Don't delete that email! Why you must keep biz docs for 6 YEARS
Don't be caught out when lawyers knock on the IT dept door
Comment Companies should retain project emails and documents in a central repository for more than six years before considering deleting the information, an expert in resolving IT disputes has said.
Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that organisations should consider retaining the information for longer than six years in order to be able to appropriately respond to electronic disclosure, or e-discovery, requests stemming from disputes arising outside of the UK.
When two companies sue each other they have the right to ask for relevant documents from the other party in a process called discovery. When the documents are digital ones, such as emails or the contents of databases, the process is called e-discovery.
Birdsey said that companies that fail to store information for long enough can end up incurring significant costs in trying to recover backed-up files in order to comply with e-discovery obligations.
"In terms of retaining documents and having a policy which complies with the requirements of limitation periods, six years is the typical period for contract claims, but for an IT project, the project itself might take three, four, five or six years," Birdsey said. "Therefore it is preferable, particularly for IT companies, to be looking at implementing a policy that begins six years after the completion of the project or from a point at which it is a bit clearer that no claims have been made."
"Businesses which operate across the globe, for example telecommunications companies, need to consider that retention and disclosure requirements might be different in other jurisdictions, with the disclosure requirements in the US, which appear to be broader in many circumstances than those in the UK, being an example. It highlights that there is a need for a policy that complies with all countries and not just the UK," he added.
"The costs of specific disclosure and of retrieving and restoring of emails must also be taken into account," he said. "Accessing documents from backups is an issue I've seen in quite a few cases where the organisation has had a really short retention period and this has given rise to the costs of undertaking forensic work and the legal advice around restoring back ups. This is a particular issue where those backups are stored on tapes and not on servers."
"As important is having a systematic email management storage policy, for instance ensuring that everything is stored on a network and does not allow for users to store some things on their local PCs, some on memory sticks, others on Blackberrys and iPhones," said Birdsey. "It is important to have a coordinated and joined up email document retention policy that also takes into account the use of own devices, where permitted, making sure that those devices synchronise with the network and do not allow for stand alone storage. Of course, taxation and freedom of information compliance requirements must also be taken into consideration."
Cloud-based email management company Mimecast has published new research showing that businesses' email "archiving and retention policies" are "muddled and unclear". Mimecast said that the businesses may face exposure to litigation and compliance issues in areas such as data protection and the freedom of information (FOI) regime as a result.
One in four companies has no clear email backup plan
Mimecast said that 26 per cent of UK businesses "do not have a clear policy on retaining email at all", according to a survey of 500 IT managers based in the UK, US or South Africa. In the UK only 30 per cent of businesses store archived emails for at least three years, according to the survey.
"Just one in four IT departments (27 per cent) have an email retention policy designed to comply with industry regulations," Mimecast said its survey had revealed. "41 percent of UK businesses surveyed say their archiving policies are based on ‘internal best practice’ with no consideration given to industry or country specific regulations. Six percent of businesses admit to deciding their email retention policy around a ‘random future date’ with ‘no basis’."
Mimecast said that "many businesses are not confident that they would be able to identify all emails relating to a specific customer in a timely manner" and that "on average, it would take a UK business 12 working days to identify all emails relating to a potential litigation". A sixth of respondents (17 per cent) from UK businesses admitted that they did not think their firms could comply with such an e-discovery request within a month.
Companies can help address the often burdensome rules around data protection and e-discovery within their IT policies, an expert said.
Construction law expert Andrew Shelling of Pinsent Masons, who has acted on large High Court disputes involving e-discovery issues, said that companies should operate policies that require their employees to store personal data in separate clearly labelled folders. This allows their IT department, and any appointed IT litigation support provider, to isolate these emails from the others and protect secure information, or to have deemed consent to disclose that which is not filed in a ‘personal’ folder, he said.
"Organisations can make their life so much easier if they have an IT policy in place which requires individuals to place personal information in private folders," Shelling said. "This folder, marked ‘personal’, could be excluded from the harvesting process, and is thus a further tool that can be used to reduce the volume of documents that need to be processed and reviewed."
"Of course, this would need to be agreed with the other side if possible, but in the context of e-discovery, taking such steps would be considered reasonable in most cases unless it can be demonstrated that there are likely to be documents of both relevance and significance contained within an employee’s ‘personal’ folder. Even then, disclosure of such folders is likely to be limited to individual employees rather than all custodians," Shelling added.
"Not only does this make the identification of relevant information easier, it also ensures that individuals' rights around their personal data are observed," he said.
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Oh look another FOSS argument
But yet again, it's a straw man.
See, if you knew anything about how Exchange or Outlook worked you wouldn't have said this. And if you had any kind of corporate experience, you definitely wouldn't have said this.
The version of Exchange that created the mailbox is irrelevant. You can migrate all your old mailboxes up to the latest version with little hassle, and Microsoft will support you for this. There's even provision in the licensing agreements for it. So if you have to stand up a 2000 Exchange and a 2003 to recover an old mailbox from tape, not a problem. I still work migration projects where this is the case. Tapes are stored for a decade or more, since nobody ever throws things away.
As for Outlook, do you think corporate bosses care that much about support? I'm on site where Office 2003 is still in use. So that's your argument blown out of the water.
As for "some suppliers don't support their software running in virtual environments (other than their own...)" MS were supporting their stuff in VMWare and Citrix for years. So your "subtle" dig here is without merit also.
If you want to argue against proprietary standards, you are better off aiming at "Document Management" systems, which usually lock customers in for life since there is no easy way to export information for use in another competing system.
This is an odd article as it misses a number of important points:
-- There's no obligation to store email for seven years or any other time. There ARE obligations for different times for different things -- payroll, contracts...
-- There's no magic cutoff at seven years. If you're holding information that's ten years old, and it's relevant, the court can order you to discover it
-- Filing system documents are just as vulnerable as email to being produced in 'discovery'
The proper approach is
-- A clear policy which is appropriate for your business (so it covers stuff you keep indefinitely, and a cut-off date for things you don't want) and isn't just wriggling to avoid legal obligations
-- Implementation of your policy -- IE you actually DO delete stuff older than eighteen months. Crucial.
-- Implementation of a 'legal hold' so stuff which is being discovered at month 17 won't be deleted before it can be produced.
Unless you can actually delete (from archive and tapes) and retain for legal holds, I would say that you're better off keeping everything, and cataloguing your tapes REALLY carefully.
I think I will just stick to storing invoices for 7 years - like HMRC request. I see no legal obligation to store emails or other communication for such a long period, and if its not here then I simply cannot hand it over can I?
Such a shame...