Gravity Union

View Original

Email Governance Best Practices

How to manage email?  Everyone’s favorite subject isn’t it?

Email – one of the most pervasive technologies to date has been the most popular form of communication for organizations over the past 30 years. Many organizations find email a difficult beast to manage and many are holding on to millions of emails, some of which may be decades old.

Executing any kind of email governance is one of the hardest ventures anyone can take on.  Everyone is extremely possessive of their email and few want to share or have anyone talking about their email habits.  It takes a strong-minded and determined person to tackle this issue, and those of us who practice information governance and records management are the right group of folks to take this on.  Ok, but how?

Let’s start with how many organizations are “managing” their email and what some of the risks associated with those practices are. 

5 email management risks

1. Making Local Copies

Personal storage table (PST) files are often considered a major risk to an organization.  These are email files that an individual creates and saves locally to their desktop. As all content stored on someone’s desktop, PSTs are typically not backed up as part of a standard backup, they are prone to security issues such as data loss or data breaches, they are easily corrupted and they make e-discovery much more difficult and expensive.  They can also provide a means for a user to get around information governance and records management policies.  Allowing for the creation of PSTs is generally considered a risky option and not a best practice.

2. Limiting Mail Boxes by Size

Managing email by limiting the size is a common practice for many organizations, but it is also a practice with significant risks.  Email is more than just a file format.  Email can contain substantive business information (approvals, contracts as attachments, major decisions) that an organization may be required to keep, along with other related content, for a specific period of time.  By limiting the size of email or the inbox folder you may be losing important, and/or forcing users to save email to other devices or locations which may make it even more difficult to manage or respond in an e-discovery scenario.

3. Keeping it all forever

Keeping all email, unless required by law, is another risky practice.  Not only can this strain your servers and network, but it can also create a treasure trove for opposing counsel in a litigation resulting in large costs and possible fines or impact the reputation of your organization.

4. Limiting Mail Boxes by Time

Deleting emails after a period of time is yet another risky practice followed by some organizations.  For example, an organization may have the policy to delete all email more than 1-year-old.  Once again, we have the issue of losing substantive business information that may be required to retain and creating an environment for users to find ways to retain email outside of approved and managed repositories.  This can be especially difficult for end users to get behind if they’ve never had limits before and the thought of cleaning up decades of emails may have end users feeling overwhelmed.

5. Hiding it in the Trash

Using the Trash folder as an archive is also a common practice allowed by many organizations.  Many people get nervous about deleting email, usually due to cover-your-but purposes, and though they may “delete” an email, they never empty their trash and instead use “trash” as just another repository for their less important email.  Obviously, this practice also creates many of the same risks previously mentioned.

So what can we do to help mitigate these risks?

The best place to start is by drafting a Records and Information Management Policy that incorporates email management guidelines.  These guidelines should include:

•    Eliminating the creation of new PSTs

•    Retaining email based on the business content, not the file format or size restriction

•    Keeping substantive email with other related business content

•    Retain emails and related business content in accordance with record retention schedule requirements

•    Require empty/deletion of “trash” items after 7 days

•    Moving the important emails to a system like SharePoint where the items can live contextually along with other records.

Dealing with historical PSTs

Ok great, now what do we do with all of those PSTs?  The best practice is to ingest all legacy PSTs into an email archive solution where they can be managed.  Once in an email archive, substantive emails from a PST can be moved to a proper location with other related content, or left in the archive for a period of time.  This period of time should reflect the risk tolerance level of the organization, but on average, archived emails are kept for 10 years and then deleted.  This process acts like a conveyor belt where items are added and stay on the belt until they eventually drop off.

Managing Your E-mail Going Forward

Determining which emails have substantive business content is often best left to the individual user to determine.  Some newer technologies leverage auto-classification to help facilitate this process, but either way, we want to identify the email with business value and keep it accordingly.  In contrast, we also want to cull out the non-substantive emails (i.e. the let’s get lunch emails) and automatically delete them after a period of time.  How long the period of time before automatically deleting email from the inbox is up to the organization, but commonly organizations will use 30, 45, 60, 90 or 180 days before deleting from the inbox.  Of course, this makes everyone nervous, and that is where having an email filing ‘tool’ comes into play.

There are a variety of email filing tools that exist today.  These tools can help enable users to file their business substantive emails into a managed repository with other related content.  Some of the more advanced tools allow for simple drag-and-drop functionality, auto-filing or threading where similar emails are automatically filed for the user, and some can even de-dupe when an email and or it’s attachment already has been filed to a collaborative workspace.  Once in the managed repository, the email and their related content can be managed and retained according to the organizations records retention policy.

Being a Collabware partner we typically help organizations build out solutions in SharePoint to store email contextually within team sites. Emails are easily filed leveraging Collabmail, who’s record retention requirements are then managed by Collabware CLM.

So there is a three-phased approach to solving this puzzle.  Phase One is dealing with legacy emails (ex. an email archive), Phase Two is having policy and guidelines that follow best practices and Phase Three is the go-forward approach that incorporates and email filing tool and/or auto-classification to file substantive emails to a managed repository with other related content.

What the Future Holds for Email Governance

At the end of the day, your end users are likely too busy to spend a lot of time managing their emails and likely won’t have the capacity to deal with decades of historical email when first rolling out mailbox based retention policies.

With the increasing popularity and availability of artificial intelligence technologies like Machine Learning many product companies are investing in platforms that not only help auto-classify your content but help derive value from it.

Collabspace – Collabware’s new cloud-based product will cash a protected authoritative copy of emails (and other content from various sources like SharePoint) in a secure WORM database (Write-Once-Read-Many) that provides protection from accidental or malicious deletion as well as protection from ransomware. This is all is married alongside other features like automatically OCR-ing scanned files, transcribing audio and video files for search-ability.

In the near future, Collabspace will be auto classifying content (emails and otherwise) based on user built rules and artificial intelligence allowing the platform to manage the life-cycle of both the protected authoritative copy and the copy in the mailbox in accordance with record retention schedule requirements.

This means that end users will not have to actively manage their emails and yet the organization can trust that its email is protected and managed properly while increasing find-ability. This approach reduces risk on both sides of the equation while minimizing costs around e-Discovery.

Our Final thoughts on this topic…

It’s a sensitive area for every organization to deal with.  Communicate openly and often with the users.  Employ a proof-of-concept (POC) when considering the right email filing tool or auto-classification solution.  Get user feedback, identify points of frustration and educate on the risks and the benefits of implementing these policies and guidelines.  Eventually, people will come to understand and appreciate what you’re doing and get on board and if you’re stressed out about the tools available in the market will soon be able to make this process a whole lot simpler.