E-Discovery and the Auto-Deletion of Emails

Some email programs automatically delete old emails after a fixed time. Most come with a function that allows the owner of the system to set up a time after which old emails are automatically deleted (unless they have been moved to particular storage folders, probably). This function seems useful to avoid clutter. It’s like a record destruction schedule.

Is there a standard time at which such auto-delete functions should be set, or should there be? What’s a safe time, legally as well as practically? It is clear enough that without such a function, some people (most?) would never get around to deleting their old emails, and the system would require a lot of storage. Is the setting up of an auto-delete system any different from setting up a record destruction schedule for any other record, paper or electronic?

What happens when an operation (business or government) runs into a situation of probable or actual litigation, such that the principles of (electronic) discovery would require a ‘litigation hold’ on relevant records? Should auto-delete on the email system be turned off? Is there a way of turning such functions off for particular users or particular subjects? (My office mail now deletes my Sent Mail after two months – a practice instituted perhaps a year ago without any notice to users so far as I know) – but does not delete my Inbox ever.)

Is this any different from instructing the record managers (assuming a big enough organization that such people exist) to hold off from destroying other records on the normal schedule for the same reasons?

Do you know of a good guide to such practices, beyond the general level of the Sedona Principles? Would the best practices vary according to the limitation periods of the relevant jurisdictions? I can’t think of a reason to distinguish emails from any other records, except for the automation feature on their deletion, which is a practical hazard not a justification for a legal difference.

What do you advise?

Retweet information »

Comments

  1. Good topic John. Thank you.

    I think the important questions are: (1) Where do you put the e-mails that need to be stored as a formal record of communication? and (2) How good are you at actually making sure that they get put there?

    The model I’m familiar with is one in which individual custodians are charged with a duty to separate transitory e-mails from e-mails that need to be retained because they have ongoing value – i.e. that need to become records. Individuals with this duty become responsible for putting e-mails in some central repository, ideally one with a structure that is recognized in a formal records classification plan.

    The duty imposed on individuals is an important one, but imposing it often involves major behavioral change. I know of an organization that implemented a two-year “purge period” when it launched a new document management system instead of managing this change head on. I don’t get too prescriptive around these matters because they are typically driven by business and not legal considerations, but I like three months and a strong up-front effort to manage the required change in behavior. Two years seems like a license to neglect the duty to classify, and if individuals don’t classify well, money spent on central storage systems won’t generate the desired return.

    A period shorter than three months raises risks that are well-illustrated by the American case, Broccoli v. Echostar Communications Corp. It tells a story about a company that breached a duty to preserve because its e-mail system was set to purge e-mails after 21 days. The company didn’t implement a litigation hold in time and transitory e-mails relevant to a sexual harassment claim were irretrievably lost. So if you have a really short period, you also better have a sensitive litigation hold trigger and be very good at implementing litigation holds.

    Finally, and I know Dominic Jaar has made this point elsewhere, but I agree that limitation periods are generally irrelevant to the purge period determination. Assuming that transitory e-mails are neither likely to contain helpful nor hurtful evidence in most organizations, they can and should be dumped well short of any potentially relevant limitation period in my view. Dominic has noted his disagreement with cases that suggest a retention period must correspond with a relevant limitation period to be reasonable. I also join him on this point, at least when the content of the records at issue can be reasonably be characterized as neutral (i.e. neither helpful nor hurtful).

    Thanks again John. Looking forward to getting back to these issues in our e-mail presentation in the new year.

    Dan

  2. Per our offline excchange:

    Email janitors are becoming standards in many organizations where IT was tired of being asked to increase employees’ inbox size (that reminds you of someone, huh?)… However, using similar technologies without a defined information management framework and a document management system is the equivalent, 20 years ago, of an organization wiping clean the office of its employees every week and recycling everything that was not properly filed, while not providing a filing cabinet to its employees…

    Accordingly, and for the following reasons, I can’t agree with you that such a solution is “like a record destruction schedule”. The janitor focuses on the format (email) whereas a record retention schedule must target “records”, i.e. document types (contract, proceeding, filing, correspondence, waybill, etc.) and be technology neutral. Therefore, there is no such thing as a “safe time, legally as well as practically” for emails, or any other e-format for that matter. Such periods exist for document types and are based on the applicable laws, best practices but also, and most importantly, on the business needs of each organization.

    Practically speaking, what I have seen in many organizations who didn’t have an information management framework (policies, procedures and technology) and who were using janitors, is an explosion of client-based (on the employee’s computer as opposed to the organizations’ server) archives, i.e. personal folders created by the users to keep everything before the janitor could delete it. Yes, those same infamous PSTs (for Outlook users) which increase the price of e-discovery! Furthermore, IMHO, feeling the need to implement such a drastic solution without the proper framework is an admission that no reasonable effort was made to educate employees and to provide them with the tools they need to comply with the applicable laws…

    ARMA and the General Counsel Roundtable have a couple of interesting whitepapers on the topic but most of them provide general principles and conclude on a lawyerly answer to the issue: each organization is different and a record retention schedule should be custom-built.

    With respect to limitation periods [this could be the topic of a thesis], while I know there is Canadian and US case law that states they should be the minimum periods of retention, I beg to defer. I think this conclusion came from a first erroneous decision (I have yet to find) which confused the period during which a party can exercise its right and its capacity to prove its allegations. In other words, the fact that I possess information which could theoretically be useful or necessary to a third party who might sue me eventually (or even me!) should not create any obligation to preserve. In fact, this is the rationale behind one of the Sedona Principles (and Sedona Canada Principles), and by extension behind the rules of civil procedure in many jurisdictions: “As soon as litigation is reasonably anticipated, parties must consider their obligation to take reasonable and good faith steps to preserve potentially relevant electronically stored information. [P3]” A contrario, unless a specific provision requires one to retain a record, there is no general obligation, based on limitation periods, to keep any record which is not useful to an organization.

    As you seem to be alluding to in your last paragraph, I am tempted to ask: Are storage-related issues, mainly monetary in nature, valid justifications not to retain what must be retained by law? Could an a priori proportionality argument be made for not retaining such records? Or, as I firmly believe, is information management a normal cost of doing business in the age of information?

    DISCLOSURE: I MAKE A LIVING DEVELOPING SUCH POLICIES AND HELPING ORGANIZATIONS TAKE CONTROL OF THEIR MOST VALUABLE ASSET, INFORMATION, BY DEVELOPING PROCESSES AND IMPLEMENTING TECHNOLOGIES. HOWEVER, MY OPINION WAS MADE WELL BEFORE I EVEN HAD THE BRILLIANT IDEA OF STARTING SUCH A BUSINESS AND MAY EVEN HAVE NEEN ITS INSPIRATION… :-)

    Dj)

  3. All good points Dominic and Dan. I would only like to add that deleting e-mail is easy but erasing it forever is rather complicated.

    The main problem is this:

    * Is your company large enough to maintain its own e-mail servers or do they rely on a third party, such as Google or the ISP?
    – Even if your company maintains its own e-mail servers, presumably much of the e-mail that is sent and received is to recipients outside of your company. In other words, someone else has a copy of the e-mail (both sent to you and received from you).
    – If your company relies on a third party (Google/ISP), they maintain back-ups that will contain your e-mails, which will include the e-mails sent only to recipients within your company. Your IT department will not have access to these backups. A court however, can order production of them. Do not be fooled into thinking that because you can’t see the message in your Google/Yahoo/Hotmail/ISP trash bin anymore that it is gone forever.

    In short, the majority of the e-mail that is sent and received these days is outside of your company’s control. This is not to say that you should not have a policy of deletion. I would simply not put much faith into those policies and procedures to win the day for you in court. If there is a smoking gun document (e-mail) out there, it still exists and will be found. The goal therefore is not to make it hard to find, but rather not to create it in the first place.

    ^GC

  4. The last line of the previous comment is very good advice, and the rest of it is technically accurate so far as I know. But I think that courts are very reluctant to make a party search through and produce backup versions of e-documents unless there is very good evidence that there is something relevant there that is not likely to show up otherwise. This reluctance is likely to be even stronger when the backup material is in the hands of a third party, possibly mixed in with backup of all that party’s other customers. The request will get even less sympathy unless the effort of doing the search is proportionate to what is at stake in the case.

    So yes, this stuff is out there, but it’s unlikely to have to be gone after except in extreme cases.

    Any experienced e-discoverers have a different view?

  5. While it may be quite true that a copy of a deleted e-mail exists somewhere, and that a party might be able to find, retrieve and restore it, that’s not to say that the party who deleted it has an obligation to produce it (though they may have an obligation to disclose it, since it was formerly in their possession).

    If the email was deleted in accordance with a reasonable retention/destruction policy, and was not subject to a legal hold, then one can argue that the email is no longer in the possession, control or power of the “custodian.” By the way, the auto deletion of emails – if the deletion actually operates on the server as well as the client, can never be “reasonable” because, as the other comments point out, it is too indiscriminate. retention periods are based on document taxonomies. I would think that a typical “auto-delete” program is used to clean up local email boxes, not server email stores.

    One can also argue that the effort to find, retrieve and restore a deleted email from the servers of a third party could be disproportionate (depending on what the email supposedly proves, how important it is and what’s at stake in the litigation). I would also look at the privacy issues and how the third party would propose to sever the relevant from the irrelevant – technically difficult, say if backup tapes are involved.

    Finally, the Sedona Canada Principles provide guidance here – in the normal situation, a party need not take steps to preserve deleted ESI, let alone produce it.

    MF