It is hard to believe that with all that’s been written about compliance legislation in recent years, a political aide in a major city’s administration would not know a little something about the rules of email retention. However, if another cautionary tale is needed on the subject, just look at the brewing political scandal in Boston:
Secretary of State William F. Galvin’s office has ordered the city of Boston to immediately secure City Hall computers and hire an independent computer forensics expert to retrieve emails that were improperly deleted by Mayor Thomas M. Menino’s top policy aide….
The public records law requires municipal employees to save electronic correspondence for at least two years, even if the contents are of “no informational or evidential value.” Penalties include fines of up to $500 or prison sentences of up to one year.
Apparently, the aide in question believed that despite his routine deletion of emails and trash-emptying at the end of each day, the emails would still be backed up by city servers. The message for CIOs should be that you should never assume too much about what your organization’s users know, no matter what their role or status.
In addition to having a clearly stated email retention policy and requiring some sort of acknowledgement from users that they’ve read and understood it, it is also necessary to review the configuration of servers, backup procedures, and archiving programs to make sure that all reasonable technical measures have been taken to safeguard the organization’s data from improper deletion and employee cluelessness.
How do you feel about your own organization’s data retention policies? In the Boston case, where do you think the greatest fault lies for the situation now unfolding?