The question of how to deal with email is a common vexation among records managers and information technology directors – the exasperation it causes being right up there with herding cats.
Effectively managing email is usually somewhere “on the list” of items to take care of, but rarely at the top. As a result, employees are often left to fend for themselves regarding how to manage their email records, most often outside the scope of data retention and information governance policies. This can bring rise to issues over data security, privacy, discovery, and cyber-theft. Most users want direction in this area to protect both themselves and the organization. But, this direction will only remain welcome if it’s not difficult to administer or overly complicated. Let’s take a look at some common approaches, pitfalls, and recommendations to get you started.
Email is Not Dead Yet
With the rise of so many instant messaging and collaboration apps like Slack and Teams, one might think email is not that big of an issue in 2020. In fact, According to HubSpot, 86 percent of business professionals prefer to use email when communicating for business purposes. Fifty nine percent of B2B marketers say email is their most effective channel for revenue generation. And 80 percent of retail professionals indicate that email marketing is their greatest driver of customer retention. While social media may get the headlines, email still is the foundation of business communication today.
80% of retail professionals indicate that email marketing is their greatest driver of customer retention.
In our work with various organizations across all industries we have found there are just a few common approaches to this problem of governing email. After the brief review of these below, we will discuss some of the issues with these methods, and also how they might be used in a more comprehensive approach.
- Do Nothing – you may be laughing but this is often the default action with regard to managing email retention and disposition. The practice may be justified by stating that emails represent transitory information, and therefore are not records. Most legal experts disagree with this argument, however.
- Safety Net – this involves setting up an email vault to capture all email at the server level and keep it for a set period of time, usually between one and five years, just in case something is needed for legal reasons. This default ”just-in-case” retention period is more for those who are worried about losing an important email than being found with one.
- Quotas/Short Term Retention – in this scenario a combination of company policy and technical configuration sets limits on how much email a user can store in their inbox, either based on storage space, or the age of emails. For example, one might be limited to 2 GB of data, or nothing older than 6 months. This practice forces users to purge old emails to free up space, or automatically removes old emails, thus encouraging important items to be saved elsewhere.
- Purge Days – following the often-used practice for physical records, specific days on the calendar are set aside for all employees to manually comb through emails and delete what’s not important.
- Capstone – many government agencies follow the Capstone Approach, whereby all email for certain individuals is saved based on their role or title. The idea is that the most important information will bubble up to the top levels of the agency, thereby limiting the need to collect email from everyone.
All of the common approaches have issues – some more than others – but they also have merits.
Doing nothing carries the most obvious risk, even if it’s backed by the formal retention schedule, because you risk both keeping and losing emails that you shouldn’t. Without any kind of technical rules or limitations within the email, you’re exposing the organization to a lot of ROT (redundant, outdated, and trivial information) that is subject to e-discovery, theft, and misuse.
It is common practice for opposing attorneys to hire teams of analysts for the express purpose of combing through email for the “smoking gun”
Having a safety net helps to address the inadvertent deletion of important emails, but only for the time set by the vault or policy. If there is content within emails that should be kept longer, then the vault does not help – except where individuals make conscious choices to save important items. It also exposes the organization to the risk of discovery, which can include the costs of the discovery effort itself, as well as the potential of finding damaging information. Indeed, it is common practice for opposing attorneys to hire teams of analysts for the express purpose of combing through email for the “smoking gun” that will help them win the case or force a settlement.
Limits on in-boxes in the form of quotas or time limits can help with keeping email from accumulating. It also enforces the idea that an inbox is only meant for short term preservation. However, this approach still lacks several fundamental principles that should govern business records, such as: determining retention based on content, rather than format; distinguishing between records and non-records; and providing a means to preserve long term records.
Purge days are relatively easy to implement and can get everyone on the same path for a shared goal. Although, most users rarely will have the time or patience required to do an effective job at managing email manually. Accordingly, purge days may look good on paper, but rarely succeed in practice.
The Capstone approach has merit in that it does limit the scope of what is collected and managed, which is a good starting point for any email management process. However, it often leads to over-retention of information because retention is based on the person’s role, even if they might retain all kinds of different content, much of which may have no value.
Let it suffice to say that without defined controls on email repositories along with a pathway for users to be compliant, you’re leaving it up to each employee to dictate their own email policies. This can create a lot of problems for the organization – the most notable being that each email is subject to discovery in litigation. Under the right circumstances, what an employee intended to say casually and innocently in an email can cause great damage to an organization in the form of potentially significant liability in litigation. Email can also contain a wealth of proprietary and valuable intellectual property that could pose a very real threat to the organization if it ever got out. And finally, the confidentiality of email can be compromised, exposing customer, employees, and the organization to breaches in security and privacy.
No individual solution will work for all, and any effective solution will likely use a combination of a policy, technology, and collaboration, and may include elements of the approaches outlined above. For example, it’s often very helpful to limit how much you can keep in an inbox (through quotas or time limits), but also have a vault to act as your safety net.
Good email management starts by creating policies. An organization needs to define what constitutes a record, the various types of records with appropriate retention rules, and how those definitions and rules can be applied to email. A policy will also define an organization’s risk appetite, which will drive how much and how long email is kept. For example, an organization that is concerned with losing important, regulated information will keep more emails, and keep them longer. An organization that is worried more about what could be found (such as PII) will keep less, and keep it shorter.
Temper your policy design with a clear understanding of each department’s needs and their typical use of email. You may need to create some exceptions for certain departments, or for departments that you know are heavy users of email. Certain roles within departments may also be a useful guide, especially for users with very narrowly-defined roles where the majority of emails they process all pertain to a similar subject, like invoices or contracts.
Technology will undoubtedly be a key to your organization’s email management solution. This is because you will need a long-term repository for saving, holding, and disposing of important emails according to your retention policy (either as a separate repository or one applied directly to your email system). Keep in mind, though, that the technology must be easy for the users. Incorporating simple drag-and-drop options, seamless mapping to pre-defined categories, or automatic sorting using artificial intelligence (AI) all serve this goal.
Ongoing adherence to policy is fostered when employees truly understand why it is important to follow policies.
Many organizations are relying more on AI to help manage email because the volume of information is simply too large to manage without automation. But when exploring this approach, keep in mind that AI systems still require significant time investments up front to properly train the system to identify one type of record from another. Nonetheless, AI can be a significant time saver over the long term.
Another option (and one which expands on the example given in the opening paragraph of this section) is creating a policy which permits users to keep email in their inbox no longer than a few months, but provides an easy way to save long-term emails into an official repository (perhaps with automation). As an additional layer of backup, all email is saved in a vault for 2 years in case something is not saved or categorized properly. Retrieving from the vault would require additional work, thereby discouraging the use of it as a standard fallback.
Collaboration may be the most important factor in an effective email strategy. To succeed, this task requires cohesion between legal, IT, and the entire user population (at minimum). Ease-of-use equals ease-of-adoption by users, and ongoing adherence to policy is fostered when employees truly understand why it is important to follow policies. Investing in training, incentives, audits, and regular communication will reinforce policy and practices, which will translate into better outcomes.
Organizations that get their email management in order enjoy not only the peace of mind that results from regulatory compliance, but also improved workflow and the ability to find important business records. Look for providers and partners, like Zasio, that have a combination of capability, expertise, and vision to help you get the most value out of your information.