier, knowing you have what you need and not what you don’t.


In the age of electronic communication, most people find it impossible to go a day without email. In the workplace, email is a valuable tool, not just for communication but also for recording information and exchanges. But dangers lurk in the deep recesses of the servers that store all that communication, and in a workplace investigation, what is and isn’t there can come back to haunt a company that hasn’t taken the right steps to preserve and delete.

Knowing what and how to delete electronic communication is critical, yet many companies don’t have a clue. The answer lies in an Email Retention Policy: a document that describes the company’s guidelines for retaining and destroying emails.

What's in an ERP?

An Email Retention Policy typically includes:

  • a retention schedule for employees to easily integrate into their routines
  • a set timeframe for how long emails will be stored
  • explicit directions for what information should be kept and what information should be destroyed
  • information about the way in which the data is kept and where

An effective Email Retention Policy must be easy to understand, so that employees will have no problems implementing it.

Why You Need an ERP

The Email Retention Policy defines which data needs to be preserved and for how long. Some companies face industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), SEC, Sarbanes-Oxley (SOX), and Gramm-Leach-Bliley Act (GLBA), that require them to retain electronic data for a certain period.

In addition to regulatory compliance, certain data might be important for the company and must be retained for internal reasons.

Why Delete Data?

The Email Retention Policy also defines which data does not need to be retained. A company does not want to store data that is not important, for two reasons:

  1. Storing data costs money and can slow down systems. A mail server was not designed as a storage system; it was designed as a communication system. Mail servers that have large message stores are slower to search through, back up and restore. It does not make sense to suffer these consequences for data that is not important.
  2. The more data you have, the longer an eDiscovery search under a court order will take and the more costly it will be. If a US company faces a lawsuit, it will need to comply with the eDiscovery rules in the Federal Rules of Civil Procedure (FRCP). Although under the FRCP it is up to the company to decide how long to store data, there must be a clear retention policy in place that states which data is retained, for how long and by what means. It is important that these guidelines are adhered to, so that if any destroyed data is ever requested as evidence, the company is able to prove that it was destroyed according to company guidelines, and not to cover up evidence.

Litigation Hold

The Email Retention Policy also covers what needs to be done during a litigation hold. When a company is involved in a lawsuit, it must place any relevant data on a litigation hold; in other words, the company may not destroy any data that might be relevant to the case. It is important that the company has already worked out how it will enforce a litigation hold if one is required.

Set It, but Don’t Forget It

Unfortunately, Email Retention Policies are far from set-it-and-forget-it programs. Compliance regulations constantly change, and implementation problems may arise at any time.

Although it might be daunting to create an Email Retention Policy, don’t be discouraged. Create an email retention team involving members from IT, Legal, Compliance and Human Resources, and start by documenting the company’s retention needs and requirements. Once the email retention requirements are clear, discuss how these can be achieved. This will usually be a combination of employee guidelines and an email archiving solution.

Taking the time to ensure you have an effective Email Retention Policy will save you hours of sleep lost to worrying about the monsters lurking on your servers.