Get started with Email Retention and Compliance policies
What most users ask of their Email system is merely that it work seamlessly in the background, providing quick and easy access to colleagues, clients, and vendors. However, as an administrator, you need to think beyond the obvious technical requirements to actually create a smooth-functioning Email system.
WHY DO YOU NEED AN EMAIL RETENTION POLICY?
There are three main reasons why any business should have a formalized Email retention policy in place:
Regulatory requirements: Your business might need to abide by certain government rules and regulations. Laws often vary by nation, state, and even industry.
Litigation: Your business might be involved in legal action that could require Email correspondence be submitted as evidence.
Knowledge management: Email is used for most of our business communication, and it might be useful (in future projects, for example) for old communications to be easily searched for and retrieved.
WHAT DOES AN EMAIL RETENTION POLICY INCLUDE?
An Email retention policy might include:
Types of messages that will be archived
Length of time messages are retained, by type of message or user
Offsite backup policies
Document and attachment retention
Specific rules for certain departments or employee roles
EMAIL AND THE LAW
While many of us tend to think of Email as an informal means of communication, the legal and IT departments have to go beyond this and look at Email as a critical resource. While it’s often up to a business to decide what kind of mail and other communication it wants to archive and make discoverable, some businesses are tightly bound by governmental rules. In most countries, including the US, any Email sent (or received) from a government mail box is a part of the public record and must be archived. Strict rules also apply to the financial services industry, publicly listed organizations, and those in the medical and healthcare sectors.
Apart from these, many sectors or industries have their own best practices which, though not enshrined in law, might be a good place to start. Some laws and bodies that lay down requirements for data and Email security, privacy, and retention include:
Health Insurance Portability and Accountability Act: Applies to the healthcare industry
Financial Industry Regulatory Authority
National Association of Securities Dealers
New York Stock Exchange
US Securities and Exchange Commission
Keep in mind that local and state governments might also add specific requirements. Companies operating in other regions, especially the UK and EU, should also be aware that local laws often differ from those found in the US, and are frequently more stringent.
Looking at the United Kingdom as an example, companies falling under the jurisdiction of British law have to meet requirements set by:
Data Protection Act 1998
Civil Procedure Rules
This tangled web of rules and regulations can make it difficult for IT admins to pinpoint the terms they need to comply with; it is recommended that any entity take legal advice when drawing up its Email and data retention/compliance policies.
Also, while legal requirements governing data retention might be the driver for an Email and data retention policy, it might also be in your self-interest to save certain kinds of records for a while: some organizations archive the CVs (and other communications) of all job applicants, which can be useful if a discrimination lawsuit is ever brought against the company.
DESIGNING AN EMAIL RETENTION POLICY
Some pointers to keep in mind when designing your Email retention policy:
Involve your company’s legal department in this exercise
Ensure that you meet the requirements set forth in any jurisdiction your company falls under
Identify specific departments or roles that might need to abide by more stringent guidelines
Draw up an Email policy (including any content and attachment rules)
Educate all employees and obtain any necessary signatures
Ensure that the policy is formalized and documented
Ensure that privacy and data protection laws are complied with
Include an offsite backup in your planning
Make sure that archiving validation is included in your system
EMAIL ARCHIVAL SOLUTIONS
Email admins have a wide selection of archival solutions to choose from. Apart from these software solutions, there are also hardware ‘appliances’ that offer easy-to-configure Email archival for businesses hosting their own mail. Here’s a look at some of the options out there:
Using Google Vault for Email archiving and retention
Per-user litigation hold feature allowing for full Email backups
IM/chat backup
Perhaps the best-known Email security and archival solution, Postini services are slowly being transferred to Google Apps (Google acquired Postini back in 2007). Organizations that haven’t made the move yet can use Postini’s built-in archiving, search, and logging features. Head over to http://www.postini.com/webdocs/archiving/en_US/arch_user/cover.html for a comprehensive look at what’s possible.
Proofpoint offers cloud-based archival solutions that work with platforms such as Microsoft’s Office 365. Some of the features on offer include Email and document archival, SEC/FINRA compliance, Exchange integration, and more. Get more information at http://www.proofpoint.com/products/archive/index.php
Using hardware appliances for Email retention
Organizations running their own Email hosting can also turn to hardware solutions. These Email archiving appliances usually work with leading platforms like Exchange, Notes, and GroupWise and may meet government-issued compliance requirements. Here’s a short list of such appliances: