Messaging News - June 2008 - (Page 15) survey by Osterman Research for Dell MessageOne: • Legal typically drives the development of retention policies. The legal team was involved in setting policies at 81 percent of the companies surveyed. • Other stakeholders typically involved included IT (72 percent of companies) and compliance (65 percent of companies). • Business stakeholders play a less important role in the development of retention policies. Only 48 percent of companies included business managers in the process and only 28 percent included records managers in the development of email retention policies. When talking about setting the policy, D’Arcy notes that it can be challenging. “Each group tends to have its own opinions about what should happen. Legal often wants to get rid of things as fast as possible, business folks want to keep things as long as possible, IT wants to get rid of things as fast as possible, and records management wants to organize them into as many different categories as possible.” Industries that are heavily regulated like financial services or healthcare are more straightforward and legal staff tends to drive compliance. “For other sectors, and SMBs, it is generally IT,” observes Greatwood. “IT may be motivated by immediately accessible retention-and-recovery of email provided by an archive— which is quicker and easier than recovering email from a backup—as well as by protecting against eDiscovery issues, or offloading data from a poorly performing primary email mailbox server.” While IT is increasingly responsible for meeting retention requirements, it is not always an easy task. “Most IT departments are in the cross hairs between potential litigation and the lawyers that work for the firm who take the stand that having the emails can be a bigger liability than having no information,” believes Elliot. “That is a real challenge and quite near-sighted—just because you do not have it, does not mean someone else does not. What control do you have over the email that was sent, and where did it go from there? That can put the company at risk for not having full clarity of the potential risk of the situation. I have found that most large organizations have, in my humble opinion, received relatively poor counsel about deleting information as often and quickly as possible.” He goes on to note that email is a record of business, and that there is very little that is not conducted via email. Not having data might not be a sign of guilt, but Elliot thinks it is one of negligence. “It is ironic that IT departments are spending so much money and resources on disaster recovery systems, alternate sites, and yet their lawyers are telling them to keep things for 30 days and then delete it all.” Greatwood weighs in noting that “Increasingly, many organizations are choosing a ‘keep everything forever’ policy. HIPAA (healthcare) mandates six years, Sarbanes-Oxley (public companies) mandates five years, and FRCP (applies to all U.S. organizations) does not set a time limit. Provided email infrastructure and archiving solutions are selected that scale appropriately—and are well architected to scale on low cost storage—if it is worth an organization setting up an archive, it is likely worth them adopting the ‘keep everything forever’ approach,” he advises. Retention Retention strategies typically reflect an individual corporation’s philosophy around email and litigation. Companies that view email as a strategic asset and who value the context provided by email in litigation, keep email messages for many years. Other companies view email as a necessary evil and who worry about “smoking guns” tend to delete messages as quickly as possible. “There is no right or wrong answer,” believes D’Arcy. It is a philosophical decision.” Asked it one is more prevalent than the other, he replies, “It is a fairly even split—we run into as many companies that get rid of email after 30 days, as we do ones that keep it for five years or more.” With the list of regulations continuing to grow, retention needs are anticipated to grow along with it. “Legal compliance is here to stay. With email such an important business tool and many important decisions transmitted via email (as well as important documentation), regulations will be an important safeguard against wrongdoing, fraud and data leakage,” thinks Vella. “We see the demand for archiving solutions to increase considerably over the next few years as more companies see the benefit of email management as they are pressured to keep a copy of all electronic documentation. Companies that fail to implement an email archiving and management strategy will risk being overwhelmed by the anticipated growth of email correspondence in the next few years.” Without a retention strategy, organizations may have to resort to searching back-up tapes, desktop files and legacy systems to find missing information. Manual e-Discovery searches can cost hundreds of thousands or even millions of dollars. In addition, these companies risk being sanctioned for the illegal destruction of evidence, including courtroom penalties that can cost a company an important legal case on process grounds. “Today, most organizations are focusing on email in relation to litigation and the FRCP,” states D’Arcy. “Many of the companies choosing short term retention policies, in the future will likely begin to keep more data, rather than less in order to comply with a broader range of regulations. I think the trend is going to go towards saving more stuff as opposed to less stuff. In the end it is less risk for organizations.” SJ/TMP FOR YOUR REFERENCE Dell MessageOne www.messageone.com GFI Software Ltd. www.gfi.com Mirapoint Software, Inc. www.mirapoint.com Osterman Research, Inc. www.ostermanresearch.com PostPath, Inc. www.postpath.com messagingnews.com 15 http://www.messageone.com http://www.gfi.com http://www.mirapoint.com http://www.ostermanresearch.com http://www.postpath.com http://www.messagingnews.com
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.