Recap and IM Action Plan

Recap and IM Action Plan

  1. Define the meaning of business records for your organization. If necessary, create a definition of business records on a department-by-department basis.

  2. Create a written IM business record retention policy. At the same time, review your retention rules and policies for e-mail and other electronic data. Update as necessary.

  3. Educate employees about electronic business records, the organization’s retention and deletion policies, content guidelines, compliance requirements, and enforcement guidelines.

Chapter 12: How to Manage Instant Messaging Business Record Retention


‘‘In this era of back-up tape recycling, automated monthly deletions, and delete buttons, the environment for committing spoliation by a corporation is more ripe than ever.’’ [1]

IM Rule # 23: Retain business record instant messages according to clear rules and written policies.

The retention of electronic business records is fundamentally a legal issue, particularly for companies that are publicly traded and organizations that are heavily regulated. Although IT can certainly help the legal department understand retention issues, challenges, and solutions from a technology perspective, the organization’s legal counsel must take the lead in determining what—and for how long—IM and e-mail records are to be retained.

As detailed in Chapter 6, spoliation is the intentional or accidental alteration or destruction of a document—instant messages and e-mail, as well as traditional paper. Because the courts and regulators frown upon and are free to impose sanctions on organizations for spoliation, it is in every organization’s best interest to establish and enforce an electronic document retention policy that governs the ‘‘systematic review, retention, and destruction of documents received or created in the course of business.’’ [2] Business records, in other words.

In spite of growing scrutiny from courts and regulators, only 34 percent of employers in 2003 had written e-mail retention and deletion policies in place. [3] That’s the same figure reported in 2001, a year before five Wall Street brokerages were fined $8.25 million by the SEC for failing to retain e-mail in accordance with regulations. [4]

Rulings by the SEC and NASD stating that IM records must be retained for three years should serve as a wake-up call to regulated and unregulated businesses alike. Responsible organizations operating in the age of electronic communications must adopt rules, policies, and procedures to help manage business risks, retain business records, and reduce legal liability.

Employers continue to drop the ball when it comes to educating employees about retaining and deleting electronic business records. Only 27 percent of U.S. employers provide e-mail retention and deletion training to their employees. [5] It’s a safe bet that even fewer employers alert staff to the dangers (and possible illegality) of deleting IM business records, or train employees to spot and save them.

start sidebar
Real-Life E-Disaster Story:
Failure to Adhere to Policy Costs Millions

During a 2002 breach of contract lawsuit, Murphy Oil USA, Inc., sought to compel Fluor Daniel, Inc., to produce e-mail messages archived on back-up tapes. Unfortunately for Fluor Daniel, the company had failed to adhere to its own retention policy, which required the deletion of e-mail after forty-five days. Consequently, Fluor Daniel had ninety-three tapes—each recording some 25,000 e-mail messages— for the fourteen-month period in question. Despite the fact that Fluor Daniel estimated the job would take six months and cost $6.2 million, the court ordered the company to restore the tapes, convert the messages to tiff files, and print them. [6]

What good is a written policy if you don’t enforce it? Remember, your electronic retention and deletion policy is only as good as your willingness and ability to follow through. Consistency is crucial to business success and legal compliance. Establish clear retention rules, educate employees about their retention roles, and insist on 100 percent compliance—on both the organizational and individual levels.

end sidebar

[1]J. Robert Keena, ‘‘High-Tech Discovery Disputes,’’ Legal Tech Newsletter (December 2001). See also

[2]Linda G. Sharp and Michele C.S. Lange, ‘‘E-Pitfalls,’’ Daily Journal (June 16, 2003). See also

[3]‘‘2003 E-Mail Rules, Policies, and Practices Survey,’’ conducted by American Management Association, The ePolicy Institute, and Clearswift. Survey findings available online at

[4]‘‘2001 AMA, US News, ePolicy Institute Survey: Electronic Policies and Practices,’’ conducted by American Management Association, US News& World Report, and The ePolicy Institute. Survey findings available online at

[5]‘‘2003 E-Mail Rules, Policies, and Practices Survey,’’ conducted by American Management Association, The ePolicy Institute, and Clearswift. Survey findings available online at

[6]Lucas Mearian, ‘‘Sidebar: Regulations, Volume and Capacity Add Archiving Pressure,’’ Computerworld (February 16, 2004).