Don't delete that email! Why you must keep biz docs for 6 YEARS

Don't be caught out when lawyers knock on the IT dept door

Secure remote control for conventional and virtual desktops

Comment Companies should retain project emails and documents in a central repository for more than six years before considering deleting the information, an expert in resolving IT disputes has said.

Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that organisations should consider retaining the information for longer than six years in order to be able to appropriately respond to electronic disclosure, or e-discovery, requests stemming from disputes arising outside of the UK.

When two companies sue each other they have the right to ask for relevant documents from the other party in a process called discovery. When the documents are digital ones, such as emails or the contents of databases, the process is called e-discovery.

Birdsey said that companies that fail to store information for long enough can end up incurring significant costs in trying to recover backed-up files in order to comply with e-discovery obligations.

"In terms of retaining documents and having a policy which complies with the requirements of limitation periods, six years is the typical period for contract claims, but for an IT project, the project itself might take three, four, five or six years," Birdsey said. "Therefore it is preferable, particularly for IT companies, to be looking at implementing a policy that begins six years after the completion of the project or from a point at which it is a bit clearer that no claims have been made."

"Businesses which operate across the globe, for example telecommunications companies, need to consider that retention and disclosure requirements might be different in other jurisdictions, with the disclosure requirements in the US, which appear to be broader in many circumstances than those in the UK, being an example. It highlights that there is a need for a policy that complies with all countries and not just the UK," he added.

"The costs of specific disclosure and of retrieving and restoring of emails must also be taken into account," he said. "Accessing documents from backups is an issue I've seen in quite a few cases where the organisation has had a really short retention period and this has given rise to the costs of undertaking forensic work and the legal advice around restoring back ups. This is a particular issue where those backups are stored on tapes and not on servers."

"As important is having a systematic email management storage policy, for instance ensuring that everything is stored on a network and does not allow for users to store some things on their local PCs, some on memory sticks, others on Blackberrys and iPhones," said Birdsey. "It is important to have a coordinated and joined up email document retention policy that also takes into account the use of own devices, where permitted, making sure that those devices synchronise with the network and do not allow for stand alone storage. Of course, taxation and freedom of information compliance requirements must also be taken into consideration."

Cloud-based email management company Mimecast has published new research showing that businesses' email "archiving and retention policies" are "muddled and unclear". Mimecast said that the businesses may face exposure to litigation and compliance issues in areas such as data protection and the freedom of information (FOI) regime as a result.

One in four companies has no clear email backup plan

Mimecast said that 26 per cent of UK businesses "do not have a clear policy on retaining email at all", according to a survey of 500 IT managers based in the UK, US or South Africa. In the UK only 30 per cent of businesses store archived emails for at least three years, according to the survey.

"Just one in four IT departments (27 per cent) have an email retention policy designed to comply with industry regulations," Mimecast said its survey had revealed. "41 percent of UK businesses surveyed say their archiving policies are based on ‘internal best practice’ with no consideration given to industry or country specific regulations. Six percent of businesses admit to deciding their email retention policy around a ‘random future date’ with ‘no basis’."

Mimecast said that "many businesses are not confident that they would be able to identify all emails relating to a specific customer in a timely manner" and that "on average, it would take a UK business 12 working days to identify all emails relating to a potential litigation". A sixth of respondents (17 per cent) from UK businesses admitted that they did not think their firms could comply with such an e-discovery request within a month.

Companies can help address the often burdensome rules around data protection and e-discovery within their IT policies, an expert said.

Construction law expert Andrew Shelling of Pinsent Masons, who has acted on large High Court disputes involving e-discovery issues, said that companies should operate policies that require their employees to store personal data in separate clearly labelled folders. This allows their IT department, and any appointed IT litigation support provider, to isolate these emails from the others and protect secure information, or to have deemed consent to disclose that which is not filed in a ‘personal’ folder, he said.

"Organisations can make their life so much easier if they have an IT policy in place which requires individuals to place personal information in private folders," Shelling said. "This folder, marked ‘personal’, could be excluded from the harvesting process, and is thus a further tool that can be used to reduce the volume of documents that need to be processed and reviewed."

"Of course, this would need to be agreed with the other side if possible, but in the context of e-discovery, taking such steps would be considered reasonable in most cases unless it can be demonstrated that there are likely to be documents of both relevance and significance contained within an employee’s ‘personal’ folder. Even then, disclosure of such folders is likely to be limited to individual employees rather than all custodians," Shelling added.

"Not only does this make the identification of relevant information easier, it also ensures that individuals' rights around their personal data are observed," he said.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Secure remote control for conventional and virtual desktops

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story


Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.