Now recognised as the primary channel of business communication for organisations in every industry, email contains enormous amounts of important and useful content, including contracts, proposals, presentations, policy decisions and other business records. Employees communicate via internal email, often in preference to the telephone, and enquiries and support concerns are increasingly handled via email.
Retaining email and other electronic content is now necessary to not only satisfy the growing demand for valuable business knowledge constantly being mined by a business’ employees but more importantly to adhere to any litigation and regulatory compliance requirements.
Systems which simply backup email stores cannot handle the tasks of demonstrating that proper preservation policies were followed, that laws or regulations were not violated, and that the company can provide information if and when requested. This is why many organisations have already deployed information management and email archiving systems. However, the issue with legacy PST files is something frequently overlooked and the hidden threat that PSTs present needs to be considered either as part of a comprehensive email management system or as a standalone PST location, migration and elimination project.
The Dangers of PST Files
There are two major dangers to PST files. The more serious of these is corporate risk and governance.
The other problem is in IT operations, where PST files take up a lot of time as they corrupt easily, are often misplaced and rarely (if ever) backed up.
PST Files and Corporate RiskSince mail can be found in places other than a user’s mailbox, PST files (also known as personal archives) severely jeopardise best practice and compliance. These files present a significant challenge not only in environments where laws and regulations regarding preservation and protection are stricter, but also to general businesses as the data hidden within them can be subject to the following:
Data Protection Act 1998
The Data Protection Act controls how an individual’s personal information is used, giving the organisation’s employees the right to ask for details of personal information relating to them. One of the data protection principles is that the information is not kept for longer than is absolutely necessary. If this information is kept within PST files, it could easily fall outside of the organisation’s deletion and retention policies.
The Act also requires companies to ensure that they have taken appropriate technical measures to protect any personal data they hold from being misused, lost or damaged. Which means that any email retention policies need to protect against such emails being deleted either by accident or on purpose. PST files are notoriously unstable and frequently corrupt, they are also highly portable and seen as a great way of moving email data between people and/or organisations quickly. This puts data at high risk as it is more susceptible to loss or theft.
If a DPA request is received then the organisation needs access to all email records and be able to check whether any personal information is contained within it. The organisation has 40 days to provide a copy of this information so being able to quickly search and retrieve the information is a clear benefit. Any emails contained in PST files may not be identified as their contents are visible only to their end-user. Not knowing the location or sometimes the owner of PST files makes these disclosure requests incredibly difficult.
The Data Protection Act 1998 does not specify particular retention periods for employment data and records, only stating that personal data ‘should not be kept longer than necessary’ for the purpose for which it was processed. However, emails can be submitted as evidence in an employment tribunal and there are recommended retention times for different categories of employment data for job applicants, current employees and former employers including:
- Job applications and interview records of unsuccessful candidates (recommended 6 months)
- Personnel records of former employees (Maximum of 6 years after employment ends)
- Records of disciplinary matters (Maximum of 6 years after employment ends)
- PAYE records, maternity pay or statutory sick pay (Minimum of 3 years)
If this information is contained within PST files that are invisible to the central IT department, it will not be subject to the usual retention or deletion policies, nor will it be possible to easily locate and retrieve the information to submit as evidence.
Court Action under the Civil Procedure Rules
Businesses could be at risk if they fail to produce evidence which may be contained in an email for the purposes of litigation or auditing. Changes to standard terms and conditions, price changes or confirmation of a specific order could all be contained within email correspondence.
Since it’s possible to bring a claim for breach of contract up to 6 years later, it’s essential that an accurate audit trail is possible to quickly and simply respond to litigation or audit requests and determine the strength of any dispute.
The amendment to the Civil Procedure Rules and the issuance of Practice Direction 31B in October 2010 Disclosure of electronic documents effectively mandates that all companies should be prepared for electronic discovery. That means the organisation must know where the data is located, how to retrieve it, how to meet data requests as well as determine what data is not subject to search.
PST files can be found on desktops, laptops, corporate servers, removable media, even home PCs. Over 65% users store PST files on laptops and 20% users store them on portable storage devices.
If PSTs located on desktops or laptops fall outside the corporate backup strategy, they’re not backed up, protected, subject to retention or deletion policies and not easily located and retrieved during ediscovery or edisclosure requests.
Potential Consequences of Unmanaged PSTsThe PST itself is merely a container file and does not fall under compliance or edisclosure requirements but the emails and attachments that are hidden within it DO. If the IT department is not managing PST files, best practice is jeopardized.
PST files often contain emails which should have been managed but, owing to restrictions on access they are not subject to the usual retention or deletion policies.
This tangled web of overlapping regulations all speak to preservation of email. Not knowing the contents, location or indeed the owner of a PST file can put the organisation’s data at substantial security risk and leave them wide open to legal sanctions, regulatory fines or other consequences.
Under each of the Acts outlined above, the provision for retention varies and there are different consequences for organisations who do not comply, the Data Protection Act being the most severe.
In addition to fines, which can range from relatively trivial to substantial, there is the consequence of loss of confidence. When this happens to a commercial concern, the ramifications are typically reduced turnover and other negative business consequences.
Operational Reasons to Eliminate PST Files
PST files also present a number of issues for the IT department: location, access, ownership, volume of storage, content and age of data all of which effect cost, risk and resource.
PST files are difficult to locate
PSTs can be located almost anywhere. Older versions of Outlook create them by default on a user’s desktop or laptop, however that does not stop them being located on corporate servers, removable media such as USB and flash drives etc., or even home PCs. This makes it very difficult for IT departments to manage and control information centrally.
PSTs are neither secure nor reliable
Highly portable; PSTs can be disconnected from Outlook and copied or moved with ease. They can be seen as a great way of moving email data between people and/or organisations quickly. They can be password protected, although a simple search on the internet will find any number of programs that can crack these passwords.
Notoriously unreliable, PSTs were never designed to hold the amount of data they do today. Users pour more emails into them blissfully unaware of the risk posed to their data.
PSTs are not always available
Outlook must have access to the location where the PST file is stored. This is fine for office-based users who have the same access to either local or network storage, however if the user has the ability to work from different desktops or locations they may not be able to gain access to the PSTs. Also, if the user uses Outlook Web App (OWA) then they cannot gain access to the files. As more and more organisations embrace BYOD and mobile workforces, the risk is exacerbated.
Secondly PST files can be disconnected by users from Outlook profiles either inadvertently via a failure such as a power outage or PC crash or by the user ‘closing’ them. For most users, once the PST is ‘closed’, it is either forgotten about or they cannot find it again, which creates an ‘orphaned’ PST. Orphaned PST files can still contain valuable business information that may need to be preserved or discovered.
PST files are rarely backed up
Although this depends on the location and how an IT department manages PSTs, if they are located on desktops and laptops there is a very high chance that they will fall outside the corporate backup strategy and therefore not be protected. If however, they are located on network shares, chances are they are being backed up, however this in itself brings a set of new challenges to the IT department...
Every time Outlook connects to a PST- or if one email is added to it, it marks the PST as requiring backup and backs up the entire PST file. But the size of individual PST files is not the biggest problem.
Most enterprises have thousands of PSTs littered throughout their infrastructure going unseen and unprotected. So the scale of the problem with PSTs is significantly larger than most organisations realise.
How can we solve the issue of PSTs?
Project-based PST Management
One solution is to deploy a PST management tool. This will find all PSTs across the organisation’s network and help determine their contents. Items which must be kept can be re-ingested into inboxes, or better still archived, and any items not subject to retention policies can be deleted.
The benefit of a one-time project is that it enables IT to quickly understand the scale of the problem that PST files are causing, and to then take appropriate action to regain control over existing email stored within PST files. As it is a one-off exercise with no ongoing investment required, it can be easier to justify the overall cost of the project, but it doesn’t of course address the original reasons why users have been creating PST files. Even if end users are prevented from creating new files, an alternative means may need to be provided for them to retain selected email for their future reference.
Information management and email archiving solution
A longer term and more comprehensive solution is a comprehensive email archiving solution which includes modules for policy, retention management, compliance, and discovery that include PST location, migration and elimination. An Information management solution archives emails based on adherence to rules-based policies, and automatically applies retention and disposition strategies. The users aren’t required to do anything, nor are their preferred environments compromised.
These solutions can eliminate the need for PST files because they will proactively archive email yet provide users a direct way to access those stored emails, eliminating the need for any local storage. To alleviate the need for additional storage for archived email, these solutions include compaction routines which automatically compress emails for archiving and conversely decompress them when they are accessed.
The preferred information management solutions use a “manage in place” strategy, wherein policies and retention management will be applied regardless of where an email is found (live, stored locally, or archived). This ensures that IT has a consistent understanding of the landscape of stored emails.
Preferred information management solutions also offer search and discovery capabilities. Users naturally engage search engines to retrieve older, archived emails, and search must be part of the information management solution. More sophisticated search capabilities, under the requirements of discovery, must also be provided, wherein legal professionals can query email archives and mailboxes to locate and catalogue potentially-relevant emails in the face of litigation.
Finally, these solutions need to offer a preservation mechanism that permits authorised personnel to place such emails under legal hold, such that the email, any attachments, and all relevant metadata are preserved and secured from further editing or modification.
The Benefits of Managing PST Files
- Mitigate risk association of unmanaged email data
- Protect against end user data loss and intellectual property data loss.
- Implement robust data retention and defensible deletion policies
- Help with compliance, Data Protection and other regulations.
- Support eDiscovery and eDisclosure requests
- Streamlined processes with centralised storage
- Reduce IT overheads
- Reduce the amount of data to back up and restore
- Alleviate pressure on storage and back up windows
- Improve restore times of business-critical file servers
- Quicker retrieval of centrally stored information
- Reduce IT support requests
- Remove obstacles to hardware upgrade, BYOD, VDI or Office 365 migration projects
About Barracuda Networks
Protecting users, applications, and data for more than 150,000 organizations worldwide, Barracuda Networks has developed a global reputation as the go-to leader for powerful, easy-to-use, affordable IT solutions. The company’s proven customer-centric business model focuses on delivering high-value, subscription-based IT solutions for security and data protection. For additional information, please visit www.barracuda.com.
Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners.