Moreover, the overwhelming use of technology to create and disseminate documents has heightened the need for email management, said Mark Diamond, president and CEO of Contoural Inc., a Mountain View, Calif.-based consultancy that specializes in email and record retention strategies. "The majority of documents companies get are electronic -- the latest figure is 96%," Diamond said. "And even hard-copy documents are usually copies of electronic ones."
Going the opposite direction and letting the legal or compliance staff draft these policies unchecked can also be disastrous.
"Sometimes the CIO is just recovering from SOX, and the last thing they want is to look at the email litigation readiness issue," Diamond said. "But they need to be involved because they have to be able to make sure the policy can be effectively implemented and enforced." He added that a lot of legal people don't necessarily understand what is achievable via technology, and could thus prescribe something that is well-meaning but difficult to follow.
The CIO has several parts to play in creating an email retention policy that satisfies all parties, and each of them demands an investment of time and energy:
- CIOs need to facilitate cost and risk discussions.
The No. 1 thing CIOs need to understand is that they are not the policymakers, Benton said. That's the job of legal and compliance. "CIOs need to ensure that legal takes the heat for the legal aspects of policies that drive retention and so on with email archiving," he said.
The CIO chimes in when the discussion turns to cost, and evaluating the cost/risk tradeoff of different email retention policies. "Some people keep email for three years and others delete it after 30 days, but it's not the CIO's job to make that call," Benton said. "[The CIO] needs to have a cost model that gives the different costs involved in retaining email for three months, or seven years." That data should be used to drive a dialogue between business unit management and legal on how to reach a solution that balances cost and risk.
"At the end of the day it's all a risk assessment process," Diamond said. "Lawyers and CIOs need to create costing models on how much proposed policies will cost to put together."
- The CIO is not the policy creator.
While CIOs are important contributors to the policies that govern email archiving, they should by no means be the sole arbiters. "Building a good policy is a consensus among IT, legal, compliance and the business side," Diamond said. But the CIO's role is that of helper, not creator. For example, the CIO can offer technical solutions to resolve a conflict between business units that want to hold on to data for business reasons and legal staff who want to delete it for legal reasons.
Jeff Freund, CTO of Clickability Inc. in San Francisco, envisions his role in email archiving as one of implementer rather than creator. "As the CTO/CIO, I would look to HR/legal to inform me of the requirements and work with my administrators to figure out the correct solution to fulfill the requirements," he said. "Like most IT projects, success will be driven by a clear definition of these requirements, choosing a flexible solution that can evolve with changing regulations over time, and a solution that is easy to use by end users and administrators alike."
CIOs who design the actual policy can put the company at risk, Benton said. "It's really perilous when the CIO gets involved in advising what a policy should be," he said. "Imagine what would happen in the absence of legal participation if the CIO decides to keep emails for three years, and a legal discovery wants the emails from four years. It's not fair for the CIO to be responsible."
- CIOs should work to keep policies enforceable.
To build policies that actually work, the KISS Principle should be in full force. "Most companies try to create huge, detailed documents that have a retention schedule for every type of legislation, and want users to retain information according to the schedule," Diamond said. "What happens is that people just ignore it."
One key is to automate as much as possible, so CIOs don't have to rely on employees taking action. The other is to set a "high water retention mark": the longest period any applicable rule requires emails to be kept, and to retain all email for that period rather than applying a different schedule to each category.
"Many companies are just saving everything for the longest period of time, in this case, three years," Diamond said. "Some will be saved longer than they should, but we're finding that it's cheaper, reduces risk and is more compliant to save for a slightly longer period of time and be able to automate it."
- Build a litigation hold process.
A litigation hold process allows a company to quickly stop the expiration or deletion of records when it gets notice of pending litigation. "For those companies that don't want to save records for long, that's OK, but make sure you have a robust litigation hold process," Diamond said. "The moment you get that legal note, you want to make sure that all the relevant records in all relevant departments are saved."
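The two mechanisms described above, a single high-water retention horizon and a litigation hold that suspends deletion for records in scope, can be modelled in a few lines. The following is an added example written for this article, not code from any of the consultancies or vendors quoted; the retention schedule, mailbox data and hold scope are constructed sample values, the years are simplified to 365 days, and the hold matches on department and message date only, which is one possible scoping rule rather than a legal standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Hypothetical retention schedule (days per record category). Constructed
# sample values, not any jurisdiction's actual requirement; a year is 365 days.
RETENTION_SCHEDULE_DAYS: Dict[str, int] = {
    "general": 90,          # routine correspondence
    "hr": 365 * 3,          # personnel matters
    "finance": 365 * 7,     # financial records
}


def high_water_mark(schedule: Dict[str, int]) -> int:
    """Longest period in the schedule: every mailbox is retained this long,
    so no user has to classify mail by hand."""
    return max(schedule.values())


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str      # mailbox owner
    department: str
    sent: date


@dataclass(frozen=True)
class LitigationHold:
    """A hold freezes deletion for messages in scope until legal releases it."""
    matter: str
    departments: frozenset
    start: date                  # earliest message date in scope
    end: Optional[date] = None   # None means open-ended

    def covers(self, m: Message) -> bool:
        in_dept = m.department in self.departments
        in_range = m.sent >= self.start and (self.end is None or m.sent <= self.end)
        return in_dept and in_range


def purge_candidates(messages: Iterable[Message], holds: Iterable[LitigationHold],
                     today: date, retention_days: int):
    """Return (messages safe to expire, ids of expired messages frozen by a hold).

    A message is expired when it is older than the retention horizon; it may
    only be deleted if no active hold covers it."""
    horizon = today - timedelta(days=retention_days)
    expired = [m for m in messages if m.sent < horizon]
    held = {m.msg_id for m in expired for h in holds if h.covers(m)}
    purge = [m for m in expired if m.msg_id not in held]
    return purge, sorted(held)


def run_sample():
    """Constructed mailbox sample: one open hold on the finance department."""
    messages = [
        Message("m1", "alice", "sales", date(2015, 6, 1)),    # expired, no hold
        Message("m2", "bob", "finance", date(2016, 3, 15)),   # expired, under hold
        Message("m3", "carol", "hr", date(2022, 5, 10)),      # still within retention
        Message("m4", "bob", "finance", date(2010, 1, 1)),    # expired, predates hold scope
    ]
    holds = [LitigationHold("matter-001", frozenset({"finance"}), date(2016, 1, 1))]
    today = date(2024, 1, 1)
    purge, held = purge_candidates(messages, holds, today,
                                   high_water_mark(RETENTION_SCHEDULE_DAYS))
    return {"purge": [m.msg_id for m in purge], "held": held}


if __name__ == "__main__":
    result = run_sample()
    print("safe to expire:", result["purge"])
    print("frozen by hold:", result["held"])
```

The point of the design is that the expiry job never needs to know why a record is kept: the horizon is one number derived from the schedule, and a hold is an override that is checked before every deletion, so receiving a legal notice becomes a matter of adding a hold record rather than reconfiguring the archive.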
Building a strong email archiving process isn't impossible; it's a matter of reaching consensus across a number of factions, with the CIO among them. "The IT and legal parts are not that complicated," Diamond said. "It's fitting the two together that's the challenge."
Carol Hildebrand is a contributing writer based in Wellesley, Mass.