By Ann Silverthorn
Although managing e-mail has become a major headache for storage administrators, who might have an overwhelming urge to delete entire mailboxes, a variety of products are available to make e-mail more manageable through technologies such as classification, de-duplication, and archiving. Such technologies make it possible for companies to retain e-mail indefinitely-while improving e-mail server performance, reducing risk from litigations, and ensuring compliance with regulatory entities.
In addition to e-discovery, other drivers for e-mail archiving are operational in nature, according to Gopico-Tero. “Storage managers and e-mail administrators feel they can address their operational issues if they use archiving in addition to their backup strategy,” she says.
Retain e-mail indefinitely?
Some industries, such as financial, pharmaceutical, and healthcare, are used to retaining e-mail because they’re highly regulated. For other industries, and particularly smaller companies, the approaches to e-mail retention policies can vary greatly.
“Those exposed to litigation may not want to keep very much e-mail,” says Dick Benton, a principal consultant with GlassHouse Technologies, an IT consulting firm. “Others might decide that having gaps in their e-mail records from not keeping everything might be worse. Our view is that nobody’s figured it out yet. We see most businesses adopting a ‘keep-everything-until-the-smoke-clears’ policy.”
Ideally, companies should retain e-mail correspondence indefinitely, archiving older e-mails while filtering out, for example, employees’ vacation pictures and eliminating multiple copies of attachments. Moving aged e-mails to disk-based archive storage takes a burden off the e-mail server and allows users to continue to access all of their e-mail records.
“Keeping e-mail indefinitely is not as unviable as we might believe,” says Benton. “You’re not keeping e-mail in its original form forever. You’re keeping a consolidated, de-duplicated, compressed version. Vendors such as EMC, Symantec, and Zantaz have products with those features.”
Benton says he has clients in higher education with grants that have lifetimes of 30 years or more. The administrators of those grants want to keep every e-mail ever sent about that grant because they are subject on occasion to search and disclosure.
As business records go, T.M. Ravi, CEO of Mimosa Systems, believes e-mail has as much historical value as other forms of records. “If I have access to point-in-time information or a history, which will allow me to make a better decision? The history. E-mails are business records and need to be managed as such,” says Ravi.
Of course, most employees depend on e-mail records to perform their job duties. E-mails may contain customer correspondence, an audit trail of workflow, or a string of correspondence related to a sensitive issue. When employers impose mailbox quotas, employees often find creative ways to preserve their own e-mails by storing them on their desktop hard drives or flash drives, or by burning them to CDs. At that point, the company can lose access to those e-mails.
What about the e-mail history from an employee who leaves the company? Ideally the employee who fills the position should have access to the former employee’s business e-mail in the same way the new employee is able to reference the contents of file cabinets. Mimosa’s Ravi says this can be done by migrating the previous employee’s e-mail to the new account so it displays as one of the in-box folders.
Because widely agreed upon best practices have not been established regarding the retention of e-mail, many companies are saving all e-mails until the dust settles. Brian Babineau, an analyst with Enterprise Strategy Group (ESG) research and consulting firm, advises, “If you’re keeping e-mail forever, you might as well keep it online so someone can get value out of it.”
Art Gilliland, a senior director of product marketing at Symantec, says companies are faced with trying to maximize the amount of information employees can reach, reduce the cost to enable that access, and also put in place tools for legal groups to mitigate risk to the extent possible.
Storing e-mails should not concern companies that are acting in an ethical manner. If a rogue employee engages in unethical activities, companies should be willing to remedy the situation to preserve goodwill. And companies should have sufficient liability insurance to cover such incidents.
Purging isn’t practical
For those companies that consider e-mail to be a legal liability, to attempt systematic eradication of e-mail is not only impossible, it’s foolish, according to consultants. After all, e-mails sent to recipients outside of the company may still exist. In that case, someone else has the e-mail that your company no longer has access to. That’s not very helpful when you’re trying to prove your case in a dispute or legal action.
Mailbox quotas force employees to delete e-mails that they may have needed later or could incite them to save their e-mails to flash drives, CDs or, worse, to forward them to their personal e-mail accounts, which are not subject to the company’s security policies. These e-mail copies may not contain the metadata that accompanies e-mail, so without the metadata, it may not be considered a valid record. Both Symantec (from its Sygate acquisition) and EMC (from its acquisition of Authentica), for example, have technology that can prevent unauthorized movement or copying of e-mail records. For companies that can afford it, this may be an option.
But generally, as Francis Lambert, senior compliance officer at Zantaz, puts it, “E-mail is gum on the corporate shoe. No matter what you do, it’ll stick there. Even if you do destroy it, you’re better off thinking you haven’t.”
Retention policies are necessary
“The biggest problem is that companies don’t have an e-mail retention policy,” says Sai Gundavelli, CEO at Solix. “They have multiple copies of the same e-mails and versions of the same e-mail. If something pops up in a lawsuit, it’s hard to figure out the credible version. You must have policies that you can enforce in an effective manner.”
Because e-mail has become a mission-critical business tool, companies ranging from small businesses to large enterprises must set policies regarding its use and disposition. In light of the e-discovery amendments to the Federal Rules of Civil Procedures (FRCP), which took effect on December 1, 2006, enforceable policies have become even more important, particularly if evidence has already been deleted.
“The new FRCP rules allow disposition of e-mail and other types of content under normal operating procedures if there’s a policy for it,” says Stuart Noyce, senior manager of product marketing, content management and archiving at EMC.
Of course, the rules also dictate that systematic deletion of e-mail must be suspended during an investigation until the case has been decided.
“Companies that are the most aggressive and on the up-and-up want to keep everything,” says Noyce. “They can set policies for appropriate employee behavior and use of the system, but then must enforce it. The enforcement can only occur if companies know everything that’s in the system and they keep it.”
GlassHouse’s Benton notes that there’s no point in having policies if you can’t enforce them. “Having voluntary policies are futile in a large organization. You should have a policy and rationale for the policy. Then you should be able to demonstrate that you’re enforcing that policy.”
Benton says an e-mail archiving policy might state that after 30 days, e-mail is taken out of the live system and moved to an archive. Most e-mail archiving products leave a stub in place of the archived e-mail. So when a user clicks on the e-mail, it’s retrieved from the archive without inconveniencing the user.
“IT wins because the Exchange database is easier to manage and end users don’t have to grapple with manually saving e-mails,” says Benton.
So who sets the policies? IT has to manage the e-mail and it’s their budget line item, end users depend on e-mail to do their jobs, and legal departments want to reduce risk.
According to Zantaz’ Lambert, policies should have the input of five entities in the business: legal, records management, IT, chief financial officer, and compliance officer.
Notice that end users aren’t included in this list, but Lambert says companies need to advise and educate users so they are aware of the rules and boundaries, and in some cases, the processes and procedures.
“You need a policy in place for any process, procedure, or activity that can create risk in your company,” says Lambert. “If you don’t, you’re saying to users ‘create your own policy because we’re not guiding you.’ ”
If your company has a stated policy that mandates e-mail deletion and employees save their e-mails to avoid losing them, that becomes your actual policy, and it could prove to be trouble in the legal sense.
To ensure employees understand the company’s policy, proper training for Internet and e-mail use is a must. Simply having employees sign an Internet use agreement is not enough. Employees should be versed in the proper use of e-mail. Concepts that should be taught include when a phone call might be more appropriate than an e-mail, professional language use in e-mails, prohibited e-mail content, and policies regarding personal communication in e-mails. Employees should be reminded how attachments with, say, vacation photos, glut e-mail servers and affect the company’s bottom line. They should be taught organization strategies and to regularly cull their in-boxes of non-business-related content. Instructing employees before they begin using e-mail correspondence for your company can reduce both potential embarrassment and the amount of space e-mails occupy on the server.
Part 2 in this series will run in the February issue.
A sampling of e-mail management/archiving vendors
- AXS-One - Compliance Platform (archiving, supervision, surveillance)
- Attenex - Attenex Patterns (e-discovery)
- Avalere - Information Assurance Manager (attachment supervision)
- C2C - Archive One, BrightStor (management, archiving, e-discovery)
- CA - Message Manager (from iLumin acquisition, archiving, e-discovery, monitoring)
- CommVault - QiNetix (archiving, indexing, e-discovery)
- EMC - EmailXtender (monitoring, archiving, e-discovery)
- EVault - Pro-mail (management, archiving)
- FileNet - Email Manager (management, archiving, e-discovery)
- Fortiva - Fortiva Suite (management, archiving, e-discovery)
- GMB - GEM (management, e-discovery)
- GFI - MailArchiver (management, archiving)
- HDS - Message Archive for Compliance (archiving, e-discovery)
- Hewlett-Packard - RIM for Messaging (archiving)
- Hyland Software - E-mail Archive (archiving, e-discovery)
- IBM - CommonStore E-Mail Archiving Solution, DB2 Content Manager for E-mail Archive
- Index Engines - Exchange Email Indexing Appliance (indexing)
- Lucid8 - GOexchange and DigiVault (management, archiving, e-discovery)
- Messaging Architects - GWArchive (GroupWise managing, archiving, e-discovery)
- MessageOne - E-mail Management System (EMS) - (management, archiving, e-discovery)
- Mimosa Systems - NearPoint (management, archiving, e-discovery)
- Mirapoint - MessageServer (management), RazorGate (classification) ComplianceVault (archiving)
- Nexsan Systems - Assureon (archiving system)
- NorthSeas - Guard E/N (e-mail archiving appliance)
- Open Text - LiveLink ECM (management, archiving, e-discovery)
- Orchestria - (message classification, legal hold)
- Permabit - Permeon Compliance Store (archiving, e-discovery)
- PowerFile - Active Archive Appliance (A3), Permanent Storage Appliance
- Privacy Networks - E-mail Integrity Suite (EIS) (archiving, security)
- Quest - Archive Manager (capture, index, archive)
- Sherpa Software - Mail Attender, Archive Attender, Discovery Attender
- Solix - ARCHIVEjinni (management, archiving, e-discovery)
- Symantec - Enterprise Vault (archiving)
- Waterford Technologies - MailMeter (management, archiving, e-discovery)
- Zantaz - EAS (management, e-discovery), Digital Safe (archiving)
- ZipLip - Unified Email Archival Suite (management, archiving, e-discovery)