A
city had relied on an old, aging email server for 10 years. Purchased in 2007,
the email server often froze up and hit storage limits constantly. With the
excuse of “budget,” the city did not want to invest in a new server despite
these issues.
As
a result, employees were often forced to delete emails in order to free up
space. A city policy said the employees needed to keep “important” emails.
However, it was unclear what “important” meant and the policy only loosely
defined how the employees should retain them. Some employees used flash drives,
some used external hard drives, and some even transferred files onto personal
laptops.
One
day, an outside investigation began that concerned a city department. Allegedly,
funds may have been stolen and investigators wanted to get to the bottom of
what happened. Suddenly, all eyes were on the city as word got out to the
media.
The
media made several FOIA requests to see emails related to the city department
under investigation. Once the city clerk began trying to carry out the
requests, she hit a wall. Not sure who kept what, she began to fear that key
emails were deleted. Sending out requests to city employees in that department,
the city clerk received uncertain replies about who had the specific emails.
Within
days, she realized the city may not have been able to fulfill the FOIA request—even
with a delay. The crushing realization settled in that emails the city was required to keep by law may have
disappeared. Once the media suspected this happened, they began reporting on
the city in a negative light—casting suspicion over the city in the local
paper. The stories spread to various other papers around the state. Investigators
also noted the serious nature of these missing emails and began to talk of misdemeanors,
fines, penalties, lawsuits, and even possible prosecution for employees who
possibly destroyed records.
Preventing This
Disaster
Even
for FOIA-related circumstances less serious than this situation, cities can
feel painful repercussions when retrieving emails that are public records.
Delays, excessive hours consumed searching for emails, storage limitations, and
uncertainty about locating emails all increase your risk of liability. Let’s
look at some errors in our story that the city committed.
Error #1: Relying on an
old, aging email server.
The
city thought it maximized its original email server investment. But holding
onto an aging server presents too many problems that impact the accessibility
and security of the information you store on it.
- Cost: It’s expensive to maintain the hardware and software on a
server that breaks down a lot, fails to operate at full capacity, and often
isn’t supported by the hardware and software vendors any longer.
- Threat of Server Failure: Whether you have data
backup or not, a server failure is disruptive to your operations. Eventually, you
will have to buy a new (unbudgeted) server if it fails.
- Risk of a Data Breach: Older servers are less secure because
vendors often stop providing security patches and updates after a specific period
of time.
Error #2: Ignoring
email storage limits.
Hitting
email storage limits is no excuse for not following state retention laws.
Today, many cloud email options exist that provide more than enough email
storage space for an affordable price. Employees should never have to worry
about deleting important emails or storing them in a separate location just
because of email storage caps.
Error #3: Relying on
employees to manually archive and retain emails.
This
city lacked policies and procedures to ensure proper records retention—and they
passed along their lack of problem solving to employees. It’s not a good idea
to rely on employees to manually store emails in a consistent, legal way. Most
employees have the best intentions—but they get busy, forgetful, or overwhelmed
by their roles and responsibilities. They are not necessarily going to retain
those emails in the most secure, consistent way.
Error #4: Following a
weakly enforced policy not aligned with records retentions laws.
State
records retentions laws specifically note how emails (and other public records)
must be archived, retained, accessed, and deleted. Modern email servers can
automate much of this process to align with laws. This city clearly needed to
leverage technology more to help them automate the records retention process.
Too many steps were reliant on manual, uncertain processes.
While
it’s less likely that a scandal or investigation will happen at your city, it’s
not impossible. On whatever level you respond to FOIA requests, it’s your legal
duty to provide the information requested. If you can’t, then you’re asking for
trouble.
Questions about your ability to respond to a FOIA request? Reach out to us today.