Start With the Three Jobs of Email Governance

A defensible email program has three jobs.

First, it must prevent unauthorized access. That means reducing the odds that attackers, impostors, rogue insiders, or careless employees can expose sensitive communications.

Second, it must preserve what the law requires. That means suspending deletion when litigation, investigation, audit, or regulatory duties arise.

Third, it must produce what is lawfully required without overproducing privileged, confidential, irrelevant, or protected material.

Most email failures happen because organizations optimize for only one of those goals. Security teams may want everything locked down. Business teams may want everything convenient. Legal teams may want everything preserved. Privacy teams may want less data retained. A mature program balances all four interests.

1. Keep Business Email in Governed Channels

The first rule is simple: business communications should happen in approved business systems.

When employees use personal accounts, side channels, aliases, encrypted consumer tools, or unapproved messaging platforms for work, the organization loses visibility. That makes security harder, retention harder, legal holds harder, privilege review harder, and breach response harder.

It also creates a credibility problem. In a dispute, off-channel communications can look suspicious even when the motive was innocent. A private email account used because “it was easier” may later be portrayed as an attempt to avoid oversight.

Policies should tell employees where business communications belong. Training should explain why. Technology should make the approved path easier than the workaround.

2. Use Strong Authentication, Especially for Email

Email is often the master key to the organization. It resets passwords. It receives contracts. It contains privileged communications. It stores invoices, wire instructions, HR records, board discussions, settlement positions, and client data.

That makes authentication critical.

Multi-factor authentication should be table stakes for business email. But not all MFA is equal. NIST’s current digital identity guidance explains that phishing-resistant authentication requires cryptographic authentication, and that one-time passwords manually entered by a user are not considered phishing-resistant because they do not bind the authentication output to the specific session.

In practical terms, businesses should move toward phishing-resistant MFA, such as passkeys or hardware security keys, especially for executives, finance teams, administrators, lawyers, HR, and anyone with access to sensitive client or company information.

A subpoena may be a legal threat. A compromised mailbox is a business threat. Both deserve planning.
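The NIST point above, that a manually entered one-time password carries no information about where the user typed it while a cryptographic authenticator signs over the origin it actually connected to, is easier to see in code. The following is an added illustration written for this article, not code from any vendor or standard: a real RFC 6238 TOTP beside a simplified model of an origin-bound assertion (an HMAC stands in for the public-key signature a passkey or security key would produce), with constructed keys, a constructed challenge, and a constructed relying-party origin.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets; a real deployment provisions one per user and per authenticator.
OTP_SEED = b"constructed-demo-totp-seed"
AUTHENTICATOR_KEY = b"constructed-demo-authenticator-key"
REAL_ORIGIN = "https://mail.example.com"  # constructed relying-party origin


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s step, 6 digits)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int) -> bool:
    """Server-side OTP check: nothing in the code says where the user typed it."""
    return hmac.compare_digest(submitted, totp(seed, unix_time))


def sign_assertion(key: bytes, challenge: bytes, origin_seen_by_client: str) -> str:
    """Model of a cryptographic authenticator: the signature covers the server's
    challenge AND the origin the client actually connected to. HMAC is used here
    in place of the real public-key signature purely to keep the demo stdlib-only."""
    message = challenge + b"|" + origin_seen_by_client.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_assertion(key: bytes, challenge: bytes, assertion: str, expected_origin: str) -> bool:
    """The relying party recomputes over ITS OWN origin; an assertion made for
    any other origin fails even though the user and the key are legitimate."""
    expected = sign_assertion(key, challenge, expected_origin)
    return hmac.compare_digest(assertion, expected)


def login_outcomes(origin_user_actually_visited: str, unix_time: int = 1_700_000_000) -> dict:
    """Compare both factors when the user authenticates at a given origin and
    the resulting output is then presented to the real relying party."""
    challenge = b"constructed-server-challenge-0001"
    otp_code = totp(OTP_SEED, unix_time)
    assertion = sign_assertion(AUTHENTICATOR_KEY, challenge, origin_user_actually_visited)
    return {
        "otp_accepted": verify_totp(OTP_SEED, otp_code, unix_time),
        "assertion_accepted": verify_assertion(AUTHENTICATOR_KEY, challenge, assertion, REAL_ORIGIN),
    }


if __name__ == "__main__":
    print("genuine origin:", login_outcomes(REAL_ORIGIN))
    print("other origin:  ", login_outcomes("https://mail.example-login.net"))
```

Run stand-alone, the first line shows both factors accepted; the second shows the OTP still accepted while the origin-bound assertion is rejected. That rejection is the property the guidance calls phishing resistance, and it is why the high-risk roles listed above are the first place to deploy it.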

3. Encrypt Sensitive Communications, But Do Not Oversell Encryption

Encryption matters. It protects confidentiality in transit and at rest. For particularly sensitive legal, financial, health, employment, trade secret, or M&A communications, encryption may be part of a reasonable security posture.

But encryption is often misunderstood.

Encryption does not make a document non-discoverable. It does not make privilege automatic. It does not eliminate preservation duties. It does not prevent a recipient from forwarding, screenshotting, printing, downloading, or producing the message. And if the organization has the ability to access the content, a court may still ask whether the content is within possession, custody, or control.

The better framing is this: encryption protects against unauthorized access. It does not eliminate lawful access.

For lawyers, this distinction aligns with the professional responsibility framework. ABA Model Rule 1.6(c) requires reasonable efforts to prevent unauthorized disclosure or access to client information, while Formal Opinion 477R recognizes that ordinary internet communication can be permissible when reasonable safeguards are used, with heightened precautions when the circumstances require them.

4. Build Retention Rules Before the Dispute Arrives

Email retention is where many organizations drift into danger.

Keeping everything forever is expensive and risky. Deleting everything quickly can be worse if the organization cannot suspend deletion when preservation duties arise. The defensible middle is a written retention policy that is reasonable, consistently followed, and connected to legal hold procedures.

A good retention program answers basic questions.

What categories of email are retained? For how long? Who owns the policy? How are exceptions handled? What happens when litigation is anticipated? How are custodians notified? How are auto-delete rules suspended? How are departing employees’ accounts preserved or defensibly closed?

Once litigation is pending or reasonably anticipated, routine deletion may need to stop for relevant information. Rule 37(e) makes clear that courts can address lost ESI when it should have been preserved and reasonable steps were not taken. The most severe measures require intent to deprive, but even lesser failures can create costly motion practice and reputational damage.

The cleanest legal hold is the one built before anyone needs it.
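To make the retention and hold questions above concrete, here is an added example, written for this article and not drawn from any product, of the decision logic a defensible program needs: a written schedule by category, holds that reach messages by custodian or keyword, and a disposition routine that checks holds before the retention clock and records a reason for every decision. The schedule, matters, custodians and messages are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule in days; a real one comes from the written policy.
RETENTION_DAYS = {
    "general": 3 * 365,
    "finance": 7 * 365,
    "hr": 7 * 365,
}


@dataclass
class Message:
    custodian: str
    category: str
    received: date
    subject: str


@dataclass
class LegalHold:
    matter: str
    custodians: set
    keywords: set = field(default_factory=set)
    released: bool = False

    def covers(self, msg: Message) -> bool:
        """A hold reaches a message by custodian or by subject keyword until it is released."""
        if self.released:
            return False
        if msg.custodian in self.custodians:
            return True
        subject = msg.subject.lower()
        return any(keyword in subject for keyword in self.keywords)


def disposition(msg: Message, holds: list, today: date) -> tuple:
    """Decide retain/delete. Holds are checked first so routine deletion is
    suspended for anything a hold reaches, regardless of the retention clock."""
    for hold in holds:
        if hold.covers(msg):
            return ("retain", f"legal hold: {hold.matter}")
    limit = RETENTION_DAYS.get(msg.category)
    if limit is None:
        return ("retain", "uncategorized: no deletion without a schedule entry")
    if today - msg.received < timedelta(days=limit):
        return ("retain", "within retention period")
    return ("delete", "retention expired and no active hold")


def sweep(messages: list, holds: list, today: date) -> dict:
    """Run the schedule over a mailbox; returns subject -> (action, reason).
    The reason string is what the disposition log should record."""
    return {m.subject: disposition(m, holds, today) for m in messages}


# Constructed sample data so the block runs stand-alone.
AS_OF = date(2024, 6, 1)
SAMPLE_HOLDS = [
    LegalHold(matter="Matter 24-001 (constructed)", custodians={"bob"}, keywords={"falcon"}),
    LegalHold(matter="Matter 22-017 (constructed, released)", custodians={"alice"}, released=True),
]
SAMPLE_MESSAGES = [
    Message("alice", "general", date(2020, 1, 15), "Lunch on Friday"),
    Message("bob", "general", date(2020, 1, 15), "Lunch on Friday (bob)"),
    Message("alice", "finance", date(2020, 1, 15), "Q4 invoice batch"),
    Message("alice", "general", date(2020, 1, 15), "Project Falcon pricing"),
    Message("alice", "personal-archive", date(2010, 1, 1), "Unclassified export"),
]

if __name__ == "__main__":
    for subject, (action, reason) in sweep(SAMPLE_MESSAGES, SAMPLE_HOLDS, AS_OF).items():
        print(f"{action:7} {subject:30} {reason}")
```

Two design choices carry the legal weight: a message in a category the schedule does not name is retained rather than deleted, and a released hold stops reaching messages only through an explicit release flag, so the sweep log shows why each item was kept or removed.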

5. Separate Security Review From Privilege Review

Cybersecurity and privilege are related, but they are not the same.

Security review asks whether the information is protected from unauthorized access. Privilege review asks whether a communication is protected from disclosure in litigation or investigation. A secure email can be non-privileged. A privileged email can be insecure. A privileged email can also be accidentally produced if review workflows fail.

That is why discovery protocols matter. In significant matters, parties should consider Federal Rule of Evidence 502(d) orders. Rule 502(d) allows a federal court to order that disclosure connected with the litigation does not waive privilege or work-product protection in other federal or state proceedings.

For organizations with large email volumes, this can be the difference between a manageable review and a waiver nightmare.

6. Treat Metadata as Evidence, Not Exhaust

Many people think only the body of an email matters. In legal disputes, the surrounding data can matter just as much.

Headers, sender and recipient fields, timestamps, IP logs, device data, forwarding history, attachment metadata, mailbox access logs, retention events, and audit trails can all tell a story. Sometimes they show authenticity. Sometimes they show who knew what and when. Sometimes they show whether a message was altered, deleted, forwarded, or accessed.

That means security logging is not just an IT function. It is potential evidence.

Organizations should preserve logs long enough to investigate incidents, respond to subpoenas, and support legal positions. The exact period depends on the organization, industry, risk profile, and applicable law. What matters is that the decision is intentional, documented, and coordinated among legal, IT, security, privacy, and records teams.
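The metadata listed above can be pulled from a message with the standard library alone. The following is an added example, not part of the article and not taken from any forensic tool, that walks the Received chain in chronological order, checks that relay timestamps are consistent, compares the visible From domain with the envelope Return-Path, and fixes the raw artifact with a SHA-256 hash so that what was collected can later be shown to be unaltered. The message is a constructed sample, including its addresses, hostnames and IP addresses.

```python
import email
import email.policy
import hashlib
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not a real capture). Two relays each prepended a
# Received header; the From display domain differs from the envelope sender.
RAW_MESSAGE = b"""Return-Path: <bounce@relay.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10]) by mail.example.com with ESMTP id abc123; Mon, 08 Jan 2024 14:05:30 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7]) by mx.example.com with ESMTP id def456; Mon, 08 Jan 2024 14:05:28 +0000
From: "Finance" <finance@example.com>
To: treasury@example.com
Subject: Updated payment details
Date: Mon, 08 Jan 2024 14:05:20 +0000
Message-ID: <20240108140520.1234@relay.example.net>

Please use the attached account details for this month's payment.
"""


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def header_evidence(raw: bytes) -> dict:
    """Extract the metadata an investigator would preserve alongside the body."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hops = []
    for received in msg.get_all("Received", []):
        clause, _, stamp = received.rpartition(";")
        hops.append((parsedate_to_datetime(stamp.strip()), " ".join(clause.split())))
    hops.reverse()  # each relay prepends its header, so reversing gives chronological order
    monotonic = all(earlier[0] <= later[0] for earlier, later in zip(hops, hops[1:]))
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # fixes the artifact as collected
        "message_id": str(msg.get("Message-ID", "")),
        "hop_count": len(hops),
        "first_hop_time": hops[0][0].isoformat() if hops else None,
        "last_hop_time": hops[-1][0].isoformat() if hops else None,
        "timestamps_monotonic": monotonic,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "envelope_header_mismatch": from_domain != return_path_domain,
        "hops": [f"{when.isoformat()} {clause}" for when, clause in hops],
    }


if __name__ == "__main__":
    for key, value in header_evidence(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A mismatch between the From domain and the Return-Path domain is not proof of anything by itself (mailing lists and bulk senders produce it routinely), but it is exactly the kind of detail that, together with the hop timeline and mailbox access logs, lets a reviewer say whether a message is what it claims to be.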

7. Prepare for Breach Duties Before a Breach

Email compromise is one of the most common gateways into legal exposure. A hacked mailbox can trigger contract notice duties, privacy notification laws, professional responsibility obligations, regulatory inquiries, insurance claims, employment issues, and litigation holds.

For lawyers, ABA Formal Opinion 483 states that when a data breach involves, or is substantially likely to involve, material client information, lawyers have a duty to notify clients and take other reasonable steps consistent with the Model Rules.

Other regulatory regimes may also apply depending on the organization. The FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards designed to protect customer information. Public companies may also face cybersecurity disclosure obligations when a cybersecurity incident is determined to be material. SEC guidance notes that Item 1.05 of Form 8-K is tied to incidents determined to be material, and that a later materiality determination can trigger a Form 8-K filing within four business days.

This is why email security belongs in the boardroom and the general counsel’s office, not only in the IT ticket queue.

8. Build a Practical Email Governance Checklist

A defensible email program does not need to be theatrical. It needs to be real.

At a minimum, organizations should be able to answer these questions:

Do we know where business email is stored, including archives, backups, mobile devices, and third-party platforms?

Do we prohibit or tightly control personal email use for business communications?

Do we use strong MFA for email, with phishing-resistant MFA for high-risk users?

Do we have written retention policies and legal hold procedures that can suspend deletion quickly?

Do we have a privilege review process, including clawback protections where appropriate?

Do we log access and preserve security data long enough to investigate suspicious activity?

Do our vendor contracts address security, legal process, breach notice, data location, access controls, and retention?

Do employees understand that “private,” “hidden,” “encrypted,” and “off-system” do not mean outside the law?

The answer does not have to be perfect. But it should be defensible.

The Closing Argument

Email security is often sold as a shield. Legally, it is closer to evidence management.

The right controls can keep attackers out, preserve privilege, reduce breach risk, support compliance, and make discovery less chaotic. The wrong controls, or the wrong culture, can make an organization look like it was hiding the ball.

A mature email program does not promise subpoena-proof communication. That promise is usually false, and sometimes dangerous.

The better promise is this: our communications are protected, governed, preserved when required, reviewed when necessary, and produced only when the law requires it.

That is not secrecy.

That is defensibility.
