What does compliance mean in the context of email? And why should the IT team care?
Compliance means storing email (and data) as long as the law (or corporate policy) requires, and then immediately deleting it to reduce your legal liability.
You should assume every email in your organization has a chance of being read by a judge or prosecution lawyer. If you don’t need that email, don’t keep it around.
Most users tend to hoard their email and do not want to delete it for fear of losing important information they might reference at some point in the future. The truth is that, on average, archives are accessed less than 7% of the time. So in your daily routine, the chances that you will access an email archive to retrieve data are less than 7%.
If you have never been sued and been asked to perform eDiscovery for the prosecution, this may not seem like a big problem yet. But when that day finally comes and you are combing through hundreds of gigabytes of email searching for a particular set of words, you will wish that policy had limited the amount of email users could keep around.
You will also end up turning over a far greater amount of email than is actually related to the case, since the prosecution usually has just a few key words (or key people) they’re looking into. They don’t know what emails they need, so they want all of the ones they can get their hands on. How comfortable are you with a lawyer, who does not work for you, going through your corporate email?
For these reasons and more, it is extremely important for the protection of the company, and for the protection of IT resources, to set policies on how long email can be retained. For the policy to succeed, users need to be trained and the policies need to be enforced. Policy should always be set by a lawyer who is aware of the legal restrictions in your industry; you can then take that information and turn it into a technical solution.
What are the basic components to enforce email retention policies?
- With Exchange and Office 365 the first step is to translate corporate email retention policies into actual policies on users’ mailboxes. Here is a good article on understanding the different types of policies you can set up with Office 365/Exchange 2013: https://docs.microsoft.com/en-gb/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies?redirectedfrom=MSDN
- Train your users on the policies, and how to apply individual policies to emails/folders where necessary. Many companies have a blanket “keep email for only x years” policy, with a litany of exceptions to the rule. Users need to be trained so they can adopt that mentality, and understand what qualifies as an exception.
- Prevent your users from circumventing your retention policies. Many companies struggle with users who don’t think the rules apply to them, don’t care, or for some other reason are interested in ignoring the corporate policy. As an IT team you are responsible for ensuring the company follows retention policy, so it is in your best interest to do the following things to reduce the chance that someone breaks the policy:
  - Turn on “copy on write” for your organization. This is the single most important thing you can do to ensure that your company fulfills its email retention policies. It prevents users from deleting email earlier than the policy states, a loophole that could otherwise be used to cover up illicit activities. Note: This is not the same thing as journaling, which is much harder to work with when doing eDiscovery for a lawsuit. We no longer recommend journaling for any reason, since the newer copy-on-write and archiving compliance features are compatible with the latest eDiscovery design.
  - Send a reminder at least every 6 months to your user base. Remind them what the retention policies are, and give them resources for determining which emails meet which retention policies.
  - Block PSTs in your organization. In order to enforce retention policy on emails, you need to have access to those emails in the first place. With copy-on-write turned on this is less of an issue, but it still doesn’t help you to have users working off a local PST (or heaven forbid a network PST).
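The three technical pieces above (retention tags and policy, copy-on-write, PST blocking) as one added Exchange PowerShell example. This is not PEI's code or a Microsoft script; the tag names, the 7-year and 30-day periods, and the Outlook policy registry path are assumptions and placeholders, and the real periods must come from legal counsel.

```powershell
# Assumes an Exchange Online (Connect-ExchangeOnline) or Exchange Management Shell session
# run by an account holding the Records Management / Organization Management role.
# All names and periods below are placeholders, not legal advice.

# 1. Translate the legal retention schedule into retention tags.
#    A default policy tag (Type All) covers every item not given a more specific tag.
New-RetentionPolicyTag -Name "Corp-Default-7y-Delete" `
    -Type All -AgeLimitForRetention 2555 -RetentionAction PermanentlyDelete `
    -Comment "Placeholder: permanently delete after 7 years"

#    A personal tag that trained users apply only to folders/items that qualify as an exception.
New-RetentionPolicyTag -Name "Exception-Never-Delete" `
    -Type Personal -RetentionEnabled $false `
    -Comment "Apply only to items legal has designated as an exception"

# 2. Bundle the tags into one policy and assign it to every user mailbox.
New-RetentionPolicy -Name "Corp Email Retention" `
    -RetentionPolicyTagLinks "Corp-Default-7y-Delete", "Exception-Never-Delete"

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetentionPolicy "Corp Email Retention"

# 3. Copy-on-write. Single item recovery keeps a copy of anything a user hard-deletes or edits
#    in Recoverable Items for the deleted-item retention window; litigation hold keeps such
#    copies for the hold duration, so nobody can shorten retention by deleting early.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30 `
                -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# 4. Verify: report any mailbox that still lacks the policy or has the holds switched off.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RetentionPolicy -ne "Corp Email Retention" -or
                   -not $_.SingleItemRecoveryEnabled -or -not $_.LitigationHoldEnabled } |
    Select-Object DisplayName, RetentionPolicy, SingleItemRecoveryEnabled, LitigationHoldEnabled

# 5. Block PSTs on a client. Normally pushed by Group Policy; shown here as the equivalent
#    Outlook policy values (assumed Office 16.0 path) for a single test workstation.
$pstPolicy = "HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\PST"
New-Item -Path $pstPolicy -Force | Out-Null
Set-ItemProperty -Path $pstPolicy -Name DisablePst     -Value 1 -Type DWord  # no new PSTs
Set-ItemProperty -Path $pstPolicy -Name PSTDisableGrow -Value 1 -Type DWord  # existing PSTs read-only
```

Step 4 is the part to schedule and review: a mailbox that drifts out of policy is exactly the one a user who "doesn't think the rules apply to them" will be working from.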
Next we’ll discuss the different types of retention tags in more detail, so you can understand how to best design policies for your organization.
Allison Sousa, PEI