A modern approach to the email retention policy: using technology to balance access and security
A brief history of the email retention policy
We all understand that an email retention policy is a set of rules that governs how long emails are stored and when they should be deleted. That sounds simple enough on its face… but to employees, email retention policies can feel like a barrier between them and the information they need to be effective at their jobs.
Email isn’t just a point-in-time messaging system: it’s used as a store of important information about clients, a filing cabinet of past projects, and even an impromptu task management system. As a result, a strict email retention policy can get in the way of a fast-moving business.
How did email retention policies come about in the first place? And do they really need to be so painful?
How we got here
In the earliest days of email, storage was limited by a combination of technology and cost. Through the 1980s, companies were motivated to limit their email storage as a simple matter of economics: too many emails equaled too much spending. Email was deleted on a regular basis to free up room for new messages, and messages that seemed important enough were digitally archived or even printed and filed.
As email became a more common form of communication, government regulation began to address issues around the privacy of communications. The Electronic Communications Privacy Act (ECPA) of 1986 provided guidelines on access and privacy for email, but did not touch on how email should be retained. Increasing use of email meant businesses had to develop their own systems to contend with its role in record-keeping.
Around the same time, these businesses began to realize that email could be discoverable during litigation, which incentivized certain companies to be less-than-ethical when it came to how they viewed this communication tool.
The 2000s saw multiple serious corporate scandals that brought email retention to the forefront. Both the Enron and WorldCom fraud scandals hinged on evidence found in electronic communications, putting the spotlight on how companies handle historical email. Instead of being left to figure out their own best practices based on cost and permissiveness, companies now had to comply with government-mandated email retention guidelines.
Enter the 'Department of No'
The new millennium has seen a veritable alphabet of regulations and legislation, ranging from SOX to FRCP amendments to GDPR and CCPA. These all play a role in defining how email is stored, retained, and protected. This, among other developments, has turned compliance functions into the Department of No: consistently tasked with telling employees what they’re not allowed to do with their emails, whether keeping them or deleting them.
Risk and compliance leaders need to write policies that will comply with the law while keeping the best interests of the business in mind. This means holding onto certain kinds of emails for up to 7 years, while reducing the amount of sensitive information that’s held in inboxes that can be all-too-easily breached by a sophisticated attack.
We’ve heard of email retention periods as short as weeks, which sounds like a great idea to limit the blast radius of an attack. But the unintended consequence is that email is no longer a reliable resource for historical knowledge. While it is true that employees rarely need older emails, when they do, the need is often critical.
This puts IT and security teams in the awkward position of having to balance three seemingly contradictory needs:
- Regulatory requirements to hold certain kinds of emails for up to 7 years.
- Security requirements to make email inboxes a less exploitable source of company info.
- The business needs of employees who rely on email as both a form of communication and a store of information.
Same policy, different problems
For sellers, executives, and other team members who regularly correspond with third parties, this can lead to work-arounds or policy exclusions that undercut the efforts of compliance, IT, and security teams. While the vast majority of employees want to do the right thing for their companies, if the “right thing” conflicts with getting their job done, they’ll try to figure out ways to work effectively.
Take a 90-day email retention policy for example: this is a great way to make sure that any attacker who gets into an inbox will only get a limited amount of information. Pair it with an archiving solution that moves the specific kinds of data needed for regulatory and legal requirements outside of the inbox. The data isn’t “gone,” but it isn’t within the reach of the greedy hands of hackers. Sounds like a perfect solution, right?
Except that a few weeks later, a frazzled executive reaches out to IT wanting to know why an important email from a year ago disappeared from an inbox folder. Someone will have to go back into an archive and restore the executive’s inbox to make sure they have what they need. And to make sure it doesn’t happen again, they’ll create a work-around so this executive is exempt from the policy. The exec is satisfied, but their inbox has just become a treasure trove for a bad actor.
This isn’t just having an impact on the C-suite, either. Let’s put ourselves in the position of an account executive whose customer is nearing a renewal. What if they need to reference an exchange about an issue that happened six months ago? What if they need to refresh their memory of who is copied on quarterly check-ins?
This information becomes much more difficult – if not impossible – to find, so they may wind up forwarding emails to a personal account or saving them to a personal drive or even to a laptop, opening that data to different kinds of risks outside of the corporate inbox.
In this scenario, it would be very difficult for an IT or security team to know this behavior was taking place. The company would carry on, thinking the 90-day retention period is working, only to learn too late that the information was made vulnerable by being stored outside of the email ecosystem.
Changing outcomes with minimal change management
If this is starting to sound like a puzzle without a solution, don’t worry: there’s a technology-first way to make sure you’re protecting against radioactive inboxes without getting in the way of business. Material offers protection for data stored inside of inboxes, allowing companies to be more flexible in their email retention policies while keeping prying eyes off of confidential information.
Instead of deleting messages, Material categorizes sensitive information. After a waiting period set by the security team, the platform redacts that sensitive information, leaving a “stub” in the inbox. When a legitimate employee wants to access the email, they simply validate their identity using multi-factor authentication (MFA) and the message is restored to the inbox for a period of time.
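The stub-and-restore flow described above, modelled as an added Python example written for this page (it is not Material’s code and does not reflect how their platform is built). Everything concrete in it is an assumption: the regex detectors for sensitive content, the 30-day grace period, the 24-hour restore window, and the `mfa_verified` flag that stands in for a real MFA check. What it shows is the policy shape: nothing is deleted, sensitive content leaves the inbox after the grace period, a failed identity check leaves the stub in place, a successful one restores the message only temporarily, and the periodic pass must not re-stub a message that is inside its restore window.

```python
"""Toy model of 'stub instead of delete': sensitive mail older than a grace
period is redacted in place, and an MFA-gated restore brings it back for a
limited window. Illustrative only; patterns, thresholds and field names are
assumptions, not any vendor's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set
import re

# Constructed detectors for the kinds of content a policy might classify.
SENSITIVE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b"),
    "api_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}\b"),
}

STUB_PREFIX = "[Protected]"


@dataclass
class Message:
    msg_id: str
    received: datetime
    body: str                          # what the inbox currently shows
    vault: Optional[str] = None        # original body, held outside the inbox once stubbed
    categories: Set[str] = field(default_factory=set)
    restored_until: Optional[datetime] = None

    @property
    def is_stubbed(self) -> bool:
        return self.vault is not None and self.body.startswith(STUB_PREFIX)


def classify(text: str) -> Set[str]:
    """Return the set of sensitive categories found in the text."""
    return {name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)}


def stub_text(msg: Message) -> str:
    cats = ", ".join(sorted(msg.categories))
    return f"{STUB_PREFIX} {msg.msg_id}: content containing {cats} was redacted; verify with MFA to restore."


def apply_grace_period(inbox: List[Message], now: datetime, grace: timedelta) -> List[str]:
    """Redact messages older than the grace period that carry sensitive content.
    Messages inside an active restore window are left alone. Returns stubbed ids."""
    stubbed = []
    for msg in inbox:
        if msg.is_stubbed or msg.restored_until is not None or now - msg.received < grace:
            continue
        msg.categories = classify(msg.body)
        if not msg.categories:
            continue                       # nothing sensitive: the message stays as-is
        msg.vault = msg.body               # original content leaves the inbox
        msg.body = stub_text(msg)
        stubbed.append(msg.msg_id)
    return stubbed


def restore(msg: Message, mfa_verified: bool, now: datetime, window: timedelta) -> bool:
    """Bring the original content back into the inbox for a limited window.
    Without a successful MFA check (an assumed flag here) the stub stays in place."""
    if not msg.is_stubbed or not mfa_verified:
        return False
    msg.body = msg.vault
    msg.restored_until = now + window
    return True


def expire_restores(inbox: List[Message], now: datetime) -> List[str]:
    """Re-stub any message whose restore window has lapsed."""
    expired = []
    for msg in inbox:
        if msg.restored_until is not None and now >= msg.restored_until:
            msg.body = stub_text(msg)
            msg.restored_until = None
            expired.append(msg.msg_id)
    return expired


def run_scenario() -> Dict[str, object]:
    """Walk a constructed inbox through stubbing, a denied restore, an MFA restore and expiry."""
    t0 = datetime(2024, 6, 1, 9, 0)
    inbox = [   # constructed sample messages
        Message("m1", t0 - timedelta(days=45), "Per our call, the client's SSN is 123-45-6789."),
        Message("m2", t0 - timedelta(days=45), "Lunch Thursday?"),
        Message("m3", t0 - timedelta(days=3), "Card on file: 4111 1111 1111 1111"),
    ]
    grace, window = timedelta(days=30), timedelta(hours=24)
    out: Dict[str, object] = {}
    out["stubbed"] = apply_grace_period(inbox, t0, grace)                 # ['m1']: old and sensitive
    m1 = inbox[0]
    out["stub_body"] = m1.body
    out["denied"] = restore(m1, mfa_verified=False, now=t0, window=window)
    out["granted"] = restore(m1, mfa_verified=True, now=t0, window=window)
    out["restored_body"] = m1.body
    out["restub_during_window"] = apply_grace_period(inbox, t0 + timedelta(hours=1), grace)  # []
    out["expired"] = expire_restores(inbox, t0 + timedelta(hours=25))    # ['m1']
    out["final_stubbed"] = m1.is_stubbed
    out["untouched"] = [m.msg_id for m in inbox if m.vault is None]      # m2 (benign), m3 (too new)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The separation between `body` (what the inbox shows) and `vault` (what is held outside it) is the point of the design: the inbox only ever holds the sensitive content while a verified user has asked for it, so a compromised mailbox yields stubs rather than data, while nothing the business may later need is actually destroyed.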
This email protection feature works across devices and operating systems, so no matter where someone is working, they’ll be able to get to their emails (as long as it’s really them!). Material’s protection for email in inboxes is like a safety deposit box: only the key-holder can see what they’ve stored.
Best of all, there’s almost no change management required to get users on board with this feature. Customers like David Cook, CISO at Databricks, have described the solution as “almost invisible.” “We were so paranoid about downtime for our users and confusion,” he explains. “But it went seamlessly with zero complaints from both technical and non-technical teams.” When was the last time you installed a security tool with zero complaints?
The bottom line is that email retention policies are a necessary part of doing business, but that doesn’t mean that compliance, IT, and security need to be the Teams of No. By implementing a pragmatic, technology-first solution to protect email sitting in inboxes, companies can satisfy regulators, teammates, and yes, even that frazzled executive.
“In the past, you had a decision about how many emails to retain and what to delete to reduce risk. Would I rather not allow employee access to any email older than 12 months, carte blanche, or leave years of communications exposed in case of compromise?” - Ryan Donnon, Director of IT, First Round Capital