In-Depth
Ten Tips for Smarter E-mail Archiving
We offer prudent best practices that minimize risk and are broadly acknowledged with widespread use because they work.
by Ron Robbins and Stephen Foskett
How’s your e-mail retention system? For most companies, the answer may be "not good." According to Osterman Research, although 43 percent of companies have an e-mail retention policy, only 12 percent have an automated archiving and compliance system in place. The rest may rely on backup systems and end-user habits to protect and manage e-mail. Believe it or not, this approach actually puts companies in more legal risk than if they had no policy at all. Our top-ten list of tips will help you better manage your e-mail archiving.
It might seem like the easiest approach would be simply to not archive at all. That is, delete every e-mail message and file after a certain number of weeks or months. This is, of course, an unworkable approach. It is virtually impossible to guarantee that all copies of an e-mail have been deleted from all clients, so this opens your enterprise to prosecution for ineffective enforcement.
We must archive, for the same reasons that we archive physical (paper) business records: to protect against litigation, to conform to company policies, and to remain in compliance with industry or government regulations and laws.
Getting old data off expensive production servers makes good business sense. Doing so in a manageable fashion so it's easy to find and retrieve messages and files when needed is even smarter. Electronic business records are just as valuable an asset as they were when they were physical and should be treated as such.
We have developed ten solid tips for archiving e-mail and other electronic business data. Based on our experience in the field, these tips are prudent best practices that minimize risk and are broadly acknowledged with widespread use. In short, they work.
10. Engage Key Stakeholders
It’s always tempting to jump right into implementing the solution, but wait until you fully understand the problem and requirements. To do that, you need to engage with those inside and (especially) outside the IT organization.
For example, is the solution needed for litigation readiness, business productivity, or regulatory compliance? If more than one of these conditions apply, what is the relative importance of each? Having a variety of inputs will likely broaden the scope of the solution, which, while complicating things, really is essential for the solution to bring the most value to the business.
The best plan here is to create a steering committee made up of representatives from human resources, legal, finance, compliance, and records management departments, key individuals from all lines of business, and IT staff. The nature of archiving demands this broad cross section of input. A key goal is to create a bridge between IT and the business’s legal counsel. Also important: build an engaged group of sponsors who can push through any obstacles.
9. Define Needs and Goals
Once you’ve engaged key stakeholders, work with them to determine the archiving needs and goals. Every stakeholder and sponsor has particular requirements. For example, what types or records are kept? What historical data does your business need to retain? What regulations must be met? Corporate culture is another factor: is the tendency to save more or save less?
It’s impossible to have complete agreement among stakeholders about what is needed, and, in fact, requirements will often conflict. While litigation and compliance may discourage deletion of data, the challenge of manual management of an ever-growing archive may become too cumbersome and costly.
Outline the requirements in both technical and business terms, and identify and categorize the risks. A clear and comprehensive list of needs and goals will make it easier to select and evaluate archiving solutions later.
8. Consider Search and Tagging
Archiving solutions have improved their ability to retrieve records via search or by using tags. This has become important for the regulatory and compliance industry, specifically for e-discovery. For example, common requests during litigation include "every e-mail related to this customer" and "every file containing this keyword."
If this functionality is important for your stakeholders, you must identify how well available archiving solutions can provide it.
7. Automate the Archiving Process
There’s really no way around it -- archiving must be automated. Relying on employees to manually classify and manage records is unworkable, particularly if the archive must be complete and consistent.
Like any IT technology purchase, you need to select and evaluate archive solutions using your requirements. Important considerations include:
- Any archive solution claiming to serve the needs of regulators and litigators must contain a complete set of information
- Enterprise-wide solutions are preferable to separate, fragmented archives generated by different tools
- Focus on solutions tailored to the data types or applications you need (such as e-mail, document management, CRM, other databases, and file servers)
- Consider security implications; the archiving solution must be secure by providing confidentiality, integrity, and availability
6. Start Archiving Now
Don't wait for an overall data retention policy to be established. We have found that the most effective approach is to start collecting data from all main sources as soon as you can.
Choose an archiving solution that is compatible with your existing e-mail system, file server, or database, and begin archiving data -- without specifying a deletion schedule. Typically, organizations retain at least a year’s worth of data before deleting anything, so the retention policy can be developed during this time.
The archiving system will not be fully functional until it has an archive covering the entire retention period. For example, if a company decides to retain all e-mail for five years, the archive won’t be considered complete until five years have passed.
Although it is tempting to fill the archive with any and all manner of old backups, PSTs, online datasets and previous manual archives, this process opens the door to duplication and inconsistency and should be avoided.
5. Monitor the Growing Archive
One benefit of starting archiving immediately is to be able to see the actual growth trends while you are still in the planning phases. Monitor and generate reports on the archive regularly to see the trends. It’s particularly important to ensure you aren’t running out of storage faster than expected. Most archiving solutions provide capacity reports you can use to develop such forecasts.
Be sure to monitor compliance. Reports can be generated to show how the archive is performing, any unexpected results or failures. Share these with the key stakeholders.
4. Keep Retention Simple
It’s worth the effort to keep the record retention methodology as simple as possible. Balance completeness and auditability. While a retention schedule that is hundreds of pages long gets high marks for completeness, it is virtually impossible to implement and monitor for compliance, which severely curtails its effectiveness.
We recommend having broader categories and fewer retention periods, which reduces the need to identify precise retention periods for every record type. Legal research and review can then focus on the record types and jurisdictions that represent the highest levels of risk or cost.
Start with a few simple retention periods such as one year, five years, ten years, and indefinite. Match these to the requirements of each record type. For example, HR employee records that need to be kept for six years can be assigned to the ten-year category.
3. Expect Retention Period Exceptions
It’s impossible to completely automate all record retention, particularly for global companies. Exceptions to the automated period may be needed for different countries, locations, industry specific rules, or record type (electronic or physical).
The best way to handle exceptions is to educate employees about how to recognize and manage exceptions. For example, if an employee receives an e-mail that needs to be retained for a longer then normal period, the employee could either print the e-mail (and save the paper record for the longer period) or copy the e-mail into a Word document if documents are retained for a longer period
2. Train Employees
If archiving is automated, do employees even need to know it exists? Emphatically, yes -- you must educate employees and managers about the system. Knowing the broad strokes of what it does, and the retention periods for e-mail and other business data will help employees better work with the system and manage exceptions. Such knowledge ensures compliance with the policy and schedule.
Training should be appropriate to each level of employee and manager and can be delivered in a number of formats, such as classroom, online, or through Webinars.
Capture employee acknowledgement of the policy via the training and to make the training, policies, and schedules available on the corporate intranet.
1. Define Your Record Retention Policy and Schedule
Our top tip for smarter e-mail archiving: define your retention policy and schedule or review and update existing policies and schedules.
A data retention policy must cover all who create, send, or receive e-mail or other electronic files. It should address the retention, storage, and disposal of all types of electronic business records, data, and e-mail, including paper and other physical forms, consistent with applicable laws and regulations.
Once in place, the policy should be reviewed and updated annually to respond to any changes in regulations and policies.
Summary
Our last tip spurred us to write this article. We are continually surprised by how few companies in our experience have actually defined or reviewed their policies and schedules, obvious and central as it is. Just because business is now done electronically rather than physically doesn’t mean good business practices should be abandoned. Companies need to make just as much effort to ensure that their electronically stored business information (e-mail in particular) is archived and managed correctly. Besides the business value of these information assets, compliance and litigation readiness virtually demand it.
= = =
Ron Robbins, MCSE, is a product manager at Quest Software, and has over a decade of experience in help-desk management, systems administration, and consulting.Stephen Foskett is the data practice director at Contoural, which provides strategic consulting to help Fortune 500 companies align their storage and computing infrastructures with their business objectives.