Manage Insider Data Risk
Boston politics, always an interesting spectator sport, is also providing a lesson in the enforcement of data retention policies. The latest headline: “State orders [Boston] City Hall computers secured in email dispute.” A key insider, it turns out, routinely deleted email messages in clear violation of the state’s public records law.
The mayor’s top aide apparently deleted the messages in a way that kept them out of the city’s routine server backup. Throw in a contested mayoral election and a juicy bribery scandal involving a disgraced state senator who took payments to help a constituent get a liquor license from Boston City Hall, and no wonder state and FBI investigators, as well as the candidates running for the mayor’s job, all want to see those email messages. Computer forensics experts are recovering the messages now.
International Data Corp. (IDC) addressed the email retention issue in a recent report, “Insider Risk Management: A Framework Approach to Internal Security.” Insiders like the aide pose grave compliance risks that can suddenly bite the organization. Advises IDC: “Managing insider risk should be a top priority for CISOs, CSOs, and other C-level executives globally.”
In the report, IDC defines insiders as “authorized users with legitimate access to corporate networks, applications, and data,” including employees, executives, board members, business managers, IT, consultants, outsourcing providers, contractors, and business partners. Furthermore, “the exposure of confidential information is now the single greatest threat to enterprise network security,” IDC declares in its 2008 Enterprise Security Survey.
The current approach to addressing the risk of information leaks, as well as complying with various regulations and policies, is called Data Loss Prevention (DLP). DLP, however, does not specifically solve the problem of insider risk: it inspects data in motion and at rest for sensitive content leaving the organization, and says nothing about an authorized user destroying records the organization is obliged to keep.
Third-party email archiving vendors promise a solution for the email portion of the risk, including risks like Boston’s burgeoning public-records compliance problem (the state-law counterpart of the federal Freedom of Information Act, FOIA). Exposure or destruction of confidential information goes well beyond email, although email is a big piece of it.
What the vendors provide is automatic and transparent email capture and guaranteed retention. Every message sent or received is immediately captured, saved, and backed up offsite in accordance with the organization’s retention policies. So even if the mayor’s aide deleted his messages, copies would remain. That guarantee holds only if capture happens at the mail server (journaling) rather than by periodically crawling mailboxes, and only if the archive itself is append-only and out of the insider’s reach; given that, a deletion that opens a gap between what the mailbox holds and what the archive holds is exactly the discrepancy that should raise a red flag.
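As an added illustration, not code from the original column or from any of the vendors it names, the following Python sketch shows the mechanism described above: capture at the mail server’s journaling hook, an append-only store with a content digest, a retention clock, and a reconciliation check that turns a client-side deletion like the aide’s into an alert. The addresses, dates, message bodies and the seven-year retention period are all constructed for the example.

```python
"""Toy journaling archive: append-only store, retention clock, and a
reconciliation check that flags mail deleted before retention expired.
Added example with constructed sample data; not a vendor product."""
import hashlib
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.utils import format_datetime


def make_message(mid, sender, to, subject, body, date):
    """Build a minimal RFC 5322 message as raw bytes (constructed sample data)."""
    headers = [
        f"Message-ID: {mid}",
        f"From: {sender}",
        f"To: {to}",
        f"Subject: {subject}",
        f"Date: {format_datetime(date)}",
        "MIME-Version: 1.0",
        'Content-Type: text/plain; charset="utf-8"',
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body + "\r\n").encode("utf-8")


class JournalArchive:
    """Append-only store fed from the mail server's journaling hook.

    Each message is keyed by Message-ID and stored with a SHA-256 of its raw
    bytes so tampering with the archived copy is detectable. There is no
    delete method on purpose: expiry under the retention policy is the only
    way a record leaves, and that path is reported to the caller."""

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self._store = {}  # Message-ID -> (received_at, sha256 hex, raw bytes)

    def journal(self, raw, received_at):
        """Capture at transport time; the first copy wins, re-sends are ignored."""
        mid = message_from_bytes(raw)["Message-ID"]
        if mid is None:
            raise ValueError("refusing to archive a message without a Message-ID")
        self._store.setdefault(mid, (received_at, hashlib.sha256(raw).hexdigest(), raw))
        return mid

    def within_retention(self, now):
        """Message-IDs the policy still requires the organisation to hold."""
        return {mid for mid, (t, _, _) in self._store.items() if now - t < self.retention}

    def verify(self):
        """Message-IDs whose stored bytes no longer match the digest taken at capture."""
        return sorted(mid for mid, (_, digest, raw) in self._store.items()
                      if hashlib.sha256(raw).hexdigest() != digest)

    def expire(self, now):
        """Purge only what the retention policy no longer requires; returns what went."""
        keep = self.within_retention(now)
        gone = sorted(mid for mid in self._store if mid not in keep)
        for mid in gone:
            del self._store[mid]
        return gone


def reconcile(archive, mailbox_ids, now):
    """Red-flag check: archived messages still under retention that the user's
    mailbox no longer holds. A client-side delete cannot reach the journal copy,
    so the discrepancy itself is the signal worth alerting on."""
    return sorted(archive.within_retention(now) - set(mailbox_ids))


def demo():
    """Run the scenario on constructed data and return what each check found."""
    now = datetime(2009, 9, 1, tzinfo=timezone.utc)
    archive = JournalArchive(retention_days=7 * 365)  # seven-year rule is an assumption
    aide, applicant = "aide@cityhall.example", "applicant@example.com"
    samples = [  # constructed: one message past retention, two recent ones
        ("<m1@cityhall.example>", now - timedelta(days=8 * 365), "Old thread", "archived long ago"),
        ("<m2@cityhall.example>", now - timedelta(days=20), "License question", "can you move this along?"),
        ("<m3@cityhall.example>", now - timedelta(days=3), "Meeting", "see you Tuesday"),
    ]
    for mid, sent, subject, body in samples:
        archive.journal(make_message(mid, applicant, aide, subject, body, sent), sent)
    expired = archive.expire(now)  # m1 leaves legitimately, under policy
    # The user then deletes m2 from the mailbox; only m3 remains there.
    mailbox = {"<m3@cityhall.example>"}
    return {"expired": expired, "flagged": reconcile(archive, mailbox, now),
            "tampered": archive.verify()}
```

The point of the design is that deletion and expiry are different operations with different owners: the mailbox user can delete, but only the retention clock can remove a record from the archive, and a reconciliation run over the two states is what surfaces the aide’s deletion as an alert rather than as a forensics job after the fact.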
Email archiving vendors and products include Mimosa Systems, Smarsh Inc., Symantec, Autonomy, CA Message Manager, IBM Content Collector, and many more. For small and midsize organizations, email archiving service providers offer an easier choice than licensed email archiving software vendors, whose products require a supporting IT infrastructure.
While FOIA compliance applies to government entities, private organizations also face situations where insiders violate internal retention policies. In fact, there are many reasons for organizations to deploy email archiving besides FOIA compliance, such as the possibility of litigation and its accompanying e-discovery process. Whatever your issue, managing insider risk by automatically enforcing data retention policies is a smart practice. ###