This article can also be found in the Premium Editorial Download "Exchange Insider: Email lifecycle planning for Exchange Server."
Download it now to read this article plus other related content.
In many organizations, message archiving is thought of as something that has to be done just to keep the lawyers happy. Typically, a lot of planning goes into implementing a message archiving system in Exchange Server organizations. Most of it, however, focuses on controlling costs and ensuring that the proposed archiving system complies with regulations that apply to that organization's particular industry.
Message lifecycle planning is the process of developing an email message retention policy. Part of the planning process involves making up-front decisions about storing and retaining email messages, such as where messages will be archived, how those archives will be backed up and for what length of time messages should be retained. When it comes to creating a messaging archival strategy for your organization, less can be more.
Unless there is a critical reason behind retaining messages indefinitely, it's often better to store messages for no longer than what is required by the law or by your business needs. Keep in mind that your message archives typically contain an all-encompassing picture of how your organization operates.
Unless explicitly forbidden, virtually every aspect of a company's day-to-day operations is discussed through email. For instance, companies typically use email to communicate with customers, negotiate contracts, plan meetings and discuss marketing strategies on new products.
It's important to realize
Complying with message-retention policies
Planning a message retention policy is something of an art form. You have to retain messages long enough to comply with any applicable government regulations. Beyond that, though, you should consider how long the messages are going to be of value to your organization.
You should also consider the risks involved with storing older messages that have exceeded the required retention period. Remember: All regulations that require email messages to be archived and retained for a specific period of time do not exist to benefit the company specifically. Email archives exist to allow lawyers to search for evidence of wrongdoing in the event of a company lawsuit. These archives can actually be used against the company. Some companies retain all email messages indefinitely to ensure that no one can accuse the company of not being in compliance.
But imagine if a company was involved in a lawsuit in which message archives were subpoenaed. Lawyers won't simply ignore older messages just because those messages no longer need to be retained. Along these lines, consider how long the message format you're using for your archives will be valid.
Many current message archiving products use .PST files as a repository for archived messages. But what would happen if Microsoft stopped supporting .PST files 10 years from now? How would you retrieve those records from the archives? Storing messages for too long and storing them in an unsupported -- or soon-to-be unsupported -- format can cause several issues down the road.
How long should I retain messages?
When determining how long to retain company messages, no clear-cut recommendations exist. There are various legislative regulations that include email archiving requirements. For instance, all publicly traded companies are subject to the Sarbanes-Oxley (SOX) Act and the Gramm-Leach-Bliley (GLB) Act, both of which define email retention requirements, among other things related to data storage and security.
Even so, there are other more restrictive regulations that apply to specific industries, including financial services, healthcare and government. The entire healthcare industry is subject to the Health Insurance Portability and Accountability Act (HIPPA).
Financial services companies may be subject to Securities and Exchange Commission (SEC) regulations and regulations related to the National Association of Securities Dealers (NASD) or the New York Stock Exchange (NYSE). The General Records Schedules from the National Archives and Records Administration mandate archival requirements for government agencies.
The key to determining how long to retain a company's archives is to understand which regulations apply to your particular industry and which retention rules apply to that regulation. Smaller, privately owned companies may not be required to retain message archives at all. In any case, you also need to determine what your business needs are and balance that with any applicable regulations.
For example, if you owned a Web-based store that had a 60-day return policy on items, it would be good practice to retain email messages for at least 60 days after the sale -- even if it's not required. In other cases, you need to retain email messages for three years for IRS purposes as well.
In addition to legal ramifications, you must consider backup and storage in your long-term message archival plan. Most archiving products on the market use compression and single-instance storage to minimize the amount of disk space that the archives consume. Even so, long-term storage of messaging data will consume disk space at an ever increasing rate if your organization is storing messages indefinitely.
Generally, message archives are not stored on an Exchange server; therefore, they aren't typically included in the normal Exchange Server backup process. Although some administrators tend to think of email archives as a type of backup, it's also imperative to regularly back up your message archives.
For example, it would be difficult to explain to the courts that your company doesn't have the archived material that was required by law because a hard drive on your archive server failed and you didn't make a backup.
Some organizations avoid the long-term storage issue by outsourcing their archives. This means that the data is stored off-site, and the archival company it hires deals with the headaches of long-term storage and all necessary backups. If your organization decides to outsource storage of its message archives, be sure to read the service provider's contract carefully.
Be certain that you're protected against data loss and service interruptions and make sure that you retain possession of your data. Some unscrupulous archival companies try to retain customers indefinitely by claiming ownership of their data. If a customer tries to cancel an account, the archival company threatens to delete the data. Although most archival companies don't operate like that, read the fine print in the service contract to be sure your company is protected from such practices.
The risks of long-term message retention
Many organizations are required by federal law to retain all email messages for a specific length of time. Although you can store messages for longer than is required by law, there are significant legal risks in doing so. When the government requires you to archive old messages, it's for the government's benefit, not yours.
The underlying assumption is that if a company's business practices are ever called into question, the courts can subpoena message archives and search those archives for incriminating messages. Storing messages for longer than is required means there's more potential evidence. Remember: A message isn't exempt from being used as evidence just because it has exceeded the required retention period.
Sometimes there are legitimate business requirements for retaining an email message longer than is required. It's important, however, to strike a balance between the business's needs and the legal risks associated with long-term message retention.
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.
But imagine if a company was involved in a lawsuit in which message archives were subpoenaed.
Lawyers won't simply ignore older messages just because those messages no longer need to be
retained. Along these lines, consider how long the message format you're using for your archives
will be valid.
This was first published in August 2009