Understanding Email Retention

Email retention has long been a sore spot for many organizations and is known to cause heartburn for both IT and legal personnel.  This is not a new issue, but a recent conversation with an organization in Chicago that I have worked with for many years brought it up again: they are still trying to define email retention, two years later. Why?  Because the business wants to keep everything, but legal wants to keep nothing.

With the tools available in Office 365, email retention is easy to implement.  The hard part is agreeing on what retention means from a legal standpoint.  To complicate matters further, the retention discussion splits into two separate conversations: expiration and archival. 

Expiration

The expiration side of the conversation typically comes up when retaining documentation can create liability.  Case in point: I worked with a firm that was being sued for $1.2 million. In a “keep everything” environment, all documentation and email associated with the case was subject to discovery.  Documentation that had been retained well beyond any required retention period had to be produced, which put the firm in an unfavorable position. 

The point is that data past its retention period needs to be expired and deleted.  Keeping it creates avoidable liability exposure.

Archival

The archival side of the conversation concerns keeping all email for the full retention period, whether or not the end user deleted a message.  This matters when you need to reconstruct a timeline and prove or disprove what was sent to or from an employee.  Office 365 provides this capability through In-Place Holds, which preserve mailbox content regardless of user deletion.  If you have archival requirements of this kind, it is important to have a plan in place before you need them.

Legal retention and email

Email is typically considered a transitory communication medium: it is used to interact and share ideas with others on a subject, not as a permanent repository, especially for legal documents and instruments. 

I’ve heard many times “We need to keep [insert legal document here] for 2 years”.   That is certainly true, but the document itself will reside on some other storage system (SharePoint, a file server, or a printed page filed away in a box in the basement); email should not be the repository for it.  Another point to consider: because email is used to collaborate, the draft iterations of that legal document exchanged by email are not typically subject to the same retention requirements, and are excellent candidates for deletion, sooner rather than later.

Conclusion

There are some caveats to all of this.  Some regulations (e.g. FINRA Rules 4510 and 4511, and SEC Rules 17a-3 and 17a-4) require certain communications to be retained regardless of medium or document type.  This affects not only email but potentially other messaging applications such as Skype for Business.  Office 365 has the capabilities to fulfill these requirements, but the parameters should be well thought out before they are configured.

Additionally, Microsoft uses similar terminology for different things in message handling.  “Archive” in the Outlook mailbox (the Archive folder, or AutoArchive to a local .pst file) and the Online Archive (a separate archive mailbox that retention tags can move messages into) are different conversations with different meanings and implications.

Whatever the compliance requirement, a retention strategy should be well thought out and fit the needs of the organization.  Office 365 has the capabilities to help with message expiration, retention and archival.  These capabilities can be automated, and some control can be left with the end user to classify items that need extended retention.
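The expiration, end-user classification and legal-hold capabilities described in the Archival section and in the paragraph above, as an added Exchange Online PowerShell example; this is not code from the original post or from Peters & Associates.  The tenant, mailbox addresses, tag names, retention periods and hold reason are hypothetical placeholders, and the hold shown is the mailbox-wide Litigation Hold rather than the search-scoped In-Place Hold named earlier:

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds the Exchange Online
# "Retention Management" and "Legal Hold" roles. Every name, address and
# duration below is a hypothetical placeholder for what Legal actually agrees to.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Expiration: a default policy tag (Type All) covers everything the user has
#    not classified. DeleteAndAllowRecovery moves items to Recoverable Items
#    rather than purging them outright.
New-RetentionPolicyTag -Name "Expire-2y-Default" -Type All `
    -AgeLimitForRetention 730 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Delete unclassified mail after 2 years (hypothetical org policy)"

# 2. End-user classification: personal tags the user can apply in Outlook to the
#    few items that need longer retention. One moves items to the Online Archive,
#    the other suspends expiry entirely (RetentionEnabled $false = never expire).
New-RetentionPolicyTag -Name "Keep-7y-Archive" -Type Personal `
    -AgeLimitForRetention 2555 -RetentionAction MoveToArchive `
    -Comment "Long-term retention for items the user tags"
New-RetentionPolicyTag -Name "Never-Expire" -Type Personal -RetentionEnabled $false

# 3. Bundle the tags into one retention policy and apply it to every user mailbox.
New-RetentionPolicy -Name "Corp-Retention" `
    -RetentionPolicyTagLinks "Expire-2y-Default", "Keep-7y-Archive", "Never-Expire"
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetentionPolicy "Corp-Retention"

# MoveToArchive does nothing for a mailbox without an Online Archive, so enable
# one wherever it is missing.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne "Active" } |
    Enable-Mailbox -Archive

# 4. Archival / legal hold: preserve everything for the custodians of a matter,
#    regardless of what the user deletes. While the hold is active, items the
#    expiration tag removes are kept in Recoverable Items, so the hold takes
#    precedence over the expiration policy for these mailboxes.
$custodians = "alice@contoso.example", "bob@contoso.example"   # hypothetical
foreach ($m in $custodians) {
    Set-Mailbox -Identity $m -LitigationHoldEnabled $true `
        -LitigationHoldDuration 2555 `
        -RetentionComment "Matter 2019-001: hold requested by Legal (hypothetical)"
}

# 5. Verify the result, then run the Managed Folder Assistant so the tags take
#    effect now instead of waiting for the next scheduled pass.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName, RetentionPolicy, ArchiveStatus,
                  LitigationHoldEnabled, LitigationHoldDuration |
    Format-Table -AutoSize
foreach ($m in $custodians) { Start-ManagedFolderAssistant -Identity $m }
```

The verification step is the part worth keeping in a runbook: a mailbox that shows the policy assigned but no active archive, or a custodian whose LitigationHoldEnabled is still False, is exactly the gap that surfaces during discovery.  Note also that the hold and the expiration tag are deliberately separate controls; retention tags answer the expiration conversation, holds answer the archival one, and the hold always wins while it is in place.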

Office 365 has an extensive number of features and functionality that can be beneficial to your organization.  Many companies, unfortunately, only use a fraction of them due to lack of awareness or confusion about how they work.  If you would like to learn more, contact us at info@peters.com.  We are happy to help!

January 8th, 2019 | Security Solutions

About the Author:

As the Information Security Architect at Peters & Associates, Thomas Johnson (TJ) is responsible for providing security and compliance leadership. This includes such areas as vendor management, disaster recovery, business continuity, data protection, security products, budgeting and risk management. He has over 25 years of experience in security and technology and has extensive compliance-related expertise in banking and healthcare. TJ holds many security-related certifications as well as a Master’s Degree in Information Technology Management with a specialization in Information Security from the Illinois Institute of Technology. TJ focuses on Security Leadership, Risk Management, Information Security Assessments, Compliance Management and DR / BCP.