Is Poor Email Management Putting Your Organization At Risk?
Er. Isha Nagpal
Assistant Professor, DCSE, PPIMT, Hisar
CONTENTS
Abstract
The Balancing Act of Preservation
The Consequences of Not Preserving
Storing of email is complicated by its Form
The Cost of Compliance
The Benefits of an Information Management Solution
ABSTRACT
Organizations are driven by email,
whether they are private companies or operating within the public sector. While
regulations are often specific to various industries and operating sectors, the
need to retain as well as produce email is universal. This paper will look at
the risks entailed by improper email management, and how organizations can
mitigate their risk.
Email drives business in all organizations, whether private companies or
entities in the public sector. Employees communicate via internal email, often
in preference to the telephone, and inquiries and support concerns are
increasingly handled via email.
This creates a complicated balancing act for organizations, as they are bound
by a variety of overlapping laws, acts, and regulations which force them both
to preserve email and to produce it to outside parties, virtually on demand.
Systems which simply back up email stores cannot handle the tasks of
demonstrating that proper preservation was followed, that laws were not
violated, and that the entity can provide information when the laws require it
to do so. This is where an email archiving or information management system
becomes vital.
The Balancing Act of Preservation
There is a tangled web of
overlapping regulations which all speak to preservation of email. These
include:
1. Human Rights Act
2. Data Protection Act
3. Regulation of Investigatory Powers Act
Under each of these Acts, the
provision for retention varies, while each typically looks to entities to
preserve the original email yet adhere to the Data Protection Act’s mandate to
retain “only as long as there is a business reason for that retention.”
For example, within the highly-regulated financial service industry, the FSA
mandates that all business emails be retained for six years, and certain ones
indefinitely. HR records are
typically retained for some period of time following the departure or dismissal
of an individual, but some records are mandated to be kept for three or six
years (Statutory Pay Regulations require three-year retention whilst the Taxes
Management Act mandates six years).
Even unsuccessful job applicants’
applications and interview notes must be kept for at least six months per the
Disability Discrimination Act. Therefore, the requirement to store emails is a
lengthy one and affects virtually every communication in an organization.
The Consequences of Not Preserving
Each of the various Acts and regulations of which retention of data is a part
has different consequences for organizations that do not comply. Public
entities find themselves worried about the Freedom of Information Act, which
includes a penalty scheme for non-compliance. The Data Protection Act, which
affects virtually every organization in some manner, is more severe. In fact,
the Liverpool City Council pled guilty to a criminal charge in 2006 for failing
to comply with a subject access request and was levied a fine in lieu of more
serious punishment, the first such organization punished by the Information
Compliance Office.
In addition to fines, which can range from relatively trivial to substantial,
there is the consequence of loss of confidence. When this happens to a
commercial concern, the ramifications are often reduced turnover and other
negative business consequences. When this occurs to a public entity, the
situation is a bit different. Because such entities are not competitive (i.e.,
there aren’t two competing council authorities for Liverpool City), the
consequences of loss of confidence may include staff changes, either by vote or
fiat, and even reduced funding.
Finally, there is the issue of discovery. HR complaints are only one aspect
wherein organizations may be subject to legal proceedings. Liability lawsuits
can be much more significant. In one recent case, a high-profile utilities
authority was sued on a quality of service matter, specifically nuisance. They
had extensive stores of emails and were unprepared for the extent of complex
discovery which this case entailed. The resultant legal preparation and defense
required expensive specialized software, an army of solicitors, and costs that
ran into the millions of pounds. Even though the authority prevailed on larger
damage issues, the expense of defending themselves remains a significant and
unanticipated cost.
Storing of email is complicated by its Form
None of the acts or regulations describes what constitutes “storage,” only that
emails need to be stored and available for recall during the specified time
period. In reality, email can exist, and thus be stored, in three different
forms. The first of these is “live,” specifically within the user’s inbox; the
second is locally-stored email (aka PST files); and the third is archived
email, the preferred method for long-term storage.
Of these three, the second form is
the most problematic. Local email storage arose from attempts to place quotas
on mailboxes to control storage costs and IT maintenance issues, and within
certain programs as a way to create backup images of users’ Outlook data. The
notion has since gained wide success but brings its own set of challenges. One
of them is that locally-stored email is outside the purview of the IT
organization. Simply put, IT has no visibility into what has been stored in
these files.
A second is that these files tend
to be unstable over time, and corruption means they are no longer accessible by
the user, requiring additional IT cycles to try to recover them. And a final
challenge is that the size of such files in terms of how many emails are
contained within is not documented. A PST frequently contains tens of thousands
of emails, even though it looks like a single file name.
The
key to effectively storing email is the use of an information management or
archiving system that understands all three forms in which email may be
encountered. These systems can apply rules-based retention and disposition
schemes regardless of the form of the email. They can also eliminate the need
for large volumes of locally-stored email by proactively archiving and deleting
emails which have passed the required compliance dates.
The Cost of Compliance
Organizations that have no solution
to the challenge of storing and later producing emails face an increasing risk
of monetary fines and other indirect consequences. There are really only two
ways to address the problem: one is with increased personnel, and the other is
to deploy an information management solution.
Either solution has cost
implications, which are amplified by the current recession and shrinking
budgets. In terms of pure cost, deploying an information management solution is
inherently less expensive than adding personnel: these systems are largely
automated, and existing staff can utilize them effectively without additional
resources.
An information management solution
has additional cost-saving benefits which should be considered when budgeting
for such a solution. First, by effectively eliminating trouble-prone
locally-stored email, the IT staff will not face the additional burden of help
desk support to fix and restore these files. Second, organizations that have
some history of using an Exchange-based email solution find that up to 20% of
their central storage is consumed with local email storage files that were
re-imaged onto central servers for a variety of reasons. The bulk of those
files can typically be removed upon successful deployment of an information
management solution, deferring anticipated purchases of additional storage.
Finally, service requests and discoveries can typically be handled in-house
using the information management solution, thus eliminating additional
outside resources which would be required to comply with these requests.
The Benefits of an Information Management Solution
Modern email archiving solutions have
become highly credible information management solutions: these solutions
include modules for policy, retention management, compliance, and discovery. An
information management solution archives emails based on adherence to
rules-based policies, which are spelled out in clear natural-language rule
sets, and automatically applies retention and disposition strategies. The
users aren’t required to do anything, nor are their preferred environments
compromised.
These
solutions can eliminate the need for locally-stored emails because they will
proactively archive email yet provide users a direct way to access those stored
emails, eliminating the need for any local storage. To alleviate the need for
additional storage for archived email, these solutions include compaction
routines which automatically compress emails for archiving and conversely
decompress them when they are accessed.
The
preferred information management solutions use a “manage in place” strategy,
wherein policies and retention management will be applied regardless of where
an email is found (live, local, or archived). This ensures that IT has a
consistent understanding of the landscape of stored emails.
Preferred
information management solutions also offer search and discovery capabilities.
Users naturally engage search engines to retrieve older, archived emails, and
search must be part of the information management solution. More sophisticated
search capabilities, under the requirements of discovery, must also be
provided, wherein legal professionals can query email archives and mailboxes to
locate and catalog potentially-relevant emails in the face of litigation.
Finally, these solutions need to offer a preservation mechanism that permits authorized
personnel to place such emails under legal hold, such that the email, any
attachments, and all relevant metadata are preserved and secured from further
editing or modification.