Beware the unmanaged risk of e-mail and IM

One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. Here are some of the sad outcomes of such lawsuits and what you can do to avoid one with your company.

According to a recent survey, 65 percent of companies lack e-mail retention policies. Only 54 percent of the corporations surveyed conduct any kind of formal e-mail policy training. One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation.

If you need some reasons why not having an e-mail retention policy is a bad idea, just keep reading.

Baseline magazine ran a piece about companies that found out the hard way that failing to retain data can hit the bottom line, and hit it hard. From the piece:

Philip Morris USA was ordered by a U.S. District Court judge in Washington, D.C., to pay $2.75 million in fines when it came out during federal tobacco litigation in 2004 that 11 managers didn't save printouts of their e-mail messages, as per company policy. As an added punishment, those managers were barred from testifying at trial, according to the order from U.S. District Court Judge Gladys Kessler.

The investment bank Morgan Stanley repeatedly failed to turn over data related to a fraud suit brought in 2005 by Coleman Holdings Inc., the owner of camping gear maker Coleman Co., according to an order written by the judge in the case, Elizabeth T. Maass. One of Morgan Stanley's technology workers concealed knowledge of 1,423 backup tapes, later found in Brooklyn, N.Y., when he certified that the bank had produced all its evidence, according to court documents. At least three other times, the judge said, the bank lost or mislaid backup tapes. Maass read a three-page statement to the jury detailing the missteps, which included overwriting e-mails and using flawed search software that hampered searches of Lotus Notes messages. She told the jury to assume the bank acted with "malice or evil intent" unless it could prove otherwise.

Morgan Stanley lost the case, big: The jury awarded Coleman $1.6 billion.

Nancy Flynn, founder and executive director of The ePolicy Institute, stresses, "Employers should look at e-mail and litigation in terms of not if we someday have our employee e-mail subpoenaed but when we have our employee e-mail subpoenaed."

Compliance regulations

With compliance regulations such as HIPAA and Sarbanes-Oxley, and SEC and NYSE regulations in the financial services arena, companies have to be extra vigilant regarding e-mail risks; they must be able to prove that they've taken appropriate measures to retain e-mail and IMs as stipulated by the applicable regulations. According to Flynn, "Regulatory commissions, such as the SEC, have issued six- and seven-figure fines to companies who are unable to turn over e-mail records that should have been retained."

Workplace lawsuits

Companies also have to be on the lookout for e-mail that could be used in a workplace lawsuit. According to Flynn, what most companies don't realize "is the fact that e-mail and instant messages are a primary source of evidence in court cases. They are the electronic equivalent of DNA evidence." And like it or not, there is something called "vicarious liability," which means that an employer can typically be held responsible for the actions of its employees. Flynn acknowledges that there is "no such thing as a 100 percent risk-free e-mail environment." You can't, for example, completely control what employee A says to employee B in an instant message. But if employee B decides to sue your company for creating a hostile work environment on the basis of employee A's e-mail, you need to be able to prove to the court that you took appropriate measures to prevent the conduct at the center of the lawsuit.

These measures are what Flynn calls the three E's of e-mail risk management:

  • Establish a written policy (for e-mail and IM usage, content, and retention).
  • Educate your workforce ("And that's everyone from the summer intern to the CIO").
  • Enforce your policies.

Your policy should spell out the rules for e-mail and IM usage, content, and retention, and you should take strong steps to educate your workforce, for example with presentations.

When asked about how companies can go about enforcing policies, Flynn replied, "You use discipline, up to and including termination, for anyone who violates the policy."

If an employer practices proactive risk management such as the steps above, a court is less likely to hold it responsible for actions named in a lawsuit.

Don't forget IM

Flynn notes that many companies don't know that retention and content policies should also apply to instant messaging, which is "just turbo-charged e-mail. We know that only 11 percent of companies have installed software to control and manage their employees' IM use while about 78 percent of employees are IMing at the office. It's a time bomb waiting to go off." Flynn says there is a huge misconception out there that IM is not a written business record and that you can say anything you want. "Users think that once you close your window, the message is gone, but that's not true. Even if you're not retaining the message, the person you're chatting with might be. Also, it's an enormous security issue if your employees are transmitting IMs on business issues. These messages are transmitted via the public Internet. They could include customers' social security numbers and important account information." Employers need to find out what the business presence of IM is in their workplace and how it is used.

So what's the holdup?

One of the reasons companies hesitate to create and enforce retention policies is cost: the cost of software, the cost of personnel needed to manage it, and so on. But Flynn says that that cost is minimal compared to paying a six-figure settlement. Also, a lawsuit can result in embarrassing headlines and loss of credibility for a company. "There have even been cases in which companies' stock valuation has dropped because of inappropriate e-mail use that has been reported by the media."

Bottom Line for IT Leaders

One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. Creating an effective e-mail retention policy should be at the top of your agenda.


Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.


...made me look up our policy and read it. I don't recall seeing it before, so it could be my first glance at it. It basically says, if I understand it correctly (I'm not a lawyer and this IS a legal document), that it is the employee's duty to keep their files and communications. But it does not state the how, where, when of it. It also states that it is a part of "the condition of employment," which basically means that I can be fired for not doing it (even though I have no idea how). This is an interesting issue that I will bring to my boss's attention, in writing. And you can bet that I will keep those communications preciously. TCB


I think the biggest problem with e-mail retention policies is that no one knows if we should have a policy to purge e-mail after a certain time span, or if we should have a policy to retain e-mail for at least a certain duration. Knowing the answer to this would help a lot. I sense the author of this article didn't know the answer either, as all the sentences that might have provided that answer were carefully worded to not imply which way the policy should work. Everywhere I have worked has had policies about the content and use of e-mail, but none have known what to do about retention.


If you are in a regulated/monitored industry, there will probably be some guidelines stated that you can use to begin drafting the policy. You could also refer to current case law to see what the courts have generally required in this area. If your company doesn't fall under the compliance umbrella, there are different ways to come to deciding how long to retain e-mail:

1) How much critical business is conducted through e-mail? The more important e-mail is to your business, the longer you should retain messages.
2) What is your retention policy on other file types?
3) How much can you spend on storage (both on and off site)?
4) What does your e-mail volume look like?

There are other questions, but from my experiences, those 4 tend to be the major decision drivers. Ideally, the e-mail policy would be decided by bringing together the head of IT, a member of HR, a member of the legal team (or whomever represents the firm in legal matters) and a member of the finance team.


We use an archive product that captures every sent and received email. The burden is on the user, based on training they are given and the "content" of the email, to move that email to a pre-created folder in Outlook. Each folder has a certain retention schedule set on it for how long the email will be stored. Anything that isn't put in one of those folders is automatically deleted after 90 days. The problem is getting staff to take the time to make a decision on whether the email is a record, then moving it into the proper folder. It's a pain, takes time, but is our new policy.
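The folder-and-schedule arrangement the comment above describes (an archive that captures every message, per-folder retention periods, and a 90-day purge for anything left unfiled) is easy to get wrong in the details, so here is an added example that is not the commenter's product or any vendor's code: a small Python retention scheduler that decides, for each archived message, whether the nightly job may delete it. It also models a litigation hold, which a later comment mentions as the cease-and-desist on data destruction that arrives with a lawsuit. The folder schedule, mailbox names, dates and message IDs are assumptions constructed for the demo.

```python
"""Folder-based e-mail retention scheduler with litigation-hold override.

Added illustration, not code from the page or from any archive product.
Every message carries the folder a user filed it in; each folder has a
retention period in days; unfiled mail is purged after 90 days; and a legal
hold suspends deletion for the named custodians.  All data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Unfiled mail is deleted after 90 days, as in the comment's policy.
DEFAULT_RETENTION_DAYS = 90

# Hypothetical per-folder schedule (folder name -> days to retain).
FOLDER_SCHEDULE: Dict[str, int] = {
    "Contracts": 7 * 365,
    "HR": 3 * 365,
    "Finance": 7 * 365,
    "Reference": 365,
}


@dataclass(frozen=True)
class Message:
    msg_id: str
    mailbox: str            # custodian whose archive holds this copy
    received: date
    folder: Optional[str]   # None means the user never filed it


@dataclass(frozen=True)
class LegalHold:
    custodians: frozenset   # mailboxes covered by the hold
    not_before: date        # hold covers mail received on or after this date


def retention_days(msg: Message) -> int:
    """Days to keep a message.  Unknown folders fall back to the unfiled
    default rather than silently being kept forever."""
    if msg.folder is None or msg.folder not in FOLDER_SCHEDULE:
        return DEFAULT_RETENTION_DAYS
    return FOLDER_SCHEDULE[msg.folder]


def is_expired(msg: Message, today: date) -> bool:
    return today >= msg.received + timedelta(days=retention_days(msg))


def on_hold(msg: Message, holds: List[LegalHold]) -> bool:
    return any(msg.mailbox in h.custodians and msg.received >= h.not_before
               for h in holds)


def plan_purge(messages: List[Message], holds: List[LegalHold],
               today: date) -> Tuple[List[str], List[str]]:
    """Return (deletable_ids, held_ids): expired messages the job may delete,
    and expired messages it must keep because a legal hold applies.  The job
    returns a plan instead of deleting so the decision can be logged first."""
    deletable, held = [], []
    for m in messages:
        if not is_expired(m, today):
            continue
        (held if on_hold(m, holds) else deletable).append(m.msg_id)
    return sorted(deletable), sorted(held)


# Constructed sample archive and hold for the demo.
TODAY = date(2024, 6, 1)
SAMPLE_MESSAGES = [
    Message("m1", "alice", date(2024, 1, 15), None),         # unfiled, expired
    Message("m2", "alice", date(2024, 5, 1), None),          # unfiled, still fresh
    Message("m3", "bob", date(2023, 1, 10), "Contracts"),    # 7-year folder
    Message("m4", "bob", date(2023, 2, 1), "Reference"),     # expired but on hold
    Message("m5", "carol", date(2024, 1, 1), "Misc"),        # unknown folder
    Message("m6", "bob", date(2022, 1, 1), None),            # predates the hold
]
SAMPLE_HOLDS = [LegalHold(frozenset({"bob"}), date(2023, 1, 1))]


def demo() -> Tuple[List[str], List[str]]:
    return plan_purge(SAMPLE_MESSAGES, SAMPLE_HOLDS, TODAY)


if __name__ == "__main__":
    deletable, held = demo()
    print("delete:", deletable)   # ['m1', 'm5', 'm6']
    print("held:  ", held)        # ['m4']
```

Two design choices matter here. A folder the schedule does not know about is treated as unfiled, so a typo in a folder name cannot quietly turn into indefinite retention (or, in the opposite design, silent loss). And the hold check runs after expiry is computed, so a message that should have been deleted last week but is now covered by a hold stays put, which is exactly the situation the later comment describes when litigation starts.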


Myself, HR, the VP/Pres, plus our legal team all muddled over this issue just last year. We don't fall under SOX or HIPAA so we have to look at general state/federal laws. Even our lawyers could not give us a clear definition of what would appease the laws/courts. Based on the wording of the law we came to the conclusion that it is stating exactly what the author is saying, literally! Have a written policy and stick to it. We wrote a new policy and it states that we don't retain anything for more than 30 days. There, that's our policy, and we're sticking to it. Until the people who create and enforce these laws can determine what constitutes compliance, what's a company to do? I do plan to extend the retention policy shortly once I have more technology and staff resources but that will be for our own benefit when dealing with customer and product issues.


I've had to help supply information as parts of two lawsuits. Total PITA!! Management definitely needs to know what is required by the various regulatory statutes, as well as look into what is typically requested in the course of a trial (which sometimes differs from the regulations). Going to trial costs a business a TON in IT related expenses (extra data storage when the inevitable cease and desist from data destruction/storage recycling is issued, labor costs, system costs, etc); and senior management should have a budget 'buffer' someplace to help mitigate these costs if they are in a regulated industry.
