If you are in business online you must have an email retention policy (ERP), and your email archive must follow it (email archive meaning the storage of your email). If you either send or receive email in the course of business (and you probably do if you’re reading this) then it’s imperative to have a written email retention policy, which includes your email archiving policy. And at least as important, you need to follow it religiously.
Why You Need an Email Retention Policy
One of the main reasons that you need to have an email retention policy is that if you are ever on the receiving end of a demand for discovery (i.e. a legal demand to produce documents or other evidence), and if you are ever party to a lawsuit or even a witness in a lawsuit you will be served with such a demand, that demand will include a demand that you produce “any and all email related to the matter” or “any and all email to or from so-and-so” and you must to be able to either produce the email requested, or be able to point to a sound written email retention policy that explains why you no longer have it.
For that reason it is critical that a business have a written email retention policy, and that the policy be scrupulously followed.
What Your Email Retention Policy Should Be
Here’s the good news: generally speaking, what that email retention policy should be matters less than that it be carried out consistently. So, for example, your office’s email retention policy may be that all email is to be archived for three years, and then deleted, or it may be that all email is to be deleted one year from when it was last responded to. It almost doesn’t matter what your email retention policy is (subject to state and Federal laws, of course) so long as it is carried out and applied consistently to all email. Of course, if your email pertains to matters that are governed by other retention rules and regulations, such as the IRS’ document retention rules, you need to take that into account also.
This is also true for all other documents: you need a document retention policy that is clearly spelled out and followed (such as, for example, all documents are kept for seven years and then destroyed), but email is by far the most problematic because people tend to treat email more casually, and to delete it willy-nilly. Then when you get into litigation you will often be asked to produce all of your email records for a certain time period. Now, if your email retention policy is such that all of the email for that period has been deleted under your email retention policy – a policy which has been consistently applied all along – then the Court will not blame you for not being able to produce that email (although keep in mind that other parties to those email conversations may still be able to produce it).
As NetSec (which stands for ‘network security’) explains, “In the event of a legal dispute, compliance audit, or employment tribunal, emails will need to be produced. The failure to produce emails when required by regulators can result in several financial penalties and the consequences of not producing email data when required to do so by the courts can be devastating.”
What Happens if You Don’t Have an Email Retention Policy
If you don’t have a clearly stated email retention policy, and the email being sought through discovery just happens to have been deleted and be unavailable, you could face serious trouble. Conversely, you don’t want to find yourself in the situation where the email requested does exist, but you really wish that it didn’t exist, and you now can’t delete it without facing contempt of court charges, or worse, for failing to produce it.
Nearly all of the worst case scenarios would be the result of not having a carefully spelled-out and consistently followed email retention policy. In that case, if the business owner does not have the email requested, the Court may believe that the business owner willfully destroyed the email rather than produce it, and may apply any number of legal sanctions, including (but not limited to) applying a presumption that the missing document must have contained information which would prove their opponent’s case, levying heavy financial sanctions, or, even, dismissing the case or finding in summary judgement for the other side.
In fact, we are personally aware of a case where the sanction for deleted material was so severe that it led to the other party winning and putting the deleting party out of business (the winner acquired them). While this is an extreme case, and the deleted material wasn’t in an email, the principle is the same.
And the key to avoiding this is to have in place a clear, and consistently applied, email retention and archiving policy. Again, what that policy is is almost secondary – what’s important is that you follow it to the letter. Then, if you are called upon to produce email, it’s ok to say “we don’t have it because our policy is to delete all email after such-and-such a time”, so long as that really is your policy and you can show that you have been following it consistently since it was put into place (and that it was put into place before the start of the litigation).
What’s not ok is to say “we don’t have it because we deleted it” when you didn’t do it pursuant to a written policy, and when you may even still have other emails from that era still in your system or archived somewhere else.
So run, don’t walk, to review your company’s email retention and email archiving policy, and if you don’t have one, for goodness sake get one in place. And then follow it.