• United States



Document Retention Policies May Decrease Litigation Costs

Sep 11, 20083 mins
Data and Information Security

Most businesses have retention policies governing how long documents are to be retained before being destroyed or discarded.  A growing number of businesses are extending their existing retention policies to include electronic documents, particularly e-mail.  For example, a common retention policy for e-mail would require deletion after 60 days.  In many instances, the deletion is accomplished automatically by programming the business’ computers to review the dates on e-mail and to delete those messages having dates beyond the allowed limit.  If an employee desires to retain a message past the automatic deletion date, she must take affirmative action to preserve the e-mail (for example, contact the MIS department or copy the e-mail to a special directory).

  In the absence of a law specifically requiring certain documents to be retained or if the owner of the documents is on notice of a pending or threatened claim, document retention policies in the electronic context accomplish three goals:

  • Document retention policies conserve valuable computer storage space.
  • Reducing the volume of stored electronic documents improves the efficiency of the computer system.
  • Provided there is no legal obligation to preserve evidence, deleting electronic documents when they are no longer necessary reduces the likelihood that such documents may be exploited in future litigation.

  Because of the informality with which e-mail is treated by employees, it is a frequent target of discovery in litigation.  As illustrated in the following example, failing to implement an effective retention policy for e-mail can substantially increase litigation costs and lead to greater liability.

 XYZ corporation is sued by one of its employees for wrongful termination.  During the course of discovery, the plaintiff serves a document request seeking all relevant e-mail.  If the business does not have a practice of periodically deleting e-mail, which were of no reasonable value after some relevant period, it would be under an obligation to search through all of the e-mail on its systems.  This could mean reviewing an enormous volume of e-mail accumulated over many years.  If XYZ is like most companies, it not only does not have an established retention policy for electronic documents, it also has no policy requiring where e-mail messages are to be stored on its systems.  This means that instead of requiring that all e-mail be stored in a specific place, messages may be found in a variety of locations.  As such, the search for relevant messages will likely require a review of the local area network’ hard disks, network backup tapes, the hard disks installed in relevant employee’s desktop computers, company laptop computers, handheld PDA’s, and the home computers of certain employees.  A search of the foregoing nature can cost thousands of dollars and take substantial time to complete.  If the company had a retention policy in effect and had required e-mail to be stored in a central location, the expense and time required to respond to the discovery request would be significantly reduced.

Next time, we will talk about some of the basic elements of a document retention policy.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author