Need Assistance?

Chat with a representative now.

+1 408 342 5400 / 888 268 4772

Barracuda Product Blog

Putting your organization at risk: Relying on retention policies to meet regulatory and litigation support requirements

By Aseem Asthana and Kevin Sheu The Safe Harbor Provision Misconception Many organizations don’t plan for email archiving as a component of their email architecture.  Often they  feel protected by the retention policies set in email servers, typically in the form of policies that purge emails after 60 to 90 days.  A separate variation places the responsibility of saving emails on the user, by enabling employees to individually determine which emails should be stored in separate PST files.  As a result, organizations often decide that they do not need an email archiving solution. Unfortunately, this is false and greatly increases the financial and operational risk to an organization. The legal underpinnings of these misconceptions derive from the safe harbor provision of the Federal Rules of Civil Procedure (FRCP).  This rule allows organizations to perform routine and good faith destruction of emails on a regular basis without penalty.  Organizations often interpret this rule to indicate that it is unnecessary to archive emails for a period beyond 60 or 90 days and it is hoped that these retention policies will suffice in a court of law. Unfortunately, safe harbor provisions do not always apply. When an organization is faces a lawsuit, it needs to change its routine and good faith destruction policies. Policies also need to change when relevant industry events indicate that emails may come under scrutiny or when members of the organization are working on projects that might be subject to litigation.  This, regrettably, is when organizations begin to face unplanned sanctions or legal fines. An Emprical Example: ASUSTek A patent infringement case involving ASUSTek Computer Inc. illustrates the dangers of relying on retention policies as a substitute for email archiving.  The patent in question focused on correcting errors in floppy drive controllers. ASUSTek was told that, due to relevant industry events, it had the responsibility to retain email beyond its regular policies, a full five years before the start of its court trial. During the e-discovery phase, ASUSTek was unable to reproduce emails.  Because the company had limited storage capacity in its email servers, its policy was encourage employees to download and save emails that they considered important to their personal drives. Any email that was not saved by employees were automatically overwritten to make room for additional email storage.  ASUSTek incorrectly assumed that the safe harbor provision of FRCP would apply. In particular, the court noted that, “A court is not required to simply accept whatever information management practices a party may have. A practice may be unreasonable, given responsibilities to third parties. While a party may design its information management practices to suit its business purposes, one of those business purposes must be accountability to third parties. “ AsusTek claimed that it only needed to start saving emails from the moment it was aware of its patent infringement lawsuit.  However, in the opinion of the court, because other component manufacturers were being sued for issues arising from floppy disk errors, AsusTek should have retained emails beginning from the point in time when comparable litigation occurred in the industry.  Since ASUS employees were working on floppy disk controller errors, ASUSTek should have initiated email preservation related to floppy disk controller errors at a much earlier point in time. Lessons Learned Because of the ambiguity surrounding when safe harbor regulations apply, organizations place themselves at great financial and operational risk by solely relying on standard retention policies.  Even when enacted at the appropriate time, email servers are not designed to suddenly begin deploying tremendous amount of content. It is for this reason that a separate email archiving solution that can save and search all emails, while providing the capability to create global and granular retention policies, provides the appropriate answer for organizations today.  The Barracuda Message Archiver was specifically designed to meet the requirements for organizations that are concerned about their regulatory compliance and litigation support requirements. The original case brief is at: For questions about the Barracuda Message Archiver, please visit or for a free 30-day evaluation, call Barracuda Networks at 1-888-ANTI-SPAM or +1 408-342-5400. For more information on our other security and productivity solutions, please visit

Live Chat Support Software