Legal Benefits of a Defined Retention Policy: Lessons from a Road Trip

As someone involved in product development and delivery, I had the rare privilege of going on site to assist and train a customer in the deployment and use of Sherpa products as part of a professional services engagement. But, as is typically the case with such situations, it turned into a forum for exchanging ideas and an opportunity to share some of the lessons we’ve learned from our past experiences in order to help a customer as they formulate a plan to implement their corporate policies.

The Client

This particular client is a fairly large, geographically distributed organization with about one-third of the users predominantly on the road in a relatively unregulated, but highly litigious, industry. They have been grappling for the past several years with formulating a meaningful (but more importantly, enforceable) email retention policy. This particular organization shares similarities with other companies we have worked with in that they face similar operational struggles. I wanted to use this forum to share some of these challenges as well as blueprints of their proposed solutions, in the hopes that it will inspire and benefit other IT organizations confronted with similar situations.

The Issues

The ordeal began about five years ago with problems encountered during litigation, as such ordeals usually do. After experiencing difficulties in locating and retrieving pertinent corporate emails and several months of deliberations with the IT department, the company’s legal department decided to implement a policy to capture and centrally store all corporate email. Exchange journaling was enabled, and a third-party archiving solution was deployed to store and manage the journaled email messages. This started out as a viable solution, providing centralized control over all corporate email and ready access to find relevant emails when required. However, as per the legal department’s decree, no email was ever to be deleted. Thereafter, with no explicit retention period defined for the archived emails, the archive storage naturally exploded; this turned the project into a major management headache, while also making it cumbersome for users to access their archived email.

Re-evaluating the situation, the organization decided that journaling was not the ideal solution; it was soon disabled, and a new round of discussions began. It was ultimately determined that users, armed with certain guidelines, would be tasked with manually identifying emails that met corporate record guidelines, and all other email would be purged from the system. Although the potential of such a corporate policy to survive a judge’s scrutiny during litigation sounds questionable, Sherpa has found in our experience and research that courts do look favorably on organizations that have clearly defined information retention policies, with an enforcement process in place.

In this particular situation, however, the practical implications being considered are daunting. Theoretically, this seemed plausible; after all, users should know and understand what constitutes a corporate record, as well as the suggested guidelines that would help them in this effort. In practice, however, several aspects of the implementation of this policy were extremely cumbersome, the least of which was requiring the end users to individually review several years’ worth of their email.

For starters, this calls for the return of several years of archived journal data back into the users’ mailboxes. Over the years, as in most organizations, users (especially those who spend most of their time on the road) were encouraged to maintain local PST caches of email. This new policy requires the re-import of all data back into the users’ mailboxes to end PST use. Once all the data is returned to users’ Exchange mailboxes, users will be required to review all of their email, manually tagging corporate records (which will be retained indefinitely). All other email will be given a three-year retention period before being purged. The organization had settled on using Exchange 2010’s Message Records Management (MRM) to enforce these retention policies. Preventing further use of PST files is probably the only simple task in this implementation; it is done by deploying the read-only PST registry key to all users’ computers.

The Solution

Thankfully, there are a few areas here in which Sherpa Software is able to help. The organization is currently in the deployment/testing phase of using Mail Attender for Exchange to import the local PST data from users’ machines back into their respective mailboxes. As described in this article on importing PST files, Mail Attender’s automated, flexible and efficient method of extracting data from desktop PST files and transferring them to a server repository significantly eases all potential burdens of an otherwise extremely painstaking process.

When it became clear during the on-site discussions that, following the import of the PST data, users would have to manually review all their imported messages and tag relevant ones as corporate records, Sherpa Software offered to add a feature to Mail Attender. This feature gives Mail Attender the ability to automatically assign an MRM tag to a message, based on pre-defined criteria, prior to importing it into an Exchange mailbox. The same feature could also be used to automatically tag email already in a user’s Exchange mailbox, as well as any newly received email. Although this automatic tagging does not preclude a user from manually reviewing and modifying a tag, it should save the organization countless hours of manpower, while also limiting the potential for human error in the enforcement of this retention policy.

One final note from this exercise: following the implementation of this email retention policy, the IT department is tasked with finding a way to enforce a similar retention policy on files stored on network shares and in SharePoint. Sherpa’s Attender Online is a solution tailor-made for this type of corporate policy: a powerful framework that offers a unique ability to enforce a consistent records management policy across multiple silos of data from a single interface.

Hopefully, there are several helpful lessons in this article. One I would like to highlight in closing is that beyond offering information governance products and services, Sherpa Software is available to consult and develop customized solutions to help you in solving your information governance challenges.
