Business-related records, including e-mail, must be managed throughout their lifecycles according to logical and reasonable policies. Often, laws and regulations mandate the structure of these policies and procedures. There are no significant differences between paper- and electronic-based documents in that neither may be arbitrarily preserved or destroyed. They tell the story of the organization and how it conducts its business, including information that lawyers might have the right to review and introduce in court. Depending on the circumstances, deletion of e-mail may be perfectly legitimate, or it may be impossible to do. With e-mail deletion, there is no way to be absolutely certain that all copies have been destroyed, because an e-mail can be forwarded to many different accounts, stored on backup media, relocated to other e-mail accounts outside the organization, or made an attachment to another e-mail. The organization is clearly responsible for the maintenance and organization of e-mail records. Failure to implement safeguards and legal compliance invites censure from legal and regulatory bodies and may result in enormous search costs if retrieval is legally demanded.
Organizations functioning in highly regulated areas such as healthcare, securities, commercial aviation, government, and utilities are at risk. Due in part to specific laws and regulations, these firms typically meet their industry's requirements for document retention and destruction. Accordingly, businesses are regulated in what they must do relative to information indexing, auditing, information retrieval, etc. Regulations direct relevant industries to develop and enforce policies mandating the retention of all e-mail for future compliance auditing purposes.
Apart from legal and regulatory requirements, there is no good reason to retain e-mail indefinitely. One of the most important elements of successful policy development is the existence of an electronic document creation, use, transmission, retention, and destruction policy. The present is a good time to implement one. Currently, many prominent organizations do not have a policy detailing how employees must categorize paper- and electronic-based documents, how those documents are stored, and the schedule for their destruction.
Document Retention
Backing up all e-mail and electronic documents is tantamount to recording all telephone calls. If there is no good reason to do so, there are many compelling reasons not to. If a civil suit or criminal investigation is initiated against an organization, every e-mail message that is stored will be subject to production and subsequent review. In essence, this means every flippant remark, every sarcastic message, and every mistakenly routed e-mail will be subject to legal scrutiny and subsequent judgment.
Organizations should ask themselves if they are using e-mail to document decisions. If so, are those messages intermingled with less formal, potentially risky e-mail that could sway legal decisions? Are there policies about e-mail destruction? What is the duration of e-mail storage? What is the method of destruction? Is the destruction method thorough? Is it possible that destroyed records might be forensically restored?
How many startling revelations were made when e-mail retained by a software developer's employees was introduced in antitrust proceedings? Organizations seeing these legal difficulties have become more cautious about retaining e-mail. If you want to reduce potential risks, but are uncomfortable about deleting your e-mail messages, shoot for a compromise. Many organizations have policies to destroy e-mail backup media after 30 days. One month of retention enables the employer to retrieve data in the event of a system crash, while only a small number of stored documents remain in the system awaiting exposure to legal demands for their production.
Depending on the personnel and systems architecture, an organization may back up e-mail on a daily, weekly, or monthly basis. It is wise to err on the side of caution; the longer you retain electronic documents, the greater the risk surrounding them. So, given the risks in retaining e-mail, why do so many companies insist on backing up all their electronic correspondence? Simple: senior managers want to maintain formal records of all business discussions and decisions. Sometimes they are lazy or insecure about business processes. Others are naïve about the risks associated with retaining electronic messages.
It is a matter of education. Managers in charge of backing up data are not aware of the legal exposures attached to these backed-up files and think they are merely doing their jobs. They have been careful to ensure that regardless of the type of system or computer crash, data is not lost and users can return to their online business with a minimum of delay. Consequently, systems administrators are directed to err on the side of caution and retain electronic communications far longer than necessary.