LISTSERV - RECMGMT-L Archives - LISTSERV.IGGURU.US

RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

	LISTSERV Archives
	RECMGMT-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Forum View Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	E-mail Record Policy, Control, Security and Retention
From:	pakurilecz <[log in to unmask]>
Reply To:	Records Management Program <[log in to unmask]>
Date:	Sun, 1 Mar 2009 23:32:30 +0000
Content-Type:	text/plain
Parts/Attachments:	text/plain (1 lines)

to access the full posting and its links use this link

http://shrinkster.com/14w1

Sent to you by pakurilecz via Google Reader: E-mail Record Policy,
Control, Security and Retention via Electronic Data Records Law | How
to Win E-Discovery by Benjamin Wright on 2/12/09
Local County Government Compliance with State Standards

Records managers at Travis County, Texas, are publicly debating how to
draft retention policy for the e-mail of over 4000 users. The county is
subject to many confusing state directives and standards on records
retention.

The Travis officials (Steven Broberg and Shawn Malone) have assembled a
web site and blog to explain the issues and solicit public input. The
officials outline three options, roughly being:

1. Continue the status quo, where each employee stores, deletes and/or
categorizes e-mail without clear, modern guidance from management on
how this should be done. Under this approach, some employees store a
lot, and some store less. Some print “important” e-mails and place them
in a file cabinet; others do not. . . .

2. Train each employee to rigorously review each e-mail and decide its
retention status (i.e., destroy quickly; OR place in category X so it
can be retained for a certain period; OR place in category Y so it can
be retained for a different period; and so on). New technology, such as
artificial intelligence, may be on the horizon to facilitate this
option. This is what I have previously called the make-a-decision style
of e-mail records management. The Travis officials call this the bucket
approach . . . each e-mail fits into a bucket (i.e., a category to
which are assigned rules for retention, destruction and so on) and a
way must be found to put the e-mail into the right bucket. The
officials note that some learned commenters have advocated the bucket
approach, but the officials have appealed to the commenters to bring
forward a good example of the bucket approach working in practice. See
video at the bottom of blog post.

3. Keep all e-mail “indefinitely” (spam excluded). Related to option #3
is what Broberg & Malone call the haystack approach to e-mail records
management. Rather than trying to place each e-mail into category X or
Y so it can be found and managed as though it were a sheet of paper,
the haystack approach simply keeps copious volumes of e-mail and then
relies on search engines to find particular e-mails when they are
needed, such as for e-discovery or an investigation.

Here’s my initial input.

First, option #3 could be implemented in many different ways. It should
be understood as not a single option, but a large family of options,
with many flavors and nuances.

Second, I have previously voiced skepticism about option #2.

Third, I recently witnessed a large institution wrestle with the same
topics. It knew that, like Travis County, its present condition was
option #1. The e-mail system deleted each e-mail within 90 days, unless
the user took effort to store it specially, such as in a folder. Its
present e-mail usage had created and was continuing to create, vast
heaps of records. The internal audit department argued that all this
stuff, stored according to user discretion, contained important
material. Copies were spread around (rather haphazardly) on servers,
desktops, laptops and BlackBerries. Those e-mails, and the data
contained therein, included:

* assets of the enterprise (contracts, negotiations, representations,
internal controls, delegations of authority)

* evidence that is and will be relevant to present and future
investigations (lawsuits, e-discovery, fraud allegations, hostile work
environment claims, etc.)

* sensitive information such as trade secrets, other intellectual
property and personally identifiable (private) information

Internal audit argued that this scattered corpus of stuff needs to be
managed, measured, controlled and secured. For privacy and other
reasons, audit trails need to be kept to show who looked at which
archives and when.

Further, argued internal audit, as the years go by, decisions about how
long to keep this or that can change on account of matters like future
litigation hold and changes in law (or changes in records management
philosophy). In other words, the institution might initially set an
e-mail for seven-year retention, but later learn it should be retained
for 10 years. The institution needs a way to find the e-mail so it can
be moved to the longer retention period.

E-mail, concluded internal audit, needs to be managed under a
centralized archive appliance. In other words, all e-mail (excluding
spam and the like) needs to be copied into a archiving system control
by the institution, not individual employees. (Employees might still
keep their own copies of e-mails at their discretion, but centralized
archival ensures that the institution gets a copy of everything.)

Centralized e-mail archiving is largely a departure away from Travis
County’s option #1, and it's not option #2.

–Benjamin Wright

Mr. Wright is an advisor to Messaging Architects.

Things you can do from here:
- Subscribe to Electronic Data Records Law | How to Win E-Discovery
using Google Reader
- Get started using Google Reader to easily keep up with all your
favorite sites

ATOM RSS1 RSS2

LISTSERV.IGGURU.US