Originally published - June 19, 2006
The impact of e-mail on businesses these days is enormous. Companies use e-mail to conduct business, for responding to clients, for internal communication, for discussing strategy, and for responding to regulations. Roughly 35 billion e-mails are sent a day, and the number is growing. The Radicati Group estimates that by the end of 2006, 52 billion e-mails will be sent daily, including all types of correspondence. More importantly, 60 percent of business-critical data is sent via e-mail, according to Gartner.
Unsupervised and improperly disciplined e-mail behavior causes headaches to corporate management. Viruses hiding within e-mails can cause huge harm to organizations. The fact that so many e-mails are sent every day means that there is a chance of inappropriate e-mails (with respect to virus content, sensitivity or privacy issues, incorrect addresses, and so on) slipping through. Yet organizations do need to focus on storing business-critical information, and it is essential that this information is properly stored so that it is accessible and reusable.
E-mail management aims at the preservation of e-mails and the information contained within them. Historically, e-mail management consisted only of storing and preserving e-mails to optimize server efficiency. The focus of e-mail management today, however, has shifted to addressing regulatory compliance more than anything else.
The current market seeks to integrate e-mail management with a full document and records management (RM) solution. This enables organizations to index e-mails, and provides users the ability to search and to use the repository as a knowledge archive.
Currently, most content management vendors have already moved towards integrating an e-mail management solution with an RM solution. Examples include EMC/Documentum's acquisition of Legato, a provider of e-mail archiving products, and IBM's integration with iLumen, a provider of enterprise message management tools.
Knowing What to Store
Storing e-mails or any other kind of data is not problematic for organizations. The cost of extra storage space has decreased significantly over the last decade. The problem is knowing which e-mail content to store and preserve, and which to destroy.
Organizations need to set forth policies on e-mail usage. Policies should address not only e-mail use and misuse, but also retention and destruction. According to research conducted by the Association for Information and Image Management (AIIM), 80 percent of organizations have some kind of policy for e-mail use, but 60 percent have no formal policy governing its retention. Organizations need to rethink their strategies on e-mail management: currently, 31 percent of all organizations keep e-mails indefinitely, and preserve 26 percent of e-mails for less than 120 days, or establish a maximum storage on people's inboxes to limit the retention.
The problem with this approach is that inadequate restrictions or improper methods can eventually harm the organization itself. For example, internal e-mails regarding lunch appointments do not need to be saved, while an e-mail regarding a lunch appointment with a business client should be. Saving all e-mails in the hopes of preventing some information loss is not the right solution. On average, according to AIIM, 75 percent of e-mails are not useful for saving, but finding the 25 percent that are important can be quite difficult.
One potential solution is to create business rules within archiving software. These business rules avoid unnecessary storage, as users can flag the e-mails they want to archive. Defining these rules has to be a joint effort between the information technology (IT) department and the business sector to make sure it covers more than just the technical side of actual e-mail storage. Flagging should be made possible based on a company name, keywords, subject or message text, the sender, or even the software used to send the e-mail.
However, users should not have full control on what should be saved within the e-mail management business rules: this should be controlled at a systems level. This way, the basic principles will be governed at the administrative level, while individuals can refine the rules on a more personal level.
Manage Volume and Risk
The volume of e-mails grows daily. And it's not just the number of messages, but also their size. Organizations deal with all sorts of messages: chain letters, joke-of-the-day e-mails, lunch meetings and arrangements, business e-mails, and so on. E-mail also grows in size because of attachments, pictures, movies, large documents, and even colorful signatures with company logos or theoretically witty sayings. Also, the misuse (or lack of knowledge) on the part of undisciplined users leads to unnecessary duplication of e-mails through copying and forwarding and replying, which in turn causes capacity overload. Because of this overload, organizations have to focus on managing e-mail volume.
Even though storage decreases in price every year (a 550-gigabyte hard drive currently sells competitively for about $400 [USD]—that is, $0.80 [USD] per gigabyte), retaining too many e-mails means storing needless data. The cost of retrieving the data (and the risk of not being able to find the right information within an appropriate time frame) is even more important than just the cost of storage.
Organizations should control e-mail management proactively before they find themselves facing involvement with litigations or regulatory compliances. They should consider reducing the amount of inessential e-mails prior to any filing, or in anticipation of litigation. With an e-mail retention and destruction plan, and by combining e-mail management with document and records management, risk potential for organizations potentially decreases.
Employees must be aware that all e-mails (received or sent) can be reviewed during litigation. This includes personal e-mails, as many courts do not consider them to be private if they are within a company's e-mail system. Do not underestimate the importance of educating employees on policies within the organization. Organizations should educate employees regarding the consequences of e-mail behavior, including such details as copied recipients, unnecessary forwarding, and so forth. Organizations should develop policies and guidelines, and properly train and monitor employees. There are external specialized consultancies that can assist in setting up these strategies if needed.
Discovery of e-mails is becoming a necessity and legal reality for organizations. Legal discovery requests can require an organization to provide all records and documentation relevant to a specific matter. Discovery requests for e-mails may target not only external matters (such as business litigation or regulatory compliance), but also internal matters such as allegations of sexual harassment.
With respect to internal matters, e-mails may contain essential information for corroborating or disproving the key allegations of a complaint. Thus, retrieval is critical to both parties. Similarly, compliance regulations, such as the US Sarbanes-Oxley Act (SOX) and Health Insurance Portability Accountability Act (HIPAA), necessitate managing e-mails with care. Because the burden of production typically falls on the organization, e-mail management may require assistance from third-party solutions to demonstrate compliance with regulations.
If there is litigation, the production of e-mails is a costly undertaking. Several things need to be taken into consideration, such as finding out on which server the e-mails are stored; finding the right information among the stored business and personal e-mails stored; paying the cost of lawyers reviewing the information in the e-mail for content; and representing the e-mails in the right format. Legal liability for being able to retrieve all information is important too, which will be discussed later.
Deleting e-mail is not as simple as people might think. Just because a user deletes an e-mail does not mean that the e-mail cannot be retrieved. E-mail may be deleted from the inbox, but remains in the system because it has been duplicated on a server or backup tape. Thus, a deleted e-mail may remain searchable and retrievable through forensic tools such as Encase if the e-mail's original storage location remains unallocated. Indeed, as suggested earlier, there already have been several lawsuits where one of the parties denied the existence of evidence, and later discovered a relevant e-mail on backup tapes or local hard drives. Lacking a proper e-mail management system may become a hazard. Therefore, e-mail management applications (in conjunction with internal policies on what to store and delete) will reduce the time and risk associated with e-mail retrieval, especially during litigation.
Saving the Right E-mail
Backing up all e-mails is not the solution. Organizations use backups for disaster recovery, not for archiving purposes. Organizations need to develop e-mail policies which also provide clear guidelines to employees on which e-mails need to be saved.
Policies should outline the roles and responsibilities of the employees. These policies will likely hold legal responsibilities for the organization itself. Consequently, policies should address the type of content and the risks that e-mails have for the individual and the organization.
As a starting point, there is a difference between official and unofficial e-mails, which should be defined in the guidelines. Official e-mails should refer to decisions, procedures, business functions, meetings, or certain transactions. Unofficial e-mails comprise personal communications and less relevant business communications, such as communications of thanks.
When saving e-mails, organizations should also consider categorizing e-mails that employees receive from customers. This makes e-mail retention simpler. Classifying e-mails with "proposal," "quotation," or "contract" (and synonyms) in the subject line makes capturing and archiving more efficient. This should reduce the amount of e-mails that needs to be archived by the individual afterwards.
E-mail management systems interact with RM systems for the actual storage, preservation, and eventually destruction of the records. RM systems are designed for these tasks, and have the advantage of search capabilities, as mentioned earlier.
Knowledge within the E-mail
Although e-mail management is important within the context of litigation and compliance regulations, there is more to it than that. The actual unstructured data stored within the e-mails is knowledge within the organization.
E-mails referring to business transactions or confidential information such as intellectual property are important and must be stored and preserved. These e-mails should be stored in such a way that the knowledge within the e-mail can be retrieved, reviewed, and used within the organization. This is the essence of knowledge management. Just saving the right information for litigation or regulatory compliances should not be the only purpose: organizations should consider what to do with this stored information, as reusing the information makes organizations more efficient.
Organizations grow with technology. Information needs to be shared quickly, securely, and efficiently. Almost everybody uses e-mail to communicate and for business purposes. With the current compliance regulations and the fact that the law considers e-mails to be official documents, organizations must be aware of the liabilities that come with using e-mails within their businesses. The storage of e-mails, in terms of both volume and size, should be considered as well, as searching for information through backups is a cumbersome task.
Organizations should focus on storing and retrieving valuable information captured within the e-mails sent by the organization. They should focus on why information needs to be captured, rather than storing as much as possible in the hopes of saving every last detail. Organizations should begin by developing a proper strategy for this.
E-mail management solutions provide organizations with a tool to capture and preserve the information contained within e-mails. The tool alone is not enough however, as organizations need to create policies that address the risks and costs of handling e-mails within the organizations. Organizations should educate employees on these policies because no matter how much technology the organization has, without proper use by employees, the technology will not solve the problems. Within these policies, clearly state what needs to be saved, and how to save the content. Taxonomies should be put in place, and metadata should be filled out by employees to ensure that the retrieval of content becomes possible as well.