This week, a lot of my coworkers across Penton Media, Windows IT Pro's parent company, are waking up to a new—and potentially shocking—reality. No, I'm not talking about changes or layoffs because of the poor economy. I'm talking about a huge volume of saved email messages that suddenly isn't there anymore due to the implementation of a comprehensive document-retention policy. The policy covers all company documents, but it's the rules regarding email that are going to be most difficult for people to adjust to.
The gist of Penton's new policy is that any email message older than six months will be automatically deleted—unless users move the message to one of a set of managed folders set up in Microsoft Office Outlook 2007 by the company's IT department. Each folder has a set time limit for retention, and only documents with specific legal or business requirements are allowed in those folders.
I recently spoke with members of Penton's legal department and IT department about the development and implementation of the new policy. Look for my interview with Ken Savoy and Ben Vargas of the Penton IT department in "Establishing an Email Retention Policy: The IT Perspective." And for some technical articles about setting up managed folders in Microsoft Exchange Server 2007 and other email retention and archiving issues, see the Related Reading section at the end of this article.
To get the legal perspective, I spoke to Elise Zealand, vice president and corporate counsel for Penton Media, who led the process for the policy's development. Elise spent ten years as a commercial litigator in New York before coming to Penton early in 2008.
Q: What was the situation at Penton before establishing the recent document-retention policy? What policies—if any—were in place?
A: There were some policies and procedures in place, and we were certainly very careful about enacting litigation holds when there was a potential claim or litigation. There were appropriate procedures in place to ensure that we retained data related to that litigation or claim. But with regard to email, we didn't have a system in place to manage email automatically. We left it to users to determine when emails would be discarded or retained.
Q: What's wrong with letting users decide what to keep? How does the company benefit by implementing a policy such as this?
A: When you have users who are longtime employees who are storing data in email for basically years on end, that's a cost problem and that's a litigation risk problem. So what we wanted to do was just to make sure that everybody would be on the same page, that they would understand that there were clearly defined rules about data that needed to be retained, and data that, if it's unnecessary, would be deleted within a specified period of time.
So we wanted to make sure that users were aware of statutory and legal obligations to keep their data. So, for example, with regard to accounting and finance records or employment data or contracts or drafts of contracts, we wanted to make sure that we retained certain records for an appropriate period of time.
Part of my job function in my prior life as a big-firm litigator was to help companies manage risk. One of the things that we always advised our clients was that they should have a strong document-retention policy in place. And you do that for several reasons. One is, in general, the cost of retaining data—unnecessary data—can be quite high just in terms of storage space electronically and in storing tapes offsite.
The other issue, and it's sort of the larger issue, is based on litigation risk and litigation expense. There were recently changes to the federal rules that require companies to engage in electronic discovery. Having been through electronic discovery in numerous lawsuits as an outside lawyer, I really got to know firsthand the expense and business interruption that that can create.
When you review electronic documents, basically you run a search, and both you and your adversary will agree on certain filters, certain parameters of the search. When you’re a lawyer, you really hope that your client has a good document-retention policy in place so that you're not searching through years and years of unrelated, unnecessary data.
And you're required, once you have a litigation in place, to preserve your data—to not delete any emails at all that relate to the subject matter of the lawsuit. That process of reviewing documents, electronic documents, can literally cost millions and tens of millions in a federal lawsuit because you have to have attorneys review the data to ensure that you're not producing anything that would constitute privileged information or confidential, proprietary information.
You also want to make sure, though, that you're retaining data that you must retain, either based on federal or state laws or regulations, or based on a litigation hold. You really need a process in place that protects the data that you must retain, that discards unnecessary data, and that ensures that we're not opening ourselves up to unwarranted expense and risk.
Q: How did you develop the policy for Penton? What resources did you consult?
A: We actually got some outside help just to make sure that we were appropriately covering our bases. So we used an outside law firm to give us some of the parameters with regard to accounting and finance, tax, employment, legal issues like contracts—just to make sure that we had a policy where we would have exceptions for automatic deletions for those kinds of documents.
So we used our outside lawyers as a resource. We went online—there's a group called the Corporate Legal Exchange and there are other online databases and associations that we use to sort of benchmark where we are compared to other companies of our size. And then as lawyers, we talked to peers. We talked to vendors of electronic discovery software to get a sense from them as to where they thought the appropriate parameters should be.
So we really reached out to lots of different sources. We looked back through our company's prior practices and procedures, and used all of those things to come up with a policy that would fit our needs but would also ensure that we were in compliance with applicable rules and regulations. I think we have a program that's going to be very comparable to companies of this size.
Q: How long did that process take?
A: I would say that we really seriously started the process probably in the fall, and it probably took from October/November until February to draft and implement the policy. And that was certainly with a lot of help and support from our IT department.
One of the things that we decided in creating a policy for our company was that we wanted it be as user-friendly as possible, and as simple as possible, because a policy that no one's using is going to be worthless. So we wanted to streamline the policy as much as we could while still keeping it effective for our purposes.