What s in that Cute Little E-Mail Mailbox?

What's in that Cute Little E-Mail Mailbox?

The problem with e-mail storage and retention is basically this: you do not know what your employees are keeping in their e-mail mailboxes. If you are auditing workstations and you review the results, you may be shocked or amazed at what is found. Talk to your employees, explaining the risks surrounding the retention of e-mail and the reason for the destruction policy. Policies should direct employees not to retain old e-mail messages. Policies should consider that some employees may want to store e-mail on their workstation hard drives or on floppy disks, and this practice should be discouraged. Make it very clear that saving messages to hard drives and floppies violates retention policies. If e-mail is going to be saved, it must be saved in project folders or other pertinent files. In this way, e-mail is accessible and retrievable. Emphasize the risks associated with the retention of e-mail outside of policy mandates. Employees should understand that workstations are audited and one of the areas of compliance is the storage of e-mail on hard drives and other media. Through training, employees should be instructed how to delete e-mail, and should receive an explanation of how the delete folder works. Many employees will not understand that e-mail messages may sit in the delete folder unless the user manually takes steps to empty it.

Consider installing and configuring software that automatically empties employees' e-mail folders at designated intervals. Assign limited e-mail space on your mail server for individual accounts. Reducing the size of e-mail accounts will encourage employees who retain e-mail to delete it, as they will simply run out of room. Exhibit 3 is a sample policy for e-mail retention.

Exhibit 3: Sample E-Mail Retention Policy

All e-mail more than 30 days old will be automatically purged from server mailboxes, mail queues, and backup media. Individual e-mail accounts will be limited to 2 MB in size. Users are explicitly prohibited from saving e-mail to hard drives or other media for a period of more than 30 days. If specific backup is required, it should be saved to specific program or project files. Employees do not have a reasonable right to privacy, and workstations will be periodically audited for policy compliance.