Email Retention - Does Your Firm Have a Policy?

From the May 2012 Issue.

Email has become a critical business tool not only as one of the primary means of communicating with clients but also for documenting decisions and business information in client files. With today's smart phones, tablets and remote access services via the Internet, email is universally accessible and its extreme ease of use makes it the primary communication tool for just about everyone. Unfortunately, email's benefits are a two edged sword as they can both improve a firm's effectiveness with enhanced collaboration, and can cause great embarrassment and financial loss in cases of litigation.

While most firms are aware that they should have and adhere to an email retention policy, the vast majority do not do so until after they have been the victim of a lawsuit, since email is usually one of the primary pieces of evidence targeted by opposing council. Surprisingly, many firms often feel that since they have limited the size of their personnel's email accounts that they have already addressed the retention issue, which is definitely not the case. So what does a firm need to do to tackle the issue?

The solution is to develop an email retention policy that is easy for firm personnel to understand and is well documented. While this is admittedly a very difficult thing to do, it is the responsibility of the firm to put in place tools that allow the email retention policy to be consistently applied across the firm including the implementation of a document management or archival solution. Firms should work with their legal council to develop a policy specific to their State and areas of practice. There are specific rules for managing email regarding HIPAA compliance, SEC, investment management, and financial institution type work that the firm may have to comply with, so it is imperative that the firm's policy incorporate those rules along within the overall policy.

One of the first steps is to creating a policy is to specifically identify what types of information employees are allowed to send via email. For instance, stating that sensitive, confidential documents should not be sent unless encrypted, or specifying that the firm's portal should be used for these documents instead, outlines boundaries for firm personnel. The policy should identify what constitutes acceptable business use for email and include specifications that prohibit inappropriate content or any item that could be deemed as harassment being sent in an email. The policy should also identify what would be construed as acceptable and unacceptable personal use of the firm's email accounts.

The policy should also specify how emails with an ongoing business purpose are to be archived and at what point any emails stored locally would be archived or erased. Some firms specify that email older than a certain age (we have seen the most common policies being between 30 and 180 days) will be automatically deleted. Firms without an archiving solution would also need to specify how files should be saved including the client folder, email file naming convention, and the disposition of email from their account.

The policy should also specify where email can be retained. Many firms utilize web-based email so that it can only be accessed by authorized personnel through a login process which the firm controls. The policy for these firms should consider disallowing saving emails personally and specifically prohibit email from being copied and stored locally on C:Drives (via a .PST file), as well as prohibiting copying emails to local storage media such as flash drives. If the firm allows email to be accessed or downloaded to personnel devices such as smart phones or tablets, the policy should state also clearly document the firm's rights to that information.