E-Mail Management: Avoiding the 6 Common Mistakes, Tower Software North America
Information management has become a vital focus for all organizations to address risk mitigation, compliance and overall business continuity. With the line between documents and records being blurred in recent years due to lawsuits and new legislation, it is imperative for enterprises to manage business-critical information, irrespective of format.
According to Ferris Research, 35% to 60% of this business-critical information is stored in personal messaging systems—e-mail. If this information is not properly managed in accordance with a well thought-out corporate records management policy, it is unavailable as a resource to the organization, becomes a massive liability in a legal or audit situation and creates mayhem for IT departments that are often more concerned with data back-up, recovery and storage. Not managing corporate e-mail properly, in tandem with a records management policy, can lead to massive fines, jail time or both.
This paper explores some of the common mistakes made when rushing into an e-mail management initiative. Avoid these pitfalls, and you can effectively exploit your information assets, remain competitive and thrive.
Common Mistake #1: Do Nothing
Amazingly enough, according to Forrester Research, only 15% of organizations report that they have a policy in place regarding e-mail management. And since “e-mail management” can mean different things to different people across different business functions, the actual percentage is likely much lower. With this in mind, it stands to reason that more than 85% of enterprises have no policies in place for managing e-mail.
Likely, a large percentage of these organizations are leaving e-mail management completely in the hands of their employees. As a result, these enterprises lack:
- Operational efficiency—With no e-mail management policy in place, there is no way to know exactly what information is available without arduous searches. If e-mail is managed as it is sent and received, it takes seconds. If organizations only manage e-mail once it is “necessary,” it can take months. Consider how many e-mail message subject lines start with “RE:” or how many e-mail dialogues have little to do with their subject line. Without a system in place that categorizes and sorts via metadata, finding the right information at the precise time it’s needed is virtually impossible.
- Compliance with legislation such as Sarbanes-Oxley—Although Sarbanes-Oxley doesn’t require that companies manage e-mail per se, it does state that an organization must provide a methodology for showing that business decisions are based on accurate and truthful information. But, if your organization uses e-mail—and it most definitely does—then to comply with this piece of legislation, you must manage information within this medium. Some e-mail, like it or not, is a corporate record. And it must be treated as such.
- Risk mitigation—E-mail has become a major liability for an enterprise that is sued or investigated. Most have no idea what exists in their e-mail systems. During the discovery phase of litigation, an enterprise may be asked to produce specific e-mail records for a particular employee, for example, from the past five years. Without a policy and system in place, there is no way to know what information the employee has been retaining and exchanging. E-mail in these cases is often “the smoking gun.”
And these are just three examples. In the case of litigation, it’s interesting to note that in general, courts have been lenient when dealing with organizations that have e-mail management systems and policies in place, even if these policies are misguided. They are generally less lenient with organizations that can demonstrate nothing in regards to managing e-mail. In this sense, established policies regarding how employees should treat e-mail are extremely important.
If an organization can show that it has policies in place and has done everything possible to follow these policies, a court may conclude that the organization cannot be held accountable for any e-mail destroyed based on company e-mail policies, no matter how misguided the policies may be.
Doing something is better than nothing at all ... except perhaps in the case of....
Common Mistake #2: Archive Everything
Archiving everything is a policy. However, the enterprise that saves every e-mail that crosses its servers faces almost as much risk as the enterprise that does nothing. Why, you ask?
It’s simple. In the courts, e-mail very often provides “the smoking gun.” If an organization is retaining everything that crosses its servers, then everything is discoverable during litigation.
In a recent anti-trust case involving a very well-known technology provider, e-mail not required to be saved was, in fact, still being retained on back-up tapes. Since there was no policy in place other than archiving all e-mail for a set amount of time, everything found on the back-up tape was considered discoverable information. And the company lost the case because of it.
In government, things operate no differently. Freedom of Information Act requests must be processed. Since e-mail content is indeed information, it must be treated no differently than any other format. However, some e-mail is not necessarily public information, as defined by Federal and State Freedom of Information Acts. For example, if an employee sends a personal e-mail to her doctor regarding the need for a new prescription, it is protected under HIPAA (Healthcare Insurance Portability and Accountability Act). If this e-mail is saved due to an “archive-everything” policy, and then shared as part of a Freedom of Information request, then the agency fulfilling the request is not in compliance with HIPAA and faces the same risk of litigation.
Common Mistake #2A: Use a back-up policy as an archive. Many IT organizations make a practice of using back-up tapes as a corporate archive of all company documents, e-mails, etc. And, in many cases, this is done without the knowledge of legal and/or records management departments. Back-up tapes serve a purpose: they enable an organization to restore IT infrastructure and current data. They are not meant to serve as archives. It is important to consider that any record of corporate information is admissible as evidence in a court of law. So even if your legal/records management departments are unaware of what makeshift records management policies IT may be practicing, the enterprise as a whole is still held responsible in court. Overcoming this mistake means setting e-mail management policies that correspond directly to the overall records management policies of the enterprise, and more importantly, making sure employees across all departments understand and practice these policies.
Common Mistake #3: Treating E-mail Differently Than Records
There are many different choices when it comes to e-mail management solutions. Whichever solution you choose, it is imperative that your policies, procedures and technology all correspond to the overall corporate records management principles. E-mail is information...information in a particular format. At the end of the day, it is no different than the memo produced by marketing, or the spreadsheet produced by finance, or the policies produced by legal. Some e-mail is a corporate record and must be treated as such across the enterprise. By employing an e-mail management system that is separate from the overall document and records management system, you decrease efficiency, increase risk and create confusion.
It’s all information. Treat it with one policy that recognizes this.
Common Mistake #4: Team is Not Cross-functional
Like any other initiative involving technology, e