Symantec Information Integrity Resource Center
Best Practice E-Mail Retention Policies: Why 90-Day Deletion Doesn’t Cut It
Ninety day e-mail deletion policies address the growing burden and IT cost of corporate e-mail stores, but not the legal requirements for e-mail lifecycle management. In the end, the increasing costs of e-mail storage pale in comparison to the risk and cost of businesses not paying attention to electronic records compliance and e-discovery. 

For companies that believe the proliferation of e-mail and e-mail management, as they relate to security and storage-related issues, are among IT's biggest headaches, it's time to wake up to the reality of regulatory compliance. In short, de facto risk management standards such as 90-day deletion policies are out, and best practice e-mail retention policies that comply with recent laws, regulations, and standards are in.

Why? Because 90-day e-mail deletion policies address the growing burden and IT cost of corporate e-mail stores, but not the legal requirements for e-mail lifecycle management. In the end, the increasing costs of e-mail storage pale in comparison to the risk and cost of businesses not paying attention to electronic records compliance and e-discovery.

A few cases in point:
  • The $1.45 billion verdict against Morgan Stanley for failures to produce timely e-mail from back-up tapes.
  • The $29 million verdict against UBS Warburg for failure to retain relevant information, including e-mails from back-up tapes.
  • $15 million in sanctions against Morgan Stanley by the SEC and NASD due to its inability to produce e-mails upon request.
  • A $10 million fine imposed against Banc of America Securities LLC for, among other things, delayed recovering and reviewing of e-mail.
The list goes on.

The bottom line is that, although e-mail was defined as a legal electronic record some 20 years earlier, beginning in the 1990s it became important not only for e-discovery and e-mail retention in lawsuits: legal forensic groups also began to use e-discovery and a lack of e-mail retention as a lever against big corporations in the courts, leading to sanctions against those organizations with failed e-mail policies.

Beyond Storage
When it comes to corporate e-mail, the numbers are staggering. On any given business day, 35 billion e-mail messages are generated, an increase of more than three-fold compared to the estimated 10 billion e-mail messages generated daily by business users just five years ago, according to market research firm IDC. For many companies, the proliferation of e-mail has increasingly become an IT storage management nightmare.

Throwing more terabytes at the problem is a short-sighted solution. In the long run it doesn't address the various compliance and regulatory requirements specific to corporate e-mail. And gone are the days when only certain industries had to worry about compliance—banking, healthcare, pharmaceutical, and publicly traded companies, for example. Think of the upcoming amendments to the Federal Rules of Civil Procedure on E-Mail Discovery as an invitation to all to join the party.

In a nutshell, the new legal rules will require every corporate litigant to recognize, declare, and produce e-mail and files in civil litigation. And these rules impose standards on discovery issues that are unique to electronic records. Unless challenged by Congress, the proposed amendments go into effect on Dec. 1, 2006.

"What's been missing in the records management debate is that e-mail or IM may need to be preserved if it contains information that is relevant to a lawsuit or an investigation," according to M. James Daley, a principal partner at Redgrave Daley Ragan & Wagner LLP, a law firm that specializes in information and records management issues. In this context, he adds, "It's the content, and not the container that is important."

That said, it's time for business to go beyond grappling with e-mail storage issues and formulate an enterprise strategy for e-mail lifecycle management. To help formulate e-mail retention strategies, it's imperative that IT gets guidance from legal on regulations and law.

"If an organization simply goes out and creates a hard and fast e-mail retention policy without adhering to the legal requirements for creation, administration, and monitoring, they can also create an unanticipated level of risk of civil and even criminal sanctions," says Daley.

The list of compliance laws, regulations, and standards that affect e-mail, in particular, is long: the Federal E-Discovery Rules; the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley Act (SOX); the PCI Data Security Standard; the Federal Information Security Management Act (FISMA); the EU Data Protection Directive 95/46/EC; and the Basel II Accord, to name a handful.

Putting Best Practices in Place
When it comes to putting best practices in place, the courts are sending businesses a clear message about electronic records: It's later than you think. Medium-size and large data producers, in particular, are advised to set in place policy and procedures for the management of electronically stored information.

The upcoming Federal Rules of Civil Procedure addressing e-discovery, according to Daley, "increase pressure on companies with large electronic information collections to identify and be prepared to address very early in every federal case the preservation and production of electronically stored information."

The first step companies must take is to create enterprise-wide policy that lets employees know what constitutes a record for the purpose of e-discovery.

Next, companies will need to have systems in place that enable them to identify all sources of potentially relevant data, including legacy data, back-up media, deleted data, portable media, and remote or third-party locations under their custody or control.

Then, whatever policy the company establishes for its records retention rule, the company also needs to establish what's called an exception process, or legal hold process. "Companies need a well-developed records management policy that includes ESI (electronically stored information), as well as a legal hold process that ensures communication, coordination, and compliance of preservation obligations for litigation and investigations," says Daley. In other words, he explains, the law states that in the exception process, notices must be sent out and processes must be in place.

Electronic records management systems, such as Enterprise Vault from Symantec Corp., for example, can help companies best manage e-mails and other electronic data by accepting e-mail and instant messages directly from the management system so that individual employees aren't at risk for deleting information. They serve as technological enforcement for the legal hold process. Enterprise Vault can automate the process of declaration, classification, and retention of electronic data.

Establishing a system for archiving e-mails for future review or audit is also part of a solid best practice strategy. However, companies are advised to invest in an archival data system that includes a framework that enables the discovery of content held within e-mail and manages content via automated policy for active retention and seamless retrieval of information.

Finally, companies must not only administer the policies set in place for compliance but also enforce them within the enterprise. All employees must be held responsible and accountable for complying with procedures and policy.
Lynn Haber is a freelance technology writer in Norwell, Mass.