Tuesday, July 23, 2013

Get on the Clue Bus and Revisit Your Email Retention Policy

Randolph Kahn, ESQ.

Times change and sometimes your direction must change with the changing times. Evolve or wither is how some like to describe it. I prefer “get on the clue bus”.
The first book I wrote, “Email Rules” is over a decade old.  Shockingly, it is still published and sold today. “Email Rules” sought to give business folks a simple way to think about managing the complexity of email.
One of the simple rules of the book was that email should be managed by its content. Content is king, blah, blah, blah. Nice perhaps, but I don’t believe that is practical guidance anymore. Yes, in a perfect world where each employee has one email a day, one easy-to-understand records retention rule to apply and a technology to manage it thereafter, managing by content would be terrific. But the reality is far from the perfect world of theoretical records retention. There were more than 2800 exabytes of new data created in the world last year alone. That is the data equivalent of about 140,000,000 years of continuous DVD movies. There are around 150 BILLION emails every day.
Having your employees manage by content is not going to happen. Most employees today have many hundreds of messages bombarding them all week long, from various communication tools, not just email. Records retention managed at the message or document level, if it was ever possible, would take a good part of each employee’s day, every day, and would be a very bad business decision. After all, businesses are in the business of selling things, providing service and making money, not having employees use precious time and resources to manage records.
My view is that the retention rules that once made theoretical sense are today wholly impractical and undoable.  Plus we have a decade of experience to know what works and what doesn't.  Having employees classify and apply retention rules to an email message to manage it over its life cycle didn't work, doesn't work, won’t work, can’t work and you should be rethinking your policies. Remember—my admonition—“Evolve or wither”.   There are lots of ways to evolve your email management thinking depending upon your industry, users’ needs, litigation docket, IT realities, etc.  Here is one example.
In the last few months, several financial service companies have retained our services to revisit their email management strategy. What is required NOW? What should our policy be NOW? How can we stop keeping everything forever NOW? For large businesses, keeping all email messages forever is an expensive proposition: it costs millions or tens of millions of dollars and isn't required.
In fact, no law requires that a financial service company keep all email, forever. Yet some broker-dealers do just that: retain all email indefinitely. Is it fear? Perhaps. Is it not knowing the law? Maybe. Could it be that the lawyers have forced the IT department into preserving everything forever because it's perceived as an insurance policy against discovery failures? Probably each of these motivates the brokers. But it's ill-guided, because when do you stop keeping everything forever, and how can you clean up the past? (We can help you clean up the past; just ask me and I will tell you all about it, but that’s not today’s blog.)
As the law for broker-dealers is well settled, and as cases reviewed on this very topic elucidate, maybe it's time to evolve your thinking on email retention. If you are a broker subject to the Broker-Dealer regulations, then FINRA Regulatory Notice 11-39 provides insights into your email management obligation. It states in pertinent part, “Rule 17a-4(b) under the Securities Exchange Act of 1934 (SEA) requires broker-dealers to preserve certain records for a period of not less than three years, the first two in an easily accessible place. Among these records, pursuant to SEA Rule 17a-4(b)(4), are ‘[o]riginals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business as such, including all communications which are subject to rules of a self-regulatory organization of which the member, broker or dealer is a member regarding communications with the public.’”
When the SEC “interprets” its own rule, it concludes that a broker can satisfy the broker-dealer regulations by retaining all email for 3 years, even if the rule says a minimum of three years. See the regulator’s position below on this issue, making clear that keeping all email for 3 years will satisfy the rule.



Further, when these matters get to Administrative Hearings, the way it's addressed makes it similarly clear that 3 years and out is defensible. Neither the SEC nor FINRA demands that brokers require employees to apply different retention rules based on the underlying business value of the message. And they aren't demanding that all messages be retained forever either.


  




It gets way more complicated for the financial services companies that are subject to additional or different regulatory frameworks, as well. So, if you are subject to the Investment Advisers Act or Dodd Frank Swap retention rules, for example, they are going to require different retention rules.  While I don’t want to get too deep into the legal issue (email me at rkahn@kahnconsultinginc.com if you want to talk about it), the real point is that it may be a good time to revisit and evolve how you retain email and see if there is a better way.
What if it's way simpler and legally defensible to keep email for 3 years and then purge it unless it's needed for audit, litigation or some other formal matter? Why can’t you carve out the exceptions for the folks that are subject to Dodd Frank or the Investment Advisers Act or some more restrictive rules and manage those employees outside the general rule? There are so many things you could consider, but last on my list is keeping everything forever. Not smart. Not needed. Not inexpensive. Not productive. Not economical, not required. Not easily unwindable.
For companies subject to different regulations, there are similarly different, easier and more productive ways to attack email retention. No laws or regulations for any industry require that all email be retained forever. Perhaps more importantly, when relooking at the retention question, it is worth considering that employees rarely access messages a short while after they are sent or received. So why are you keeping all that stuff anyway?

I have written numerous e-communications policies and have changed my thinking many times since I wrote “Email Rules”. I have hitched a ride on the clue bus many times and have taken clients for the ride over this very issue many times in recent years.  Keeping a petabyte of email costs millions just for storage, saying nothing of wasted resources, employee efficiency, privacy risk, litigation expense, etc. Keeping everything forever isn't tenable when information is growing at 30-50% per year.  I don’t believe your company is really benefited by keeping all email forever anyway.  I know there is a lawyer somewhere that sleeps well tonight, but there are a bunch of IT and business professionals that suffer many sleepless nights thereafter trying to manage the pile of digital debris and pay for it out of a limited budget.  The only way through this Information “Perfect Storm” is rethinking, evolving, reeducating, redrafting and getting practical albeit imperfectly.   

1 comment:

Tod Chernikoff said...

Randy:

In this case, broker/dealer organization, or others for that matter, is there any major difference in your approach (role-based retention) than say the proposed Capstone approach being proposed by NARA? (see http://blogs.archives.gov/records-express/files/2013/06/Capstone-Email-DRAFT-NARA1.pdf)

In your proposed approach, most brokers and dealers would have appropriate emails retained for three years, while say others in the organization (outside of the broker/dealer mission) would have their emails retained for a period appropriate for their function (HR, Finance, etc.)