Keep Your Eyes on the Enterprise: Emails, Wikis, Blogs, and Corporate Risk

Page 1 of 3


Webster’s New World College Dictionary defines "risk" as "the chance of injury, damage, or loss." In the corporate world, "risk" translates into the possibility of lost assets, decreased productivity, loss of reputation, and liability—all of which gnaw at the bottom line. That old stalwart, email, and some Web 2.0 upstarts like wikis and blogs, are supposed to make us more productive and collaborative. However, the challenge is how to get all digital communication and collaboration tools to conform to business best practices as well as legal requirements.

The Rise and Fall of Email 
In the beginning…there was email, and it was good. Good as a substitute for the missed phone call; for scheduling; for distributing information; for preserving the minutes of meetings; for archiving data, policies, and procedures; for early warnings regarding the pesky virus du jour; and for informing employees about corporate news. It has been one of the best methods of organizational communication, collaboration, and intelligence-caching we’ve had to date.

Unfortunately, the downside of email has become plain to anyone with an inbox. Email has become unwieldy in volume, and particularly so for compliance, given storage requirements. Radicati Research estimates that corporate email traffic will almost double between 2005 and 2009, going from 64.9 million to 2 billion messages per day. Storing email is expensive, and servers bloated with email devour a lot of time when there's a need to recover messages. This, in turn, makes other applications less available and results in downtime for employees and the company.

Yet despite increasing volume—and awareness that email must be stored and managed—a survey conducted in February of this year by email-archiving solution provider Fortiva reported that 45.9% of respondents had no retention policy for email. According to Keith McCall, CTO at Azaleos, an email-management solution for Microsoft Exchange, "older, stored knowledge must be indexed, classified, and easily recoverable to be useful."

International Data Corporation has estimated that as much as 60% of email information is mission-critical, such as sales proposals, marketing plans, contracts, customer profiles, and personnel files. However, corporations that still depend on email and instant messaging as their primary communication and collaboration tools—and leave the management of email in the hands of individual employees—run the risk of losing essential data or precious assets such as audio or visual media. If a corporate resource is "un-findable," the cost to re-create it can be daunting. Osterman Research estimates that the IT departments of large corporations spend 5 hours per 1,000 users per week performing routine archiving tasks and recovering deleted emails.

A recent information security survey of corporations with over 1,000 employees conducted by Insight Advantage showed that 94% of respondents either believe that email messages containing private or confidential information are leaving their organization, or else they are simply unaware of a violation. This sensitive information could be customer profiles, trade secrets, or product development strategies. Incredibly, 57% of these corporations don’t have a specific method for enforcing data privacy and document-security policies.

Emails and instant messaging have become major features in litigation and headlines; they have become electronic evidence, the digital smoking gun. According to the American Management Association, 27% of Fortune 500 companies have defended themselves against claims of sexual harassment stemming from inappropriate email and/or internet use. According to Alan Armstrong, VP of product development at Fortiva, "Corporate emails are the number one discovery request in litigation." In an employee discrimination suit, UBS Warburg was forced to pay out $100,000 in recovering internal emails alone, never mind the whopping litigation costs. Merck and Company’s shares plummeted following reports that internal emails revealed the risk of Vioxx years before its voluntary withdrawal of the drug.

Moreover, in the last couple of years, hundreds of federal and state regulations have been promulgated that require businesses to retain and archive email messages just as they do formal corporate records. The Sarbanes-Oxley Act, enacted in response to the Enron and WorldCom financial debacles, defines those records that are to be retained and for how long. The Health Insurance Portability and Accountability Act (HIPAA) ensures prosecution of wrongful disclosure of personally identifiable health information. The new Federal Rules of Civil Procedure allow weighty fines to be levied if a company fails to make email evidence available within 30 days of a discovery hearing. Indeed, Bank of America was fined $10 million for failing to produce emails and other documents in a timely manner to the SEC. Says Fortiva’s Armstrong, "The FRCP does not dictate what is to be included in your policy; it says that you simply have to have one. The courts look unfavorably upon unattended policies."

Given the potential financial and even criminal consequences for noncompliance, some companies are trying to educate employees about how to handle this type of content. Richard Cellini, VP of Integrity Interactive, a global leader in ethics and compliance programs, says that despite its downsides, "Email is forever." As such, Integrity trained 3 to 4 million employees "in the proper use of computers and email last year. This was our second most highly requested topic," says Cellini.

Not surprisingly, a number of solution providers have come to the forefront of the email management/archiving space: among them Fortiva, Symantec, EMC, Open Text, Microsoft, and IBM. In response to the loss of proprietary data and to comply with regulatory/legal requirements, a number of best practices or recommended policies have evolved.
