Corporate email archiving and retention policies are muddled and unclear, with many businesses leaving themselves exposed to potential litigation or compliance issues, according to new research launched today by Mimecast®, the leading supplier of cloud-based email archiving, security and continuity for Microsoft Exchange and Office 365.
The research, which surveyed IT managers on their organizations’ email policies and archiving practices, found that just 20 percent of businesses (23 percent globally) retain archived email for three years or more, with one in four businesses (25 percent U.S.; 26 percent globally) admitting that they do not have a clear policy on retaining email at all.
Key findings:
- Email retention policies are often ad hoc or based on guesswork – Just
one in four IT departments (30 percent U.S.; 26 percent globally) have
an email retention policy designed to comply with industry regulations:
- Forty-one percent of businesses surveyed (43 percent globally) say
their archiving policies are based on ‘internal best practice’
with no consideration given to industry or country specific
regulations - Six percent of U.S. and global businesses admit to deciding their
email retention policy around a ‘random future date’ with ‘no
basis’ - eDiscovery for email is a major area of concern – Many
businesses are not confident that they would be able to identify all
emails relating to a specific customer in a timely manner:- On average, it would take a U.S. business 15 working days to
identify all emails relating to a potential litigation - Eighteen percent of U.S. businesses do not think they would be
able to comply with this kind of email eDiscovery request within a
month
- On average, it would take a U.S. business 15 working days to
- Forty-one percent of businesses surveyed (43 percent globally) say
their archiving policies are based on ‘internal best practice’
with no consideration given to industry or country specific
regulations - Six percent of U.S. and global businesses admit to deciding their
email retention policy around a ‘random future date’ with ‘no
basis’
- On average, it would take a U.S. business 15 working days to
identify all emails relating to a potential litigation - Eighteen percent of U.S. businesses do not think they would be
able to comply with this kind of email eDiscovery request within a
month
- Concern around email compliance – IT departments are concerned
that they are leaving their businesses exposed:- Just one in four (24 percent U.S.; 27 percent globally) IT teams
are ‘completely confident’ that their email policies comply with
all relevant regulations - Forty-eight percent (46 percent globally) are ‘mostly confident’
with 34 percent (23 percent globally) ‘minimally confident’ or
‘not at all confident’
- Just one in four (24 percent U.S.; 27 percent globally) IT teams
- Just one in four (24 percent U.S.; 27 percent globally) IT teams
are ‘completely confident’ that their email policies comply with
all relevant regulations - Forty-eight percent (46 percent globally) are ‘mostly confident’
with 34 percent (23 percent globally) ‘minimally confident’ or
‘not at all confident’
“Taking fifteen days to identify all relevant emails sent and received by a client is a massive and unnecessary resource drain,” said Jim Darsigny, CIO, Brown Rudnick LLP. “For IT departments, managing and enforcing email policies can no longer be an ad-hoc approach as the risk potential and time wasted is too high to ignore. In our organization, the cloud enables our business to significantly reduce the pain, costs and resources normally dedicated to sourcing archived email data. With a solid email eDiscovery strategy in place, we are not only able to better serve our clients, but we can also more accurately assess their level of risk.”
“IT departments can and should be doing more to protect their organizations by adopting a more rigorous approach to email archiving,” Eliza Hedegaard, Account Director Legal, Mimecast. “However, the businesses I speak to are not being helped by a regulatory system that is incredibly confusing and difficult to navigate. Regulators should be helping businesses by simplifying the regulatory framework and putting greater emphasis on clearly communicating what organizations need to do to in order to comply instead of adopting scare tactics that focus on what will happen if organizations fall foul of the rules.”
