Modernizing Authentication — What It Takes to Transform Secure Access
Following the hack of Sony Pictures Entertainment, the initial pulling of the release of the movie "The Interview" grabbed most of the headlines. But the hack also revealed emails indicating future Sony plans and some embarrassing opinions about actors, actresses and others who had working relationships with the entertainment giant.
This brought to light not only some insight into business dealings and Sony executive thoughts not meant for public consumption, but also the issue of how long emails should be retained.
With prices continuing to drop for storage and resources thanks to the cloud, the easiest answer is "forever." But that's not the best answer, many experts agree.
"It's easy to rationalize to keep it forever," said Dean Gonsowski, vice president, business development and head of global information governance for San Francisco-based Recommind. "'Storage is cheap is the mantra. When you combine that with the notion that Big Data can help you generate insight, then it seems like there is no reason not to hold it. There is a chance it could be valuable someday."
Importance of Information Management
"The Sony hack brings us the issue of information management: the policy that dictates what is created, where it is stored, when it is open and when it is destroyed," said Susan Usatine, partner at the national Cole Schotz law firm, headquartered in Hackensack, N.J.
Information management can be an afterthought for many firms because it is not a revenue driver, nor does it prevent hacks. But it does minimize the return on investment for hackers, Usatine said. And hackers tend to go where they can get the greatest return for their efforts.
"We needed to quit being data octopuses, keeping all data forever," Usatine said, adding that many companies are "information hoarders" and admitting that lawyers are among the biggest culprits.
Some proponents of keeping emails forever refer to the value of the data that may be contained in communications, data that can be combined with data from other sources for Big Data uses such as targeted marketing. But some emails don't have any such data value, Usatine pointed out.
"The value of any [email] information erodes quickly," Gonsowski said. "It has a half life of maybe a couple of weeks." Conversely, the governance risk and all of the other risks associated with it constantly increase.
Sean Curran, director of infrastructure and operations excellence for Chicago-based consultancy West Monroe, recommends that rather than storing full emails, companies should instead determine what information contained in the communication is of value and store that instead. That way, hackers cannot access details like names and who sent the email.
Companies are legally required to retain other emails for specified periods of time. This includes emails in regulated industries such as financial services, emails involving financial transactions, and emails regarding anything when "litigation is reasonably anticipated," which may occur many years before any actual litigation starts. The retention times vary by the subject of the email.
"Preservation of data (including email) is an obligation owed to the court and should not be taken lightly," Usatine said. "Perfection is not the standard. Reasonable, thorough and diligent effort is the requirement. The courts understand that the preservation effort [can be] crippling to any business."
Far less email is subject to legal hold than one might initially think. According to Usatine, over the last two years, more than 90 percent of all emails were not considered to possess any legal value.
Archiving Email: When and How
The Association of Corporate Counsel, a global bar association, recommends the following 10 steps in establishing a company's legal hold process:
1. Consider risk/exposure.
2. Outline the specific criteria required for a defensible hold notification.
3. Determine who in the company needs access to the hold information.
4. Identify your custodians -- those people who may possess information potentially relevant to the litigation.
5. Create notification templates.
6. Gather additional information from the custodians.
7. Communicate regularly.
8. Document activities.
9. Consider technology solutions.
10. Preserve the data.
Email Archiving Tech
If the email doesn't have the data value or is not subject to legal hold, it should be destroyed, Usatine suggested.
All emails should be subject to routine purges, Curran advised. Several companies offer technologies to "mark" emails for deletion or archiving at certain intervals. Those subject to "indefinite" legal holds can be marked as such. However, Curran pointed out that even in these cases, there can be issues recovering emails several years in the future due to changes in hardware and software over the years.
Email archival systems tend to offer more security than the typical email server, noted Greg Arnette, CTO and founder of Sonian, based in Dedham, Mass. Thus, he recommended that companies enforce mailbox quotas and have standards for automated archival of emails after a designated period of time.
The archival process can be largely automated, Arnette said. However, archived emails are more difficult to retrieve than emails in one's own inbox, so some are reluctant to take this step. While some companies regularly purge or archive email inboxes, they often neglect the outboxes, he added.
Phillip J. Britt writes for a number of technology, financial services and business websites and publications, including BAI, Telephony, Connected Planet, Savings Institutions, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.