From an article by Kevin Beaver, CISSP at Searchexchange.techtarget.com
Data retention is one of those unsexy areas of IT management that we know needs to be addressed but would rather ignore. Besides, that’s what your legal team is for, right?
Well, not really. And unfortunately, data retention is not something you can avoid. There are real ramifications if your business doesn’t properly retain and protect email messages, especially once there’s notice of a lawsuit. In addition, you can also create unnecessary business risks by holding onto Exchange email too long.
Data retention policy dos and don’ts
Exchange data retention is a science, not an art. You must have a clear and concise idea of what your business is willing to take on. Otherwise, you run the risk of increased liability, spoiled evidence and numerous other negative side effects when lawyers get involved.
Some companies think it’s as simple as saying, “We’re saving all email indefinitely” or “We should try to save what’s needed, and then delete everything else after a year or so.” It’s not.
Another common gaffe is when in-house legal counsel downloads a template off the Web and pulls a random retention time out of the air. Some people mistakenly think that this is enough for an effective data retention policy.
eDiscovery101 
Great point Bill, just a little FYI, Nancy Flynn’s book ‘The e-POLICY Handbook’ is a great source for any organization to use to help them determine what rules and best practices they should adopt. It also has case studies that will drive home the point of what happens if you are not properly prepared to face an EI (electronic information) request.
Mike Soulie
Thanks Mike. I had not heard of Nancy’s book, but will be sure to get a copy. Thanks again