Email Retention Policy


Email. Retention. Policy.

Three words that businesses often overlook. Almost every business today is receiving emails, a lot of them! As I am writing this article, the volume of global email is reaching 210 billion emails a day and is expected to grow up to 297 billion a day by the end of 2010. The Radicati Group, a market research firm specializing in the technology industry, released those compelling numbers. The same firm also predicts that workers will spend 41% of their time handling email by 2011.

The dramatic part, which we notice here at Sonian, is that most of the management of these 210,000,000,000 emails is left to employees, as if emails were random pieces of information with no intrinsic value. Usually, employees walk into work in the morning, open their computer, and brave the onslaught of emails invading their inboxes. I know my personal habits involve straight up deleting what I deem to be most irrelevant, unimportant, or SPAM. Right there is a prime example of why an email retention policy should be a common practice nowadays. Allowing employees to manually archive emails can create great gaps in an archive, and regardless of whether this was done intentionally or unintentionally, this could cause big problems from an eDiscovery perspective.

Companies should, first and foremost, create an email retention policy that clearly outlines archiving practices. Leaving it up to employees to decide leaves your business open to some serious fines. Next, incorporating a third-party hosted archiving solution will not only alleviate pressure and lighten the workload of a company's IT staff, but also allow your IT staff and law department to define an automated email retention policy that archives all necessary emails, protecting the company should it face litigation.

An email retention policy is especially relevant, and not just for industries that are highly regulated by increasing constraints and compliance laws. Financial services, educational institutions, government agencies, and health care related entities are, now more than ever, concerned with data archiving regulations like the Sarbanes-Oxley Act, SEC and NASD requirements, Gramm-Leach-Bliley Act, HIPAA, and FRCP. These regulations changed the weight that emails, IM, SMS, and other files carry in case of litigation or eDiscovery requests. In fact, those regulations are driving more and more companies to put in place, or drastically revise, their archiving policies. Today, the lack of an email retention policy can lead to millions of dollars in fines and even put companies out of business.

As I mentioned earlier, not all emails carry the same weight when it comes to archiving them. This is where your email retention policy comes into play: it will help you determine which emails qualify for archiving. Once the policies have been determined, another important step is to determine how (can I suggest 3rd Party email archiving) and where (on-premise, hosted, cloud…) you will archive those emails.

According to email experts, you have to consider 5 steps when designing your email policy.

  1.   Decide which emails are relevant to keep.

  2.   Choose how long you want to store them.

  3.   Determine how you want to get rid of them.

  4.   Define the way to educate and notify employees about the policy.

  5.   Establish sanctions for employees failing to comply with the policy.

Companies should particularly spend time on the last step and make sure that the implications of breaking the rules match the incurred risks for the company. This is even more relevant for small businesses risking going out of business in case of litigation if they don’t have an efficient archiving system or retention policy. The ePolicy Institute and the American Management Association found out in their 2007 survey that 28% of the surveyed bosses had fired employees for email violations.

A small business should make sure that the chosen archiving system matches the following criteria:
  -  Ability to capture inbound and outbound messages and their attachments.
  -  Presence of an advanced search feature based on indexing to make sure that emails are easily retrievable.
  -  Meets regulatory requirements in case of litigation or an eDiscovery request (capacity to retrieve an email in its native format, ability to put legal holds…).
  -  Ensures security of the archives, e.g. through encryption.

The final thought I want to leave you with: companies should never let their employees save their emails in “individual” archives or on their PCs. The reason is very simple: in case of litigation, the forensic team in charge of the case will start by peeling off your employees’ mailboxes and personal hard drives, which can be invasive and time consuming.

