Earlier this year, Harvard College made national news for conducting a search of its employees’ emails. The search, as reported by multiple media outlets, was connected to a student cheating scandal and was designed to locate the source of a leak of confidential information regarding the investigation. Notably absent from the news coverage were allegations that the search was against school policy. Consider, however, how different the story and public reaction could have been if Harvard did not have a policy permitting the search or, even worse, had violated a policy that it did have.
The Harvard incident demonstrates how important it is that your company have a policy regarding how it treats employees’ email. The best data retention policies will describe your employees’ privacy rights (or usual complete lack thereof) with regard to email they send or receive on your companies’ system and will delineate for how long emails are kept before they are deleted. In fact, your data retention policy, or perhaps more aptly named data “destruction” policy, should discuss all types of electronically stored information (ESI) sent, received, and used by your company and how long that ESI will be retained before it is destroyed. The policy should also cover ESI on mobile devices, text messages, instant messaging, and any other means of communication used by your employees.
But wait…are you really allowed to intentionally destroy emails? Yes, so long as (1) the destruction is done pursuant to a stated company policy and (2) the destruction stops immediately if an incident occurs which could give rise to a lawsuit. If those conditions are met, both Florida and federal rules of court expressly permit the routine destruction of ESI.
It is important to note that once a policy is in place, it must be followed. In fact, enacting a policy as to ESI retention/destruction but failing to follow that policy is probably worse than having no policy at all. To that end, you should take steps to help ensure your policy is followed. These steps should include regularly reminding your employees about the policy and using technology to automatically delete items that should be deleted. Perhaps most importantly, the destruction of email and other ESI once a lawsuit is “reasonably foreseeable” must be immediately stopped whether or not the destruction is occurring pursuant to your company policy.
Beyond the legitimate desire to have fewer emails available to be discovered in the event of a lawsuit, there are some very practical advantages to regularly culling your ESI. Regularly deleting email and other ESI will tend to help your computer system work faster, result in quicker and more efficient searches for relevant documents, and reduce the cost of data storage.
So, delete away! But first put in place a policy, and follow that policy.