If your business allows its individual employees to delete or archive e-mails as they see fit, it isn't alone. However, given the business impact of e-mail today, it's a practice you should consider revising.
E-mail has become much more than just a convenient way to communicate. It has become a primary means of conducting business. Most organizations now consider e-mail a viable medium for taking orders, granting approvals, formalizing contracts, and making employment offers. In fact, according to Ferris Research, 35% to 60% of today's business-critical information is stored in e-mail systems.
As dependence on e-mail and its use has grown, so has the governmental and legal scrutiny regarding its value and impact. E-mail is now just as admissible in court, and just as critical for an enterprise to maintain, as paper records. If this information is not properly managed in accordance with a strategically sound corporate records management policy, it is unavailable as a resource to an organization and can become a legal liability that leads to fines, jail time, or both.
CREATE AN E-MAIL MANAGEMENT POLICY
An effective e-mail management system begins with a sound e-mail management policy. Without a common e-mail management policy in place, there is no way to find e-mails of interest or even identify what e-mails you have stored without arduous searches of individual mailboxes or backup tapes. These searches can take months because it is often impossible to identify the content of an e-mail simply from the date, sender, recipient, and subject line.
To streamline efforts, your e-mail management system should correspond to your overall corporate records management principles. E-mail is information. It should be treated no differently than a marketing memo, a legal contract, or an accounts payable spreadsheet. By establishing an e-mail management policy that mirrors your overall document and records management system, you increase efficiency and decrease risk and confusion.
It is imperative that you communicate the e-mail management policy to your employees as early in the process as possible — even if it hasn't been perfected yet. The policy can always be tweaked or updated, but the sooner your employees are aware of the common procedures they should follow and importance with which they should treat e-mail, the better. In general, courts have been lenient with organizations that have established e-mail management policies, even if these policies are flawed. They are generally less lenient with organizations that have done nothing to manage their e-mail.
FILTER YOUR E-MAIL
When constructing your e-mail management policy and system, it is important to identify and carefully select which e-mails should be managed or archived. This process often begins with proper filtering of all e-mails that enter your employees' inboxes.
"It is inefficient and dangerous to manage and archive all e-mail," says Randy Keith, CEO of Redmap, U.S. "Your e-mail management solution should begin with a filtering product that screens for and weeds out spam, viruses, and unacceptable attachments. These items are not only annoying, they interfere with an organization's productivity and cause security threats to a company's vital data."
Once problem e-mails are identified and quarantined, clean e-mails should also be evaluated for their business value. An e-mail that contains information about an upcoming lunch meeting between coworkers, for example, is not vital to business operations and does not need to be archived. On the other hand, an e-mail that contains a broker's comments on the financial stability of a company will probably need to be kept for many years because it is a record of corporate viewpoint.
"Companies should examine the character of their e-mail traffic to determine how much of that traffic falls under government regulations, constitutes corporate information policy, or might be relevant to some current or potential legal action," says Eric Bean, senior director, products group, Captaris, Inc. "For example, a medical center that uses e-mail for many routine uses may have recently started to allow patients to follow up with caregivers via e-mail. While routine e-mails may not require archiving, the patient follow-up e-mails fall under HIPAA [the Health Insurance Portability and Accountability Act] regulations and must be managed carefully and securely."
BACKUP ISN'T ENOUGH — ARCHIVE E-MAIL AS A RECORD
Simple tape backups, the traditional method for backing up an e-mail system, are not effective at ensuring that legal requirements are met, nor are they a good way to gain access to the wealth of content housed in a typical company's messaging system. Furthermore, backups require a great deal of IT involvement and create long e-mail downtimes in the event of a server crash or other technical problem.
To facilitate e-mail discovery and ease the burden placed on your organization's IT infrastructure, your e-mail management system should categorize and sort e-mail using metadata (i.e. sender, recipient, date, subject line, keywords, and other identifying characteristics of a file). Since your e-mail management policy should mirror your records management policy, it stands to reason that your e-mails should be archived in the same fashion as your paper records. Your e-mail management system should index all content based on your e-mail policy so that e-mails can be quickly recovered in the event of legal action or audit.
Your system should also enforce corporate data retention policies. Your corporate policy or an external regulation may require that certain content be retained for a minimum period. Your e-mail management system should manage these retention schedules, permitting all data to be kept as long as necessary, but no longer, allowing data to be removed from the archive easily and in accordance with corporate and legal policies.
Your e-mail management system should also allow end users, such as compliance officers or corporate counsel, to access archived e-mails themselves. This capability will reduce the workload on your IT staff and accelerate the e-mail recovery process. However, the system must also protect this information from end user tampering. Archived e-mail records should be saved in such a way that they cannot be altered. Also, if content from an archive is accessed, the system should provide an audit trail of who accessed the content and when.
ENSURE USER ADOPTION WITH NONINVASIVE E-MAIL TECHNOLOGY
Like any technology initiative, e-mail management requires cooperation between departments in order to be successful. While the records management and legal departments certainly should play significant roles in creating and driving policies, IT and representatives from other departments should be involved as well. Also, the organization's senior management should communicate the e-mail management policy to employees to foster user adoption.
Another way to ensure the success of your e-mail management initiative is to implement technologies that do not change your employees' current e-mail habits. "A good e-mail solution should not be invasive," says Keith. "The goal is to make e-mail safe and reliable, but the threat of big brother watching could have an undesired effect and cause employees to reduce their e-mail use. A good e-mail management solution should integrate seamlessly into a company's current e-mail environment, and a review of your basic technology stack should be among the first things you cover with a vendor."
The cost of an e-mail management solution generally depends upon the number of employees and complexity of the implementation. However, a small to midsize business should be able to implement a good system for less than $10,000. Depending upon how sophisticated your requirements are, you may need to deploy multiple tools to develop the overall solution.
"No one vendor does everything," adds Keith. "If a vendor claims to provide a one-stop e-mail management solution, it is unlikely it is an expert in all realms. Getting the assistance of a systems integrator that specializes in e-mail management is usually money well spent, not only in the implementation phase, but also in defining your up-front requirements and evaluating possible solutions to meet your needs."