Back in the early days of email, when bandwidth was scarce and storage was expensive, Microsoft faced a problem: how to address the concerns of customers who needed to keep email for archival reasons, but who couldn't squeeze those records into the tiny 10- or 20-megabyte mailbox quotas that were typical at that time.
Its solution was to create archive files, which hold email records but don't take up mailbox space. Microsoft developed the Personal Storage Table (PST) format for these records. As a company rooted in personal productivity, it chose to give responsibility for creating and managing PST files to individual email users. To this day, any Outlook user can archive email on a local hard drive with a simple drag and drop motion.
And that's become a problem.
"You may now end up with a situation in which the only official record a company has is a PST file on an individual's hard drive," says Michael Haley, Director of Records Management at Radian Group, a Philadelphia-based financial services organization. "If it's not on the network or it's not backed up: It's like a hidden storage area where people can do what they want."
Haley is helping to sound the alarm about the risk of PST files to safe and compliant corporate record-keeping. His ARMA presentation, "How to Reduce Risk By Eliminating PST Files," drew a large crowd, and it's easy to understand why; managing PST files is a shared source of pain for email administrators, records and information managers, litigation teams, compliance professionals and IT operations people.
Good for people, not for companies
Email archives are great for individual users. The problems occur when they become inadvertent stashes of business information. If you use Outlook, there's a good chance you've established your own archive folder structure without knowing that it results in PST files. Turning on the optional auto-archive feature automatically creates a PST file in a place few people ever go (usually C:\username\AppData\Local\Microsoft\Outlook in Windows). Or you can specify another place to store PST files, which creates more headaches for IT administrators.
There are numerous reasons why permitting the use of PST files in corporate settings is a bad idea, particularly in regulated industries:
- They may contain sensitive information that no one knows about. This can have serious consequences in the event of a hacker attack or compliance audit. Peering inside PST files is hard, which can make the process of uncovering information inside them a chore.
- IT also can't control them. That can be a serious issue in regulated situations in which record retention rules specify how long information must be kept and when it should be deleted. Old emails that should have disappeared long ago can come back to haunt an organization. Keeping records past their expiration date "is risky business," says Sue Trombley, Managing Director of Thought Leadership at Iron Mountain. "PSTs breed a 'keep everything' culture, which isn't healthy, especially as email is the number one target for eDiscovery. You don't need to keep everything; you need to be aware of what you need to keep."
- They're difficult to protect. Organizations typically back up record directories on individual users' PCs, but archive files can be stored anywhere. If IT doesn't know the location, PST files are not recoverable.
- They can be large and unwieldy. As people automatically archive emails over time, PST files can swell to more than a gigabyte in size. Files that big don't travel well. They're difficult to move around and expensive to store. Backing up individual archives is also wasteful. If a big PowerPoint attachment was archived by 100 people, then 100 copies are backed up, consuming bandwidth, storage space and administrators' time.
- They're prone to corruption. PST files have a reputation for fragility, especially large ones. They are easily corrupted and almost impossible to recover once they break. Michael Haley once worked with an attorney whose archive file contained the only copies of many of his clients' records. The file got corrupted and those records were lost.
- They aren't secure. It's possible to specify encryption levels when creating archive files, but many users either ignore or fail to notice that option. Unprotected PST files can then be opened by anyone with an Outlook application and the owner's email password.
- They're a target for litigation. When it comes to litigation, email remains the number one target for discovery. Searching through PSTs for responsive records is a costly exercise, and may expose more information than is necessary.
What to do?
The best way to deal with PST files is not to deal with them at all. Even Microsoft says personal archive files are "not meant to be a long-term, continuous-use method of storing messages in an enterprise environment." The company instead recommends using the Exchange server to archive email in a way that's safe, trackable and discoverable. You can disable PSTs in individual copies of Outlook or by using a group policy setting. Microsoft's instructions for doing that are found here.
But before you turn off email archiving, you need to find all the PST files that are out there and ask the owners to designate what information must be kept. Back up those emails and then delete the PST files. Next, be ready to offer users alternative ways to manage their records. "Give people the ability to put emails that they want or need to retain in a place that's accessible with the proper controls," says Trombley. "Use a system that's specifically built for that purpose, like Symantec's eMail Archive, Mimecast, Microsoft SharePoint or a cloud service." A Google search will turn up many options.
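A discovery sweep for the "find all the PST files" step, as an added example that is not part of the original article: it walks a directory tree, recognizes PST files by their header rather than their extension (so renamed archives are caught), and reports size plus the encryption setting recorded in the header. The field offsets follow the published [MS-PST] header layout; the function names and the 1 GiB threshold are choices made for this example.

```python
import os
import struct

PST_MAGIC = b"!BDN"      # dwMagic, first 4 bytes of the header ([MS-PST])
CLIENT_PST = b"SM"       # wMagicClient at offset 8; OST files share dwMagic but differ here
CRYPT_NAMES = {0: "none", 1: "compressible", 2: "high"}   # bCryptMethod values
LARGE = 1 << 30          # the article's "more than a gigabyte" threshold


def inspect_pst(path):
    """Return a record for a PST file, or None when the header is not a PST header."""
    with open(path, "rb") as fh:
        hdr = fh.read(514)
    if len(hdr) < 12 or hdr[:4] != PST_MAGIC or hdr[8:10] != CLIENT_PST:
        return None
    (ver,) = struct.unpack_from("<H", hdr, 10)      # wVer: 14/15 ANSI, >= 23 Unicode
    off = 461 if ver in (14, 15) else 513 if ver >= 23 else None
    crypt = hdr[off] if off is not None and len(hdr) > off else None
    size = os.path.getsize(path)
    return {
        "path": path,
        "size": size,
        "large": size > LARGE,
        "format": "ANSI" if ver in (14, 15) else "Unicode" if ver >= 23 else "unknown",
        "encryption_setting": CRYPT_NAMES.get(crypt, "unknown"),
        "renamed": not path.lower().endswith(".pst"),
    }


def find_psts(root):
    """Walk root and return records for every file with a PST header, whatever its extension."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            try:
                rec = inspect_pst(os.path.join(dirpath, name))
            except OSError:      # locked or unreadable file: skip, do not abort the sweep
                continue
            if rec:
                found.append(rec)
    return sorted(found, key=lambda r: r["path"])


def constructed_header(ver, crypt):
    """Build a minimal fake header for testing (constructed sample, not a usable PST)."""
    hdr = bytearray(514)
    hdr[:4], hdr[8:10] = PST_MAGIC, CLIENT_PST
    struct.pack_into("<H", hdr, 10, ver)
    hdr[461 if ver in (14, 15) else 513] = crypt
    return bytes(hdr)
```

Run `find_psts` against each user profile and file share, then hand the resulting list to the file owners for the keep-or-delete review the article describes.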
Microsoft has taken steps in recent years to make it easier for organizations to back up PST files to servers or the cloud, but the default storage location in Outlook is still a local hard drive. Companies that act now to eliminate them will save in the long run. The problem, like PST files themselves, only gets bigger with time.