Mail monitors
The pressure is growing on organisations to develop sound policies that govern the retention of email.
Email is now the primary means of business communication. On any working day in 2005, an average of 35 billion emails will be sent; that is up from 10 billion in 2000. And analysts at Gartner estimate that as much as 75% of an organisation's total knowledge exchange occurs via email.
But how much of that should be retained, for how long, and what should be available on demand - either to internal management or to outside authorities? The answer largely depends on the sector an organisation operates in.
In the financial services and pharmaceutical industries, for example, there are already tight regulations governing email retention. In other sectors, retaining data for long periods can contravene certain other legislation, such as the Data Protection Act and EU data privacy directives, or prove harmful to the organisation during legal proceedings.
"The largest issue in email compliance is understanding which regulations are applicable," says Charlie Brett, an analyst at IT management adviser the Meta Group. "This is particularly true in the US, where regulatory bodies such as the Securities and Exchange Commission and legal binds, such as HIPAA and Sarbanes-Oxley, have set requirements for privacy, retention and supervision of email," he says.
The rest of the world, including the European Union, Canada, Japan and several other nations, is not far behind in implementing similar regulations relating to email, he adds. "However, brute-force email capture and storage is still the standard operating procedure, especially in environments with thousands of users."
The costs for getting it wrong can be severe. In March 2004, the US Securities and Exchange Commission (SEC) made its position on email retention clear. It imposed a $10 million fine on Bank of America after an investigation into alleged securities fraud found that the bank had violated federal laws on email retention, having recovered emails from its archive that would help in its defence only to delete the rest.
The penalty - the largest ever against a company for hindering a federal probe into suspected improper trading - demonstrated that emails should be subject to the same rigorous retention and deletion policies applied to other forms of business information.
But when it comes to email, many organisations are still unsure of their legal and contractual obligations. A survey conducted by enterprise storage management software company EMC's Legato division found that 46% of UK companies felt they were in the dark on how they should structure their email policy to meet different regulatory obligations; another 32% have no formal email policy at all.
At many large organisations the policy is simply to delete email after a couple of months. But that may leave them exposed. In the case of the US's Sarbanes-Oxley Act, for example, officers of a company are required to maintain adequate "internal controls" over the company's financial reporting, assess the effectiveness of the company's internal controls, and disclose any "material weaknesses" in the company's internal controls.
Lawyers such as Jeffrey Plotkin at Eiseman Levine Lehrhaupt & Kakoyiannis believe that it is impossible for a company to properly maintain internal control over its financial reporting if the company deletes emails related to internal accounting. "In my view, systematic deletion of all emails related to internal accounting would most certainly constitute a material weakness in a company's internal financial controls," he says.
To achieve at least some level of compliance in the area of email management, organisations have an expanding choice of technologies. Email archiving products as well as related storage technologies top the bill, but as emails are now the vehicles for sending attached documents, bills, statements and so on, organisations are using electronic document and record management and enterprise content management systems to manage the lifecycle of such data.





