Creating an e-mail records management system from scratch is not an easy proposition. However, the complexity is magnified when you are faced with potential litigation regulations, and are hampered by the increasing volumes of data arriving every day, says Dave Hunt, CEO of C2C.
No heavy user of e-mail can possibly keep up with the management of their mailbox and folders, not without wasting valuable working hours at least. It is doubtful that even a medium user can maintain their load. The volumes are too great and the need to retain certain e-mail is high.
In the last couple of years we have seen a rise in interest in e-mail retention management, often called e-mail records management. In the past, records management was usually applied to documents created within an organisation and stored on paper or electronically. The volume of electronic records was relatively low in most companies.
The risks associated with e-mail are high and have led to well-documented landmark court cases, rulings and fines. This has caused many companies to rethink their strategies and policies related to e-mail. IT executives have realized they must take control of the data and they cannot rely on users to manage it themselves. Implementing a self-management system is not practical for two reasons: the volume of e-mail to many users is simply overwhelming; and written procedures on what to keep, what to file and how long to keep it for are open to interpretation at best, and at worst slowly forgotten and then disregarded entirely.
We have seen IT projects targeted at implementing and running records management systems to incorporate e-mail records. Are e-mails records or just data? They certainly don’t look like Word or Excel documents, yet a single-line e-mail commenting about a work colleague may be a potential time bomb and could cost the organisation tens of thousands of pounds in investigation or settlement, or both. Not to mention a damaged corporate reputation.
In putting together such an IT project, the support of executive management is vital to its success, and it is especially advantageous to have the CIO and your company’s legal counsel’s office onboard. This way the CIO can prepare to work with the IT department to facilitate the processes and implementation of the new system while the legal department develops and evaluates the information retention policies, preventing lengthy delays later on in the project.
Equally important is creating a project team with members from all the key departments and stakeholders. Ideally, this team will be composed of a core technical group supported by in-house IT teams, the project managers and an outside systems integrator responsible for installing and configuring the software solution. The project steering committee should include representatives from IT, legal and human resources departments as well as the operational business units.
Then the first step is to understand the variety of documents that can exist across all applicable departments and to review and validate any existing records retention policies. This phase of the project includes defining the records classification parameters based on input from, and customised for, each department involved. The classification and metadata search parameters are then built into the policy manager component of the solution, which enables the team to create content-specific search and retention criteria to meet the particular needs of each department.
There are a number of objectives which could be the target of the project, which may include some or all of the following:
Capacity management: to reduce the storage demands of the e-mail system on IT resources, including servers and disk storage.
Compliance management: the requirements for compliance to a variety of laws in regulated industries. These laws may require e-mails to/from certain people, executives or departments to be copied and stored for safe keeping for specific periods of time. Compliance is about meeting the laws such as Sarbanes-Oxley, HIPAA and SEC, acts which dictate what must be kept and for how long.
Legal discovery: the need to search for data when demanded and to retain it for inspection. In short: ‘if it exists, you must produce it when required’. If required, this data may need to be marked in some form or other and retained in a tamper-proof environment until cleared to be expired and deleted. Legal Discovery covers the amended Data Protection Act, Freedom of Information Act, and similar laws.
Retention management: the ability to define when e-mail can or must be permanently deleted from the system. Most importantly this has to be agreed with the legal counsel.
Your records management system should have the ability to interrogate the contents of the live e-mail stores, search amongst deleted items, support delegated supervisor searches and help to meet the latest e-disclosure legislation and associated legislative rules. Once it is proven that certain data exists, you are almost certainly required to retain it until the case is closed.
But beware vendors who argue that to control e-mail records one needs to archive them and index them. Writing into an archive adds a level of complexity to the problem and may well cause your legal counsel more headaches when investigating an action or defending a suit.
According to the Enterprise Strategy Group, even though much corporate e-mail is mission critical, an excessive amount of IT resources can be wasted on uncritical data. Their research indicates that organisations will archive an estimated 30,000 petabytes of e-mail over the next five years, mandating the need to automate some of the processes before and after retention policies are sent.
There are some good terms that cover this such as Integrated Content Archiving and Information Retention Management. It is not essential to archive everything in order to make a decision on whether to keep it. A good understanding of record retention is probably the key foundation to any project. Being able to dispose of data as early as possible will reduce demands on storage.
IT administrators also know that archiving is just one of a number of chores in effective data management. Make sure your solution allows you to do more than just archive e-mail because you need a systematic and efficient approach to managing e-mail in this context, resulting in far more effective use of IT resources.
IT administrators require full control and unbounded flexibility over not just archived e-mail but live e-mail and discovered PST files. This can be likened to cleaning out your closets or your garage before you pack up and move to a new house. It saves time, effort, and space to edit and purge first. Unnecessary data can be removed instead of placing it into the archives. This saves valuable time, conserves storage space, and may reduce corporate liability while ensuring that e-mail data is managed in a consistent and cost-effective manner.
A good solution will provide a rule set for management of e-mail records. It might be just age or size that gives you the decision criteria on which to archive, but to/from, subject, attachment type or specific word content may lead you to delete the record pre-archive.
Automation, in this case, should stand for the ability to create a process for analysing e-mail by your criteria, and, upon obtaining a match, to take the action you require. That action might be ‘delete’, ‘copy’, ‘archive’, or even ‘pass to another application for further analysis’. Once you have proven your automated test meets all your criteria, it can be set to run hourly, daily, weekly or at whatever time suits to administer the process required by your organisation. This automation can apply to all or selected users to meet your management requirements.
Providing IT administrators with the ability to flag all MP3 files in messages and move them out of the system automatically, or to notify individual users with items suspected of falling outside of HR guidelines, will help run your e-mail system more smoothly. So long as you conform to your legal counsel’s interpretation of regulations, you can opt to remove these e-mails and ensure that no trace of them exists, including references to them in an index, offering another reduction in storage demand.
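The rule set and automation described above can be sketched as a dry-run policy evaluator in which a legal hold overrides any 'delete' decision. This is an added example, not code from the article or from any product; the Message and Rule types, the seven-year retention period, the 5 MB size threshold, the hold term and the sample mailbox are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

@dataclass
class Message:                      # constructed stand-in for a mailbox item
    msg_id: str
    sender: str
    subject: str
    received: date
    size_kb: int
    attachments: tuple = ()

@dataclass
class Rule:
    name: str
    action: str                     # 'delete', 'copy', 'archive' or 'pass'
    match: Callable[[Message, date], bool]

RETENTION_DAYS = 7 * 365            # assumed period; the real one comes from legal counsel

RULES = [                           # evaluated in order, first match wins
    Rule("mp3 attachment", "delete",
         lambda m, t: any(a.lower().endswith(".mp3") for a in m.attachments)),
    Rule("past retention period", "delete",
         lambda m, t: (t - m.received).days > RETENTION_DAYS),
    Rule("oversized message", "archive", lambda m, t: m.size_kb > 5120),
]

def on_hold(msg, hold_terms):
    """True if sender or subject mentions a term tied to an open case."""
    text = f"{msg.sender} {msg.subject}".lower()
    return any(term.lower() in text for term in hold_terms)

def plan(messages, rules, hold_terms, today):
    """Dry run: decide an action per message without touching the mail store."""
    decisions = {}
    for msg in messages:
        action, reason = "keep", "no rule matched"
        for rule in rules:
            if rule.match(msg, today):
                action, reason = rule.action, rule.name
                break
        if action == "delete" and on_hold(msg, hold_terms):
            action, reason = "retain", f"legal hold overrides '{reason}'"
        decisions[msg.msg_id] = (action, reason)
    return decisions

MAILBOX = [                         # constructed sample data
    Message("m1", "a@example.com", "weekend mix", date(2023, 11, 2), 9000, ("mix.MP3",)),
    Message("m2", "b@example.com", "Project Falcon demo", date(2023, 9, 1), 7000, ("demo.mp3",)),
    Message("m3", "c@example.com", "Q3 slides", date(2023, 10, 5), 8000, ("q3.pptx",)),
    Message("m4", "d@example.com", "lunch?", date(2015, 6, 1), 4),
    Message("m5", "e@example.com", "status", date(2023, 12, 1), 12),
]
DECISIONS = plan(MAILBOX, RULES, ["project falcon"], date(2024, 1, 1))
```

Reviewing the returned decisions before any scheduled run is the "proven automated test" step; recording the reason next to each action gives legal counsel an audit trail for every deletion or hold.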
Test the implementation of the records management system and, once it is proven, your company should have a successful proof-of-concept that decreases operating costs by reducing the time and resources needed to manage and retrieve information. You should also be able to measure success by setting (and achieving!) its return-on-investment objectives and prove the business case for the records management implementation.