How To Write An Email Management Strategy




WHITE PAPER

The Road To Email Management Compliance: Balancing Strategy, Process And Technology

EXECUTIVE SUMMARY

One of life's more frustrating experiences is being lost and unable to see the path to where you want to go. When your destination is known, but the path to reaching it is unclear, how are you expected to get there? Many organizations face these kinds of directional challenges when it comes to managing email.

The road to email management compliance has many components: record identification, role definitions, retention rules, storage procedures, information privacy concerns, and more. How should an organization handle escalating email management costs? What should a legal department do when eDiscovery times are lengthening? When an organization gets close to compliant, but just doesn't know how to achieve full compliance, the most logical and often the best response is: ask for directions.

In recent years, software vendors and storage providers have responded to the growing need for email management solutions by flooding the market with email archiving systems, Electronic Content Management (ECM) applications, or Hierarchical Storage Management (HSM) platforms. Yet even with email management technologies readily available, the ARMA International 2008 Executive Survey Summary found that 62 percent of 1,602 respondents do not have an email archiving system, while only 20 percent of companies with greater than 1,000 employees acknowledged having an email archiving system in place. [1]

Even though there are so many email management technology platforms available, many organizations are still not successfully gaining control over their email. A comprehensive approach that is collaborative and process-based is recommended to organizations when developing a new email management strategy, one that does not rest solely with a particular functional area or in a specific piece of technology. The goal of this new approach is to arrive at a successful email management implementation that combines the right processes with the most appropriate technology to address all of an organization's email management requirements.

Organizations can increase the success of their email management policy implementation by walking through a step-by-step email management strategy development process. This type of approach will help organizations make informed decisions about policy and procedure requirements, technology purchases, and storage options. By addressing email management from a collaborative perspective (involving Records Management, Legal, IT, and Compliance), organizations will achieve a high level of awareness and streamline their email management practices. Risk can be reduced by prioritizing email obligations, controlling costs by pooling resources, and reducing eDiscovery times in response to litigation requests for material. More importantly, a collaborative approach will ensure that an organization ultimately meets all of its business requirements and minimizes its risk of non-compliance.

[1] ARMA International 2008 Survey Executive Summary.

US-CS-WP-070109-001 (800) 899-IRON www.ironmountain.com

Balanced Email Management: Too Much, Not Enough, and Just Right

How do organizations know when their email management practices are properly designed to meet their needs? For one, policies should meet all regulatory requirements for email management in their industry. Second, the enabling technology should allow for records classification and be able to respond efficiently to litigation requests for email. Next, the email management strategy should consider key drivers as well as environmental factors that are unique to the business that could impede the successful strategy implementation. And finally, the overall solution should maximize the efficient utilization of available technology and storage systems. In other words, over-sizing an email management infrastructure will create unnecessary costs, while under-planning could expose the organization to non-compliance penalties and fines. Email management practices should be proportionate to the compliance regulations placed on the organization.

BENEFITS OF A COMPLIANT EMAIL MANAGEMENT STRATEGY

Effective Risk Management

A compliant email management strategy manages risk effectively by establishing appropriate processes and technology. A comprehensive email management strategy that is collaboratively built by the Records Management, Legal, IT, and Compliance departments can result in the avoidance of penalties and fines due to non-compliance. [2]

Controlled Email Storage Growth

A well-designed email management strategy will control storage resources by reducing the complexity and cost of maintenance and storage of email. The rapid growth in the size of message stores leads to the following problems for email administrators:

Slow Backup and Recovery: More data means longer backup times and longer outages when email systems fail. It is not uncommon for larger organizations to face full recovery time windows in excess of 48 hours. Because the speed of the Microsoft Exchange interface for data import and export is largely fixed, backup and recovery times are directly proportional to the size of the message stores. As email volumes continue to grow, this problem will continue to compound. An effective email management solution, in accordance with the organization's retention schedule, will ensure that there is less data to back up and therefore a more efficient backup and recovery process.

Complex Maintenance: As email stores grow rapidly, administrators must manually balance users with different mailbox sizes and growth rates across different storage groups. This process is complex, risky, and time-consuming. In addition, the time required for standard maintenance processes such as defragmentation is directly proportional to the size of the message stores. By having an email management strategy, organizations can reduce the complexity of maintaining user mailbox sizes and growth rates.

Expensive Storage: As message stores grow, IT organizations add expensive storage and highly skilled staff to manage complex storage environments. By controlling emails in accordance with an organization's retention policies, IT can limit storage-related expenditures and streamline email administration tasks, which often comprise more than 40 percent of total IT support costs. In addition, this approach limits the amount of content requiring evaluation during the legal review phase of eDiscovery, further reducing costs. [3]

[2] Osterman Research. July 19, 2007.
[3] Eric Lundgren. 10 Steps to Establishing an Effective Email Retention Policy. January 2009.

IRON MOUNTAIN WHITE PAPER

Efficient and Cost-Effective Email Discovery

Many firms cite eDiscovery as their number one legal concern. As email is increasingly used in business transactions, the discovery of these electronic records grows in significance. The cost of dealing with eDiscovery requests is overwhelming to most organizations. Restoring email involved in a discovery request costs approximately $1,200 for every person who has information relevant to a case [4]. Considering many discovery requests require the involvement of hundreds of people, the cost can easily be in the millions of dollars.

A compliant email management strategy enables organizations to respond faster to email-based litigation or investigation inquiries. Responding to an eDiscovery request typically represents significant work hours for IT and Legal departments, often involving the significant expense of outside counsel. These requests create unplanned work that is outside the scope of daily IT and Legal activities. Considering that the average personal email collection or archive analyzed in a litigation request has 25,000-40,000 items, the total number of emails analyzed in a single lawsuit usually reaches three million or more [5]. A well-designed email management strategy allows organizations to respond to email inquiries with efficiency and confidence, which translates to lower operational expenses as fewer parties are involved in the discovery requests for a reduced period of time.

[4] Ameet Sachdeve. E-Mails Become Trial for Courts. Chicago Tribune, April 10, 2005.
[5] John Montana. Strategies for Minimizing Litigation Risks, Costs. Information Management Journal. March-April 2008.

ACHIEVING A WELL-DESIGNED EMAIL MANAGEMENT SOLUTION

Define Program Goals

Involving the right people in deciding on an email strategy is the first step to a successful implementation. Begin by conducting collaborative workshops with senior-level stakeholders from IT, Legal, Compliance, and Records Management to collect data about business requirements, and achieve a higher level of organizational awareness. This collective approach will ensure that no single department or business unit is focused solely on its own individual interests or obligations.

Figure 1 illustrates how the IT group might be driven to a solution by storage costs while the Legal department needs assurance that email required for production in litigation can be found, retrieved, and preserved. At the same time, Records Management might be most interested in making sure records are retained and destroyed according to policy, while the Compliance Officer is focused on complying with rules and regulations. As the team works together toward the same email management goals, a big picture view of the solution will help address the range of email business requirements in a cost-effective manner.

At this time, it is recommended that organizations identify and assess their greatest challenges. If an email management strategy was attempted in the past, questions to be asked might be: have we trained our employees sufficiently; are our policies and procedures clear; did we conclude all activities on our implementation plan? Be sure to ask all the questions that might help to identify if there was a lack of awareness of email compliance requirements in the original strategy, or if the selected technology only addressed a portion of the necessary business requirements. All of these components hinge on the approach and process that is taken to arrive at a successful implementation.

Figure 1: Involving decision makers from IT, Legal, Records Management, and Compliance departments ensures that everyone's key drivers and concerns will be met in the form of a collaborative and comprehensive email management strategy and implementation.

Stay Focused on the Goal: Email Record or Not?

To increase the success factor of the organization's email management strategy, it's important to stay focused on the goal. Determine what qualifies an email as a record, keeping in mind that this is determined by its content, not its format. By common definition, a record, regardless of format, is recognized as establishing some fact or containing evidence of a business transaction. A non-record refers to materials that lack evidence of an organization's business activities or have no lasting value to a company.

Identify Specific Regulations and Industry Standards that Affect the Organization

HIPAA, Sarbanes-Oxley, FDA 21 CFR Part 11, SEC 17a-4, Gramm-Leach-Bliley, FRCP Rule 26, FACTA; every industry faces different compliance standards and regulatory requirements. Depending on an organization's industry, it will be subject to retention requirements that dictate different periods of time regardless of format and media. Additionally, organizations might be subject to email-specific requirements that dictate what must be done around email.

The Fair and Accurate Credit Transaction Act, otherwise known as FACTA, is amended by the Red Flag Regulations. The purpose of these regulations is to prevent identity theft, the fastest-growing white collar crime in the United States. The Federal Trade Commission developed the Red Flag Regulations to enforce and increase business accountability for protecting information from theft, fraud, or misuse. These regulations not only have significant impact on financial institutions (federal and state banks, credit unions, and savings and loan associations) but on any company that issues credit on a deferred payment basis. By this definition, a creditor can then be found in almost any industry. The FACTA Red Flag Regulations are relevant to companies using email in a way that could contribute to an increase in identity theft for customers.

An industry standard that impacts many organizations is the Payment Card Industry Data Security Standard (PCI DSS). Commonly referred to as PCI, this industry standard consists of comprehensive requirements for enhancing payment account data security as developed by the PCI Security Standards Council. The objective of the PCI program is to encourage companies to maintain a high level of security to protect cardholder information regardless of where it resides. PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The standard provides an actionable framework for developing a robust account data security process including preventing, detecting, and reacting to security incidents. [6]

To comply with PCI standards as well as with Federal and State Privacy Laws and regulations, companies must take exceptional care managing email that contains private information. Steps should be taken to identify business areas that are most likely to be handling personal identifiable information, such as Human Resources or Accounting, as there is a significant potential for email, or an attachment in email, to contain personal or private information.

[6] PCI Security Standards Council Website. https://www.pcisecuritystandards.org/ 2009.

Creating a Retention Schedule for Email

In the current regulatory environment, specific rules at both the federal and state levels determine how long business records must be retained before they can be destroyed. As these rules are applied to email, the mail administrators need to find new processes and technologies to manage email retention and deletion in accordance with their corporate retention schedule.

A retention schedule is a foundational part of any records management program. While most retention schedules are developed to include the identification of both hardcopy and electronic records, many times the schedule is difficult to apply to an electronic records environment. For example, the number of records series or classes may be too granular for easy classification of electronic records by an employee in an email or content management system. In addition, some types of records are to be destroyed some number of years after an event, such as the termination of an insurance policy. In a paper environment, the policy can be removed from onsite storage and placed in an offsite records center, at which time the retention clock begins. This is an activity that is not so easily managed in an electronic records system where records at all stages of their life cycles are co-mingled.

One approach to effectively classifying email is to create a subset of the enterprise retention schedule that is specific to email. The goal is to create "bigger buckets," which are broad categories of records based on commonality of retention periods, legal obligations, and record content. There might be a certain record series that would never contain email (for example, general ledger records might be entirely contained within the general ledger system) and would not be required in the email subset. Bigger buckets and fewer choices could lead to better email record retention classification and might make it easier for users to learn how to classify documents to their appropriate retention categories. Big buckets make a streamlined retention schedule easier to implement and easier to maintain, thus reducing the total cost of program ownership.

Classification Methodology

The next decision to make is the method for classifying email inside of an email archive. Some organizations have adopted a "keep everything" approach because they are unsure of how such classification could happen in a consistent and defensible manner. Others require that their employees make classification decisions about what and where to archive email. An increasingly popular approach is to assign specific record series to roles, such as accounting or quality control. Employees are associated with the roles, enabling a default classification of email. The ability to properly recognize an email record and classify it according to a company's records retention policy is the cornerstone of a successful program, regardless of the approach taken to get there. There is no one right answer; knowing and accepting your employees' ability to interact with the classification of email as records will help determine the right approach.

Utilization of Existing Technology

A compliant email management strategy can leverage existing investments in technology as an effort to keep technology acquisition costs to a minimum. The process includes closely evaluating the tools already purchased to understand how they align with enterprise requirements. Collaborative discussion among the Records Management, Legal, IT, and Compliance departments will increase organizational awareness of technology that is in place, as well as gaps that exist, and will provide a vehicle for effectively leveraging existing resources where appropriate. If gaps in technology do exist, then the technology in which the organization invests should be aligned with the overall goals of the email implementation strategy.

Define Policies and Procedures

Policies and procedures define in clear terms for the employees the who, what, and how of email management. For regulators and the courts, they provide evidence of support and investment in compliance. For Legal, Compliance, Records Management, and IT groups, policies and procedures create a framework that allows the organization to respond promptly to audit, discovery, and regulatory requests, with minimal cost and disruption to the business. Records Management policies and procedures are the key support documents for a successful email management strategy. As the email management process is developed, any necessary updates should be added to the policies and procedures document if one already exists for other record formats in the organization.

Common Pitfalls

Even with the best email management implementation strategy, it is important to consider some common pitfalls.

Server and PC backup policies conflicting with retention policies is something with which many organizations struggle. Typically, server and PC backup policies are determined by IT, and retention policies are determined by Records Management and/or Compliance. As discussed earlier, these two business units might not collaborate often and therefore the policies might conflict with one another. Policies for server and PC backup should be coordinated with the retention policy and executed consistently to ensure the organization is in compliance.

Underground archiving is a practice that occurs when end-users begin creating archives in locations counter to email policy requirements. In many cases, this practice originated at the request of IT with a main focus of freeing up space on the network. Some examples of underground archiving that have proven challenging to the search and recovery of email for discovery are desktop search and .pst files. It is nearly impossible to manage the email records in these files according to the Records Management program policies. Most organizations are in the process of prohibiting the use of .pst files in favor of central control over email storage, which greatly facilitates search and recovery for legal and compliance requests. The problem is so pervasive that 38 percent of IT managers list eliminating local .pst files as one of their top five email concerns [7]. Another way users circumvent the email policy requirements is by using desktop search products. These local indexes retain cached copies of email that have the same risks associated with them as with .pst files.

Design an Attainable Implementation Schedule

Setting realistic milestones for email management allows the organization to measure progress and drive a successful implementation. Defining an incremental strategy with a clear beginning, middle, and end will keep stakeholders on task.

Developing a priority email risk structure provides much needed guidelines to help employees archive or discard emails according to the organization's definition of what is a record and what is not. Compared to the former environment, where all emails were stored indefinitely, an email archive built upon these risk prioritization guidelines will eliminate records that can be discarded and create room within the storage system. In addition, this helps IT administrators by reducing the size of the email databases they must search to locate emails that might be requested by legal teams.

Determining the organization's risk exposure and level of commitment for achieving compliance is an important step. Organizations should implement the highest risk employees first, as there might be different strategies for different roles.

[7] Iron Mountain. The Email Management Crisis. 2007.

The Last Mile: Training

Compliance begins at the desktop. Therefore, a successful implementation of an email management strategy enables adoption across the organization by providing employees clear parameters around how an email record should be identified, classified, retained, or discarded. The implemented email management process and technology should complement the business culture, and help compensate for any variability in performance against the process that employees might have while performing these tasks.

Depending on an organization's strategy for approaching the classification and retention of records, one method of enabling adoption throughout the organization is eLearning. eLearning is an effective and efficient mechanism by which organizations can reach a large audience, regardless of location, and ensure that all employees understand the fundamentals of the organization's email policy. It also facilitates the instruction of new hires and can be used to periodically refresh employees' understanding of the email policy, especially as changes in the organization occur and/or new regulations emerge.

Audit the Program Over Time

In an effort to measure compliance and maintain the continuous improvement of the organization's email compliance strategy, regular audits can help achieve high levels of consistency throughout the organization. By evaluating key components of the email strategy, organizations can gauge the overall health of their compliance efforts and drive continual improvement quarter over quarter and year over year.

WHO CAN HELP WITH DIRECTIONS?

Selecting an Email Management Strategy Partner

As an email management partner, Iron Mountain Consulting Services can empower your organization to shift from reactive, quick fix email management to process-based, proactive email management. Iron Mountain is backed by expertise and knowledge gained from being in the information management business for over 55 years. Iron Mountain Consulting Services takes a diagnostic approach to helping our clients navigate their way through the process of defining and implementing an email management strategy that addresses more than technology.

Iron Mountain's Email Management Strategy addresses email throughout your enterprise, across geographies, business units, departments, and employees. The final result is a comprehensive and executable email management strategy that your organization can follow from vendor selection through implementation and compliance. Our approach reduces your compliance risk when responding to litigation, increases your implementation success factors and, when possible, controls your costs by making the right decisions about technology.

We begin by conducting formal analyses of your current email administrative practices. Next, we host collaborative workshops with your senior-level stakeholders from IT, Legal, Compliance, and Records Management. In these workshops, we guide you through a structured review of your organization's key drivers, environmental factors, risk exposure, and employee experience. By pulling all of the pieces together in a pragmatic approach, we satisfy the needs of IT, Legal, Compliance, and Records Management. Lastly, we recommend enterprise-wide email management solutions that are tailored to your unique environment.

For more information please call 1-800-899-IRON.

© 2009 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated. All other trademarks and registered trademarks are the property of their respective owners.

745 Atlantic Avenue, Boston, Massachusetts 02111, (800) 899-IRON

Iron Mountain operates in major markets worldwide, serving thousands of customers throughout North America, Europe, Latin America, and Asia Pacific. For more information, visit our Web site at www.ironmountain.com.