When it comes to managing e-mail to comply with federal and state regulations, Thibault is in good company. For many organizations, regulatory compliance laws have mandated a closer look at how they manage e-mail. From the Health Insurance Portability and Accountability Act (HIPAA), which seeks to secure the privacy of personal healthcare information, to SEC regulations that govern electronic information retention at many financial organizations, to the Sarbanes-Oxley Act (SOX), which mandates management and retention of financial records for any publically traded company, regulatory insistence on the ability to retain and quickly retrieve valuable data grows more common.
And as employees lean on e-mail as a vital conduit of exchanging, sharing and analyzing corporate information, the burden of managing it grows heavier. Not only must IT groups toe the line on regulatory compliance, but they must also keep e-mail growth at manageable levels, and do so under the tight budgets that are today's corporate norm. For them, technologies such as e-mail archiving, virus and spam software, and storage management are key.
"Managing e-mail is an enormous deal because it's not just about one area," said Peter Gerr, an analyst at Enterprise Strategy Group, a storage-oriented research company based in Milford, Mass. "It impacts storage management, data management and risk management. Everybody in the organization uses e-mail,and when that application is interrupted, everybody knows it."
With such an important application, it's doubly important to get its management and storage under control. Using the following four best practices, storage managers can make sure that their e-mail beast does not run amok.
1. Manage e-mail for regulatory complianceInvesting in an e-mail archiving application is almost a no brainer, as regulations that affect how companies store and retrieve electronic data seem to sprout like mushrooms after a rain. For example, any publicly traded company must comply with the SOX, which was written to improve the integrity of financial record keeping at such companies. As well, any company planning an IPO must comply with SOX before trading commences. Then there's SEC Rule 17a-4, which requires financial services companies to store a variety of records, including electronic and instant messages, for six years -- the first two years in an easily accessible place. Among other things, HIPAA requires health care providers to comply with data collection, integrity and privacy standards pertaining to information that identifies a patient. HIPAA doesn't necessarily affect pure health care providers, however. If a company touches patient information in any way -- for example, a life insurance company-- it should comply.
Here, it's a no-brainer for many large companies: Invest in an e-mail archiving application. "You almost have to [archive] if you're regulated," said Jenney Fields, a senior consultant at GlassHouse Technologies Inc., a storage research and consulting firm in Framingham, Mass. "If you get audited by the SEC, I think there's a 72-hour window of response. If all your messages are sitting on backup tape, good luck."
Vendors have responded to the increased need to archive e-mail in the past couple of years. Gerr cites KVault Software Ltd., which was recently acquired by Veritas; EMC Corp.'s Legato e-mail extender; iLumin Software Services Inc., and Zantaz and Iron Mountain Inc.'s new acquisition Connected, as market leaders in the archiving arena.
Depending on the size of the company and the complexity of its messaging environment, Gerr estimates that the cost of archiving ranges from a couple of dollars per desktop annually to up to $20 to $25 per desktop.
But that pales in comparison to the possible costs of noncompliance. Gerr cites Bank of America, which was forced to pay a $10 million sanction last spring to settle SEC allegations of noncompliance with laws on record keeping. "One motion for discovery on a legal case could run into millions just to locate and process tapes and find the correct messages," he says. "It's very time consuming."
2. Stop e-mail before it hits storagePut the kibosh on e-mail before it even hits the storage rack and eradicate as much spam as possible. GlassHouse's Fields said that companies should put in several spam filters for the best results. "Different filters use different types of algorithms, and you want to make sure that your filters will address the types of spam you're receiving," she said. Do some analysis of what kind of spam commonly hits your company and choose your filter accordingly.
Another new technology catching hold is single-instance storage. Here, storage tools can identify multiple copies of the same e-mail -- a Powerpoint presentation sent to 10 colleagues, for example -- and store just one copy, keeping placeholders for the other nine. "It can have a material impact on storage demand," Gerr said.
Fields also recommends monitoring the mail server for performance, virus verifications and the growth of data files within Exchange. It gives storage administrators a heads up as disk space fills up. "That way, if you know you're running out of disk space in a storage group or database, you can take some action whether it's creating a new database, or having users clean out their mailboxes," she said.
At Visible Path Corp., a social networking software maker in New York, CTO Jeff Patterson uses SharePoint software to mandate collaborative discussion groups that cut down on e-mail. For example, the developers all congregate on one discussion forum to share and analyze data -- rather than using e-mail.
"So you only have one copy of a message rather than 15 flying around and attachments only need to be shared once too," said Patterson. "It makes a threaded discussion group that's easy to archive and search, and it takes a load off the Exchange server. At the very least, providing employees with a document workspace, where they can store files for others to see rather than having to attach them to e-mails, will keep mailbox sizes in check."
3. Set companywide e-mail policies and proceduresThe next step is to create e-mail policies designed to spawn fewer e-mails and store them sensibly. Gerr recommends that storage managers work with line-of-business owners, risk officers and IT folks to develop a corporate guide for e-mail. "Everybody in the company should know what the messaging policies are," he said.
For example, at Visible Path, Patterson has instituted limits on mailbox size, capping sizes at 150 MB. "At this point, we aren't worried about regulation compliance, but we are worried about the sheer volume of archived data," he said.
Another decision is whether to allow users to store e-mail on personal mailbox folders on the desktop -- a tricky subject -- since e-mail stored on the desktop will be missed by e-mail archiving software. "Eliminating personal mailbox folders goes a long way toward eliminating risk because you're centralizing message management," Gerr said.
Policy makers also need to ensure that e-mail that has outlived its regulatory freshness date is promptly deleted. "Make sure you have outflow processes and procedures too," said Gerr. "It's okay to dispose of messages and attachments that have outlived their legal expiration dates."
4. Consider outsourcingFor many companies, outsourcing e-mail management is becoming a more viable option through companies such as Zantaz and Iron Mountain, Gerr said. He particularly likes this choice for the small- to medium-sized business market (SMB). "I'm seeing a lot of momentum for SMBs in both mailbox, and message management and archiving," he said. "Outsourcing can be cheaper for the SMB if it doesn't have high e-mail volume, and doesn't have to retain records for long. If it doesn't have the skills in house, this is a good thing to consider."
In the end, it's important to manage e-mail as the vital business conduit that it is. "It's not just a messaging application," Gerr said. "It's an application used to conduct business. E-mail is mission critical and needs to be protected as such."
This was first published in October 2004