E-mail Retention Policy
One of the greatest risks of e-mail use is that electronically stored data, which includes e-mail, is generally discoverable in lawsuits. In federal courts, for example, Federal Rules of Civil Procedure (F.R.C.P.) 34(a) which permits the discovery of documents and usable data compilations, has been defined to include electronic documents and, specifically, e-mail. Compliance with e-mail discovery is mandatory and can be extremely costly even when no damaging content is discovered.
Companies with lengthy e-mail retention periods or no policies at all will be particularly good targets. Therefore, an e-mail use and retention policy has become a necessary part of a risk-management program and the creation of an action plan for the implementation and enforcement of such a policy is imperative.
This article offers a sample e-mail policy that contains the basic concepts, including a recommended period of e-mail retention.
While many companies already have a policy governing the retention of paper documents, such a policy is unlikely to address the issues specific to electronic messages. For example, a paper document retention policy probably contains a retention period that is too long for electronic messages, and it is unlikely to address automated enforcement and e-mail discovery compliance, which are only relevant in the electronic realm. Many e-mail users are unaware that deleted e-mail messages may be recoverable and are likely to be discoverable. The risks inherent with e-mail are compounded because messages are often sent to multiple parties.
E-mail policies must be based on four basic concepts. First, e-mail should be used solely for business purposes. Second, if the company owns it’s e-mail systems and properly notifies its employees, it has the right to monitor and access e-mail messages, passwords notwithstanding. Third, companies should prohibit certain types of e-mail. Finally, policy violators should be subject to disciplinary action up to and including termination.
E-mail retention policies and risk management can help reduce the risks of e-mail messages leading to liability.
The primary questions in designing a compliance plan are the issues of retention periods and compliance methods. First, companies need retention periods long enough to gain policy compliance and short enough to meaningfully reduce risk.
In developing an e-mail retention policy, you must examine the internal systems, understand how employees use e-mail, and evaluate how employees manage e-mail space. The following is a sample of e-mail policy:
This document sets forth Newscorps (hereinafter referred to as the “Company”) policy regarding access to, monitoring, disclosure, and proper use of the Company’s internal and external electronic mail systems (“mail systems”), messages, and attachments sent or received by employees, contractors, and consultants (collectively, “users”). It also includes the Company’s rules on the retention and destruction of electronic mail messages (“messages”), and attachments.
- The use of the mail systems is not private. The Company may access, monitor, read, disclose, and delete messages at any time and for any reason without advance notice to the employee. This includes creating, sending, receiving, and storing messages to or from any internal or external source. The use of passwords or personal/custom named e-mail folders does not make such messages private.
- All messages must be consistent with the Company’s policies and procedures of ethical conduct, safety, compliance with applicable laws, and proper business practices. The mail systems may only be used for authorized Company business purposes. It is a violation of this policy to use the mail systems for any prohibited use contained on the “prohibited use list.” (For example, it is common to prohibit chain mail, offensive jokes, personal e-mail messages, solicitations of employment, running a personal business, etc.)
- This policy supercedes all other Company policies with regard to accessing, monitoring, disclosing, and properly using mail systems and messages. This policy is not meant to be exhaustive. Additional rules, procedures, and guidelines regarding the use of mail systems and the treatment of messages may be set forth in other Company policies and documents. In the event of an inconsistency, however, this policy shall govern to the extent that the issue falls within the scope of this policy.
III Password Access Control.
- Each user is responsible for changing his or her password on a regular basis to help prevent unauthorized use of his/her user I.D.
- Mail systems administrators and corporate security may change, bypass or disable a user’s password or other security mechanisms at any time without permission of or advanced notice to the user.
IV Message Storage, Retention, and Deletion.
Unless expressly instructed by authorized Company management, messages in user’s mailboxes may not be stored or retained electronically for more than ninety (90) days from the date of receipt. Messages older than ninety (90) days may be automatically deleted by the Company without advance warning. Users are prohibited from automatically sending, copying, or forwarding messages outside of their mailbox.
V Policy Violations.
Employee users who violate this policy are subject to immediate discipline up to and including termination. Other users (for example, contractors) are subject to revocation of mail, system access, and use privileges without notice and other actions permitted by law, subject to any applicable agreement or other applicable legal obligation, law, or regulation to the contrary.
VI Policy Changes.
The Company reserves the right to change this policy at any time without prior notice.
Given the litigious culture in the United States, it is not likely a matter of whether a company will ever suffer the ill-effects of e-mail discovery, but when. E-mail discovery is becoming more common. It may soon be as common as paper discovery. The possibility of e-mail-based lawsuits and the corresponding bad publicity should be enough to make companies enforcing a policy for e-mail use and retention. Having such a policy will not prevent liability, but it will make responding to e-mail discovery less onerous and less expensive.
Provided as an educational service by John Raymond Dunham, III, Esq..
This publication is intended to serve you. If you would like certain topics covered, or have any questions or comments, you are invited to contact Mr. Dunham at: 941.951.1800, Ext. 250, Facsimile: 941.366.1603, E-Mail: firstname.lastname@example.org, Web site: www.jrdlaw.com or write him at LUTZ, BOBO, TELFAIR, DUNHAM & GABEL, Two North Tamiami Trail, Sarasota, FL 34236.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered and report on issues and developments in the law. It is not intended as legal advice, and should not be relied upon without consulting an attorney.