Q: What is the best way to implement records retention in email
without the use of specialized software? Can it be done simply in the existing
email environment?
Blair: With email management, I think
it is important to focus on two things: 1) getting started and 2) getting
better. While some may be in a position to pull off a "big bang" project with
new software, policies, training, change management etc., others don't have that
luxury. I have had clients get started with email retention in their existing
email environment simply by creating an "Email Records" folder and directing
employees to drag all email records into it. Then, anything outside of that
folder is deleted after a set time period. It would also be advisable to provide
a similar method for anything requiring preservation under a Legal Hold. This is
far from perfect, but it does 1) get you started and 2) make you better.
Q: My organization is anxious to outsource our email into the
"cloud." What does that do to our ability to manage and retain our email? What
do you think about the risks of housing email in an offsite solution?
Blair: Hosted solutions for email are really nothing new,
even if they have a new name. The risks and rewards really haven't changed
either. Many experts in this space like to point to the cloud as the new
compliance bogyman, but I'm not one of them. The situation is pretty simple; you
can outsource your email, but you can't outsource your legal or compliance
obligations. So make sure that your provider can support those obligations, and
then address the important issues contractually. The issues are pretty
self-evident: Security, privacy, availability, service levels, response times,
representations and commitments, capability to support e-discovery requests,
continuity planning in the event of service provider bankruptcy or acquisition,
etc. The scope of the issues you need to address also depends on how you are
using the cloud, i.e., for simple storage, or for the entire email capability.
As a final note, I have seen plenty of IT departments who haven't exactly done a
great job on providing the capability to manage and retain email, so make sure
that you aren't comparing a mythical, perfect situation to the speculative and
scary new one.
Q: How can a company allow an employee to determine if the email is
not needed?
Blair: I like this question. Here are a few in
return. How can we allow employees to fly airplanes? How can we allow them to
make important business decisions? How can we allow them to monitor the
instrumentation that controls the power plant? How can we allow them to (fill in
the blanks)? My point here is that we allow (and require) employees to do all
kinds of things in their jobs that would be difficult, tricky, and downright
dangerous without the proper training and context. So why do we think employees
are unable to look at a piece of information and tell if it is a contract or an
invoice? Certainly I'm being a bit glib here, but this question seriously does
mystify me.
With the advent of personal computers and the Internet, the ability to create
and disseminate information was decentralized. The result? The records
management function was also decentralized. In other words, every employee today
is a records manager — like it or not. But, asking them to be a records manager
without showing them how to be a records manager is doomed to fail. So, in that
context, the question takes us to a useful place — if we don't show them how to
do it, we can no more allow or trust employees to make retention decisions than
we can allow them to run a piece of equipment or negotiate a deal. The great
news is that with newer technologies that support role-based retention
categories, automatic classification, and so on, their job is getting
easier.
Barclay T. Blair (bblair@fcsig.com or 403-638-9302) is a
consultant to Fortune 500 companies, software and hardware vendors, and
government institutions, and is an author, speaker, and internationally
recognized authority on a broad range of policy, compliance, and management
issues related to information governance and information technology. Barclay has
led several high-profile consulting engagements at the world’s leading
institutions to help them globally transform the way they manage information. He
heads up the Information Governance practice at Forensics Consulting Service,
LLC (www.forensicsconsulting.com).