What do baseball cards and egg salad have in common?
Making sense? No? Don’t worry, we’ll get there.
Those who collected baseball cards as children often have stories about the cards they threw out which were years later discovered to be worth thousands. If only they’d held onto that precious rookie card, back before the slugger was famous and still had that cool mustache…
Meanwhile, anyone who’s kept leftover egg salad in the fridge for a few days too long knows that it requires a HAZMAT team and EPA oversight to safely extract from the kitchen. Holding on to egg salad past its time is a huge liability – is it worth taking the risk if you don’t have to?
So it is with e-mail – specifically, the retention of it at the enterprise level. If e-mail retention is too short, you risk losing conversations which prove valuable to the business: discussions regarding contracts, client information, proprietary data, and – perhaps most importantly – messages vital to legal proceedings. Losing that 6-year-old written agreement regarding a now-contentious contract will hurt as much as tossing out that valuable rookie card.
If retention is too long, then not only do you take up valuable storage to hold it all – but it becomes a risk. What if unauthorized users gain access to old company e-mail and misuse it? Like the decrepit egg salad, keeping e-mail simply for the sake of keeping it with no point or purpose can present a major liability.
No single retention approach is meant to apply across the board; the key is to apply the right retention to the right messages. Which messages should stay? Which should be disposed of? After what lengths of time? Jonathan Lampe of the InfoSec Institute has released a solid list of his top 5 e-mail retention best practices designed to answer some of these questions and balance the risks against the requirements:
1. Start with Regulatory Minimums.
Your email retention policy should begin by listing the various regulations your company is subject to and the relevant document retention requirements involved with each regulation.
2. Segment as Necessary to Avoid Keeping Everything for the Legal Maximum.
…Recommended retention periods vary widely even within highly regulated industries. With that in mind, it often pays to segment different types or uses of email into different retention periods to avoid subjecting your entire online email store to the maximum email retention period.
3. Draft a Real Policy…But Don’t Include What You Won’t Enforce.
A written policy, approved by legal counsel and senior management, will give you the requirements and authority to implement all the IT, security and process controls you need.
4. Price Preferred Solution and Alternatives By Duration and Segment.
To price an appropriate solution, you would restate your requirements based on number of users, expected volume of email and expected rate of growth.
5. Once You Draft Your Policy, Include Legal Before the Executives.
The main reason legal should be included as soon as you have a draft is that two of the best practices listed above (regulatory minimums and viability of segmentation) are really legal’s call – not yours! …A second reason to include legal before your executives is that you want to present a unified front (as IT and legal) on your maximum retention limits… The final reason you want to include legal early is that their calls may force you to reprice the options you laid out before you talked to them, and may cause you to take some options off the table.
The excerpts above are highly abbreviated, so I strongly recommend that you check out the full article. E-mail retention is an issue that easily flies under the radar, so take a moment to familiarize yourself with the risks and benefits of different policies and how they can enhance your compliance environment.