Basic Email Management Policies
Chris Bradley
Most organizations today are at risk because they have minimal or no policies to control data that is shared through everyday communications. According to industry analyst Enterprise Strategy Group, more than 65 percent of an average company’s intellectual property is sent both internally and externally via email and resides somewhere within the messaging infrastructure.
In addition, email has replaced memos, voice mails and face-to-face meetings as a means of sharing information and getting work done. Many employees prefer email over telephone conversations because it allows for easy and efficient communication with multiple parties, with the added benefit of a paper trail that can be tracked and referenced.
Perversely, as email becomes a workflow tool, its relevance deteriorates. Most now see email as a burden, despite its being a necessary communications tool. Users are copied and blind-copied as both a courtesy and a requirement. Other “opt-in” email traffic, such as periodicals, newsletters, order confirmations and personal emails, adds to the volume.
Nonetheless, usage continues to increase. With email now considered a legal business record, this growing volume of information becomes a source of increased legal liability. This leaves companies, especially those in highly regulated industries, in a precarious situation.
Underscoring the importance of properly categorized and managed email archives, the Federal Rules of Civil Procedure (FRCP) require that email and other electronic communication be provided in a timely and organized manner during the litigation discovery process. At the same time, regulations under SEC Rule 17a-4, SOX, FERC and HIPAA also pose a violation risk to organizations lacking adequate controls. Today email risk management has become a strategic priority.
The problem for C-level executives is to find a way to comply with laws and regulations while keeping capital expenditures and operating budgets at a minimum. Organizations of all sizes are virtually compelled to implement cost-effective email retention and archiving policies that can be consistently enforced.
The following are some suggested basic components for such a policy.
• Manage intentional and unintentional employee misuse. While neither SOX nor the SEC’s implementing regulations impose specific requirements for email security, or IT security in general, the frameworks commonly used for assessing internal controls are still applicable to email. The instant and casual nature of email poses a risk for all organizations. To secure casual conversations and avoid routine routing of inappropriate emails to compliance departments, consider email controls as low-cost insurance and a critical component to preventing information from unauthorized use, disclosure or modification.
• Practice smart archiving. Many companies try to retain all emails, but the huge volume of email strains storage budgets and resources. Under SEC Rule 17a-4, securities firms must retain their electronic documents, including email, for five years and ensure that they are readily retrievable and reviewable. When email is requested by a regulatory body, the retrieval time is immediate, usually within the next 24 hours.
By applying real-time analysis through consistent email archiving controls before messages enter the archive, companies can avoid costly e-discovery litigation fines.
• Create email controls and policies that can intercept at-risk emails. Under HIPAA, companies must maintain administrative, technical and physical safeguards to prevent intentional or unintentional disclosure of “protected health information.” In order to maintain complete audit trails for any data leaving the company, look for a flexible real-time system that enables management of information flow while mitigating insider threats.
• Audit and profile email usage in real-time. To guard against potential email risks, it’s necessary to implement policies that look for specific criteria in email attachments, including file formats and usage patterns. For example, the Federal Rules of Civil Procedure require speedy recovery of electronically stored information, something possible only with rapid search and retrieval capabilities and the ability to audit operations.
IT should have the ability to review emails and act based on established policies, group affiliation, as well as email and attachment content and context in real-time, within the live email stream.
• Provide real-time capability for blocking and re-routing of outbound emails. Companies need a solution that gives IT the ability to review and monitor emails within the live email stream, at the network level.
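As an added illustration of the real-time review, blocking and re-routing controls described in the last three points (example code written for this page, not MessageGate's product or anything from the original article): a small outbound policy check in Python using only the standard library's email parser. The company domain, group directory, restricted attachment formats, compliance mailbox and the PHI pattern are constructed assumptions; the returned record is the audit-trail entry the policy would persist for every message.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "corp.example"                  # assumed company domain
COMPLIANCE_MAILBOX = "compliance@corp.example"    # assumed review mailbox
GROUPS = {"alice@corp.example": "finance",        # constructed group directory
          "bob@corp.example": "engineering"}
BLOCKED_FORMATS = {".pst", ".bak"}                # constructed: never leaves the company
REVIEWED_FORMATS = {"finance": {".xlsx", ".csv"}} # constructed: per-group review before export
PHI_PATTERN = re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.I)  # constructed PHI marker


def evaluate(raw: bytes) -> dict:
    """Apply outbound policy to one RFC 822 message; return decision and audit record."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [r for r in rcpts if not r.endswith("@" + INTERNAL_DOMAIN)]
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    exts = {n[n.rfind("."):].lower() for n in names if "." in n}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    group = GROUPS.get(sender, "unknown")
    if external and exts & BLOCKED_FORMATS:
        action, reason = "block", "restricted attachment format to external recipient"
    elif external and PHI_PATTERN.search(text):
        action, reason = "reroute", "possible protected health information sent externally"
    elif external and exts & REVIEWED_FORMATS.get(group, set()):
        action, reason = "reroute", f"{group} group data export requires compliance review"
    else:
        action, reason = "allow", "no policy match"
    # Audit record: who sent what, to whom, and what the policy decided
    return {"action": action, "reason": reason, "sender": sender, "group": group,
            "external_recipients": external, "attachments": names,
            "deliver_to": {"allow": rcpts, "reroute": [COMPLIANCE_MAILBOX], "block": []}[action]}


def build_message(sender, to, body, attachment=None) -> bytes:
    """Construct a sample outbound message (constructed test input, not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, "quarterly numbers"
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()
```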
Damaging emails can impact an organization on many levels, ranging from reputation damage and legal liability to a decline in the stock price. Companies can no longer ignore email-related risks and must take measures to meet compliance mandates, safeguard intellectual property, maintain shareholder value and prevent embarrassing headlines.
Chris Bradley is vice president of marketing and business development at MessageGate, a provider of e-mail controls for enterprise risk management.