Only a fifth of firms fully understand the law on email use and retention, according to a new report, though most are aware of the business value of good email management.

Despite their poor understanding of legal requirements, the study by security specialist Diagonal Security found that three-quarters of firms had email management policies in place. Furthermore, most respondents said effective email management could improve operational efficiency and reduce business continuity risks.

But worryingly, almost one in 10 of the executives questioned were unable to say whether their firm had an email policy at all. Meanwhile, the introduction of new reporting rules such as the recent Sarbanes-Oxley (SOX) Act in the US, is increasing the need for email policies for compliance.

Michael Stimson, principal consultant at Diagonal Security, said a lot of companies do not realise that email can constitute a business document for legal purposes. "Email has grown up with business but is not seen as one of the key features of business," he said. "However, society is changing slightly, primarily because of corporate governance initiatives like Sarbanes-Oxley and Basel II, which are making firms sit up and take notice of [the need to keep records]."

Stimson added, "Companies are aware [of corporate governance and email management rules], but many have not done enough research yet to fully understand why it is an issue to them."

Implementing a policy on email use and retention should only be the first step, said Stimson. He added that policies must be frequently revised, and staff must be trained to understand the importance of these policies and to follow them.

Firms must regard email as part of their official records, to comply with rules such as the SOX Act and the UK Data Protection Act. "A technology focus is vitally important, but if firms are going to work in compliance with all these rules and regulations there has to be a combination of policies, procedures and technology," said Stimson. He added that good storage and data retention systems are needed to aid compliance.

Mike Davis of analyst firm Butler Group said one way to reduce the chances of breaking the law could be to keep all emails, but added there could then be a risk of keeping certain data for too long, so careful judgement is needed when writing policies.

Meanwhile, Microsoft's email storage policy recently came under the spotlight when it was accused of deliberately deleting emails relevant to an ongoing legal dispute. The company's group vice-president Jim Allchin allegedly instructed staff to routinely delete emails after 30 days.

The incident highlighted the importance of having formal procedures for email storage. Legal experts usually advise that emails relating to business contracts should be archived for several years.