In the latest of a series of rulings, a federal judge has issued a $1.45 billion judgment against Morgan Stanley for not keeping records of email communications. Partly in response to such rulings, many corporations now have detailed email retention policies and keep years of email records. But this is a lose-lose situation for companies: five years ago, New York Attorney General Eliot Spitzer fined Morgan Stanley $10 million dollars because it (like most firms at the time) did not keep e-mail records. Merill Lynch was one of a few that did keep detailed records, and was fined $100 million dollars for its efforts because some e-mails contained compromising materials.Keeping track of what e-mail is to be retained for how long is a major headache – and not just for mail administrators like myself. While SEC regulations require a variety of periods for record retention, anti-discrimination statutes like the Data Protection Act of 1998 require that personal data should not be kept “for longer than is necessary.” This effectively means that each e-mail user must be an expert in the relevant laws in order to filter every single received email into the appropriate category, as dictated by a multitude of vague and contradictory regulations. Managers must obsess over trifling communications sent by a low-level employee that might be uncovered by prosecutors armed with powerful search software years later. The consequent cost (or boon, depending on your perspective) to software-development and consulting companies is enormous as well.
Can you guess the most likely response to the DOJ’s policy? If you guessed that companies are likely to severely restrict e-mail use, you might be right. Next on the DOJ agenda: requiring years of instant messaging and phone records.