
February 16, 2022 · 6m read

The Great Email Retention Policy Debate: When should you delete it and what should you keep?

John Hrvatin 

@hrvats 

What is an Email Retention Policy?

An email retention policy (ERP) is a process describing how long emails should remain in our inboxes before they must be erased. Email retention policies tend to reduce both human error and risk. An effective email retention policy should cover and protect all emails being sent to and received from other organizations.

Email contains massive amounts of valuable data. Despite the rise of a million other ways to communicate, the vast majority of our digital lives still end up in our trusty inboxes. The value of that data is obvious: there are hundreds of kinds of sensitive information at your fingertips in a readily available, easily searched, long-term memory for your organization and your personal life. We’ve all gone searching for an old email and been saved when we found that magic attachment or record of a critical decision.

Yet many of you might cringe reading that, because you know that email, like any valuable resource, attracts malicious actors. And the more valuable the resource, the more attention it will receive. Attacks on these valuable archives are far too common, from the 2016 U.S. Presidential Election and SolarWinds hacks to HBO and Hafnium.

The result is a tug-of-war between the productivity gains of email’s ubiquity and easy access, and the risk of maintaining such a radioactive archive. So the eternal debate ensues: when should you (and your organization) delete email? Given the work we do at Material to prevent data breaches we get that question a lot.

Let’s answer it by understanding the needs of different stakeholders and outlining the most common solutions.

Email retention: a quick overview

We’ll start by understanding how we got here, and why the email retention policies at the center of these debates exist.

Over time, email has evolved from a messaging app to a filing cabinet. Not only do employees collaborate over email on confidential announcements or financial reports, but they also store DocuSign contracts (which are emailed to you after signature by default!), Zoom meeting recordings, Jira tickets, and much more in their inboxes. Modern email services made this possible—and useful—by offering near-unlimited storage and easy-to-use search capabilities. That leads all of us to hoard messages in case we might need them in the future. The result: a repository of our most sensitive content sitting in the inbox that’s useful for the owner and highly attractive to cybercriminals. 

An email retention policy attempts to address the problem indirectly by dictating how long a particular message (or class of messages) should exist in mailboxes or archives until it is deleted. For example, a legal team might create an email retention policy to comply with industry or government regulations. Many other motivations and departments affect email retention policies, and they can be very controversial in many modern workplaces.

Email retention policy vs data deletion policy: the stakeholders involved

The email retention vs deletion debate typically involves a few groups:

How teams are trying to find compromise

Everyone disagrees, and everyone (from their very valid perspective) is right. So how do we solve the problem?

The most extreme solutions—keeping everything forever, or deleting everything after a short time—are seductive for some but essentially maximize risk and may functionally lobotomize an organization. Nobody should be part of a massive email breach, but is an organization better off if sensitive company documents are saved to local devices and forwarded to personal email accounts, or simply lost forever?

Compromises such as a “keep label” or archive folder, which let users self-identify content that is exempt from the retention policy, commonly frustrate multiple stakeholders and can easily be misused. It only takes one person on a thread to undo much of the benefit—everyone has a copy of the email, so it’s not really gone unless everyone deletes it.

Bolt-on email archive products can appease Legal by giving the organization close control over what’s kept and what isn’t, and security might see them as an extra layer of defense. But these rarely maintain user productivity and create a headache for IT to manage.

Keeping everyone happy with a simpler solution

At Material we’ve built a new solution that our customers tell us makes this debate so much easier: Leak Prevention. While email retention policies sometimes fall short, our leak prevention solution offers a better middle ground for teams to secure sensitive data in mailboxes without needing to delete messages entirely. Here’s how it works:

  1. Material finds messages with sensitive information using built-in and customer-created rules.
  2. Sensitive messages are redacted—only a “stub” remains in mailboxes so users can find them by searching their normal inbox for the sender, recipient, date, and subject.
  3. To view the original message, a user authenticates with the organization’s chosen multi-factor authentication and the message appears—all without leaving their inbox.
  4. IT and security can monitor and later audit retrieval of sensitive messages.
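A small model of that four-step flow, added here as an illustration and not Material’s own code: two constructed regex rules stand in for the detection rules, the stub keeps the searchable sender, recipient, date and subject, and an `mfa_ok` flag stands in for the outcome of the organization’s MFA check.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date

# Detection rules, constructed for this example; a deployment would use the
# platform's built-in and customer-created rules instead.
RULES = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
         "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")}

Message = namedtuple("Message", "sender recipient sent subject body")

@dataclass
class Mailbox:
    messages: dict                             # what the user sees: originals or stubs
    vault: dict = field(default_factory=dict)  # original bodies of redacted messages
    audit_log: list = field(default_factory=list)

def matched_rules(msg):
    return sorted(name for name, rx in RULES.items() if rx.search(msg.body))

def redact(box, mid):
    """Steps 1-2: if a rule matches, park the body and leave a stub that keeps
    sender, recipient, date and subject so ordinary inbox search still finds it."""
    msg = box.messages[mid]
    hits = matched_rules(msg)
    if not hits:
        return False
    box.vault[mid] = msg.body
    stub = f"[Redacted ({', '.join(hits)}); step-up authentication required to view]"
    box.messages[mid] = msg._replace(body=stub)
    return True

def retrieve(box, mid, user, mfa_ok):
    """Steps 3-4: release the original only after step-up auth and log every attempt.
    mfa_ok is assumed to be the verdict of the organization's own MFA check."""
    box.audit_log.append((user, mid, "granted" if mfa_ok else "denied"))
    return box.vault.get(mid) if mfa_ok else None

def build_sample_mailbox():
    """Constructed sample inbox: one message carrying an SSN, one harmless one."""
    box = Mailbox(messages={
        "m1": Message("hr@example.com", "alice@example.com", date(2022, 2, 1),
                      "Onboarding forms", "Your SSN on file is 123-45-6789."),
        "m2": Message("bob@example.com", "alice@example.com", date(2022, 2, 3),
                      "Lunch?", "Thursday at noon works.")})
    for mid in list(box.messages):
        redact(box, mid)
    return box
```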

Stakeholders across the organization are happy:

"With post-delivery protection, sensitive information within the inbox can be redacted and put behind additional step-up authentication. This capability also allows for a more user-friendly and less aggressive retention policy due to the additional protections around the data."

- Melody Hildebrandt, CISO at Fox Corporation, a Material customer, via TechInsiders

The debate over email retention policy isn’t going away. Each stakeholder has legitimate needs that must be addressed and historical options haven’t helped much. We’ve seen Leak Prevention make a big difference for customers.

You can learn more about how teams are using Leak Prevention in this Risky Business episode on Email Retention Strategies or by checking out our Material customer stories.

If you’re interested in learning how we can help you find a better middle ground around an email retention policy, request a demo today.
