Despite increasing concern about the considerable growth of corporate e-mail and its associated costs, most businesses have yet to protect themselves against the risks of non-compliance. In fact, according to industry watchers, most organizations do not have an e-mail retention policy, the foundation for minimizing risk, in place.

While some companies may have paper-based document retention policies there's a good chance they’re out of date, given that more than 90 percent of the documents organizations have coming in are electronic. More importantly, the bulk of these electronic documents never see print. Today’s regulatory and e-discovery climate dictates that no organization should leave good business policy to chance.

Rethinking and implementing a solid e-mail retention policy, one that’s simple, automated, legally defensible, and ensures compliance, will ultimately save companies money, according to Mark Diamond, president and CEO of Contoural Inc., a technology consultancy in Mountain View, Calif.

“Having a good e-mail retention policy is likely to save companies money in storage, e-discovery, and not having to settle lawsuits,” he says.

As the corporate messaging market continues its aggressive growth, from an expected $2.7 billion in revenue in 2007 to $4 billion in 2011 according to The Radicati Group, a technology research company based in Palo Alto, Calif., e-mail is fast becoming a de facto business record.

Over the past several years, the recognition of e-mail as a legitimate business record has taken center stage. Government and other industry regulators routinely request e-mail as part of court and regulatory proceedings. Producing e-mails in a timely manner upon request for e-discovery is also part and parcel of the recent revisions to the Federal Rules of Civil Procedure (FRCP).

Businesses are sitting up and taking notice. “Today, when we talk with customers about updating their retention policies, it’s less about how to deal with structured data in databases and more about the e-mail, messaging, and file servers,” says David Campbell, senior product marketing manager, Symantec Enterprise Vault.

Get Going
Becoming today or tomorrow’s headline news a la Wall Street giant Morgan Stanley & Co. Inc., who in 2006 agreed to pay $15 million in civil fines for failing to provide requested e-mails, should be enough incentive for any business to revisit its retention policy.

“A good retention policy for e-mails is important in litigation, regulatory compliance, and to know what employees are doing in terms of legal and compliance risk,” says Diamond.

In fact, unbeknownst to most organizations, is the fact that employees routinely save e-mails in .pst files, on USB drives, print them out, and even e-mail them home. It’s what Diamond calls the underground e-mail archive. “Many companies have 30-day e-mail retention/deletion because they’re looking to mitigate costs. In reality, such policies have the opposite effect because they increase discovery costs,” he says, noting that employees find ways around them.

Companies must consider the drivers for retention policy development:

• Compliance
• Privacy issues
• Litigation readiness and e-discovery
• Business productivity and end-user liability
• Cost

At many organizations, compliance opens the discussion about e-mail archiving. That’s because compliance requires organizations to save certain types of documents. Compliance can be prescriptive or non-prescriptive. Regulatory compliance that’s prescriptive makes it clear for companies to understand what to save and how long to save it. Non-prescriptive compliance, in essence, is vague, as in "save anything thought to be bad."

The second driver for formulating retention policy has to do with privacy, which also falls under the regulatory banner. “Regulations about privacy don’t have specifics, so companies have to be careful that if they’re saving e-mail and other documents that they have effective and appropriate security and expiration times,” says Diamond.

Developing a retention policy is most influenced today by litigation readiness and e-discovery. While government regulatory compliance may affect some industries but not others, the FRCP sweeps a broad brush across businesses, in general.

“When it comes to e-discovery what we’re finding is less concern that bad e-mails will come up, but rather, discovery defensibility, or will you have it and will you have it fast enough so as not to have sanctions,” says Diamond.

Of course, having a retention policy is worthless if it’s not consistent with employee work habits. A retention policy that’s not followed by employees will ultimately put companies at risk, as in the example of the underground archive.

Finally, the fifth driver for retention policy is cost. Companies that fail to implement an e-mail retention policy will pay more for storage, e-discovery, and to settle lawsuits.

Save It, Store It
A good e-mail retention policy not only reduces risk but also meets business needs. The best approach, according to Diamond, is to save more and do it intelligently. “At the end of the day a good e-mail retention policy is as automated as possible so that it takes people out of the effort of doing manual classifications,” he says. A good automated retention policy and solution also allows information to be retrieved quickly and easily.

Applying products such as Symantec’s Enterprise Vault 7.0 to the problem, for example, provides organizations with a platform that stores, manages, and enables discovery of corporate data from e-mail systems, file server environments, instant messaging platforms, and content management and collaboration systems. Enterprise Vault also intelligently manages data to help protect corporate information while reducing costs.

“Many of the companies we talk to either save everything or delete everything. Enterprise Vault allows companies to get to the middle of the spectrum, to hold critical e-mails and delete the rest,” says Symantec’s Campbell.

Saving more is better than saving less, according to Diamond. A save-more electronic policy reduces liability, but also reduces litigation costs, avoids the consequences of failing to retain or produce documents, and avoids ancillary litigation about document retention policies and practices.

An added benefit of a save-more policy is that it can drive good employee behavior and stop the underground archive. Additionally, if employees know that their business communication will be saved, they may be less likely to use e-mail to create inappropriate messages in the first place, says Diamond.

Getting to Yes
How do companies develop a retention policy that works? Building consensus among all the stakeholders is inherent to developing a solid retention strategy. Stakeholders include everyone in the company.

At the same time, who owns a corporate retention policy tends to involve a committee that spreads across organizational departments such as legal, records management, IT, and security and compliance.

“Policy development often takes weeks or months. A lot of the time, the committee isn’t always on the same page at the start, but over time you see convergence,” says Diamond.

Developing a retention policy should not stop a company from deploying an archive solution today. “You don’t have to wait until a policy is in place to archive,” says Campbell. Companies can turn on a solution today, install it, get it up and running, and begin to capture data.

“As the organization works through its retention policy you can easily pull it back, expire information that’s been captured, or expand policy and save information for longer periods of time,” he adds.

The bottom line when it comes to retention policy development is that every company must have one.