Email: The Good, The Bad and The Unruly
The only things that are certain are death, taxes and that some guy from Nigeria wants to put $10 Million US into your bank account. And if you're smart enough, you can skip the taxes part.
It will come as no surprise to anyone that email has both improved and screwed up our lives. For most of us, Outlook (or Firefox or Notes) is burning the phosphor in our screens more than anything else. But email is also busting our cajones as we learn more about the risk/reward compromises we are being forced to make each day. Each minute.
"Investigators and forensic guys all go for the email first...that's where the smoking gun is," says Dr. Johannes Scholtes, president and CEO of ZyLAB. "At a federal agency, I saw a sign that read: the following people will read your email within the next six years... And it listed the IT department, the FBI, various intelligence agencies, and the list went on. People are not aware that email is recorded and can be used against them as evidence."
Since it's the center of the known universe, email is getting a lot of attention these days. "If you want to understand what happens in a business's history, email is the first place to look. Oftentimes, it's the only place you need to look," says Nick Mehta, senior director for product management, data management group, at Symantec. "The fact that email is legally discoverable is the giant trend, more so than regulatory compliance. You may or may not be subject to regulation, but everybody can get sued."
"Here's a fun fact," says Joe Romanowski, VP of product strategy at ZANTAZ. "We recovered over five petabytes of information last year, mostly for companies getting into compliance or for legal discovery. If you printed that out and stacked it, it would make eight round trips to the sun." (But wouldn't it burn? I asked. "Yeah... that's why we did it at night," replied Romanowski.)
How did it come to this? Email was supposed to be a harmless communications device, not that different than a telephone, with which one should send documents and confirm appointments. And forward jokes. Now, all of a sudden, it's one of the great risk centers in any company, and one of the least managed. It's kinda scary.
Josh Jacobs, president of X1 Technologies, puts it bluntly: "Even though the medium encourages casualness, it's not casual. It's a subpoenable source of corporate information. It's potentially beneficial, but also a potentially very high risk thing. An email to somebody outside my firewall is a communication from the company. I speak on behalf of the company." Email has made it much harder to control who speaks on behalf of the company.
"Email is unique, because you don't know who was blind-copied, or who has a copy on their computer's .PST file. All you can do is mitigate your risk through your best actions," admits Dan Ryan, executive VP, marketing and business development for Stellent. Symantec's Mehta agrees: "You may think you're getting rid of emails, but they live in so many boxes. And they also live in the email accounts of the external parties. You may delete your copy, but the other party has their copy. There's a disconnect in many IT organizations between the way they treat email— the service level, the mission-criticality—and the perception from the management and the executives of how important it is," continues Mehta. "Add to that the increasing volume, and the result is: it's harder all the time, and more important all the time."
What Happened?
What happened was this: we became reliant on email for more than just forwarding jokes. "Something like two-thirds of US companies accept email as purchase confirmation," says X1's Jacobs. "That means email has to be handled as transactional data. It's a record; it's a contract. It's a documented trail of a negotiation. There are financial and legal risks. You absolutely have to have a centralized management component around it, and you have to have governance that includes policies, ranging from retention to ‘what do we and don't we say in email.'"
"People say they want to do records management," says Scholtes. "Then we tell them that every email is a record...suddenly they don't want records management anymore. It's a lot of work! Email started as a tool to route documents to one another," Scholtes continues. "Now it is a vault to store data. It's easy to use Exchange as your personal knowledge repository. But your PC and your Exchange server are not the right place to keep valuable information. Many companies delete emails after three months, making users do ‘doublework' to store important information in a content management system. And users are unhappy about it."
Andrew Pery, worldwide marketing manager of Hummingbird, adds that "email is the most pervasive and widely used content store for managing critical business information. "But," he quickly points out, "it's a misconception to think of an email vault as a safe storage mechanism. Internal policies are being more rigorously implemented, but there's still a lot of confusion about what you should profile into your content store as an active document, versus what you should move directly into archive."
"Two years ago this was just an IT problem... how do I get it off my Exchange server?" says Romanowksi of ZANTAZ. "But now, companies bring in their legal department to find out ways to lower their discovery costs. And the compliance officer wants to know if he can use the solution to get rid of stuff. In some cases, it's both. Even if it's able to be destroyed because of a retention policy, they still want to keep it for discovery. Different departments have their own problems to solve, but they're looking at the same solutions suite" to do it, Romanowski observes.
"The key is to consider email as important as any other knowledge object that you have," says Pery. "It should be managed as well as any other content object. It should be moved into the proper folders, assigned retention and disposition rules, and in general managed like any content repository, rather than just sitting out there in an inbox."
The "whose problem is it?" question seems to be pervasive: "The typical IT manager still sees email as a disk-space problem, not as a liability or even a knowledge management opportunity," points out ZyLAB's Scholtes. But it has far greater implications than that. For example, "In Europe, you're required by privacy law to delete any emails that refer to an employee's bank accounts or other financial information three to six months after the employee leaves the company. If he sent an email saying ‘deposit my salary in the following bank account,' you have to find that record and delete it."
Nick Mehta adds: "Customers are focused on the near-term risk. They haven't synched up with the business value of email. That's because the people making the decisions about retention work in the legal department. They don't grasp the dayto- day needs of the various department managers. But over time, companies will realize that email is an asset. They'll get away from focusing on the liabilities. I'm a firm believer that people will start keeping email for a longer time...more than they just have to for law or policy."
That may be so, but as long as there are email stores, there will be fragrantly smoking guns. "Legal discovery is a well-known problem," says Dan Ryan from Stellent. "Just not a well-solved one yet. Nobody wants to keep one item more or less than they need to keep. They can't afford to get rid of anything they legally have to keep, and they don't want to keep anything that they legally can get rid of."
"You have to balance risk against value," says X1's Jacobs. "Let's say you have the information created by 100 employees for the past 10 years. One of those employees did something bad five years ago. Does the danger of that one smoking gun outweigh the benefit of 10 years of customer history from 100 sales reps? My sense is: you want the information."
So...Now What?
If email creates a unique problem, what's the unique solution? There isn't one; it's a balance of many approaches. "There is a movement toward integrating archival systems with active stores," says Hummingbird's Andrew Pery. "Using this approach, you have only one instance of an email. You can apply retention policies to the important documents, and you can safely delete personal or spam email. Then you use a stub file, or a pointer, from multiple user locations. This way you avoid the problems of spoliation or inadvertent copies that someone might retain." (BTW, spoliation means "the deliberate or inadvertent modification, loss or destruction of evidence by a party who as been put on notice of litigation but has failed to take appropriate steps to preserve potentially relevant data." Thought that would save you from looking it up. Like I had to.)
"I absolutely believe you have to archive everything in a central server," insists Jacobs. "To the extent you may have exposure (because of this), you put monitoring in place. But making email searchable encourages more sharing, and discourages people from taking things off the server and putting it in their own .PSTs."
"I'm skeptical that filing systems are effective in the long run," says Symantec's Mehta. "What is most likely to work is this: for the people for whom it's in their best interest to file email, they have the ability to do it. For everyone else, you develop low-hanging fruit rules for basic things...emails that are marked ‘confidential' or ‘attorney-client privileged' for example, or documents that are tagged as intellectual property, and you don't want them out of the company...those get automatically filed. But the nirvana of every employee classifying every document and sent item...I don't think that will ever happen."
He's right, of course. But if there's a big enough carrot, sometimes you don't need a stick. "There is both a KM aspect and a compliance aspect," says Stellent's Ryan. "All content needs to be under some form of retention management, for records management purposes. But all content also needs to be able to be searched and discovered. The integration between the two worlds is certainly happening."
When we started this White Paper, we got a lot of different meanings for the phrase "email management." To some it means server offloading, to some it means records management. To a growing number it means knowledge management. Which is it?
All the above. The email that is important from a KM perspective—expertise and best practices—is not the same one that is important for discovery/contract negotiation. One you get rid of as soon as you're legally allowed, the other, you may want to keep longer. It's a tough challenge. Hope this helps.