Educause Security Discussion mailing list archives

Re: Email Archiving


From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Wed, 20 Jan 2010 13:19:02 -0500

I largely echo Eva's thoughts posted here.

There is no comprehensive, overarching federal law requiring record retention.  State laws may come into play, in 
combination with business needs (which are probably the most prominent of any reason for which to retain records), and 
the institution should codify those needs in institutional policy, including procedures for the practice of 
storing/retaining specified electronic mail.

Here is a link to Cornell's record retention policy, fyi, if it offers some guidance.  
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/governance/retention.cfm

E-Discovery only kicks into effect if the institution has reason to believe litigation will ensue; no laws, not even 
FRCP, require proactive retention of records.

The particular desires or needs of an institution may be expressed in policy or local practice.  It may be of some 
interest that in these conversations we consider Fair Information Practices as a guide, largely the practices that 
state an entity should retain personally identifiable records only for a relevant business purpose, for no longer than 
is required for that purpose, with appropriate security (administrative, technical and physical) as required to keep 
the mail private and to dispose of it as soon as it is no longer needed.  These practices (non-inclusive list, for 
example notice and the ability to correct a mistaken record are also included; a search on the term will provide many 
resources with comprehensive information about the practices) form the backbone of European Privacy Laws.  It would be 
well for colleges and universities to begin to consider implementing these practices, certainly those that consider 
themselves "international" or "global" in scope, or, more simply, have students who come from areas with more developed 
and comprehensive privacy laws than does the U.S.

Best, Tracy


On Jan 20, 2010, at 10:51 AM, Lorenz, Eva wrote:

Brad,
If you have a retention requirement in place, it would also affect non-email records. Retention is based on content, 
not on format.

As a start, check with your General Counsel, as others have already suggested, to determine whether there is a 
retention schedule in place and then determine under which retention requirement email would fall. It is possible that 
email may be subject to a number of retention requirements based on the specific content or that a general “retention 
bucket” would cover email, if the legislature addressed the email format specifically.

A general piece of advice that I received from records managers was, if you keep any email, to always keep the sent email and 
not delete it. A specific retention schedule for your business unit or school is certainly the better way to go.

Retention schedules can be invaluable if you receive discovery or FOIA requests since you can point to the active 
schedule and explain that certain records were disposed of in line with the specific retention requirement. In our 
state (NC), retention schedules are centrally approved by the state (Dept of Cultural Resources) and certain records 
must be archived forever (and I mean forever, no excuses for formats no longer supported etc.)

-       Eva



Eva Lorenz
ITS Security
2800 ITS Manning
211 Manning Dr
CB3420
Chapel Hill NC 27599

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad 
Alexander
Sent: Wednesday, January 20, 2010 10:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Email Archiving

We are installing a new email system here on campus and my question is, is it a law that we are required to have email 
archiving?

I have been doing a little light reading of the Federal Rules of Civil Procedure and EDiscovery, but now I am more 
confused.

I see that 17 states have adopted the rule and another eighteen states are considering it.  I thought a federal rule 
was mandatory for all states.




IS staff will never ask you for your password. Do not share your password with others.
