E-mail hygiene, storage, and policy management, long neglected, have recently (2002) become business imperatives. Many organizations, particularly in regulated industries, can expect their total costs for e-mail storage and hygiene to double or even quadruple through 2006. Spam and virus management in particular are problems for every organization, because they clog networks, mailboxes, and e-mail stores. Spam with salacious content has also triggered multiple hostile-workplace suits and represents a growing organizational risk. In addition, failure to apply effective management controls to outbound e-mail programs can expose organizations to legal and regulatory problems concerning consumer privacy requirements and preferences, and can cause customer dissatisfaction or defection.
Organizations should address several key concerns related to corporate e-mail, which fall into three areas: spam and virus hygiene, regulatory compliance and retention, and privacy in outbound e-mail.
With current technology, companies should be able to consistently block about 90% of the spam sent to users' mailboxes. The remaining 10% will still annoy users and add to storage costs, but will be manageable. Because the worst consequence of spam blocking is stopping legitimate e-mail (so-called false positives), organizations must make quarantined (blocked) e-mail visible to end users, so that a misclassified message can be found and released, and must ensure minimal disruption of daily business routines. A message rejected outright, with no quarantine copy, cannot be recovered by anyone.
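The quarantine trade-off described above, as an added example that is not part of the original META Group article: a three-tier triage (deliver, quarantine, reject) driven by a spam score, run over constructed sample messages with hand-assigned spam/legitimate labels. The scanner score and its 0-10 scale, the message fields and the recipient names are assumptions for illustration. The evaluation shows that pushing the catch rate from 90% toward 100% raises the false-positive rate, and that a policy with no quarantine tier drops legitimate mail with no way for the user to get it back.

```python
"""Three-tier spam triage with a user-visible quarantine.

Added example, not code from the META Group article. The spam score is
assumed to come from an upstream scanner on a 0-10 scale (hypothetical);
the messages below are constructed sample data with hand-assigned labels.
"""
from dataclasses import dataclass


@dataclass
class Message:
    msg_id: str
    recipient: str
    subject: str
    score: float      # scanner verdict, 0 (clean) .. 10 (certain spam); assumed scale
    is_spam: bool     # ground truth, known only because the sample is constructed


@dataclass
class Policy:
    quarantine_at: float = 5.0   # score at or above which mail is held for the user
    reject_at: float = 8.0       # score at or above which mail is dropped outright


def triage(msg: Message, policy: Policy) -> str:
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    if msg.score >= policy.reject_at:
        return "reject"
    if msg.score >= policy.quarantine_at:
        return "quarantine"
    return "deliver"


def evaluate(messages, policy):
    """Catch rate, false-positive rate, and the number of legitimate messages
    rejected outright (unrecoverable, because no quarantine copy exists)."""
    spam = [m for m in messages if m.is_spam]
    ham = [m for m in messages if not m.is_spam]
    caught = sum(1 for m in spam if triage(m, policy) != "deliver")
    ham_held = sum(1 for m in ham if triage(m, policy) != "deliver")
    ham_lost = sum(1 for m in ham if triage(m, policy) == "reject")
    return {
        "catch_rate": caught / len(spam),
        "false_positive_rate": ham_held / len(ham),
        "ham_rejected": ham_lost,
    }


def quarantine_digest(messages, policy):
    """Per-recipient list of held messages: the view a user needs to spot a false positive."""
    digest = {}
    for m in messages:
        if triage(m, policy) == "quarantine":
            digest.setdefault(m.recipient, []).append((m.msg_id, m.subject, m.score))
    return digest


def release(digest, recipient, msg_id):
    """User releases a held message. Returns the entry, or None if it is not held for them."""
    held = digest.get(recipient, [])
    for entry in held:
        if entry[0] == msg_id:
            held.remove(entry)
            return entry
    return None


# Constructed sample: ten spam and ten legitimate messages.
SAMPLE = [
    Message("s01", "alice", "Cheap meds!!!", 9.5, True),
    Message("s02", "bob", "You have won", 8.7, True),
    Message("s03", "alice", "Re: your account", 7.9, True),
    Message("s04", "carol", "Earn $$$ from home", 6.4, True),
    Message("s05", "bob", "Adult content inside", 5.5, True),
    Message("s06", "carol", "Viagra", 9.1, True),
    Message("s07", "alice", "Important notice", 5.2, True),
    Message("s08", "bob", "Click here now", 8.3, True),
    Message("s09", "carol", "Lose weight fast", 6.9, True),
    Message("s10", "alice", "Hi", 3.8, True),                  # low score, evades the filter
    Message("h01", "alice", "Q3 budget review", 0.5, False),
    Message("h02", "bob", "Lunch?", 1.2, False),
    Message("h03", "carol", "Meeting notes", 2.0, False),
    Message("h04", "alice", "Re: contract draft", 0.3, False),
    Message("h05", "bob", "Vendor quote attached", 3.1, False),
    Message("h06", "carol", "Partner newsletter: 50% off", 5.6, False),  # legitimate but spammy-looking
    Message("h07", "alice", "Travel itinerary", 1.7, False),
    Message("h08", "bob", "Board minutes", 0.9, False),
    Message("h09", "carol", "Webinar invitation", 4.4, False),
    Message("h10", "alice", "Payroll update", 2.6, False),
]

if __name__ == "__main__":
    for name, pol in [("default", Policy()),
                      ("aggressive", Policy(quarantine_at=3.5)),
                      ("no quarantine tier", Policy(quarantine_at=5.0, reject_at=5.0))]:
        print(name, evaluate(SAMPLE, pol))
    digest = quarantine_digest(SAMPLE, Policy())
    print("carol's quarantine:", digest["carol"])
    print("released:", release(digest, "carol", "h06"))
```

With the default thresholds the sample reproduces the article's figure (90% of spam caught) while holding one legitimate newsletter where its recipient can see and release it; lowering the quarantine threshold catches the last spam message but doubles the false-positive rate, and collapsing the two thresholds into a single reject line discards that newsletter for good.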
"The largest issue in e-mail compliance," says META Group analyst Charlie Brett, "is understanding which regulations are applicable to an organization." This is particularly true in the US, where regulatory bodies (e.g., SEC) and regulations (e.g., HIPAA, Sarbanes-Oxley, UETA) have requirements for privacy, retention management, and supervision of e-mail. The European Union, Canada, Japan, and other nations are not far behind in implementing similar regulations. However, with little technology available for large-volume filtering or categorization of e-mail, brute-force e-mail capture and storage is still the standard operating procedure, especially in environments with thousands of users.
In non-regulated organizations, aggressive e-mail purging policies are being recommended by some US-based legal counsels (the opposite of what is typically recommended in Europe) to minimize both storage consumption (the IT driver) and the risk of "smoking gun" e-mails that may create problems in litigation (the legal driver). Any such purge schedule must still be suspended once litigation is reasonably anticipated, so that routine deletion does not become destruction of evidence. Organizations must begin addressing efficient methods to capture, store, and search e-mail, and must treat all e-mail as valuable - though potentially risky - corporate content.
Another area of concern is the use of outbound e-mail channels for consumer interaction (e.g., newsletters, marketing campaigns). Organizations must ensure compliance with governmental privacy legislation, especially in international markets with strong regional privacy laws (e.g., Canada, Europe, Australia). In the US, an organization's privacy policy should at minimum adhere to the Fair Information Principles (e.g., notice, choice, consent) and cover e-mail interaction in addition to other channels (e.g., Web). Organizations should also monitor local, state, and federal trends regarding DNC ("do not call") rules, which will likely be extended from phone contact to e-mail by 2005.
Internally, business and IT groups must make certain that a system is in place to ensure privacy policies are followed and personally identifiable information is protected. We recommend a centralized approach to consent management that links specific versions of privacy policies to consumers' preferences and to the applicable internal rules and external regulations, together with consistent monitoring of industry trends on spam, so that the organization's own bulk mailings are not themselves classified as spam.
User Action: Organizations should begin to treat e-mail as a core, vital business infrastructure that is on par with inventory management and order entry. Indeed, the increasing volumes of critical business data contained in e-mail, the level of threat to the organization, and the relationships maintained with customers through e-mail channels now necessitate that organizations reconsider where e-mail fits within the infrastructure. They should plan on tripling or quadrupling the capital resources devoted to such systems.
META Group originally published this article on 2 July 2003.