Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that organisations should consider retaining the information for longer than six years in order to be able to appropriately respond to electronic disclosure, or e-discovery, requests stemming from disputes arising outside of the UK.
When two companies sue each other they have the right to ask for relevant documents from the other party in a process called discovery. When the documents are digital ones, such as emails or the contents of databases, the process is called e-discovery.
Birdsey said that companies that fail to store information for long enough can end up incurring significant costs in trying to recover backed-up files in order to comply with e-discovery obligations.
"In terms of retaining documents and having a policy which complies with the requirements of limitation periods, six years is the typical period for contract claims, but for an IT project, the project itself might take three, four, five or six years," Birdsey said. "Therefore it is preferable, particularly for IT companies, to be looking at implementing a policy that begins six years after the completion of the project or from a point at which it is a bit clearer that no claims have been made."
"Businesses which operate across the globe, for example telecommunications companies, need to consider that retention and disclosure requirements might be different in other jurisdictions, with the disclosure requirements in the US, which appear to be broader in many circumstances than those in the UK, being an example. It highlights that there is a need for a policy that complies with all countries and not just the UK," he added.
"The costs of specific disclosure and of retrieving and restoring of emails must also be taken into account," he said. "Accessing documents from backups is an issue I've seen in quite a few cases where the organisation has had a really short retention period and this has given rise to the costs of undertaking forensic work and the legal advice around restoring back ups. This is a particular issue where those backups are stored on tapes and not on servers."
"As important is having a systematic email management storage policy, for instance ensuring that everything is stored on a network and does not allow for users to store some things on their local PCs, some on memory sticks, others on Blackberrys and iPhones," said Birdsey. "It is important to have a coordinated and joined up email document retention policy that also takes into account the use of own devices, where permitted, making sure that those devices synchronise with the network and do not allow for stand alone storage. Of course, taxation and freedom of information compliance requirements must also be taken into consideration."
Cloud-based email management company Mimecast has published new research showing that businesses' email "archiving and retention policies" are "muddled and unclear". Mimecast said that the businesses may face exposure to litigation and compliance issues in areas such as data protection and the freedom of information (FOI) regime as a result.
Mimecast said that 26% of UK businesses "do not have a clear policy on retaining email at all", according to a survey of 500 IT managers based in the UK, US or South Africa. In the UK only 30% of businesses store archived emails for at least three years, according to the survey.
"Just one in four IT departments (27%) have an email retention policy designed to comply with industry regulations," Mimecast said its survey had revealed. "41 percent of UK businesses surveyed say their archiving policies are based on ‘internal best practice’ with no consideration given to industry or country specific regulations. Six percent of businesses admit to deciding their email retention policy around a ‘random future date’ with ‘no basis’."
Mimecast said that "many businesses are not confident that they would be able to identify all emails relating to a specific customer in a timely manner" and that "on average, it would take a UK business 12 working days to identify all emails relating to a potential litigation". A sixth of respondents (17%) from UK businesses admitted that they did not think their firms could comply with such an e-discovery request within a month.
Companies can help address the often burdensome rules around data protection and e-discovery within their IT policies, an expert said.
Construction law expert Andrew Shelling of Pinsent Masons, who has acted on large High Court disputes involving e-discovery issues, said that companies should operate policies that require their employees to store personal data in separate clearly labelled folders. This allows their IT department, and any appointed IT litigation support provider, to isolate these emails from the others and protect secure information, or to have deemed consent to disclose that which is not filed in a ‘personal’ folder, he said.
"Organisations can make their life so much easier if they have an IT policy in place which requires individuals to place personal information in private folders," Shelling said. "This folder, marked ‘personal’, could be excluded from the harvesting process, and is thus a further tool that can be used to reduce the volume of documents that need to be processed and reviewed."
"Of course, this would need to be agreed with the other side if possible, but in the context of e-discovery, taking such steps would be considered reasonable in most cases unless it can be demonstrated that there are likely to be documents of both relevance and significance contained within an employee’s ‘personal’ folder. Even then, disclosure of such folders is likely to be limited to individual employees rather than all custodians," Shelling added.
"Not only does this make the identification of relevant information easier, it also ensures that individuals' rights around their personal data are observed," he said.