Not having an effective retention policy increases storage and retrieval costs, creates inefficiencies, and leads to non-availability of the data when required. Adopting best practices for email retention allows organizations to save money, improve efficiency, and eliminate non-compliance risks.
Many organizations retain all their emails. This increases storage cost, and very often the required email lies hidden among millions of junk, spam, and irrelevant emails, making retrieval an arduous, stressful, and productivity-busting activity.
A good email policy provides users with guidelines on which email to archive and which email to delete. Allowing individual users to make retention and classification decisions, however, runs the risk of each user classifying differently, leading to mismatches and inconsistencies.
The best practice is to allow the user to sort emails into broad and easily identifiable categories such as Business, Personal, Junk, and Spam. Report spam, delete junk straightaway, leave it to the individual user on what to do with personal mail, and subject business mail to automated classification tools. Automated tools scan the metadata of the e-mail message and categorize the mail according to a predefined list, with the user only having to choose from a subset of classifications when the system fails to do so. Such a system allows consistency across users and departments, and improves productivity.
Classification of emails for deletion and archiving is one dimension of an effective policy. A good policy also sets timelines for how long to retain emails. The best practice is to set different retention times for different categories. For instance, all archived emails may be kept for one year, general business messages for five years, specific legal, financial, or human resources email for ten years, and so on.
Incorporate inputs from all key functional areas such as finance, human resources, and legal when determining such retention times, for such functional areas might have legal requirements on document retention. For instance, the Fair Labor Standards Act requires retaining compliance documents for three years.
3. Access Rules
Set access rules for email archives. When allowing employees to retain their own archive, ensure the archive is not deleted along with the employee's user ID when the employee leaves. The best practice is to create a central repository and grant access to archives to the users, department heads, and/or other relevant employees such as the legal team.
A good system places someone in ultimate control of the archives, usually someone from an IT team, legal team, or Human Resources team. At times, different personnel may share responsibility, in which case the requirement is a clear-cut demarcation and clear accountability. The company also needs to make all employees accountable to retention rules and impose strictures for non-compliance.
Good email retention policies are flexible. The major requirement for flexibility comes when:
- Litigation requires storing all related documents indefinitely, even after the litigation is over, in the eventuality of appeals
- Accommodating special situations, such as exempting the inboxes of employees on long leave from a weekly sweep that deletes all read messages
- Allowing employees with hyper-critical data to retain backups outside the network to enhance security, and so on
6. Ease of Use
The best email management system works seamlessly, with a clean and neat interface, and gives users the same level of comfort and familiarity as they would have when using the normal email system. A search feature that lets the user search for a particular mail by date, subject, sender, or a piece of text from the body helps in easy retrieval.
Many organizations allow individual employees to back up or archive important emails in the manner they deem fit. Others have a centralized cupboard that stores backup CDs from different departments. The latter serves no purpose, as finding the required information becomes next to impossible.
A good email policy incorporates uniform standards to categorize and archive emails, allowing for easy retrieval when required. Allowing individual users to archive emails may increase ease of use for the specific user, but increases storage space owing to duplication of the same email by different users, and/or makes it difficult for other users, such as the legal team, who may want to access the archive later. Centralized storage saves space and makes retrieval easy and not dependent on individual employees, but increases risk.
The storage policy needs to consider the format in which to store archived emails. If adopting a format different from the native format of the email, ensure data integrity remains intact and restoration capabilities exist. Many times, changes in technology render old emails unreadable, making the whole exercise of archiving an exercise in futility.
Network security is a major concern in most organizations. Live networks may have adequate safeguards such as data encryption, passwords, and firewalls to protect against data theft. Make sure the archives enjoy the same level of protection, and that anti-virus and anti-malware scanning extends to such archives. Also ensure the archives remain free of malware and Trojans. Infected email archives are time bombs that may compromise the system later.
10. Legal Compliance
A major purpose of having an email system in place is to ensure legal compliance. Legislation such as the Federal E-Discovery Rules, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the PCI Data Security Standard, the Federal Information Security Management Act (FISMA) and others require companies to produce e-mail records relevant to litigation. A good email retention policy needs to comply with all such legislation and any other applicable legislation. Legislation changes with time, and as such, the policy requires periodic review to accommodate such changes.
Poor email retention facilities may cost the organization dearly. The $1.45 billion verdict against Morgan Stanley for failure to produce e-mail from back-up tapes on time, the $29 million verdict against UBS Warburg for failure to retain relevant information including e-mails, and the $15 million sanctions against Morgan Stanley owing to its inability to produce e-mails on request are all recent examples.
Following the best practices in email retention and records management helps to preserve the right messages in the right classification for the right duration. This ensures legal and statutory compliance and increases operating efficiency, allowing the company to move ahead with confidence.