United States: The Basics Of Defensible Deletion - What Every GC Needs To Know About E-Mail

Data is expensive.  Just take a look at your firm's information technology budget if there is any doubt.  And, that's just the tip of the iceberg.  Think of how much you spend each year on producing data in response to subpoenas or through the e-discovery process in litigation.  Not to mention the risks presented by smoking gun e-mails lingering in your system, and the potential exposure you face if you delete data improperly - just ask Samsung, which bought itself an adverse jury instruction in a high-stakes patent litigation against Apple when it was found to have consciously disregarded its obligation to retain relevant e-mails.

The intersection of law and technology is enough to make your head spin, so let me try to simplify things a bit.  Your goal ... fewer e-mails.

You'll never convince your organization to send fewer e-mails, so don't even try.  But, you would be astounded to know how many copies of those e-mails are clogging up your servers and being processed over and over again in the e-discovery process. You can achieve significant cost savings and avoid risk just by keeping fewer copies and establishing a defensible deletion protocol once an e-mail has reached the end of its life cycle within your organization.

You can't reduce the volume of e-mails that your organization keeps unless you understand where the e-mails end up.  Servers.  Archives.  PST files.  Backup tapes.  Local hard drives.  You don't have to get a degree in information technology, but you do have to work with your IT group to understand where e-mails go once they're sent or received.  Think of the e-mails as water.  You're looking for the buckets that hold the water after it's done dripping through the system.

You'll need to keep the e-mail consistent with your data retention policy, but you don't need 35 copies.  Start from the end of the information life cycle and work your way backward to reduce the number of duplicate copies floating around your system.  Don't ask me how, your IT folks will know.

There's a lot that goes into a data retention policy - mapping legal requirements onto information technology.  The most important thing, however, is having one.  Rule 37 of the Federal Rules prohibits sanctions "for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system".  So, have a policy and stick to it. 

Litigants run into trouble when they fail to suspend data deletion after they have reason to believe that the data will be relevant to litigation.  Whatever your system does, you need to be able to press pause.  Just ask Samsung.

There's obviously a lot more to it, but these few basics will help you get started asking the right questions and bringing the right people together within your organization. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.