Managing Email Overload: The Smart, Secure and Legal Way

Email is mission-critical. For many organizations, it is the most visible application provided and supported by IT. Email plays a leading role in both internal and external business communications, and it is used more frequently than telephone, fax or physical correspondence.

The preeminence of email in the enterprise, the onslaught of regulatory requirements and the growth of email as a primary source for legal discovery are driving organizations to identify tools that will help them gain custody of, and better organize, ever-expanding volumes of email. At the same time, mushrooming storage requirements and performance degradation of email servers are driving the need to control growth, or offload email to secondary storage.

Storing email on the corporate messaging system and backup tapes is no longer sufficient. Some organizations have spent millions of dollars to recover individual emails from backup tapes and production email servers for legal discovery. Much of the visibility of email in the news is a consequence of the importance of email as a source of corporate records. To protect the organization and to ensure compliance, emails must be controlled and managed according to an organization’s policies and procedures for record retention, access and disposition.

With industry analysts estimating that 60% of business-critical information is delivered via email, it is acknowledged that information cannot be trapped in personal mailboxes. Instead, it must be integrated with other corporate content and knowledge and shared across the organization.

Email Issues
There are three primary issues associated with email, each imposing a series of requirements on an email management solution:

• Email as a source of corporate records needed for regulatory compliance and legal discovery;
• Email growth as an IT headache; and
• Email as a source of business-critical information.

There is some disagreement as to which of these issues is most important, and confusion about how to address them—individually or together. There are vendors that specialize in individual solutions, and others that provide applications integrated with third-party components. Organizations should treat email issues as a whole and seek a solution that addresses all of them.

Corporate scandals and legal cases that involve electronically stored information (ESI), and in particular email, are a staple in daily news reports. Email users seldom realize that the emails they send constitute a permanent record internally and externally, for sender and receiver. Many people have learned the lesson the hard way. With governments and regulatory bodies working to establish laws and regulations that enforce or guide the proper use, storage, access and disposition of information, records and email management have become crucial to corporate governance and risk management.

Regulations such as the Sarbanes-Oxley Act (SOX), SEC 17a-4, NASD (3010/3110), FRA, HIPAA or FDA Rule 11 define different aspects of managing records, including email and other electronic or physical content. The amendments to the Federal Rules of Civil Procedure (FRCP) affect every organization that may be involved in a Federal court case. Rules 16 and 26 require opposing parties to meet and address issues relating to legal discovery and preservation of all reasonably accessible ESI, including emails. It follows that the need to capture, organize and preserve corporate records, including email records, is a fundamental requirement of compliance.

Email as Evidence
Email evidence in legal cases is not new. The PROFS case (Iran-Contra) in the late 1980s established email as a key component in litigation. Backup tapes dating from 1985 to the end of the Reagan administration were used in this case, and important email information was made available. More importantly, this case established that printed copies of email cannot be accepted as an original record.

In this litigious environment, many organizations are inclined to just keep everything—forever. That is not the answer. Fines, sanctions and legal exposure can be avoided by clearly defining and adhering to retention policies that establish the minimum time to retain records (e.g., six years). After that, organizations are permitted to destroy or dispose of those records to avoid additional storage expenses, and also to minimize legal exposure beyond these legally defined periods. An organization’s regulatory and legal obligation is to develop a policy that conforms to requirements for its industry and for different types of information—and to enforce it.

Legal discovery is expensive and time-consuming. Years of emails and other documents are very difficult to restore, filter and produce according to case or investigation criteria. Some organizations have been fined or forced to settle because they were not able to produce the emails required for legal discovery or because they could not find the key email that may have decided the case in their favor.

Email backup systems are also complex, and it is resource-intensive and expensive to find emails on certain topics or belonging to certain users. Some IT departments create a second email environment that replicates the production system just to be able to restore backup tapes to the replicated environment without disrupting or affecting the production system. Further, thousands of man-hours may be required to traverse all "restored" mailboxes to recover only the emails that are required by the court or legal department. At times, this is done manually by opening every single mailbox, analyzing and reading individual emails, and copying or exporting them.

Corporate Records
The solution is to treat emails as corporate records—to classify them, make them searchable, available for fast retrieval, and subject to lifecycle and retention management. Collecting backup tapes or emails from user mailboxes is not enough to satisfy regulations and to guarantee that captured emails are authentic, original and complete. Users can edit or delete emails from their mailboxes even before the first backup or mailbox-archived copy is taken. Email records should be captured before the user has a chance to tamper with them. Classifying email makes it possible to apply appropriate retention to different emails and also facilitates organizing email in categories for easy searching and retrieval. The ability to quickly search for and locate specific emails when requested to produce them forregulatory bodies or for legal discovery is critical. Internal legal and compliance departments also benefit from advanced search capabilities such as Boolean operators, proximity and other conditions applied to email metadata, bodies, or attachments.

Growth of Email Stores
Email systems were designed to carry large amounts of email communications daily, but the growth of email has been extraordinary. A leading analyst estimated that in 2006 there were 84 billion emails sent every day. Some estimates put the current figure at 175+ billion messages per day, a number that includes spam as well as legitimate messages. The multiplicative factor is not just the number of emails an individual sends and receives; it is also related to a broader use of emails. Initially, informal internal communications were the main reason to send or receive email messages, whereas today, email is the primary means of internal and external communication. In many organizations or departments, email use is more frequent and formal than phone communication.