Don't delete that email! Why you must keep biz docs for 6 YEARS

Don't be caught out when lawyers knock on the IT dept door

Comment: Companies should retain project emails and documents in a central repository for more than six years before considering deleting the information, an expert in resolving IT disputes has said.

Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that organisations should consider retaining the information for longer than six years in order to be able to appropriately respond to electronic disclosure, or e-discovery, requests stemming from disputes arising outside of the UK.

When two companies sue each other they have the right to ask for relevant documents from the other party in a process called discovery. When the documents are digital ones, such as emails or the contents of databases, the process is called e-discovery.

Birdsey said that companies that fail to store information for long enough can end up incurring significant costs in trying to recover backed-up files in order to comply with e-discovery obligations.

"In terms of retaining documents and having a policy which complies with the requirements of limitation periods, six years is the typical period for contract claims, but for an IT project, the project itself might take three, four, five or six years," Birdsey said. "Therefore it is preferable, particularly for IT companies, to be looking at implementing a policy that begins six years after the completion of the project or from a point at which it is a bit clearer that no claims have been made."

"Businesses which operate across the globe, for example telecommunications companies, need to consider that retention and disclosure requirements might be different in other jurisdictions, with the disclosure requirements in the US, which appear to be broader in many circumstances than those in the UK, being an example. It highlights that there is a need for a policy that complies with all countries and not just the UK," he added.

"The costs of specific disclosure and of retrieving and restoring of emails must also be taken into account," he said. "Accessing documents from backups is an issue I've seen in quite a few cases where the organisation has had a really short retention period and this has given rise to the costs of undertaking forensic work and the legal advice around restoring backups. This is a particular issue where those backups are stored on tapes and not on servers."

"As important is having a systematic email management storage policy, for instance ensuring that everything is stored on a network and does not allow for users to store some things on their local PCs, some on memory sticks, others on Blackberrys and iPhones," said Birdsey. "It is important to have a coordinated and joined up email document retention policy that also takes into account the use of own devices, where permitted, making sure that those devices synchronise with the network and do not allow for stand alone storage. Of course, taxation and freedom of information compliance requirements must also be taken into consideration."

Cloud-based email management company Mimecast has published new research showing that businesses' email "archiving and retention policies" are "muddled and unclear". Mimecast said that the businesses may face exposure to litigation and compliance issues in areas such as data protection and the freedom of information (FOI) regime as a result.

One in four companies has no clear email backup plan

Mimecast said that 26 per cent of UK businesses "do not have a clear policy on retaining email at all", according to a survey of 500 IT managers based in the UK, US or South Africa. In the UK only 30 per cent of businesses store archived emails for at least three years, according to the survey.

"Just one in four IT departments (27 per cent) have an email retention policy designed to comply with industry regulations," Mimecast said its survey had revealed. "41 percent of UK businesses surveyed say their archiving policies are based on ‘internal best practice’ with no consideration given to industry or country specific regulations. Six percent of businesses admit to deciding their email retention policy around a ‘random future date’ with ‘no basis’."

Mimecast said that "many businesses are not confident that they would be able to identify all emails relating to a specific customer in a timely manner" and that "on average, it would take a UK business 12 working days to identify all emails relating to a potential litigation". A sixth of respondents (17 per cent) from UK businesses admitted that they did not think their firms could comply with such an e-discovery request within a month.

Companies can help address the often burdensome rules around data protection and e-discovery within their IT policies, an expert said.

Construction law expert Andrew Shelling of Pinsent Masons, who has acted on large High Court disputes involving e-discovery issues, said that companies should operate policies that require their employees to store personal data in separate clearly labelled folders. This allows their IT department, and any appointed IT litigation support provider, to isolate these emails from the others and protect secure information, or to have deemed consent to disclose that which is not filed in a ‘personal’ folder, he said.

"Organisations can make their life so much easier if they have an IT policy in place which requires individuals to place personal information in private folders," Shelling said. "This folder, marked ‘personal’, could be excluded from the harvesting process, and is thus a further tool that can be used to reduce the volume of documents that need to be processed and reviewed."

"Of course, this would need to be agreed with the other side if possible, but in the context of e-discovery, taking such steps would be considered reasonable in most cases unless it can be demonstrated that there are likely to be documents of both relevance and significance contained within an employee’s ‘personal’ folder. Even then, disclosure of such folders is likely to be limited to individual employees rather than all custodians," Shelling added.

"Not only does this make the identification of relevant information easier, it also ensures that individuals' rights around their personal data are observed," he said.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
