Mimecast: Email Regulation Issues Leaving Businesses Confused

Corporate email archiving and retention policies are muddled and unclear, with many businesses leaving themselves exposed to potential litigation or compliance issues, according to new research launched today by Mimecast®, the leading supplier of cloud-based email archiving, security and continuity for Microsoft Exchange and Office 365.

The research, which surveyed IT managers on their organizations’ email policies and archiving practices, found that just 20 percent of businesses (23 percent globally) retain archived email for three years or more, with one in four businesses (25 percent U.S.; 26 percent globally) admitting that they do not have a clear policy on retaining email at all.

Key findings:

  • Email retention policies are often ad hoc or based on guesswork – Just
    one in four IT departments (30 percent U.S.; 26 percent globally) have
    an email retention policy designed to comply with industry regulations:

    • Forty-one percent of businesses surveyed (43 percent globally) say
      their archiving policies are based on ‘internal best practice’
      with no consideration given to industry or country specific
      regulations
    • Six percent of U.S. and global businesses admit to deciding their
      email retention policy around a ‘random future date’ with ‘no
      basis’
  • eDiscovery for email is a major area of concern – Many
    businesses are not confident that they would be able to identify all
    emails relating to a specific customer in a timely manner:

    • On average, it would take a U.S. business 15 working days to
      identify all emails relating to a potential litigation
    • Eighteen percent of U.S. businesses do not think they would be
      able to comply with this kind of email eDiscovery request within a
      month
  • Concern around email compliance – IT departments are concerned
    that they are leaving their businesses exposed:

    • Just one in four (24 percent U.S.; 27 percent globally) IT teams
      are ‘completely confident’ that their email policies comply with
      all relevant regulations
    • Forty-eight percent (46 percent globally) are ‘mostly confident’
      with 34 percent (23 percent globally) ‘minimally confident’ or
      ‘not at all confident’

“Taking fifteen days to identify all relevant emails sent and received by a client is a massive and unnecessary resource drain,” said Jim Darsigny, CIO, Brown Rudnick LLP. “For IT departments, managing and enforcing email policies can no longer be an ad-hoc approach as the risk potential and time wasted is too high to ignore. In our organization, the cloud enables our business to significantly reduce the pain, costs and resources normally dedicated to sourcing archived email data. With a solid email eDiscovery strategy in place, we are not only able to better serve our clients, but we can also more accurately assess their level of risk.”

“IT departments can and should be doing more to protect their organizations by adopting a more rigorous approach to email archiving,” said Eliza Hedegaard, Account Director Legal, Mimecast. “However, the businesses I speak to are not being helped by a regulatory system that is incredibly confusing and difficult to navigate. Regulators should be helping businesses by simplifying the regulatory framework and putting greater emphasis on clearly communicating what organizations need to do in order to comply instead of adopting scare tactics that focus on what will happen if organizations fall foul of the rules.”