Miscues abounded in Boston email retention policy, practices

By Linda Tucci, Senior News Writer
23 Sep 2009 | SearchCIO.com


Email retention policy became part of the public discourse recently in Boston. A records request from The Boston Globe revealed that a top aide to the mayor was double-deleting messages in apparent violation of a state records requirement to save everything for two years. The practice was chalked up to a misunderstanding, but an investigation is ongoing -- and drives home to all CIOs the importance of having an email retention policy and communicating it clearly to users.

We spoke with city of Boston CIO Bill Oates on the day the city published an email policy guide to how the city did things before and the measures taken since -- including journaling -- to clarify its email retention policy.

Here is an edited and condensed version:

Were you surprised when you read, along with everyone else, that this mayoral aide had been cleaning out his inbox by double-deleting and that this has turned out to be a controversy for the current administration?
Oates: Most of our activity managing the mail system is concerned with capacity. We spend probably more time looking at the high users as opposed to looking for low levels of messages in people's mailboxes.

In this instance we had a records request. Normally, the result of such requests is volumes of data. So as soon as it came to our attention that there was a low number of retrievable emails we dug deeper and discovered that our users expected that all their mail was being saved. We reacted to that right away. But in the normal course, our technology support team would not be out there actively looking for folks with small numbers of messages in their mailboxes.

The other key issue is that what we're hearing now is a requirement to save everything, no matter what the content, for a minimum of two years. I think that if we understood that as a clear requirement we would have had a system in place that would support that requirement.

More email retention policy details
Does Boston have a formal email retention policy?
Oates: There really has not been a clear retention policy, but there has been a lot of discussion over the last couple of years. A task force in place this year with legal, the city archive management folks and our IT team has been looking into the Federal Rules of Civil Procedure and some of the Massachusetts requirements. We definitely had a disconnect between what the users were expecting was getting backed up versus what was actually getting backed up. Legal has just released a policy to make sure everybody understands what the policy is.

Do I understand correctly that there was no email retention policy in place before the mayoral aide's emails were requested?
Oates: We certainly had an email use policy that is consistent with our IT policies that has been up there for a number of years. But from the retention perspective, I don't know that there was a single email retention policy that had been officially adopted citywide. Last May we released to everybody an email policy that is also up on our employee portal. I don't believe prior to that that there was a specific email retention policy.

What explains a top mayoral aide's lack of knowledge about email retention best practices or policies?
Oates: We found an expectation around retaining emails that was not consistent with what the systems were doing at that time.

We now have put a safety net in place by enabling journaling in our Exchange environment, which creates a copy of every message that comes in or leaves the city mail environment, and this copy is saved separately from the email that would actually go into a user's inbox. In addition, we back up our systems every night. We retain all of those backups; we start on a Data Domain backup system and then it moves off to tape. So, for three months we have backup of our entire Exchange environment, which includes all messages. After the three months, messages are automatically thrown into an archive, where they stay indefinitely. --L.T.

So you were not aware of the two-year rule?
Oates: I do not believe that there is a requirement by any public-sector agency for us to do that. We value how important the retention of public records is for the city, and today we have an email system that has more than 10 million objects in it. We have a robust server and storage environment to support our mail system. We are very diligent about making sure that we provide the capacity in the systems to do those kinds of things.

But the idea that literally every message that comes into our city environment, whether it has business-related content or not, be saved and held on to without giving our users the ability to do some level of content filtering is not ideal. Our public records folks were telling our users, in a policy statement posted in May, to look at the content of their mail and if there is no business value to that information to get rid of messages when you don't need them. So it was very clear that the email system was not viewed as a record-keeping system.

We are going to be meeting regularly with the secretary of state's office, because we want to make sure our policies and our systems are supporting whatever the state and federal requirements are on public records. We want to comply; all I am saying is that if compliance is interpreted as the need to hold onto every single message that comes into and leaves our environment and that these messages be kept for two years, I am not sure that is the proper interpretation of what requirements are.

Is the goal to be working with the secretary of state and get the law changed?
Oates: I don't think we are talking about any law change. I think what I am saying is making sure we have clear guidance on the interpretation and application of that law. In our situation, we clearly had a disconnect between the expectations of our users and what our systems were doing in terms of email retention. I am not saying that I believe anything we were doing concerning message processing and retention was in violation of any statutes.

We are doing journaling right now because we want to make sure we are not losing any message that comes into our environment, and we will continue to do that as long as we need to. But I am not sure that that would be the regular practice anywhere else, but that would be the only way to hold on to all these messages and literally not give the user an ability to delete even an inconsequential message.

How much time have you spent on this the last couple of weeks?
Oates: More than we normally would! We have a lot of technology initiatives going on around the city. But we certainly understand this is critical, so we have been spending a lot of time on it. The good news is that we have spent a lot of time and effort over the past year in building up our system -- we have migrated our Exchange platform over the last year, which dramatically increased our server and storage capacity in the city to support the growth of all these things we are talking about.

Have you consulted with other cities on how they handle what is clearly a thorny issue -- email retention?
Oates: Yes, we have. I think that how we have managed our environment is very much in keeping with how other cities run things.

Disconnects and miscommunications are the Achilles' heel of IT. Do you plan to get out there and talk to users?
Oates: Absolutely. Take a look at our website, CityofBoston.gov, and click on the email policy link, which is a summary of our policy, including a couple of diagrams that show how we operated before and after the change. You'll see all the training and education of all the employees, on the new email policy issued by our corporation counsel.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer


