Clever is as clever does with avoiding e-discovery

When it comes to discovery requests, limited data retention sounds good in theory but may not be in practice

For years, I've been the sort to tell folks how to ensure they meet regulatory compliance for their organizations through the use of archiving tools, journaling all email, and placing mailboxes on litigation hold. Keeping up to date on regulations like Sarbanes-Oxley, PCI, and HIPAA has been a huge part of the modern Exchange admins' daily concern. But does it have to be?

I ask the question because I spent some time last week at the Microsoft TechEd conference with high-profile, large organizations that offered an alternative I -- and perhaps you -- hadn't considered. At one dinner event, a tech exec at a well-known provider of television and audio services mentioned that his company doesn't worry excessively about regulatory compliance, although it sends out nearly 1 billion emails a year.


I had to ask what his secret was. He replied that the company's legal department advised establishing a written policy that said all email beyond a certain period of time (30 days, 45 days, 90 days) would be deleted from the system. In addition, backups would be retained for a brief period of time (15, 30, or 45 days perhaps). The idea was simple: If the policy clearly indicates the time frame for retention, that is all the company is legally responsible for producing in the event of an e-discovery request. You cannot produce what you don't have. If people moved their data to PST mail archives, making it discoverable, the consequences and burden were on them.

Mind-blowing? It was for me. But this company was not alone. I met many people who say that having such a deletion policy eliminates their stress over the data retention and discovery process. Obviously, this isn't possible in all business cases or under all applicable laws, so you have to consult with your legal team to determine if it's even possible in your case. For example, health care and other industries have retention requirements that don't apply to other businesses.

Julian Martin, vice president of strategic alliances at Mimecast, which offers a cloud-based archive/discovery tool, denounced this deletion-policy thinking as a mistake. In the case of that TV provider, Martin said to imagine if a competitor sued it aggressively -- a common enough occurrence in that business. If one company has no email discovery due to its policy and the other has every email sent and received, which has the stronger case? In that scenario, the company with no extensive retention in place wouldn't even know what the attacker has on record until it's too late. A compelling point worth considering -- after all, we live in a world of excessive litigation.

Whatever your data retention policy, make sure you have the best tools in place to retain and discover your saved emails, voicemails, and so on. Whatever your policy claims to retain -- the types of data and retention periods -- obligates you to provide such data for such periods in the event of litigation.

Remember that both personal information stored on business-connected devices (such as company PCs and smartphones) and any information stored on personal devices (such as home PCs and personal mobile devices) that are used for work can be subject to discovery. BYOD, work-at-home, and the like need to be part of your discovery policy and education as well.

This story, "Clever is as clever does with avoiding e-discovery," was originally published at Read more of J. Peter Bruzzese's Enterprise Windows blog and follow the latest developments in Windows at For the latest business technology news, follow on Twitter.


Copyright © 2013 IDG Communications, Inc.
