Assembling an effective Exchange data retention policy

From an article by Kevin Beaver, CISSP at

Data retention is one of those unsexy areas of IT management that we know needs to be addressed but would rather ignore. Besides, that’s what your legal team is for, right?

Well, not really. And unfortunately, data retention is not something you can avoid. There are real ramifications if your business doesn’t properly retain and protect email messages, especially once there’s notice of a lawsuit. In addition, you can also create unnecessary business risks by holding onto Exchange email too long.

Data retention policy dos and don’ts
Exchange data retention is a science, not an art. You must have a clear and concise idea of what your business is willing to take on. Otherwise, you run the risk of increased liability, spoiled evidence and numerous other negative side effects when lawyers get involved.

Some companies think it’s as simple as saying, “We’re saving all email indefinitely” or “We should try to save what’s needed, and then delete everything else after a year or so.” It’s not.

Another common gaffe is when in-house legal counsel downloads a template off the Web and pulls a random retention time out of the air. Some people mistakenly think that this is enough for an effective data retention policy.

The entire article can be read here

10 Clues Corporate Counsel Should Take to Heart about eDiscovery

The following content was inspired by an article in Law Technology News in Oct 2009 by Tom O’Connor titled “Top 10 EDD Tips for General Counsel”.

  1. Read the Rules: Read the Federal Rules of Civil Procedure or at least the amendments passed in December of 2006. For most of you, the days of farming out all discovery preparation are quickly disappearing. You are going to be responsible for not losing the case against you in the first couple of weeks by screwing up the discovery process. Come on…you made it through law school and read (?) all those books, and you have probably suffered through your share of mind-numbing IP applications. The FRCP is not as bad as that. I also recommend taking a look at the Electronic Discovery Reference Model (EDRM), a great site for in-depth learning of the eDiscovery process.
  2. Learn from Others: Case decisions are a great place to learn what others assumed or tried and didn’t work. They are also a great place to determine judges’ opinions and judicial thinking. There are many great blogs and websites. The one site I look at every day is Electronic Discovery Law, which consistently has great write-ups and analysis on current and past cases. I have been constantly amazed over the years to see how little corporate counsel pays attention to current legal actions. If nothing else, some of these decisions have a great deal of humorous revelations in them and will give you a chance to make fun of others. Another great organization to look at for information and leadership in the discovery process is the Sedona Conference organization.
  3. Understand the Terms: No, eDiscovery is not an electronic dating service; early case assessment (ECA) is not a process to determine if a case of wine in your basement has gained in value and “PST” is not a juvenile texting shortcut for “Please Stop Texting”. Knowing the legal terms is expected, generally knowing technical terms such as “Giga Byte” and “Thumb Drive” will be helpful and just might impress the Judge.
  4. Understand Where the Corporate ESI Could be Stored: Understanding all the places ESI could exist is the first step in lowering your risk in litigation. After you understand where all the ESI could exist, and it could be thousands of places that have little or no central control, limit the number of locations that ESI can be stored. This will lower your cost of collection by a huge amount.
  5. Talk to your IT department: Take the key individuals in your IT department out once in a while, maybe to your club. This will impress the propeller heads enough so that the next time you incorrectly reverse sync your BlackBerry and blow all your contacts out of your Outlook, they might actually fix it quickly. You might also learn some other stuff that would be helpful, like the fact that they are keeping backup tapes around for years (if you don’t know why this is a problem, you didn’t take the prerequisite to this class).
  6. Acknowledge (and work with) your Records Managers: They’re not bad people, just misunderstood. I have heard Records Managers often referred to as “Blue Hairs”. This is an obvious reference to the stereotype that all records managers are “mature” women. I won’t lie to you; this is sometimes true in certain industries but not everywhere. The Records Management department can be an important ally in your understanding of eDiscovery problems and ways to fix those problems. They are also important in the next clue.
  7. Create a Usable Records Management Policy and Schedule: I walked into a large company several years ago on a consulting engagement and asked them for their records retention schedule. After about a day and a half I was given a 212 page document that was full of record types and retention periods, all in 8 point type. When I asked them if they really thought every employee actually followed this schedule, they answered “absolutely” and they meant it. After interviewing 40 or so employees I found that 34 of them didn’t know the company had a retention schedule and the other 6 employees just regularly kept everything forever. Having a records retention policy and schedule is the first step in controlling your ESI. The idea is to manage and control it, not keep everything forever. A word of caution: a retention schedule that is not enforced is worse than not having one at all.
  8. Create a Litigation Hold Policy and Test It: Creating a litigation hold policy before you experience litigation should not be a revelation to anyone, even though I know for a fact it is for many. It just makes sense that being able to effectively stop the destruction of potentially responsive ESI would lower your risk of spoliation. A common sense next step would be to test it. A litigation hold policy that doesn’t work will not usually impress the Judge.
  9. Train Your Employees: Train your employees on the records retention policy and schedule as well as the litigation hold policy. Remember the example above in the “Create a Usable Records Management Policy and Schedule” topic. Having a policy and not telling your employees about it will not get you an invitation to the next Mensa gathering. Employees should be trained regularly and asked to sign a document that says they understand the training.
  10. Automate Where You Can: The bigger your organization, the harder it will be to do things manually. I know “archive” is a dirty word to most legal types, but the term archive does not mean save everything forever. It is a way to manage your ESI so that it is eventually deleted. Put ESI management systems in place that will help you meet your legal, regulatory and business requirements.

It’s time to address this expectation from records managers that all records are created equal. They’re not.

How many pieces of paper a day does the average employee create or receive? For me it’s zero. Now, how many electronic documents, spreadsheets, emails, attachments, instant messages, etc. does the average employee create or receive per day? In my case it’s hundreds of objects and 30-100 MB per day.

I work with customers all the time who try to use a very detailed retention schedule they created for hardcopy documents with their electronic records. They instruct their employees to classify each email, etc. based on the retention schedule, with little thought given to how long this directive will take each employee. They throw the policy over the fence and, because few openly refuse to use it, assume it is working.

In records management we have a 5 second rule: if it takes an employee more than 5 seconds to classify a document, they will either attach the longest retention period to it or delete it immediately. I worked with a large bank that had a 290 page retention schedule that employees were supposed to consult for every record, including emails. Every employee I interviewed either didn’t know the schedule existed or classified everything with an infinite retention period. Hardly a useful system.

Companies not under federal or state regulatory retention requirements need to get a little more realistic about electronic record retention policies. Usually “high water mark” retention policies are the way to go. Assign retention based on department or function, such as “2 years” for everyone in Finance. Many companies spend way too much time and expense trying to not keep the “let’s go to lunch” types of emails, for example. Why not keep them? They take up little room and are not detrimental.
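As an added example (not from either article quoted above), here is what the department-level “high water mark” approach and the litigation hold from clue 8 look like when automated in the Exchange Management Shell, so the schedule is enforced by the server rather than left to each employee. It assumes the Finance mark is 2 years, that the Active Directory Department attribute is populated, and uses a hypothetical custodian alias “jdoe” and a placeholder matter reference.

```powershell
# Added example, not the articles' own code. Exchange Management Shell (on-premises or Exchange Online).
# Assumptions: Finance high-water mark = 2 years; AD "Department" attribute is populated;
# "jdoe" is a hypothetical custodian alias.

# 1. One default policy tag covering the whole mailbox: 730 days, then delete with recovery.
#    No per-item classification is asked of the employee (the "5 second rule" is never triggered).
New-RetentionPolicyTag -Name "Finance-2Y-Default" -Type All `
    -AgeLimitForRetention 730 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Finance high-water-mark retention: 2 years for everything"

# 2. A retention policy that carries only that tag.
New-RetentionPolicy -Name "Finance-2Y" -RetentionPolicyTagLinks "Finance-2Y-Default"

# 3. Assign it to every Finance mailbox in one pass, driven by the directory, not by hand.
Get-User -RecipientTypeDetails UserMailbox -Filter "Department -eq 'Finance'" |
    Set-Mailbox -RetentionPolicy "Finance-2Y"

# 4. Force the Managed Folder Assistant to apply the policy now instead of waiting for its cycle.
Get-User -RecipientTypeDetails UserMailbox -Filter "Department -eq 'Finance'" |
    ForEach-Object { Start-ManagedFolderAssistant -Identity $_.Identity }

# 5. Verify the assignment actually landed: an unenforced schedule is worse than none.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RetentionPolicy -eq "Finance-2Y" } |
    Select-Object Alias, RetentionPolicy

# 6. Litigation hold: on notice of a lawsuit, stop deletion for the custodian without
#    touching the policy above. Items past the 2-year mark are preserved, not purged.
Set-Mailbox -Identity "jdoe" -LitigationHoldEnabled $true `
    -LitigationHoldDuration Unlimited `
    -RetentionComment "Hold placed for matter <PLACEHOLDER-MATTER-REF>; contact Legal before changing."

# 7. Test the hold rather than assuming it works: the mailbox must report it before you rely on it.
Get-Mailbox -Identity "jdoe" |
    Format-List LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner, RetentionPolicy
```

Step 7 is the cheap version of “test your litigation hold policy”; a fuller test is to delete a known item in the held mailbox and confirm it is still discoverable with an eDiscovery search afterwards.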

Let’s just get more realistic about records management.