Executive Summary

This paper discusses issues related to the use of email within large organizations. While

email has become an indispensable tool of modern communications, its misuse has also

been at the center of ethical and legal breaches across diverse organizations. In response

to these breaches, regulators have stipulated a wide range of measures that must be taken

to ensure security, privacy, and accountability. This paper provides IT professionals and

executives with an overview of issues and the regulatory responses across a number of

sectors. It describes classification-based strategies to comply with requirements to

manage email effectively. It also discusses the role of classification in managing email

from an operational perspective.

The Email Policy Challenge

Over the past decade, email has become virtually ubiquitous. Organizations of all sizes and types

rely on it to communicate with clients and customers, partners and suppliers and for the massive

amounts of collaborative information exchange between employees that are the lifeblood of

information-based work. Even in the face of newer technologies such as instant messaging and

VoIP, email remains the killer application of the Internet, intranets and extranets. In 2005, the

average corporate user sent and received 84 messages per day, requiring over 10 megabytes of

storage space and including every sort of information from proprietary intellectual property to

client or customer records. Yet email remains primarily an unmanaged medium. While

governments, corporations and other organizations have invested heavily in protecting themselves

against the threats posed by inbound email, such as spam, viruses, worms and trojan horses, little

thought has gone into the risks posed by outgoing and internal email. These risks are potentially