Executive Summary
This paper discusses issues related to the use of email within large organizations. While
email has become an indispensable tool of modern communications, its misuse has also
been at the center of ethical and legal breaches across diverse organizations. In response
to these breaches, regulators have stipulated a wide range of measures that must be taken
to ensure security, privacy, and accountability. This paper provides IT professionals and
executives with an overview of issues and the regulatory responses across a number of
sectors. It describes classification-based strategies to comply with requirements to
manage email effectively. It also discusses the role of classification in managing email
from an operational perspective.
The Email Policy Challenge
Over the past decade, email has become virtually ubiquitous. Organizations of all sizes and types
rely on it to communicate with clients and customers, partners and suppliers, and for the massive
amounts of collaborative information exchange between employees that are the lifeblood of
information-based work. Even in the face of newer technologies such as instant messaging and
VoIP, email remains the killer application of the Internet, intranets and extranets. In 2005, the
average corporate user sent and received 84 messages per day, requiring over 10 megabytes of
storage space and including every sort of information from proprietary intellectual property to
client or customer records. Yet email remains primarily an unmanaged medium. While
governments, corporations and other organizations have invested heavily in protecting themselves
against the threats posed by inbound email, such as spam, viruses, worms and Trojan horses, little
thought has gone into the risks posed by outgoing and internal email. These risks are potentially