We put the IT in city®

CitySmart Blog

Tuesday, February 28, 2017
Brian Ocfemia, Technical Account Manager
Brian Ocfemia

A city had relied on an old, aging email server for 10 years. Purchased in 2007, the email server often froze up and hit storage limits constantly. With the excuse of “budget,” the city did not want to invest in a new server despite these issues.

As a result, employees were often forced to delete emails in order to free up space. A city policy said the employees needed to keep “important” emails. However, it was unclear what “important” meant and the policy only loosely defined how the employees should retain them. Some employees used flash drives, some used external hard drives, and some even transferred files onto personal laptops.

One day, an outside investigation began that concerned a city department. Allegedly, funds may have been stolen and investigators wanted to get to the bottom of what happened. Suddenly, all eyes were on the city as word got out to the media.

The media made several FOIA requests to see emails related to the city department under investigation. Once the city clerk began trying to carry out the requests, she hit a wall. Not sure who kept what, she began to fear that key emails were deleted. Sending out requests to city employees in that department, the city clerk received uncertain replies about who had the specific emails.

Within days, she realized the city may not have been able to fulfill the FOIA request—even with a delay. The crushing realization settled in that emails the city was required to keep by law may have disappeared. Once the media suspected this happened, they began reporting on the city in a negative light—casting suspicion over the city in the local paper. The stories spread to various other papers around the state. Investigators also noted the serious nature of these missing emails and began to talk of misdemeanors, fines, penalties, lawsuits, and even possible prosecution for employees who possibly destroyed records.

Preventing This Disaster

Even for FOIA-related circumstances less serious than this situation, cities can feel painful repercussions when retrieving emails that are public records. Delays, excessive hours consumed searching for emails, storage limitations, and uncertainty about locating emails all increase your risk of liability. Let’s look at some errors in our story that the city committed.

Error #1: Relying on an old, aging email server.

The city thought it maximized its original email server investment. But holding onto an aging server presents too many problems that impact the accessibility and security of the information you store on it.

  • Cost: It’s expensive to maintain the hardware and software on a server that breaks down a lot, fails to operate at full capacity, and often isn’t supported by the hardware and software vendors any longer.
  • Threat of Server Failure: Whether you have data backup or not, a server failure is disruptive to your operations. Eventually, you will have to buy a new (unbudgeted) server if it fails.
  • Risk of a Data Breach: Older servers are less secure because vendors often stop providing security patches and updates after a specific period of time.

Error #2: Ignoring email storage limits.

Hitting email storage limits is no excuse for not following state retention laws. Today, many cloud email options exist that provide more than enough email storage space for an affordable price. Employees should never have to worry about deleting important emails or storing them in a separate location just because of email storage caps.

Error #3: Relying on employees to manually archive and retain emails.

This city lacked policies and procedures to ensure proper records retention—and they passed along their lack of problem solving to employees. It’s not a good idea to rely on employees to manually store emails in a consistent, legal way. Most employees have the best intentions—but they get busy, forgetful, or overwhelmed by their roles and responsibilities. They are not necessarily going to retain those emails in the most secure, consistent way.

Error #4: Following a weakly enforced policy not aligned with records retentions laws.

State records retentions laws specifically note how emails (and other public records) must be archived, retained, accessed, and deleted. Modern email servers can automate much of this process to align with laws. This city clearly needed to leverage technology more to help them automate the records retention process. Too many steps were reliant on manual, uncertain processes.

While it’s less likely that a scandal or investigation will happen at your city, it’s not impossible. On whatever level you respond to FOIA requests, it’s your legal duty to provide the information requested. If you can’t, then you’re asking for trouble.

Questions about your ability to respond to a FOIA request? Reach out to us today.