On Thu, Jan 5, 2012 at 7:56 AM, Eric J Esslinger <eesslinger@fpu-tn.com> wrote:
(I am speaking specifically of full email journaling, not just logs, which I do archive for significant amounts of time.)
I also don't want to discuss the pros, cons, merits, costs, goods, or evils of such a requirement, just wanted to know if this is something I should be looking forward towards maybe needing to implement.
This is probably not what you want to hear, but you should really read through EFF's "Best Practices for Online Service Providers."

https://www.eff.org/wp/osp

Specifically:

OSPs cannot be forced to provide data that does not exist. EFF suggests that OSPs draft an internal policy that states that they collect only limited information and do not retain any logs of user activity on their networks for more than a few weeks. If a court order requests data that is more than a few weeks old, the OSP can simply point to the policy and explain that it cannot furnish the requested data. Likewise, if unnecessary PII is regularly deleted, the OSP cannot supply what it does not retain. This saves the OSP time and money, while also providing the OSP with sufficient data for its own administrative and business purposes.