Classification & Retention
Retention, regulations and corporate records have a long history together when it comes to storing paper documents. In today’s world, however, such records are increasingly electronic. As a result, we are seeing these “traditional” regulations expand to cover electronic information, bringing with them the inclusion of email and new IT responsibilities. The White House’s loss of up to 5,000,000 emails is one example of a current high visibility investigation into email archiving practices. Another is the ongoing case between AMD and Intel. The antitrust suit was filed in 2005, and as part of the discovery for the trial it was revealed that, despite Intel’s litigation hold policy, email messages have still been lost. Litigation hold requires that a company preserve all relevant information, which today includes email. Intel has attributed the lost email to human error; the company has since been told that it must invest in the automated preservation of emails. “In the AMD vs. Intel case, the court determined that not keeping all the messages related to the case in an automated fashion was not up to standards, and ordered Intel to look at back up tapes and do some very expensive things to try and find the messages that should have been classified, but were not,” says Paul D’Arcy, director of marketing for Dell MessageOne. (In April, Dell completed its $155 million USD acquisition of MessageOne, hence the new name.)
A recent survey conducted by Osterman Research and sponsored by Dell MessageOne strongly suggests that corporate email storage and retrieval is not well managed and that, with increasing legal requests for email, businesses and management are at risk. The Dell MessageOne Survey of Rogue Email Practices, a different survey conducted last spring—again by Osterman Research, in which employees working in medium and large sized U.S. businesses were interviewed—revealed another challenge to email retention: the use of personal email for business purposes. The survey found that the average employee sends and receives some 170 emails a day while at work, and revealed that 33 percent of them use personal email accounts at least once or twice a week for business purposes—17 percent of those did so every day. Furthermore, 15.7 percent of respondents admitted to using their personal email to avoid corporate review or retention of their messages. “With the increasing importance of email as a business communications tool, the fact that employees are conducting business through outside email accounts leaves businesses with no formal email record of those emails, making them vulnerable to all sorts of risks,” warns Osterman. “This underscores the tremendous importance for businesses to ensure they are covered with a strong email archiving solution that stores, tracks and locates all of an organization’s email.” The survey also indicated that 60 percent of employees use a personal email account to conduct business communications when the corporate email server goes down. Indeed, the first step to ensuring proper retention of business email might be to ban personal email accounts from being used for business.
Classifying Email
Is email classification an important part of a retention strategy? “That depends on two things: the underlying capabilities of the email infrastructure; and the specific needs of individual organizations,” responds Duncan Greatwood, CEO of PostPath. “For email infrastructures that scale poorly, and so require frequent content deletion or offloading, content classification can be useful as a means of determining what to keep, and where to keep it. That said, an email infrastructure with improved scalability and massive (“bottomless”) mailboxes can largely eliminate this need. Beyond that, some companies, especially in heavily regulated industries, have the need to classify content for legal and/or compliance purposes—for instance, are employees sending emails that they should not be sending, either internally or externally? Typically these compliance-driven content analysis actions will take place before an email is delivered, though they can also be applied to archived emails after the fact.”
According to David Vella, director of product management for GFI Software, the implementation of categorization policies in an email archiving strategy serves one main purpose: that of making it easier for searches to be made for a specific subject area or department. “Categorization policies enable you to categorize emails at the organization level, by labeling emails based on content before they are stored in the archive stores,” he says. “For example, you can configure a categorization policy that labels emails with the label ‘Sales’ if they contain the keyword ‘advert’ in the body or subject, and are sent or received by the following address, sales [at] master-domain [dot] com. Thus a search for an email that originated from the Sales department would be easier to trace because all sales-related emails would have been labeled beforehand, thus narrowing down the search to a specific label.”
When it comes to classifying, D’Arcy observes that we tend to take document classification rules that have existed for a long time for paper documents and apply them to email. “If we look at classification there are only three or four ways to approach the problem. It is clear that Federal Rules of Civil Procedure (FRCP) and regulations put requirements on organizations to keep information for a certain amount of time. If you want to figure out which ones you need to keep, you can sort by the content, sort based on metadata from the mailbox—such as who the person is sending or receiving that email—or you can have people manually file, so that it is based on someone’s decision. Really from our perspective, the only thing that works best is the automated filing, based on who sent or received it.” While content analysis technologies are available, D’Arcy offers an example of why it can be challenging: “One of the most important emails ever sent in the entire company may just have the word ‘yes’. There is no classification engine that can know if the one word email that has said ‘yes’ is something which needs to be kept.”
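The two approaches quoted above can be compared side by side. The sketch below is an added example, not code from GFI, Dell MessageOne or any archiving product: it implements the keyword-plus-address categorization rule and a sender/recipient-only rule, then runs both over constructed messages, including a one-word “yes” reply. The address `sales@example.com` and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

SALES_ADDR = "sales@example.com"  # constructed stand-in for the Sales mailbox
KEYWORD = "advert"                # keyword from the quoted policy

def participants(msg):
    """Lower-cased addresses found in the From, To and Cc headers."""
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def body_text(msg):
    """Join the text/plain parts of a message into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def content_rule(msg):
    """Label 'Sales' only if the keyword is in subject/body AND Sales is a participant."""
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    return "Sales" if KEYWORD in text and SALES_ADDR in participants(msg) else None

def participant_rule(msg):
    """Label 'Sales' purely on who sent or received the message."""
    return "Sales" if SALES_ADDR in participants(msg) else None

def classify(raw):
    msg = message_from_string(raw)
    return {"content": content_rule(msg), "participant": participant_rule(msg)}

# Constructed sample messages (not from the article).
ADVERT_MAIL = ("From: Sales <sales@example.com>\nTo: buyer@example.net\n"
               "Subject: New advert rates\n\nRate card attached.\n")
YES_MAIL = ("From: buyer@example.net\nTo: Sales <sales@example.com>\n"
            "Subject: Re: contract\n\nyes\n")
HR_MAIL = ("From: hr@example.com\nTo: staff@example.com\n"
           "Subject: Job advert\n\nWe are hiring.\n")

if __name__ == "__main__":
    for name, raw in [("advert", ADVERT_MAIL), ("yes", YES_MAIL), ("hr", HR_MAIL)]:
        print(name, classify(raw))
```

The “yes” reply carries no keyword, so the content rule leaves it unlabeled, while the participant rule still files it under Sales.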
Alan Elliot, VP of marketing for Mirapoint, has similar thoughts on approaching retention via content scanning. “Content filters can be relatively good, but they do not catch the intent of the message as much as they catch the lexicon,” he says. “However, the lexical analysis may not be sufficient to cover an organization if they are trying to be prudent. What we are seeing traditionally is a broader based set of archiving requirements that tend to focus on the users’ roles, more so than on the content, although content can be and is one of the many criteria—after all, email content scanning has been around for years searching for spam.”
Not only did the court in the AMD vs. Intel lawsuit specifically state a preference for an automated mechanism to store messages (as opposed to instructions delivered to an employee to do so manually), but most experts also agree it is the preferred method to classify messages. “Although users can label emails themselves, relying on them to label emails correctly is not a reliable method, as a user might forget to label an email,” summarizes Vella. “Categorization at the organizational level means that all the users who have access to that particular email will be able to see the label and they can search for all the emails categorized with that label. Automatic archiving makes most sense because the process is managed from a central location and every email is archived according to the policies in place.”
Adding to the argument in favor of automation, D’Arcy says, “it has been found that if you have users manually determine of their own email what is kept, or not, it tends to drift over time, so that an individual will wind up marking everything as needing to be retained, or nothing as needing to be retained. It is very difficult to audit and make sure that users are making good decisions on a message-by-message basis.”
The Policy
Osterman explains that because email is now included in about 75 percent of all e-Discovery proceedings, an organization’s ability to preserve this content for the appropriate length of time, in the right form and in a manner that makes it easy to access over the long term will be increasingly critical. “This will dictate the use of archiving systems that can automatically index incoming content, place it into archival storage where the chain of custody for the data can be demonstrated and allow it to be searched quickly and easily over long periods.”
Consensus on what to keep, and for how long, is aided by the regulations, but reaching it still requires interpreting them and determining which ones apply to which organizations. One of the reasons that companies have been slow to comply with the new requirements is that there are typically many stakeholders involved in setting retention policies. According to the Email Archiving Practices survey by Osterman Research for Dell MessageOne:
- Legal typically drives the development of retention policies. The legal team was involved in setting policies at 81 percent of the companies surveyed.
- Other stakeholders typically involved included IT (72 percent of companies) and compliance (65 percent of companies).
- Business stakeholders play a less important role in the development of retention policies. Only 48 percent of companies included business managers in the process and only 28 percent included records managers in the development of email retention policies.
When talking about setting the policy, D’Arcy notes that it can be challenging. “Each group tends to have its own opinions about what should happen. Legal often wants to get rid of things as fast as possible, business folks want to keep things as long as possible, IT wants to get rid of things as fast as possible, and records management wants to organize them into as many different categories as possible.”
Industries that are heavily regulated, like financial services or healthcare, are more straightforward, and legal staff tends to drive compliance. “For other sectors, and SMBs, it is generally IT,” observes Greatwood. “IT may be motivated by immediately accessible retention-and-recovery of email provided by an archive—which is quicker and easier than recovering email from a backup—as well as by protecting against e-Discovery issues, or offloading data from a poorly performing primary email mailbox server.”
While IT is increasingly responsible for meeting retention requirements, it is not always an easy task. “Most IT departments are in the cross hairs between potential litigation and the lawyers that work for the firm who take the stand that having the emails can be a bigger liability than having no information,” believes Elliot. “That is a real challenge and quite near-sighted—just because you do not have it, does not mean someone else does not. What control do you have over the email that was sent, and where did it go from there? That can put the company at risk for not having full clarity of the potential risk of the situation. I have found that most large organizations have, in my humble opinion, received relatively poor counsel about deleting information as often and quickly as possible.” He goes on to note that email is a record of business, and that there is very little that is not conducted via email. Not having data might not be a sign of guilt, but Elliot thinks it is one of negligence. “It is ironic that IT departments are spending so much money and resources on disaster recovery systems, alternate sites, and yet their lawyers are telling them to keep things for 30 days and then delete it all.”
Greatwood weighs in noting that “Increasingly, many organizations are choosing a ‘keep everything forever’ policy. HIPAA (healthcare) mandates six years, Sarbanes-Oxley (public companies) mandates five years, and FRCP (applies to all U.S. organizations) does not set a time limit. Provided email infrastructure and archiving solutions are selected that scale appropriately—and are well architected to scale on low cost storage—if it is worth an organization setting up an archive, it is likely worth them adopting the ‘keep everything forever’ approach,” he advises.
Retention
Retention strategies typically reflect an individual corporation’s philosophy around email and litigation. Companies that view email as a strategic asset and value the context provided by email in litigation keep email messages for many years. Other companies, which view email as a necessary evil and worry about “smoking guns,” tend to delete messages as quickly as possible. “There is no right or wrong answer,” believes D’Arcy. “It is a philosophical decision.” Asked if one is more prevalent than the other, he replies, “It is a fairly even split—we run into as many companies that get rid of email after 30 days, as we do ones that keep it for five years or more.”
With the list of regulations continuing to grow, retention needs are anticipated to grow along with it. “Legal compliance is here to stay. With email such an important business tool and many important decisions transmitted via email (as well as important documentation), regulations will be an important safeguard against wrongdoing, fraud and data leakage,” thinks Vella. “We see the demand for archiving solutions to increase considerably over the next few years as more companies see the benefit of email management as they are pressured to keep a copy of all electronic documentation. Companies that fail to implement an email archiving and management strategy will risk being overwhelmed by the anticipated growth of email correspondence in the next few years.”
Without a retention strategy, organizations may have to resort to searching back-up tapes, desktop files and legacy systems to find missing information. Manual e-Discovery searches can cost hundreds of thousands or even millions of dollars. In addition, these companies risk being sanctioned for the illegal destruction of evidence, including courtroom penalties that can cost a company an important legal case on process grounds.
“Today, most organizations are focusing on email in relation to litigation and the FRCP,” states D’Arcy. “Many of the companies choosing short term retention policies, in the future will likely begin to keep more data, rather than less in order to comply with a broader range of regulations. I think the trend is going to go towards saving more stuff as opposed to less stuff. In the end it is less risk for organizations.”