Email Retention Tension: Legal Risk vs. Business Value

October 30, 2023

Email Retention Tension: Legal Risk vs. Business Value

Emails are both an important asset and a serious liability.

Mitigating risk is an essential pillar of any organization’s data management strategy. After countless tales of data leaks, thefts, and mishaps—along with the fines, penalties, and lost business that follow in their wake—any business that doesn’t prioritize risk management is playing a dangerous game.

Since risk management doesn’t generate revenue, it often falls under the purview of legal and/or compliance departments. This is ideal in some ways, as short-term business objectives or revenue targets don’t distract these teams from sticking to their core mission of keeping the business “safe.”

What keeps legal and compliance departments up at night

From a legal or compliance perspective, the more content you create, the more risk you create. Every new file, saved email message, and forwarded attachment creates one more potential weak point in the organization's armor. This might seem a little extreme, but it’s not that far-fetched when viewing things exclusively from a legal or compliance lens.

Their mission is to protect the organization from a host of unfortunate outcomes. Every retained item could open the organization up to future legal scrutiny, particularly if a legal matter moves into discovery. Any careless remarks or strategic conversations included in an email—even internal messages—could end up entered into evidence or released in the press during legal proceedings, which could both damage the business’s case in this matter and potentially further harm its reputation.

In addition to those direct legal risks, every email message and its contents and attachments could be a source for data leaks. Sensitive information could be exposed from a carelessly handled message. If it includes any personally identifiable information—particularly any financial or medical details—it could lead to costly violations of GPDR, HIPAA, or other data protection regulations.

And, in the event bad actors target your organization, retained emails represent a treasure trove of high-value targets. Whether they’re holding that stolen data for ransom, selling it on the dark web, or leaking it to the media, the outcome is bad for all parties involved.

Steep fines, tarnished reputations, lost customers, and scuttled deals… with so many negative repercussions to contemplate it’s no wonder legal and compliance departments are so focused on limiting risk via broad, non-negotiable policies and practices. Their broad initiatives to reduce liabilities typically lead to firm mandates to delete all emails older than 30 or 90 days, which usually doesn’t go over very well.

Why business users resist the urge to delete everything

While the calamitous consequences highlighted above might have everyone dreaming of Mission Impossible-style, self-destructing emails, plenty of good reasons for business units to keep those email messages around remain. While they may represent existential risks, they also provide lots of value.

First and foremost, business units aren’t quite sure what emails they’ll need to reference in the future, so their default mode is to keep everything. Since there are negligible costs to doing so, there’s little motivation to be more selective in what they retain. The odds may be fairly low that any particular email will be needed months or years from now, but why not retain them all to be safe?

Instead, business units focus on organization. They want to keep all these emails around just in case, but they also want them to be easily discoverable and stored in a logical hierarchy. This is why storing email messages on SharePoint or Microsoft Teams has become a popular information management strategy thanks to robust permissions management and metadata support.

The other concern driving business units to archive emails rather than destroy them is business continuity. What if a key contributor leaves the organization or a critical system experiences data loss? Business leaders know they can forensically reconstruct conversations and recover file attachments if those emails are still available.

Why IT gets stuck in the middle

With two competing goals and mindsets, the friction really begins heating up when IT is asked to implement a strict email retention and destruction policy. The technology itself isn’t the hard part, it’s dealing with the blowback that follows when rolling it out to end users. People aren’t often big fans of change, especially when it impacts their regular routines and expectations.

Finding a middle way to satisfy both sets of stakeholders often falls on IT’s shoulders, who want to keep data safe without negatively impacting business performance. The sweet spot that tends to work for most organizations is selective retention. In this paradigm, most emails get destroyed after, say, 90 days, but end users can select individual messages for long-term storage.

To qualify, these messages must have ongoing value. SharePoint and Microsoft Teams have emerged as the ideal locations to store these select email messages because they’re already the file repositories of record for many organizations, are tightly integrated with Outlook and the overall Microsoft 365 suite of applications, and have a host of built-in security and permissions features that easily adapt to email as well.

Best of all, when IT adds to the end-user experience, business users can drag-and-drop email messages right into SharePoint or Teams without ever leaving their inbox, including adding in essential metadata for classification purposes. If you’re wondering whether might be the perfect addition to simplify your organization’s email retention transition, try it out for free today or read more about what it has to offer.

© Copyright 2024 All trademarks, trade names, service marks and logos referenced herein belong to their respective companies