
Don't wait for a lawsuit before you resolve the issue of
storing and retrieving e-mails, says Maxine Holt
The retention of e-mail is a compliance issue. Although
compliance with regulations and legislation is thought to
predominantly affect the public sector and financial services
industry, this is clearly not the case. The investigations earlier
this year by the Financial Services Authority into Stuart Rose,
chief executive of Marks & Spencer (which used e-mails as
evidence), highlight the legal weight now given to
e-mails.
Indeed, about 75% of all discovery requests in legal cases are now
for e-mail, so it is important that the data can be archived and
retrieved successfully.
E-mail is now used extensively in litigation, and it is likely that
most larger organisations (and many smaller ones) will at some
stage find themselves involved in a lawsuit where e-mail will provide
valuable evidence.
Although a number of organisations do now retain e-mails, it is
clear that many of these companies do not appreciate what the
retrieval of specific e-mails entails. The complexity and possible
consequences of this are demonstrated by an example from the US,
where a company was requested to retrieve e-mails that were stored
on back-up tapes. Retrieval cost more than £325,000 simply to
obtain the required information from 124 sample back-up
tapes.
If the required information cannot be retrieved, then fines may be
levied. Some companies believe that it is cheaper to pay the fine
than to retrieve the requested information - and indeed it may
well be cheaper - but regulators and the legal profession are
unlikely to continue accepting this. The message is clear: get your
e-mail house in order.
There are a number of benefits to be gained from archiving e-mails
properly, but simply using back-up tapes as an archive for retained
e-mails is not an adequate solution to compliance requirements. The
cost of responding to one or two requests to retrieve an e-mail
more than justifies the cost of an e-mail archiving system.
In addition to simplifying and reducing the cost of the discovery
process, an archive eliminates the problems of full mailboxes and
the battle between the e-mail system administrator, the compliance
officer and end-users.
However, to persuade end-users that it is safe to delete e-mails,
they must have access to their own e-mails in the archive.
Archiving is not, of course, without its problems. The first of
these is deciding at what point an e-mail should be archived, and
the options are:
- To archive the e-mail on arrival at the organisation, before it
is delivered to the recipient
- To archive the e-mail after a period of time, if the recipient
has not deleted it.
Access rights to the archived e-mails are also important. Staff
should only have access to their own archived e-mails, and should
not be able to delete them from the archive. This is especially
important from a compliance perspective, and must form part of the
e-mail retention policy.
As the number of regulations and pieces of legislation grows, an
increasing number of organisations are required to retain business e-mails.
Employees cannot be expected to know which e-mails need to be
retained and which can safely be deleted. Even where retention is
not required at the moment, it is still preferable not to leave
e-mail management in the hands of staff.
The retention period for e-mail varies - each piece of regulation
and legislation specifies a different length of time, and the form
in which e-mail needs to be made available to the regulator also varies. It is
possible that some organisations will be subject to several laws or
regulations under which e-mail must be retained, each with
different retention periods.
Some organisations choose to retain e-mails beyond the retention
period, because of the value of the information held within
individual e-mails, but this could be risky. Organisations need to
balance the value that can be gained from an e-mail against the
risk of it being used in litigation, when deciding how long to
retain an e-mail beyond its retention period.
Despite the obvious risks, the sensible approach is to retain
business e-mail regardless of whether it is currently required for
compliance, as it often forms proof of events that took place or
electronic conversations. It can be difficult to decide what is
business e-mail and needs to be retained, and which e-mails can
safely be deleted, such as spam.
One approach is to retain all e-mails, including spam, to ensure
compliance. The downside of this is the size of the archive and
also the impact on searching through the archive.
Alternatively, you can filter out non-relevant e-mails, by using an
external spam filter with the ability to check rejected e-mails to
ensure that they are spam.
The third approach involves keeping all e-mails, categorising them
according to content and giving different retention periods to each
category. Spam e-mails will have a short retention period.
By reducing instances of non-compliant e-mails, the regular review
of e-mails becomes a less onerous task. With a product that can
identify e-mails not needed for compliance and can block them, a
compliance officer can kill two birds with one stone by reviewing
only the e-mails that have been flagged. This proves to the
regulator that the organisation has implemented policies to block
non-compliant e-mails.
We are still in the early days of compliance, and there will be
more pieces of legislation - and a tightening up of current laws -
as scandals occur. Many future pieces of legislation will require
the retention of e-mail, which will result in most organisations
needing to retain e-mail. It is better to start now than to leave
it until the lawsuits land.
Maxine Holt is senior research analyst at Butler Group
Case study: Somerfield has e-mail sorted
The Somerfield Group has 1,300 Somerfield and Kwik Save stores
and 59,000 employees. The retailer deals with numerous suppliers
and its buyers must keep up to date with special promotions and
consumer demand, if it is to maintain its position in the
market.
About 90,000 e-mails are generated a week within the retailer by
the 3,500 employees throughout the group who use e-mail. The IT
department had to impose mailbox quotas of 30Mbytes per user. Some
users had PST files of 2Gbytes, and the amount of information held
within the Exchange system meant that it was very difficult to
restore the system within times specified by the service level
agreements.
Because of e-mail misuse and the inefficiency of the storage
system, Somerfield found it was unable to support claims or prove
that events had taken place. To resolve this problem the company
installed an e-mail archiving system from KVS Enterprise
Vault.
A pilot was set up in about a week and the e-mail archiving
system was rolled out across the entire company in two weeks during
September 2002.
The archive is easy to search and data can be extracted in about
a minute. The system also proved useful after someone employed as a
buyer by Somerfield deleted all their e-mails before leaving the
company. When the replacement buyer arrived there were no records
available. All of the relevant e-mails were restored from the
archive, and it was discovered that there was £120,000 worth of
business which had not been invoiced.
The company also implemented SurfControl E-mail Filter to filter
out spam and has been able to reduce the growth in e-mail by
50%.
Source: Butler Group
The defence case
- About 75% of discovery requests made by lawyers are now for
e-mail
- Check the cost of retrieving archived e-mail from back-up
tapes
- Just agreeing to pay the fine may not be an option in the long
term
- Archive on receipt takes e-mail management out of users'
hands
- Provide users with access to their e-mail archive to improve
the knowledge base.