Why I Said “No” to a 90-Day Email Deletion Policy

When the C-suite calls you in and says, “We want all emails deleted after 90 days,” it might sound like a quick win for storage management or “cleaning up” the system. But as an IT and compliance professional, I had to draw a hard line — and here’s why.

1. The Real Motivation Often Isn’t Storage Leadership may say it’s about saving space or reducing clutter, but in many cases, this kind of policy is pushed to reduce legal exposure. The thinking is simple:

• No emails, no evidence in the event of lawsuits or regulatory audits.

While that might sound like risk reduction, it’s actually the opposite — it creates bigger legal and operational risks.

2. Legal and Regulatory Compliance Many industries have mandatory data retention requirements:

• Finance: SEC and FINRA require retention for years, not months.
• Healthcare: HIPAA can require certain communications to be preserved.
• Utilities, critical infrastructure, and government contractors: Contractual retention requirements may be measured in years.

A blanket 90-day purge could violate multiple laws and contracts — putting the company in direct legal jeopardy.

3. Litigation Hold and Discovery If your company is ever sued, a court can issue a litigation hold — requiring you to preserve all relevant data.

• If your policy automatically deletes those emails, it can be seen as destruction of evidence (spoliation).
• Judges have handed down severe sanctions, including default judgments, for companies that “accidentally” deleted emails during litigation.

4. Operational Risk Emails aren’t just legal records — they’re operational memory.

• Project details.
• Contract negotiations.
• Client history.
  Delete those every 90 days and you’re erasing critical institutional knowledge that no knowledge base or SharePoint site will ever fully replace.

5. The Better Approach Instead of a reckless blanket purge:

• Implement tiered retention policies based on department and content type.
• Use archiving solutions to move older emails into low-cost storage while keeping them searchable.
• Train staff on when and how to manually delete emails that truly have no business or legal value.

This keeps inboxes lean without exposing the company to compliance and litigation risks.

6. Why I Said No As the IT and compliance lead, my role isn’t just to do what leadership wants — it’s to protect the company from avoidable disasters.
Saying “yes” to a 90-day deletion policy would have been:

• Legally dangerous — violating retention laws.
• Operationally harmful — erasing critical business history.
• Ethically questionable — enabling a potential “out of sight, out of mind” approach to accountability.

So I told them No — and instead proposed a compliant, risk-aware retention strategy.

Final Thought Good IT leadership means knowing when to say “yes” to efficiency — and when to say “no” to something that could destroy your company’s legal standing.
Deleting all emails after 90 days might seem like “getting ahead of problems,” but in reality, it’s setting up bigger ones.