From an article by Kevin Beaver, CISSP at Searchexchange.techtarget.com
Data retention is one of those unsexy areas of IT management that we know needs to be addressed but would rather ignore. Besides, that’s what your legal team is for, right?
Well, not really. And unfortunately, data retention is not something you can avoid. There are real ramifications if your business doesn’t properly retain and protect email messages, especially once there’s notice of a lawsuit. In addition, you can also create unnecessary business risks by holding onto Exchange email too long.
Data retention policy dos and don’ts
Exchange data retention is a science, not an art. You must have a clear and concise idea of what your business is willing to take on. Otherwise, you run the risk of increased liability, spoiled evidence and numerous other negative side effects when lawyers get involved.
Some companies think it’s as simple as saying, “We’re saving all email indefinitely” or “We should try to save what’s needed, and then delete everything else after a year or so.” It’s not.
Another common gaffe is when in-house legal counsel downloads a template off the Web and pulls a random retention time out of the air. Some people mistakenly think that this is enough for an effective data retention policy.