Magazine Article | January 1, 2006

Is Your E-Mail In Compliance?

Source: Field Technologies Magazine

As it has matured, e-mail has become a critical business application subject to a variety of government regulations. Here’s what you should know about managing your company’s burgeoning e-mail.

Integrated Solutions, January 2006
E-mail used to be an informal way for employees to communicate with each other. Most businesses let employees manage and archive their e-mails as they saw fit. Considering that up to 60% of today’s business-critical information is stored in e-mail systems, according to Ferris Research, you may want to rethink how you manage this information.

Companies’ dependence on e-mail has increased dramatically in just the last few years. It is now an accepted means for taking orders, formalizing contracts, granting approvals, and making employment offers. As this reliance has increased, so has governmental scrutiny. E-mail messages are now considered comparable to paper documents and are admissible in court proceedings. The associated legal discovery has cost unprepared companies millions of dollars in time, effort, and fines.

Before implementing an e-mail management system, a company should consult with its records managers and determine if it’s ready to implement such a system. “An e-mail management system is not just a method for removing the IT problem of excessive e-mails from the corporate e-mail servers,” cautions Kris Brown, senior sales engineer for TOWER Software. E-mail is a historical archive of corporate information that will have varying corporate value, disposition, retention, and compliance issues, depending on who inside the organization sent or received the mail and what the e-mail was in relation to.

Simply keeping everything forever or destroying everything after an arbitrary period will not help a company meet its compliance requirements or relieve it of its inherent liability. A business needs to understand what it has in its e-mails and what value or liability those e-mails bring to the organization. Through this understanding, an organization can implement an e-mail management policy that mirrors its overall document and records management system. Not integrating e-mail with other document management systems will only add one more system for the IT groups to manage.

Once the e-mail management policy has been created, it is important to train employees on the new policy – even if it has not been refined. The policy can always be modified and updated, but the sooner employees are aware of common procedures they should follow and the importance with which they should treat e-mail, the better. In general, the courts have been lenient with businesses that have established e-mail management policies, even if they are flawed. They are generally less lenient with organizations that have done nothing to manage their e-mail.

Once an e-mail management policy is created, carefully identify which e-mails will be managed and archived. This begins by properly filtering the e-mails that enter your employees’ inboxes. It’s inadvisable to manage and archive every piece of e-mail that enters your e-mail system; start by filtering out spam, viruses, and unacceptable attachments. These not only inhibit a company’s productivity, but also pose a security threat to the network.

After problem e-mails have been quarantined, the remaining e-mails should be reviewed for their relevant business value. For example, messages between coworkers about where to go for lunch are not vital to the business’ operation and do not need to be managed or archived. However, because stock traders are required by SEC (Securities and Exchange Commission) regulations to capture all relevant e-mail, an e-mail between a trader and a client about a stock sale will probably need to be kept for many years.

The most obvious benefits of meeting compliance requirements – reducing legal discovery costs, avoiding fines and jail time – can be difficult to quantify. Other benefits are more measurable. “Limiting exposure to employee e-mail abuse, time saved searching for e-mail for internal or audit/compliance purposes, and the possible loss of critical information are all very strong value points,” says Ben Woolley, VP for Redmap Networks.

Many organizations justify the cost of implementing an e-mail management system by measuring the time saved through information sharing. They are able to quantify savings in time spent searching for information and in IT in terms of single instance storage and management expenses. An e-mail management system reduces storage and tape backup requirements over the life of those purchases, which is between three and five years. Therefore, an organization can expect an e-mail management system to pay for itself in reduced storage requirements in approximately 12 months.

By sharing information that had previously been locked in e-mails, a business is able to mine its information better. New employees are able to advance along the learning curve faster if they are able to look through their predecessors’ e-mails. This reduces training costs. Also, when an employee leaves the company, the organization has key e-mails archived, so it doesn’t lose all the intellectual property associated with that individual.

By far, the most common issue an organization will face when implementing an e-mail management system is user acceptance. Users are the ones who send and receive the e-mails and are most likely to know what a particular e-mail is in relation to. The more metadata (i.e. sender, recipient, date, subject line, keywords, and other identifying characteristics of a file) a user can provide upon the capture of e-mails, the easier messages will be to find and archive later. “This, however, is a balancing act. Asking users to provide too much information will lead to resistance in use, and not involving the users at all will lead to a large archive of irretrievable e-mails,” warns Brown.

One way to mitigate this problem is to train users. This training should include, first and foremost, the company’s e-mail management policy. By doing so, users are more likely to understand the reasons why the new system is being implemented and accept the new system. Secondly, the training should include the new e-mail management system and how to archive and retrieve e-mails.

Another common mistake companies make is not involving all of their business lines. Without input from their different departments, organizations may run into resistance to the new system. By involving all the business lines, organizations also ensure the e-mail management system is flexible enough to meet all the business’ requirements.

Finally, the system must integrate with the organization’s existing systems. The courts have already determined that businesses cannot treat e-mail differently from other records in the organization. Therefore, an e-mail about a particular topic should be found with other information that was generated outside the e-mail platform, including paper and other physical resources.

E-mail has become the new version of the written letter. Simply allowing employees to file and delete e-mails as they wish not only demonstrates a lack of understanding of how business has changed, but also negligent management. “This is an issue that will land directors and officers in significant trouble should locating an e-mail be required by regulatory authorities,” says Woolley. “Businesses cannot afford to not have an e-mail management system and policy in place.”