left quote mark

First and foremost, there needs to be a corporate policy, that is clearly stated that dictates how email is to be handled. The policy needs to be enforced, uniformly," Frappaolo says. "Then, it's a matter of deciding how long an email needs to be retained based on the records management policy.

right quote mark

Staying Out of Court: Managing Email by Design

AIIME-DOC MagazineHarnessing ways to manage proliferating email to mitigate risk begins with records management. Setting and enforcing email policies as a larger set of RM policies are key.

By Marcia Jedd, President, MJ &Associates

(originally appeared on AIIM E-Doc Magazine and website in 2006)

Email, one of the world's easiest, most commonplace business tools, comes at a high cost. As precedent-setting court cases on down to small court-skirmishes and email faux pas convey, when emails aren't managed correctly, there's unnecessary exposure to lawsuits and scandal. Plus, a host of regulatory compliance issues lurk in the electronic ethers.

The trouble with managing emails escalates as email growth rates mushroom. Even estimating the number and volumes of emails sent annually is dizzying. By 2008, conservative estimates put the number of emails sent in the United States between seven to 10 billion according to research by Cohasset Associates, an information management consultancy, up from some 2.8 billion in 2005.

"Until Sarbanes Oxley (SOX), email management did not get a lot of attention at the C level— or at the B level, meaning the board level," says Robert F. Williams, president of Cohasset Associates. "There's a pressing need for more information about managing email to bring about that awareness that you can't drive a car with three wheels very successfully."

If a leading industry survey conducted in 2005 is a good gauge, then businesses are in trouble. According to AIIM and ARMA International's bi-annual joint survey conducted by Cohasset Associates to more than 2,000 records management professionals only about one-half of organizations surveyed reported having a retention policy for email. And nearly one-third surveyed don't include e-records in their records management policies and procedures (the survey is available at http://www.aiim.org/Research/Survey).

Growing Threat

The exposure of risk if improperly saving and retaining emails or on the flipside, failing to properly archive and store emails at all, is mounting as lawsuit-happy disgruntled employees cry fowl and regulating agencies of all kinds force compliance. "The pain is getting more painful and the economic hardship is getting more and more onerous," says Randolph Kahn, Esq., founder of Kahn Consulting, a legal IT consultancy.

About 75 percent of business email is considered intellectual property and is discoverable, says David Campbell, product marketing manager for Enterprise Vault archiving solutions at Symantec, an enterprise security solutions provider. "There are any number of regulatory factors like HIPPA for health records, SOX for financial records and FERC on the energy side. You have to retain and hold email based on what industry you are in."

Campbell says email retention policies are getting more complex because of these and other business issues, making enforcement mandatory. "Different industries have different levels of comfort. If you are taking in customer emails with sensitive data, or invoicing and long tracking of support cases, you will want to retain a lot of customer email. But external email is just as important as the internal stuff running around. Some companies will save everything for 90 days and then purge everything out of the system."

In a case like that, the company better be sure to have an archiving system with good records management policies. Why? As regulators say that email must be saved if it's involved in the business record, the courts are certainly driving the point home. In fact, in December 2006, a king of rulemaking—the Federal Rules of Civil Procedure—will broaden its definition of a document to incorporate emails, and even voice mails, stored in the computer. "Parties will be required to disclose, very early on in the discovery process, their computer systems and data, including email, that relate to the litigation," Williams says.

Email is thus discoverable but is difficult and costly at best to manage and retrieve.

So what to do about managing email to reduce legal and compliance risks? Here are some solutions.

Truly an RM Issue?

Above all, the managing of email is a records management issue, not an email issue, says Carl Frappaolo, executive vice president of the Delphi Group technology consultancy. "First and foremost, there needs to be a corporate policy, that is clearly stated that dictates how email is to be handled. The policy needs to be enforced, uniformly," Frappaolo says. "Then, it's a matter of deciding how long an email needs to be retained based on the records management policy."

Frappaolo advises IT and records management departments not to go running off and set their own email policy but to keep it broad around business records. "It's the content/subject matter, business issue, customer, and such that matters," he says. "The retention policy for email will likely be the same as a written letter, contract, etc. It is based on the content and nature of the communication, not the type of media."
"Institutions have to decide who will retain business email communications so you are using your resources efficiently and not wasting effort," Kahn says. This means determining how to retain the information and in what form. "You have to decide on technology and even storage locations so that you have access to the information, including locations so future litigants can have access to it. Build it with an eye towards expeditious and effective ways to retrieve the information in a cost effective manner."

What To Save and How?

Technology comes to the rescue with tools like filters to head off unwanted junk mail. Broader solutions such as records management/ enterprise content management software may or may not have email archiving and management capabilities. In many cases, individual email management and even compliance management point solutions can be integrated with these broader solutions.

Perhaps one of the stickiest areas is setting criteria for saved versus non-saved emails. This falls under a company's definitions for business records and business emails. "Our favorite definition is a business email is any email that has ongoing business, legal, compliance, or historical value and that has evidence of its business or business activities," Kahn says, noting emphasis on "ongoing value." He gives example of company email about a budget meeting on Friday. "After Friday, its value to the institution is marginal. It should go away. It is not the kind of thing the institution should retain and use resources to manage."

Kahn emphasizes the definition of a business email also requires a particular kind of value—legal, compliance, business, historical—certain kinds of value that are important. "You need to be clued into what that value is and make sure we are maintaining all of that in accordance with company policies."

Don't simply take a snapshot of all inbound emails, says Bill Forquer, executive vice president at Open Text, an ECM solutions provider, citing the additional risk and excessive costs firms put themselves under when they uses backup systems as archive. "You have to properly classify emails in the context of a records strategy. Otherwise you are creating liability for yourself by holding onto something that could be expired."

Once an organization is confident they're saving the right emails, Frappaolo says, "These emails should be automatically moved to a storage device and protected. They should also be tagged with metadata information, or else discovery and recall becomes a real problem." As Forquer emphasizes, the ever-changing winds of the business and regulatory environments compel firms to create agile records management and archiving systems that do a good job of indexing documents for swift retrieval.

Based on the industry an enterprise competes in, Forquer says, the enterprise needs to review its regulatory responsibilities, determine policies and procedures appropriate for its business and industry, and then tell how it's going to execute it. He gives the example of SOX requirements for publicly held companies that require firms to explicitly set business processes around external financial reporting. "The result is that companies need to maintain the appropriate business records and processes associated with that reporting for seven years," he says.

Policymaking at the Top

Priscilla Emery, president of e-Nterprise Advisors, an ECM consultancy, emphasizes setting policies from the top down. "Policies around managing email in general need to be set from as high up in the company as possible and need to be implemented using records management techniques."

With email management a critical but contentious subset of records management, Emery notes, depending on the size of the company, it often takes a village of participants to set policy. "Likely, this is records management and IT people together, and they should be getting guidance from legal, financial and audit and others with vested interests in the outcome."

Policing the System?

Another area that companies grapple with is setting and enforcing email usage guidelines. Inappropriate use of email networks, sending improper or proprietary information, can get a company or an employee into trouble but generally speaking, employers are legally responsible for an employee's bad act. Emery says a records management policy for email dovetails with other critical email issues like anti-spam filtering and the lawful monitoring of employee email and Internet use by the employer.

"You have to keep what you have to keep, but if someone is doing something stupid, it's up to the company to make sure the person is fired or appropriately disciplined," Emery says. She advises firms of any size to set guidelines around proper email etiquette and usage and to regularly communicate guidelines to employees, while enforcing them.

Kahn agrees. "You need to develop clear policies to tell employees what to do, what not to do, and how to do it. Tell them what is a business email. Have clear policies to tell them what is and what isn't a record."

Setting records management policies and guidelines around emails is one thing, but enforcing them is another. Kahn says this demonstration can include ongoing training for employees, ongoing review of the information that has already been kept, and keeping abreast of legal and regulatory developments. Training can go far to head off problems before they occur, especially if the employee knows the implications of their actions. To this end, Kahn's firm offers a training program called Keeping Good Company. "We use it to tell employees the importance of good records management, good email management. The average employee is the foot soldier on the front line of effective information management for the company so it's important to train them."

Managing It?

Forquer of Open Text says enterprises need an integrated approached to email archiving with other records management practices. "Use a series of automated capabilities set by the end user. That's where you start to filter down the information you really need to retain, set retention times, and follow through with the destruction of documents as appropriate to the policies that are in place, following compliance with regulations."

Like Open Text, user-driven classification is an element of Symantec's solutions. "You can archive specific folders. We also have flexible rules-driven classification. You can save content very easily based on the metadata. Rules are based off of the senders, the recipients, the subject line, or so forth," Campbell says.

Forquer says flexibility in content management systems are key to adapt to changing regulatory and business environments. Solutions by Open Text and other ECM vendors help enterprises to integrate with other enterprise solutions to form repositories of searchable files, such as by department or subject. So content systems can pull from programs like Microsoft Exchange for email or Microsoft SharePoint for documents. "The onus is on providers like us to move into these primary computing environments to ultimately effect records management policy within those systems," Forquer says.

Search and retrieval is where the rubber meets the road, Campbell says. These systems need to be based on archival systems, not daily backup. They also need to avoid redundancy with elements such as single instancing that only saves one company of a large PowerPoint presentation that went to 40 people in the company. "You can archive this of course on your own hard drive or a network drive. Single instancing means we are only going to archive one copy of that PowerPoint, even though the metadata will show who else received it."
As these ideas illustrate, incorporating email management, archiving, and searching into the broader context of enterprise content and records management will only improve a firm's business processes while keeping them out of court.

Marcia Jedd is president of MJ & Associates (www.marciajedd.com), a marketing communications and research consultancy in Minneapolis.

Managing Email Done Right

The consequences of ignoring email management are mounting. But now that the world is waking up to the fact that electronic information constitutes a business document or record, here are some email retention and management best practices from Cohasset Associates' white paper, Making the Case for Email Archiving and Litigation Readiness(July 2006):

  1. Retain electronic information – as long as it's needed for legal and ongoing business reasons and in a manner that allows for efficient search and retrieval.
  2. OK to destroy – after electronic information is no longer needed, destroy in accordance with the firm's records retention policies and practices.
  3. Demonstrate actions taken – in the lifecycle management of the organization's e-records. Show actions were performed in accordance with policy and procedures.
  4. Document audit trails of key activities performed – including management oversight for who did what and when.
  5. Provide assurances that the accuracy, reliability and trustworthiness of records are preserved – e-records are managed over time and through any successive technology upgrades or migrations.