Posts Tagged ‘email policies’
10 Email Archival Best Practices and Considerations
Written by Mike Rede on May 31, 2010 – 2:33 pm
Email retention is a very important component in every company’s day to day business practices. The reasons are many: legal requirements, efficient use of storage, privacy of corporate email messages and others.
Policies and best practices should be clearly stated in every company’s IT department for how best to archive the multitude of emails that accumulate each day.
Here are some of the best practices and considerations for email archival.
- Indexing and searching capability should be features of all email archival systems. Companies need to be able to respond quickly to requests for old emails particularly when those requests are coming from legal entities outside of the company. Months and months of email messages can quickly become millions of archived messages. IT departments will need to be able to respond to information requests in the least amount of time possible so as to meet any legal requirements necessary. Having a fully indexed archival message system will support the retrieval of any documents or email messages in a short period of time. In addition, being able to respond to requests for archived emails can help to meet discovery or subpoena requests in a timely manner.
- Audit trails should be another component of any good email archival system. Companies need to secure and track their archived emails to meet the regulations of the various governing bodies such as the SEC (Securities and Exchange Commission) that can request specific emails from them. Audit trails can also be used to prove compliance with reporting regulations such as the Sarbanes-Oxley Act.
- Complete email integrity needs to be maintained so as to meet the rules of evidentiary standards. Email integrity can be maintained by use of electronic signatures and time stamps of each email that is archived, redundancy of archival systems to provide continuous access to archived emails and encryption of email messages to protect against tampering of original data.
- Virus scanning of all email messages prior to archival should be an additional step in the archival process so as to ensure not only the integrity of archived email messages but also the protection of the email system when messages are retrieved from the archive.
- Support of multiple email systems and protocols is another feature that can help to reduce the number of archive systems that are needed within a corporation. Some of the more widely used email systems that ought to be included in an email archive system include: Microsoft Exchange, Lotus Notes, Novell GroupWise, First Class, and the standard POP3, SMTP and IMAP protocols.
- Administrators should coordinate with their in-house legal department and with the department managers of the various business units that the IT organization is responsible for supporting. Those department managers may have additional requirements for archiving their employees’ emails based on the applications they use and the types of business they engage in. Legal departments can also provide guidance on the archival rules and regulations with which the company as a whole must comply.
- Know what time periods are required by specific regulations when determining how long to keep email messages in the archives. Some companies do not routinely rotate their archived email messages out to the bit bucket and, as expected, continue to drive up their storage and administrative costs unnecessarily. The more email messages that are stored, the more indexes are required and the longer searches take.
- Designate someone within the IT organization who is the interface to the legal department. In smaller organizations the legal department will most likely be an outside law firm. Schedule regular quarterly reviews of the laws and regulations specific to your industry that have mandates related to email retention requirements. Some of these compliance laws, regulations, and standards that can impact how email is retained include: the Federal E-Discovery Rules; the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley Act (SOX); the PCI Data Security Standard; the Federal Information Security Management Act (FISMA); the EU Data Protection Directive 95/46/EC; the Basel II Accord and others.
- Although not considered email, instant messages should also be included as electronic items that can be stored in an email archival system. In the course of daily business, an email that is received can sometimes have started off as an instant message that was converted into email when the sender was no longer able to communicate with the recipient.
- The implementation and execution of a good email archival system can save a company much valuable time and money when all contingencies have been taken into account and the planning has been done well.
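An added example (not from the original post) of the audit-trail and integrity practices in the list above: each archived message is recorded with a timestamp and a SHA-256 digest, then sealed with an HMAC chained to the previous record, so a later edit, backdating or deletion is detectable. HMAC stands in here for the electronic signature the post mentions; the key, function names and sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a real archive keeps this key in an HSM or KMS, never in source.
ARCHIVE_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # seal value that precedes the first record

def _seal(prev_seal, archived_at, digest):
    """HMAC-SHA256 binding a record to its timestamp, digest and predecessor."""
    payload = json.dumps([prev_seal, archived_at, digest]).encode()
    return hmac.new(ARCHIVE_KEY, payload, hashlib.sha256).hexdigest()

def archive(trail, raw_message, archived_at):
    """Append one message to the audit trail and return its record."""
    prev_seal = trail[-1]["seal"] if trail else GENESIS
    digest = hashlib.sha256(raw_message).hexdigest()
    record = {"archived_at": archived_at, "sha256": digest,
              "seal": _seal(prev_seal, archived_at, digest)}
    trail.append(record)
    return record

def verify(trail, stored_messages):
    """Return the index of the first record that fails, or -1 if all pass."""
    prev_seal = GENESIS
    for i, (rec, raw) in enumerate(zip(trail, stored_messages)):
        if hashlib.sha256(raw).hexdigest() != rec["sha256"]:
            return i  # message body changed after archival
        expected = _seal(prev_seal, rec["archived_at"], rec["sha256"])
        if not hmac.compare_digest(expected, rec["seal"]):
            return i  # timestamp altered, or a record removed or reordered
        prev_seal = rec["seal"]
    shorter = min(len(trail), len(stored_messages))
    return -1 if len(trail) == len(stored_messages) else shorter

def demo():
    # Constructed sample messages and timestamps, not real mail.
    msgs = [b"From: a@example.com\r\nSubject: Q1\r\n\r\nNumbers attached.",
            b"From: b@example.com\r\nSubject: Re: Q1\r\n\r\nReceived."]
    trail = []
    archive(trail, msgs[0], "2010-05-31T14:33:00Z")
    archive(trail, msgs[1], "2010-05-31T14:40:00Z")
    edited = verify(trail, [msgs[0], msgs[1] + b" (edited)"])
    backdated = [dict(trail[0], archived_at="2009-01-01T00:00:00Z"), trail[1]]
    dropped = verify(trail[1:], msgs[1:])  # first record deleted
    return verify(trail, msgs), edited, verify(backdated, msgs), dropped

if __name__ == "__main__":
    print(demo())
```

The tuple returned by `demo()` gives the verification result for the untouched archive, an edited body, a backdated timestamp and a deleted first record, in that order.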
Bank learns its lesson, you can’t recall email
Written by Dan Blacharski on September 25, 2009 – 4:25 pm
There’s a bank clerk in Wyoming who is in deep trouble with the boss. According to news reports, an employee of a bank in Wyoming sent an email that contained customer data to the wrong recipient’s Gmail account. The employee of Rocky Mountain Bank made two critical errors: First, they sent it to the wrong address, and second, they attached a file with sensitive information that should not have been attached.
According to news reports, the employee, realizing they had sent it to the wrong address, tried to “recall” it after sending it. Huh?? How long has this employee been using email? Just about anybody that isn’t living in a cave knows that you can’t recall an email once you’ve sent it out. That’s why standard procedure should include at least a quick once-over of the contents and recipient list before hitting the “send” button.
The attachment that was sent contained customer information, including social security numbers and loan data.
“I read it on the Internet so it must be true…”
Written by Dan Blacharski on April 23, 2009 – 2:31 pm
Viral emails get circulated around offices and places of business far too easily. It happens all the time, and is an enormous waste of time and a danger to company productivity and morale. What happens is that some employee receives a viral email that propagates some untrue rumor or urban myth, but which nonetheless evokes a strong reaction. Said employee says to himself or herself, “Why, everybody needs to know about this outrage!” And so they click “send all” and everyone in the company gets it. Pretty soon, everybody in the company is outraged about the rumor–the fact that it’s not true is beside the point–and productivity suffers. I get these all the time–but the only outrage is that the content contained in them is incorrect and usually designed just to rile people up.
These emails pop up all the time, usually propagating some sort of misinformation surrounding a minority group, immigrants, or government policy. In almost every case, the facts are completely false, but they deal in subjects that are sure to get a response.
Of course, these have no place in the office, and the administrator would be justified in amending the use policy to prohibit distribution of these emails. Of course, besides wasting time and getting people angry over false information, they just contribute to the ever-widening sea of useless email that clogs up all of our email servers, since the typical response is to say, “Oh, this is terrible, I have to send this to everybody in my mailbox right now!” The viral emails that perpetuate these and other rumors are a waste of time and a danger to society–any company use policy needs to prohibit propagating viral “rumor” and urban myth emails.
Why should you have an Email Usage Policy?
Written by Mike Rede on January 26, 2009 – 5:28 pm
If your company is having problems with employees and their email usage it might not be the employee’s fault. When was the last time your employees reviewed the company’s email policies? If you can’t answer that question then it means that there is a problem with communication.
It should be standard practice that all employees are required to sign a document upon acceptance of employment that they will abide by the rules and policies regarding email usage whilst employed at the company. It should also be mandatory that employees review and sign the agreement each year or every six months whilst employed.
This brings up the question of what exactly should go into an acceptable Email Usage Policy.
Take care to clean up orphaned email accounts
Written by Dan Blacharski on January 26, 2009 – 5:21 pm
The devastatingly high rate of unemployment, not just in the US but all over the world, can cause problems not just for the unemployed themselves, but also for the IT departments of the companies that laid them off.
Even when the economy was booming, I always advocated a clean break when letting somebody go. It may seem a little heartless, but the standard protocol is to de-activate their passwords and computer access first, and then lower the boom at the end of the day. A disgruntled employee can be very dangerous to a company, and I have first-hand experience seeing one such employee take down a very large San Francisco-based firm I used to work with. Leaving employees with computer access, even for a few minutes after the axe falls, is just too risky. With computer access, the employee can too easily email out sensitive information minutes before walking away. And besides outright theft of information, if the employee continues to have company email until IT gets around to cutting it off, it’s all too easy to pretend that one is still employed with the company, and send out potentially damaging emails to clients.
A recent blog entry on ITSecurity.com reminded me of this, citing a survey on deleting accounts from laid-off employees. According to the survey, 30 percent of respondents had no policy in place to find orphaned accounts, and 30 percent said it takes more than three days to terminate an account after an employee leaves the company.
CEO Caught in Email Scandal Nets $300K Settlement
Written by Sue Walsh on November 6, 2008 – 5:34 pm
The State Government Watch blog has an interesting article on how the former head of Hawaii’s Tourism Authority netted a hefty “resignation payment” after he was caught in an ugly email scandal:
The embattled former chief executive of the Hawaii Tourism Authority, Rex Johnson, will receive nearly $300,000, including unused vacation pay, as part of an agreement with the state agency. The tourism agency, which faces significant challenges ahead in guiding Hawaii’s bread-and-butter industry through its most turbulent time, agreed to a resignation payment of $208,181 based on Johnson’s initial annual salary of $240,000 through August 2009. Johnson’s vacation pay, also based on his $115 hourly rate, amounted to $83,304, bringing the total resignation package to $291,486. Johnson resigned Oct. 8 after a state auditor flagged his email for pornography sent to friends via his state laptop. Racist and sexist messages sent during the same period surfaced a few months later.
Yes, that’s right. He was caught with porn and racist emails on his state-issued laptop, yet made out like a bandit. Not exactly a deterrent against violating email policies, is it?


