Don't delete that email! Why you must keep biz docs for 6 YEARS

Don't be caught out when lawyers knock on the IT dept door

Reducing security risks from open source software

Comment Companies should retain project emails and documents in a central repository for more than six years before considering deleting the information, an expert in resolving IT disputes has said.

Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that organisations should consider retaining the information for longer than six years in order to be able to appropriately respond to electronic disclosure, or e-discovery, requests stemming from disputes arising outside of the UK.

When two companies sue each other they have the right to ask for relevant documents from the other party in a process called discovery. When the documents are digital ones, such as emails or the contents of databases, the process is called e-discovery.

Birdsey said that companies that fail to store information for long enough can end up incurring significant costs in trying to recover backed-up files in order to comply with e-discovery obligations.

"In terms of retaining documents and having a policy which complies with the requirements of limitation periods, six years is the typical period for contract claims, but for an IT project, the project itself might take three, four, five or six years," Birdsey said. "Therefore it is preferable, particularly for IT companies, to be looking at implementing a policy that begins six years after the completion of the project or from a point at which it is a bit clearer that no claims have been made."

"Businesses which operate across the globe, for example telecommunications companies, need to consider that retention and disclosure requirements might be different in other jurisdictions, with the disclosure requirements in the US, which appear to be broader in many circumstances than those in the UK, being an example. It highlights that there is a need for a policy that complies with all countries and not just the UK," he added.

"The costs of specific disclosure and of retrieving and restoring of emails must also be taken into account," he said. "Accessing documents from backups is an issue I've seen in quite a few cases where the organisation has had a really short retention period and this has given rise to the costs of undertaking forensic work and the legal advice around restoring back ups. This is a particular issue where those backups are stored on tapes and not on servers."

"As important is having a systematic email management storage policy, for instance ensuring that everything is stored on a network and does not allow for users to store some things on their local PCs, some on memory sticks, others on Blackberrys and iPhones," said Birdsey. "It is important to have a coordinated and joined up email document retention policy that also takes into account the use of own devices, where permitted, making sure that those devices synchronise with the network and do not allow for stand alone storage. Of course, taxation and freedom of information compliance requirements must also be taken into consideration."

Cloud-based email management company Mimecast has published new research showing that businesses' email "archiving and retention policies" are "muddled and unclear". Mimecast said that the businesses may face exposure to litigation and compliance issues in areas such as data protection and the freedom of information (FOI) regime as a result.

One in four companies has no clear email backup plan

Mimecast said that 26 per cent of UK businesses "do not have a clear policy on retaining email at all", according to a survey of 500 IT managers based in the UK, US or South Africa. In the UK only 30 per cent of businesses store archived emails for at least three years, according to the survey.

"Just one in four IT departments (27 per cent) have an email retention policy designed to comply with industry regulations," Mimecast said its survey had revealed. "41 percent of UK businesses surveyed say their archiving policies are based on ‘internal best practice’ with no consideration given to industry or country specific regulations. Six percent of businesses admit to deciding their email retention policy around a ‘random future date’ with ‘no basis’."

Mimecast said that "many businesses are not confident that they would be able to identify all emails relating to a specific customer in a timely manner" and that "on average, it would take a UK business 12 working days to identify all emails relating to a potential litigation". A sixth of respondents (17 per cent) from UK businesses admitted that they did not think their firms could comply with such an e-discovery request within a month.

Companies can help address the often burdensome rules around data protection and e-discovery within their IT policies, an expert said.

Construction law expert Andrew Shelling of Pinsent Masons, who has acted on large High Court disputes involving e-discovery issues, said that companies should operate policies that require their employees to store personal data in separate clearly labelled folders. This allows their IT department, and any appointed IT litigation support provider, to isolate these emails from the others and protect secure information, or to have deemed consent to disclose that which is not filed in a ‘personal’ folder, he said.

"Organisations can make their life so much easier if they have an IT policy in place which requires individuals to place personal information in private folders," Shelling said. "This folder, marked ‘personal’, could be excluded from the harvesting process, and is thus a further tool that can be used to reduce the volume of documents that need to be processed and reviewed."

"Of course, this would need to be agreed with the other side if possible, but in the context of e-discovery, taking such steps would be considered reasonable in most cases unless it can be demonstrated that there are likely to be documents of both relevance and significance contained within an employee’s ‘personal’ folder. Even then, disclosure of such folders is likely to be limited to individual employees rather than all custodians," Shelling added.

"Not only does this make the identification of relevant information easier, it also ensures that individuals' rights around their personal data are observed," he said.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Eight steps to building an HP BladeSystem

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!
Grim diversity numbers dumped alongside Facebook earnings
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Chips are down at Broadcom: Thousands of workers laid off
Cellphone baseband device biz shuttered
prev story


Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.