Don't wait for a lawsuit before you resolve the issue of storing and retrieving e-mails, says Maxine Holt
The retention of e-mail is a compliance issue. Although compliance with regulations and legislation is thought to predominantly affect the public sector and financial services industry, this is clearly not the case. The investigations earlier this year by the Financial Services Authority into Stuart Rose, chief executive of Marks & Spencer (which used e-mails as evidence), highlight the legal weight now given to e-mails.
Indeed, about 75% of all discovery requests in legal cases are now for e-mail, so it is important that the data can be archived and retrieved successfully.
E-mail is now used extensively in litigation, and it is likely that most larger organisations (and many smaller ones) will at some stage find themselves involved in a lawsuit where e-mail will provide valuable evidence.
Although a number of organisations do now retain e-mails, it is clear that many of these companies do not appreciate what the retrieval of specific e-mails entails. The complexity and possible consequences of this are demonstrated by an example from the US, where a company was requested to retrieve e-mails that were stored on back-up tapes. Retrieval cost more than £325,000 simply to obtain the required information from 124 sample back-up tapes.
If the required information cannot be retrieved, then fines may be levied. Some companies believe that it is cheaper to pay the fine rather than retrieve the requested information - and indeed it may well be cheaper - but regulators and the legal profession are unlikely to continue accepting this. The message is clear: get your e-mail house in order.
There are a number of benefits to be gained from archiving e-mails properly, but simply using back-up tapes as an archive for retained e-mails is not an adequate solution to compliance requirements. The cost of responding to one or two requests to retrieve an e-mail more than justifies the cost of an e-mail archiving system.
In addition to simplifying and reducing the cost of the discovery process, an archive eliminates the problems of full mailboxes and the battle between the e-mail system administrator, the compliance officer and end-users.
However, to persuade end-users that it is safe to delete e-mails, they must have access to their own e-mails in the archive.
Archiving is not, of course, without its problems. The first of these is deciding at what point an e-mail should be archived, and the options are:
- On arrival at the organisation, before the e-mail is delivered to the recipient
- After a period of time, if the recipient has not deleted it.
Access rights to the archived e-mails are also important. Staff should only have access to their own archived e-mails, and should not be able to delete them from the archive. This is especially important from a compliance perspective, and must form part of the e-mail retention policy.
As the number of regulations and legislation grows, an increasing number of organisations are required to retain business e-mails. Employees cannot be expected to know which e-mails need to be retained and which can safely be deleted. Even where retention is not required at the moment, it is still preferable not to leave e-mail management in the hands of staff.
The retention period for e-mail varies - each piece of regulation and legislation specifies a different length of time, and the form in which the e-mail needs to be made available to the regulator also differs. It is possible that some organisations will be subject to several laws or regulations under which e-mail must be retained, each with different retention periods.
Some organisations choose to retain e-mails beyond the retention period, because of the value of the information held within individual e-mails, but this could be risky. Organisations need to balance the value that can be gained from an e-mail against the risk of it being used in litigation, when deciding how long to retain an e-mail beyond its retention period.
Despite the obvious risks, the sensible approach is to retain business e-mail regardless of whether it is currently required for compliance, as it often forms proof of events that took place or electronic conversations. It can be difficult to decide what is business e-mail and needs to be retained, and which e-mails can safely be deleted, such as spam.
One approach is to retain all e-mails, including spam, to ensure compliance. The downside of this is the size of the archive and also the impact on searching through the archive.
Alternatively, you can filter out non-relevant e-mails by using an external spam filter with the ability to check rejected e-mails to ensure that they are spam.
The third approach involves keeping all e-mails, categorising them according to content and giving different retention periods to each category. Spam e-mails will have a short retention period.
By reducing instances of non-compliant e-mails, the regular review of e-mails becomes a less onerous task. With a product that can identify e-mails not needed for compliance and can block them, a compliance officer can kill two birds with one stone by reviewing only the e-mails that have been flagged. This proves to the regulator that the organisation has implemented policies to block non-compliant e-mails.
We are still in the early days of compliance, and there will be more pieces of legislation - and a tightening up of current laws - as scandals occur. Many future pieces of legislation will require the retention of e-mail, which will result in most organisations needing to retain e-mail. It is better to start now than to leave it until the lawsuits land.
Maxine Holt is senior research analyst at Butler Group
Case study: Somerfield has e-mail sorted
The Somerfield Group has 1,300 Somerfield and Kwik Save stores and 59,000 employees. The retailer deals with numerous suppliers and its buyers must keep up to date with special promotions and consumer demand, if it is to maintain its position in the market.
About 90,000 e-mails are generated a week within the retailer by the 3,500 employees throughout the group who use e-mail. The IT department had to impose mailbox quotas of 30Mbytes per user. Some users had PST files of 2Gbytes, and the amount of information held within the Exchange system meant that it was very difficult to restore the system within times specified by the service level agreements.
Because of e-mail misuse and the inefficiency of the storage system, Somerfield found it was unable to support claims or prove that events had taken place. To resolve this problem the company installed an e-mail archiving system from KVS Enterprise Vault.
A pilot was set up in about a week and the e-mail archiving system was rolled out across the entire company in two weeks during September 2002.
The archive is easy to search and data can be extracted in about a minute. The system also proved useful after someone employed as a buyer by Somerfield deleted all their e-mails before leaving the company. When the replacement buyer arrived there were no records available. All of the relevant e-mails were restored from the archive, and it was discovered that there was £120,000 worth of business which had not been invoiced.
The company also implemented SurfControl E-mail Filter to filter out spam and has been able to reduce the growth in e-mail by 50%.
Source: Butler Group
The defence case
- About 75% of discovery requests made by lawyers are now for e-mail
- Check the cost of retrieving archived e-mail from back-up tapes
- Just agreeing to pay the fine may not be an option in the long term
- Archive on receipt takes e-mail management out of users' hands
- Provide users with access to their e-mail archive to improve the knowledge base.
This was first published in November 2004