What is an Email Retention Policy?
An email retention policy (ERP) is a process that defines how long emails should remain in our inboxes before they must be erased. Email retention policies tend to reduce human error and reduce risk. An effective email retention policy should cover and protect all emails the organization sends and receives, including those exchanged with other organizations.
Email contains massive amounts of valuable data. Despite the rise of a million other ways to communicate, the vast majority of our digital lives still end up in our trusty inboxes. The value of that data is obvious: there are hundreds of kinds of sensitive information at your fingertips in a readily-available, easily-searched, long-term memory for your organization and your personal life. We’ve all gone searching for an old email and been saved when we found that magic attachment or record of a critical decision.
Yet many of you might cringe reading that, because you know that email, like any valuable resource, attracts malicious actors. And the more valuable the resource, the more attention it will receive. Attacks on these valuable archives are far too common, from the 2016 U.S. Presidential Election and SolarWinds hacks, to HBO and Hafnium.
The result is a tug-of-war between the productivity gains of email’s ubiquity and easy access, and the risk of maintaining such a radioactive archive. So the eternal debate ensues: when should you (and your organization) delete email? Given the work we do at Material to prevent data breaches we get that question a lot.
Let’s answer it by understanding the needs of different stakeholders and outlining the most common solutions.
Email retention: a quick overview
We’ll start by understanding how we got here, and why the email retention policies at the center of these debates exist.
Over time, email has evolved from a messaging app to a filing cabinet. Not only do employees collaborate over email on confidential announcements or financial reports, but they also store DocuSign contracts (which are emailed to you after signature by default!), Zoom meeting recordings, Jira tickets, and much more in their inboxes. Modern email services made this possible—and useful—by offering near-unlimited storage and easy-to-use search capabilities. That leads all of us to hoard messages in case we might need them in the future. The result: a repository of our most sensitive content sitting in the inbox that’s useful for the owner and highly attractive to cybercriminals.
An email retention policy attempts to address the problem indirectly by dictating how long a particular message (or class of messages) should exist in mailboxes or archives until it is deleted. For example, a legal team might create an email retention policy to comply with industry or government regulations. Many other motivations and departments affect email retention policies, and they can be very controversial in many modern workplaces.
Email retention policy vs data deletion policy: the stakeholders involved
The email retention vs deletion debate typically involves a few groups:
- Users typically love to hoard their email because they want to maximize their own productivity. Email is ubiquitous, and searching it is easier than remembering everything or taking copious notes. If asked to delete older messages, they think “what if I need this in the future?” This desire is so strong that they’ll often work around a draconian deletion policy by forwarding individual emails (or even every email, via a filter or rule!) to their personal email or by abusing an exception mechanism (like a “keep folder” or “keep label”). One hears stories of high-level leaders advocating for a strict email retention policy only to grant themselves an exemption.
- Security teams advocate for strict email retention policies because it’s their job to lose sleep thinking about the copious risk associated with email. They worry about business email compromise (BEC) and the loss of sensitive, confidential, or highly-regulated information (each of which can exponentially increase the cost of a breach and might even prove fatal to the business).
- Legal unsurprisingly answers “it depends.” Their job is to monitor compliance with laws and to ensure certain types of data are never in email in the first place. They enforce legal holds to meet obligations. They may want certain messages kept if they’re useful in making a point (especially an exculpatory one) in potential litigation, or if a pending litigation hold requires it.
- IT is the flag in the middle of the tug-of-war rope. They implement the chosen email retention policy and act as the front-line for users, both explaining the policies influenced by security and legal, and taking the brunt of complaints about productivity.
How teams are trying to find compromise
Everyone disagrees, and everyone (from their very valid perspective) is right. So how do we solve the problem?
The most extreme solutions—keeping everything forever, or deleting everything after a short time—are seductive for some but essentially maximize risk and may functionally lobotomize an organization. Nobody should be part of a massive email breach, but is an organization better off if sensitive company documents are saved to local devices and forwarded to personal email accounts, or simply lost forever?
Compromises such as a “keep label” or archive folder, which let users self-identify content that’s exempt from the retention policy, commonly frustrate multiple stakeholders and can easily be misused. It only takes one person on a thread to undo much of the benefit—everyone has a copy of the email, so it’s not really gone unless everyone deletes it.
Bolt-on email archive products can appease Legal by giving the organization close control over what’s kept and what isn’t, and security might see them as an extra layer of defense. But these rarely maintain user productivity and create a headache for IT to manage.
Keeping everyone happy with a simpler solution
At Material we’ve built a new solution that our customers tell us makes this debate so much easier: Leak Prevention. While email retention policies sometimes fall short, our leak prevention solution offers a better middle ground for teams to secure sensitive data in mailboxes without needing to delete messages entirely. Here’s how it works:
- Material finds messages with sensitive information using built-in and customer-created rules.
- Sensitive messages are redacted—only a “stub” remains in mailboxes so users can find them by searching their normal inbox for the sender, recipient, date, and subject.
- To view the original message, a user authenticates with the organization’s chosen multi-factor authentication and the message appears—all without leaving their inbox.
- IT and security can monitor and later audit retrieval of sensitive messages.
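As an added illustration (not Material’s code), the following Python sketch models the four steps above: rule-based detection, redaction to a searchable stub, step-up authentication before the original is shown, and an audit record of every retrieval attempt. The detection rules, the `verify_mfa` callback and the sample mailbox are constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipient: str
    date: str
    subject: str
    body: str

# Constructed detection rules for the demo; a real deployment would combine
# vendor-supplied rules with customer-created ones.
SENSITIVE_RULES = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b"),
}
STUB_TEXT = "[Redacted: sensitive content. Authenticate to view the original.]"

class LeakPrevention:
    """Redact to a stub, require step-up auth to retrieve, audit every attempt."""
    def __init__(self, verify_mfa: Callable[[str], bool]):
        self.verify_mfa = verify_mfa      # organisation's MFA check (assumed callback)
        self.vault: Dict[str, str] = {}   # original bodies (encrypt at rest in practice)
        self.audit_log: List[dict] = []

    def redact(self, msg: Message) -> Message:
        hits = [name for name, rx in SENSITIVE_RULES.items() if rx.search(msg.body)]
        if not hits:
            return msg                    # harmless message stays untouched
        self.vault[msg.msg_id] = msg.body
        # Headers stay intact so the stub is still found by sender/recipient/date/subject.
        return replace(msg, body=STUB_TEXT)

    def retrieve(self, msg_id: str, user: str):
        granted = self.verify_mfa(user)   # step-up authentication gates every view
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user, "msg_id": msg_id, "granted": granted})
        return self.vault.get(msg_id) if granted else None

# Constructed sample mailbox: one sensitive message, one harmless one.
SAMPLE_MAILBOX = [
    Message("m1", "hr@example.com", "alice@example.com", "2024-03-01",
            "Q3 payroll file", "Attached: payroll with SSN 123-45-6789 for the new hires."),
    Message("m2", "bob@example.com", "alice@example.com", "2024-03-02",
            "Lunch?", "Lunch at noon?"),
]

def run_demo(mfa_ok: bool):
    lp = LeakPrevention(verify_mfa=lambda user: mfa_ok)
    return [lp.redact(m) for m in SAMPLE_MAILBOX], lp
```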
Stakeholders across the organization are happy:
- Users get to keep their email in their inbox to be easily found and retrieved as needed.
- Security and legal have visibility into the type of content stored in email and how it’s being accessed and appreciate the significantly reduced consequences of a malicious actor getting access to an email account.
- IT has a simple rollout and low ongoing maintenance.
"With post-delivery protection, sensitive information within the inbox can be redacted and put behind additional step-up authentication. This capability also allows for a more user-friendly and less aggressive retention policy due to the additional protections around the data." - Melody Hildebrandt, CISO at Fox Corporation, a Material customer, via TechInsiders
The debate over email retention policy isn’t going away. Each stakeholder has legitimate needs that must be addressed and historical options haven’t helped much. We’ve seen Leak Prevention make a big difference for customers.
You can learn more about how teams are using Leak Prevention in this Risky Business episode on Email Retention Strategies or by checking out our Material customer stories.