E-mail hygiene, storage, and policy management, which have been largely ignored, have recently (2002) become business imperatives. Many organizations, particularly in regulated industries, can expect their total costs for e-mail storage and hygiene needs to double or even quadruple through 2006. Spam and virus management in particular are problems for all organizations because they clog networks, e-mailboxes, and e-mail stores. Spam with salacious content also has triggered multiple hostile workplace environment suits and represents an increasing organizational risk. In addition, failure to apply effective management controls for outbound e-mail programs can expose organizations to legal and regulatory issues concerning consumer privacy requirements and preferences, and potentially cause customer dissatisfaction or switching.
Organizations should address several key concerns related to corporate e-mail, which we organize into the following categories:
With current technology, companies should be able to consistently block about 90% of the spam sent to users' e-mailboxes. The remaining 10% will still cause users some annoyance and increase storage costs, but will be manageable. While the worst consequence of spam blocking is preventing the flow of legitimate e-mail (so-called false positives), organizations must expose quarantined (blocked) e-mail to end users and ensure minimal disruption of daily business routines.
"The largest issue in e-mail compliance," says META Group analyst Charlie Brett, "is understanding which regulations are applicable to an organization." This is particularly true in the US, where regulatory bodies (e.g., SEC) and regulations (e.g., HIPAA, Sarbanes-Oxley, UETA) have requirements for privacy, retention management, and supervision of e-mail. The European Union, Canada, Japan, and other nations are not far behind in implementing similar regulations. However, with little technology available for large-volume filtering or categorization of e-mail, brute-force e-mail capture and storage is still the standard operating procedure, especially in environments with thousands of users.
In non-regulated organizations, aggressive e-mail purging policies are being recommended by some US-based legal counsels (the opposite of what is typically recommended in Europe) to minimize both storage space (IT drive) and the risk of "smoking gun" e-mails that may create problems in litigation (legal drive). Organizations must begin addressing efficient methods to capture, store, and search those e-mails, and to treat all e-mail as valuable - though potentially risky - corporate content.
Internally, business and IT groups must make certain that a system is in place to ensure privacy policies are followed and personally identifiable information is protected. We recommend a centralized approach to consent management that links specific versions of privacy policies to consumers' preferences, applicable internal rules and external regulations, and consistent monitoring of industry trends on spam to ensure that any bulk mailings do not fall into that category.
User Action: Organizations should begin to treat e-mail as a core, vital business infrastructure that is on par with inventory management and order entry. Indeed, the increasing volumes of critical business data contained in e-mail, the level of threat to the organization, and the relationships maintained with customers through e-mail channels now necessitate that organizations reconsider where e-mail fits within the infrastructure. They should plan on tripling or quadrupling the capital resources devoted to such systems.
META Group originally published this article on 2 July 2003.