Mimecast: Email regulation issues leaving businesses confused
October 2012 by Mimecast
Corporate email archiving and retention policies are muddled and unclear, with many businesses leaving themselves exposed to potential litigation or compliance issues, according to new research launched today by Mimecast®, the leading supplier of cloud-based email archiving, continuity and security for Microsoft Exchange and Office 365.
The research, which surveyed IT managers on their organisations’ email policies and archiving practices, found that just 30 percent of UK businesses retain archived email for three years or more, with one in four (26 percent) admitting that they do not have a clear policy on retaining email at all.
· Email retention policies are often ad hoc or based on guesswork – Just one in four IT departments (27 percent) have an email retention policy designed to comply with industry regulations
o 41 percent of UK businesses surveyed say their archiving policies are based on ‘internal best practice’ with no consideration given to industry or country specific regulations
o Six percent of businesses admit to deciding their email retention policy around a ‘random future date’ with ‘no basis’
· eDiscovery for email is a major area of concern – Many businesses are not confident that they would be able to identify all emails relating to a specific customer in a timely manner:
o On average, it would take a UK business 12 working days to identify all emails relating to a potential litigation
o 17 percent of UK businesses do not think they would be able to comply with this kind of email eDiscovery request within a month
· Concern around email compliance – IT departments are concerned that they are leaving their businesses exposed:
o Just one in four (26 percent) IT teams are ‘completely confident’ that their email policies comply with all relevant regulations
o 48 percent are ‘mostly confident’ with 23 percent ‘minimally confident’ or ‘not at all confident’
“For a busy IT department, managing and enforcing corporate email policies might seem to be a peripheral issue, but if they don’t get it right they could expose the organisation to huge risk,” commented Jeff Wright, Partner and IT Director, Morgan Cole. “Failing to comply with an eDiscovery for email request can be very serious and the 12 working days cited by the research is likely to be too slow and, in my experience, an overly optimistic estimate. In the event of litigation, you need to be able to provide all relevant messages as soon as possible and, crucially, guarantee their accuracy. Once an email is sent or received, it is often not possible to know how many copies exist, where they reside or if they have been tampered with or edited. Therefore a firm without a complete record of all its email history will not be in a position to accurately assess their level of risk.”
“It is clear that businesses are struggling to ensure their email policies and systems comply with the myriad rules and regulations governing this area,” commented Simon Thompson, Partner, Change Harbour. “The fact that just one in four organisations base their archiving policies on industry regulation is particularly worrying as many sectors have their own rules regarding email retention. What I have often seen is that, because this is such a high risk area, and the potential for damage is so high, IT teams tend to try and mitigate these risks by implementing their own solutions internally. Of course it’s very hard to do that effectively given the resource constraints that affect every business. This is where cloud computing can really be of value. A properly architected and implemented cloud solution can reduce the cost of these compliance technologies and help reduce the risks associated with email archiving and eDiscovery.”
Eliza Hedegaard, Director, Legal IT, Mimecast, commented: “IT departments can and should be doing more to protect their organisations by adopting a more rigorous approach to email archiving. However, the businesses I speak to are not being helped by a regulatory system that is incredibly confusing and difficult to navigate. Regulators should be helping businesses by simplifying the regulatory framework and putting greater emphasis on clearly communicating what organisations need to do in order to comply instead of adopting scare tactics that focus on what will happen if organisations fall foul of the rules.”
About the research
In summer 2012, 500 interviews were conducted online with IT decision-makers (specifically those responsible for email hardware, software and services) across a range of company sizes, industry sectors and regions.
The sample consisted of 200 US respondents, 200 from the UK and 100 from South Africa. The research was conducted by Loudhouse Research, an independent consultancy based in the UK.