Better Compliance Strategies for Email Risk

Harvey Pitt, a former chairman of the Securities and Exchange Commission, had a pithy observation about corporate compliance called the Pitt Rule of Discovery: “A document necessary for a company’s defense shall not be found when needed, unless the document actually makes the company’s situation worse—in which case, said document will be discovered at the least opportune time.”

There’s a lot of sense in the Pitt Rule of Discovery. A new research report has tried to quantify just how painfully true Pitt’s rule is.

The report, breathlessly titled “The One Email You Can’t Ignore,” estimates that the average business executive now receives 88 emails per day—and of those 88, roughly 5 percent would qualify as a “business record” that should be preserved for litigation or compliance reasons. In a business with 1,000 employees, that translates into 1.6 million emails that need to be found, classified, and preserved every year. For a Fortune 1000 business, the number soars.

The report’s authors, two software firms called and Gimmal, call this “the Last Mile” problem: how to channel that torrent of email, when 5 percent of it should go into storage and the remainder wash out to sea. Somehow you need to find, capture, classify, and store that important stuff. The report surveyed more than 100 high-level information governance executives, and 79 percent of them ranked those tasks as either important or very important.

That’s not news to compliance officers per se; on the contrary, you’ve been telling me for years that you worry all the time about “email risk.” The real threats here are two. First, a large number of companies store much more than the report’s 5 percent estimate; many, I’m sure, simply store everything, and that creates more litigation risk than it prevents.

Second, on a practical basis, many companies just use the Archive feature on employees’ email programs as the retention system. As one executive once told me, “We use Gmail to run our corporate email, so they must have a record of everything.” That’s actually not wrong; Gmail is a feasible email archive system, along with vendors like Mimecast or Smarsh. But if you aren’t doing that evaluation of an email’s content, and just hoping you can find that one important message when the subpoenas arrive—well, good luck with that.

Enter Automation, Kinda Sorta

Still, even if you are capturing and classifying email, go back to those numbers from above. If we take the 88 emails per day and 5 percent retention statistics as reasonable, that means you receive a business email every 6.15 minutes (assuming you work nine hours a day). Who wants to be interrupted that often to review and classify an email? How many companies want their employees to spend time that way? How many companies trust their employees to do that?

I asked the head of product marketing and strategy at, David Lavenda, how compliance officers might try to automate some of that Last Mile challenge. He admitted that true artificial intelligence to read and sort our emails isn’t here yet, so human intervention (read: employees reading and reviewing an email) is still important. Meanwhile, compliance officers can help by developing email management protocols that make the human workload as easy as possible.

Disclosure: and Gimmal purport to offer just that assistance to compliance and data governance officers. That’s fine; the problems outlined in their report are still valid and their ideas worth considering.’s approach is to work with SharePoint (which makes sense; any large company using Microsoft software has SharePoint already), and to ease moving an email or attachment from Outlook into SharePoint. For example, it converts email headers (the “To” and “From” and “Re” fields, etc.) into SharePoint columns, which should simplify e-discovery or audit requests.

Lavenda says that yes, meta-data to describe email messages (search term keywords, for example) is important, and you may still need employees to assign meta-data to the messages they’re dumping into SharePoint. But you need to keep that process simple, or they won’t bother. How simple? Lavenda recommends not more than two or three fields an employee has to fill out.

This does raise a point of policy and process. Lavenda described one customer, a large defense contractor, whose email retention process ran as follows: first, the employee had to save the email message to his desktop. Then he would open his web browser to a SharePoint site; upload the message into it; visit the Properties editor in SharePoint and configure the meta-data; and finally confirm the message as checked into SharePoint. And you had to do this for every message.

That is not good process. plans to add features later this year that let a company establish Outlook rules that can be applied enterprise-wide, to simplify some email management and moving records into SharePoint. That is functionality compliance and records retention officers need, whether you use or any other records management vendor; it gives you more power to oversee and execute email management policies.
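To make the two mechanics above concrete (deriving index columns from an email’s headers, and an enterprise-wide rule deciding whether a message is a business record), here is an added illustration written for this post; it is not the vendors’ code, and the sample message, the rule set and the field names are constructed for the example.

```python
import email
import hashlib
from email import policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample message; not taken from the article or the report.
SAMPLE_EML = b"""\
From: Alice Jones <alice@example.com>
To: Bob Smith <bob@example.com>
Cc: Legal Dept <legal@example.com>
Subject: Re: Q3 supplier contract - signed copy
Date: Tue, 03 Mar 2015 09:12:00 -0500
Message-ID: <abc123@example.com>
Content-Type: text/plain

Attached is the countersigned contract for the Q3 supplier agreement.
"""

# Hypothetical enterprise-wide rule set: a message becomes a record when a
# subject keyword or a watched recipient address matches.
RULES = {"subject_keywords": ("contract", "invoice", "audit"),
         "record_recipients": ("legal@example.com",)}

def extract_columns(raw: bytes) -> dict:
    """Derive the columns a records store would index from the headers alone,
    plus a hash so the preserved copy can later be shown to be unaltered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = [addr for _, addr in getaddresses(
        [str(msg.get("To", "")), str(msg.get("Cc", ""))]) if addr]
    return {
        "from": parseaddr(str(msg["From"]))[1],
        "to": recipients,
        "subject": str(msg["Subject"]),
        "sent": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "message_id": str(msg["Message-ID"]),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def classify(columns: dict, rules: dict = RULES) -> str:
    """Apply the rule set without any employee input; returns the retention class."""
    subject = columns["subject"].lower()
    if any(k in subject for k in rules["subject_keywords"]):
        return "business-record"
    if any(r in rules["record_recipients"] for r in columns["to"]):
        return "business-record"
    return "transient"

def file_message(raw: bytes, rules: dict = RULES) -> dict:
    """Columns plus the rule-derived class; an employee need only add a matter tag."""
    columns = extract_columns(raw)
    return {**columns, "retention_class": classify(columns, rules), "matter": None}

if __name__ == "__main__":
    print(file_message(SAMPLE_EML))
```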

I asked Lavenda how companies are faring with email management right now. Success, he said, hinges on how clearly a company defines what a record is, and how well companies train people on this task. “Part of it is education,” he said. “Part of it depends on the business process and who’s doing it.”

You could say that about a lot of corporate compliance. No truer words have ever been spoken.
