As the quantity of illegitimate emails continues to rise, more companies have been employing mail-filtering products at the edge of their network. The filtering products generally contain a relatively small amount of storage to hold quarantined emails -- messages that are most likely spam, but may not be.
Sacrificing a legitimate email every now and again is a relatively low price to pay if it significantly reduces the amount of spam, but strict data retention laws, such as Sarbanes-Oxley regulations in the US, mean companies are obliged to keep records from certain electronic communications for specific periods of time. And what if the one email you lose is at the centre of a future court case?
As the electronic communications laws are still relatively immature, there is confusion as to how long companies need to archive their emails to ensure compliance.
This causes problems when email has been quarantined. A company could be legally responsible for archiving a particular message that has been caught in its filtering software. If this email is deleted, the company could face legal problems. But because the message has not been undeniably identified as non-malicious, it cannot be allowed onto the corporate storage system.
Colin Gray, vice president and managing director at email security firm CipherTrust, said the fundamental concept of email security is to not let illegitimate emails get into the mail system.
"If we were to let all these messages onto your email system and then quarantine them there, it would defeat the object," Gray said.
According to Gray, Sarbanes-Oxley and other regulations have led to "information paranoia". Companies recognise that they have to retain information, while at the same time finding a way of keeping potentially dangerous email messages separate from their main network.
Policy awareness expert Adrian Wright, who is the managing director of Secoda Risk Management, said the US laws in this area -- apart from those dealing with email abuse by employees -- aren't fully formed, and often contradict each other.
"It's very complicated because post-Enron, there are in the order of 10,000 federal and state regulations on how companies store and access records -- and their timescales don't match up," Wright said.
According to Wright, companies have to find out which regulations apply to their business and then decide how long they should keep their data.
"They have to look across all these regulations to see which ones apply to the retention of data and pick the longest period that applies. For brokerage data, the period is between three and six years, sometimes more," Wright said.
CipherTrust's Gray said the short-term solution for companies is to build much greater storage capacity into their email security products.
"Our products have increased from 36GB to 140GB and the high-end product now has 300GB of storage," Gray said.
Gray said this is a trend that is likely to continue and evolve, ultimately leading to email security firms and storage vendors working together to create secure storage archives for potentially harmful data.
"Information paranoia is a positive thing; we have seen a growth in customers saying they want to guarantee that users never lose a legitimate email. You will see relationships forming between messaging security companies like ourselves and storage companies," Gray said.