Ask the Expert - E-Mail Archiving

 

About the Expert:

Martin Tuip is a senior technical product marketing manager for Iron Mountain. He has more than 15 years of IT experience in messaging and is a widely known and well-regarded technical expert on archiving and records management. In his career, Tuip has helped many customers around the globe plan and deploy large-scale messaging and archiving environments (read more).

 

Tuip can be contacted at martin.tuip@ironmountain.com.

 

Questions:

 

Bookmark and Share

Q: What is e-mail archiving?

E-mail archiving uses an application that runs with an e-mail server, such as Lotus Notes, Novell Groupwise, or Microsoft Exchange, to capture and preserve e-mail messages. In addition, it can index the information, which allows users of the system to get access to some or all of their content.

E-mail archiving systems have been around for more than a decade and started out primarily to manage mailboxes for storage management, but they have since expanded with functionality to protect mission-critical data and to retain data for compliance and legal requirements.

E-mail archiving solutions can be deployed on an organization’s own servers that it maintains itself, but it is also available as a hosted service in the cloud (i.e., software-as-a-service). Some vendors can expand this service with a multitude of options, such as e-discovery, enhanced retention, and classification.

Q: Who is responsible for e-mail archiving in an organization?

Within an organization, departments are responsible for the successful operation, implementation, and management of e-mail archiving. IT is responsible for the daily operation, which includes keeping the systems and software up-to-date. Records management and legal staff should assist IT to help define the policies about what data is being archived and how long the data should be preserved.

Occasionally, the implementation of archiving products is unsuccessful, causing frustration among various departments. Unsuccessful implementations are generally due to one or more of the following factors:

  1. The purchase decision was made without input of all stakeholders. Archiving is one of those solutions that touches more than one department, each of which can receive significant benefits from the solution. 
  2. The implementation and configuration was done without understanding the organization’s compliance needs and requirements. When dealing with archiving, regulatory compliance comes to mind, and this can be achieved in many ways. E-mail archives are not records management solutions first, but they can be configured and set up in such a way that they could perform some of these duties.
  3. Wrong retention policies were instituted. Some solutions don’t allow the organization to change policies without significant effort. Therefore, it is important to establish retention policies before implementing a solution. It is best to keep it simple.

Q: What are some e-mail archive options for organizations?

There are lots of options available to organizations to implement e-mail archiving, and it might be difficult to choose at first. The following are a few questions the organization should ask itself:

  1. What does the organization want to achieve with an archiving solution? Without a clear goal, the organization might pick a solution that isn’t going to be capable of fulfilling its requirements (e.g., records retention and e-discovery).
  2. Will the organization’s requirements and needs change in the long term? Implementing archiving isn’t a quick checkbox item but a long-term strategy, especially in the current business and economic climate in which laws, regulations, and requirements change over time. It is fairly difficult to change solutions once implemented.
  3. Will the solution be hosted or be located on the organization’s premise? Is internal staff capable of managing the software and hardware, or does that need to be outsourced to a hosted provider? Usually this is a business decision; however, the organization  should understand that on-premise solutions, in general, offer far more functionality and flexibility than a hosted solution.

To be successful, staff members must work together to define the needs for a proper solution.  It is important to be realistic about those needs.

Q: How does archiving reduce risk?

Today, e-mail is held in a variety of locations, such as on e-mail servers, PCs, file and print servers, DVDs, tapes, and other media. Organizations often lack the ability to reliably find specific e-mails. Attorneys are skilled at understanding the weaknesses of e-mail systems and of demonstrating those weaknesses to the court.

E-mail archiving provides an especially good base platform on which to build systems that identify and mitigate this risk. Organizations must ensure they document the technology, processes, and procedures they use to capture e-mail and IM content, and they must manage the chain of custody of that content to avoid spoliation (i.e., make sure e-mails have not been changed).

Additionally, organizations must be able to recover any e-mail quickly (e.g., SEC Rule 17A requires retrieval within 48 hours). The primary driver for implementing e-mail archiving systems is risk reduction, with legal – or even corporate boards – taking the lead in demanding their implementation.

The degree of risk exposure varies by industry, as well as the degree of regulation. At one end of the spectrum, highly regulated financial institutions (e.g., brokers/dealers) can be shut down by regulators. Non-compliance is a risk to the very existence of the organization, and e-mail archiving is a cost of doing business.

At the other end of the spectrum, the risk reduction for small retail organizations with razor-thin margins might not justify the cost of an e-mail archive system. Organizations with a high potential for being sued, such as pharmaceutical companies, would be in the middle. For some organizations, the requirement to keep e-mail as proof of contracts (enabled by the Electronic Signatures in Global and National Commerce Act) could be the deciding factor.

E-mail archiving provides an infrastructure base for organizations to reduce risk. The IT staff plays an important role in putting an archive system in place, but IT must meet with other departments, such as compliance, legal, and business operations, as they are usually needed to help with implementation procedures to reduce risk (e.g., compliance training, filtering e-mail for words and phrases, and e-discovery).

Q: Is it just e-mail that I should archive?

Laws and regulations are not the only determinants of what data organizations need to retain. In order to achieve a state of compliance (and decrease e-discovery costs), organizations must retain more than just e-mail messages and attachments.

Mailboxes, such as those in a Microsoft Exchange system, contain not only e-mail, but also other information that is touched, used, and managed by the end user. This information, for example, can include calendars, tasks, and contact information, all of which an organization may be required to retain for legal compliance or to disclose in litigation.

It is a common misperception that only e-mail is targeted in e-discovery or litigation. An example is the case of Trigon Insurance vs. United States. In this corporate taxpayer suit, the defendant retained a litigation support team that hired third-party experts to consult and testify in the case. According to organizational policy, the litigation support team destroyed all e-mail messages and draft reports between themselves and the third-party experts.

Based on the facts of this specific case, the court found that the e-mail messages and the drafts would have been discoverable, and the defendant was held responsible for the deliberate spoliation of these documents. The court imposed sanctions on the defendant in the form of adverse inferences regarding the content of the destroyed electronic documents.

 

Ask the Expert sponsored by: 

 

Submitted questions:

Q: Can you tell me what are the best litigation practices for the length of time archived e-mail should be retained?

Unless your organization is under federal or state regulatory retention requirements for electronically stored information (ESI), and yes, e-mail is considered a regulated records in many cases, the retention period for e-mail is really best justified to your business, as well as your employees' needs.

In reality the courts do not specify how long organizations should archive their e-mail ... their only requirements is when you should have begun protecting ESI under a litigation hold, that you gather and protect all potentially responsive e-mail at that point until released from the litigation hold responsibility. Otherwise e-mail retention should be driven by business needs.

— B. Brown