In-Depth
Save Your E-Mail and Save Your World
E-mail archiving and storage that ensure compliance with regulatory standards continue to be an ongoing challenge.
Deep in the heart of governmental bureaucracy, something happened that, while barely noticed at the time, continues to control the way you have to think about e-mail some 38 years later. In 1970, the Federal Rules of Civil Procedure (FRCP) added to its text the phrase "data compilations from which information can be obtained." That defining moment of legislation meant all digital documents on computers had to be made available for discovery.
Legally speaking, discovery is the process by which the court requests parties involved in a lawsuit to submit information relevant to the case. The company that receives the discovery request must submit all relevant or requested information in a timely manner, with no expectation of reimbursement.
In December 2006, amendments to the FRCP again changed the rules that govern management of electronically stored information for all organizations operating in the United States. This further defined the role of e-mail and other electronic messaging with respect to litigation.
The Growing Scope of Compliance
No one could have predicted in 1970 how much data computers would eventually store and process. Analysts estimate that as much as 75 percent of corporate documentation is currently created and communicated via e-mail.
Therefore, the cost of retrieving electronic information to defend against a lawsuit can be colossal. And it's not an option -- it's essential. The costs can often outweigh the damages sought in the suit, especially if the organization does not use an adequate compliance solution. The situation gets more serious if the material demanded in the discovery is not available. Other regulations require that certain categories of information, like medical records or patient discussions, be given maximum privacy and protected from access by anyone but authorized persons.
At the same time, a significant amount of any organization's intellectual property lives in its messaging servers. As a corporate asset, you have to save and protect those e-mails; yet doing so is a moving target. Government agencies and corporate policy makers are defining regulations that affect e-mail and the data it contains. Their enforcement of and your adherence to these policies and regulations is the beast known as compliance.
Legislation and regulations define requirements for specific industries. Some relate to the amount of time you have to hold on to records, while others relate to the types of records you can legally retain. There is a certain degree of subjectivity in interpreting the laws. While it isn't always clear what the laws require, several common themes emerge:
- Electronic business records (including e-mail communications) are now under the same scrutiny as their paper-based counterparts. Failure to manage these records properly or to reproduce certain e-mail data upon request could be deemed an obstruction of justice.
- Organizations are required to systematically archive e-mail data as a standard business practice. In some cases, you may be required to use a non-alterable storage medium to bolster the data's evidentiary value.
- Organizations are required to document their data management practices and requirements related to e-mail and communicate this information to employees so all stakeholders are on notice as to the liabilities associated with e-mail messages.
- Metadata or descriptive information about the e-mail data itself is viewed as a key consideration when evaluating the evidentiary value of archived e-mail messages.
- Archived information must be safeguarded against all security threats, including access by unauthorized persons and anything that could physically damage or endanger availability of the information.
- Archived information must be easily accessible by authorized personnel whenever required.
The plain truth is that no organization can afford to simply ignore the whole aspect of compliance. The legal, regulatory and corporate requirements regarding the production, handling, transmission and retention of electronic messages are business-critical.
Be Prepared
With every day comes a demand for evidence for litigation or to provide documentation to regulatory agencies to prove compliance. Many organizations in the financial services, insurance and health care industries must maintain records of communication as employees perform daily business tasks.
Organizations that consider compliance when they plan their information technology infrastructures, especially their e-mail infrastructures, can supply the required documentation on-demand with less effort. They can also more easily comply with other regulatory requirements.
Organizations that don't may find themselves sorting through millions of e-mail messages manually, a colossal waste of time and money. They can also be legally responsible for not complying with laws or regulatory requirements.
It's important that you understand the laws and regulations that apply to your industry and take proactive steps to ensure compliance. There are three broad areas of requirements: information retention, access control and data integrity. The following list provides several examples of the areas where compliance expectations are increasing:
- Data retention policies: Many organizations are required to keep data for a specific time and then remove that data to protect privacy.
- Privacy and confidentiality requirements: Organizations have to protect the privacy of individuals and the confidentiality of communications.
- Ethical walls: Organizations that work with securities and other financial information are frequently required to prohibit communication among specific groups within their organization.
- Discovery requests: As part of this litigation process, litigants can request information from each other. This information frequently comes in the form of e-mail messages.
Whether you're responsible for designing the infrastructure of your messaging system or maintaining an existing system, you'll have to examine the current policies and determine what policies and practices you need.
Archiving Is Essential
As e-mail has evolved into a valid electronic substitution for legal business documentation, the information in e-mail now constitutes a legal record. As with all records, you'll have to retain those e-mails for a minimum period of time. Any messaging system design must include provisions for archiving e-mail. That's all. The data is not "archived," but merely stored.
An e-mail archive is a repository of correspondence, usually maintained in a non-production environment. A "true" e-mail archiving system automatically extracts message contents and attachments from incoming/outgoing e-mails. After indexing them, it stores them in read-only format. This ensures that archived records are maintained in their original state.
Archiving ensures that an organization has a centralized and accessible copy of all its e-mail. This provides additional protection against accidental or intentional deletion of e-mails by end users.
E-mail archiving also eliminates the need to search for personal archives on each and every local machine whenever litigation support is requested. Record authenticity, or preservation of a record in its original state, is one of the key requirements in many of the content regulations imposed by the law.
There are five key reasons for an organization to archive its e-mail: compliance, judicial discovery, storage management, knowledge control and performance.
Compliance: The new regulatory environment is one of the major drivers behind the increased demand for e-mail archiving solutions. The data is subject to regulatory statutes that vary by industry, but all records that pertain to the organization's business activity are subject to compliance regulations. These include employee and client records, correspondence among organizations and financial documentation.
Judicial Discovery: One issue with discovery requests is that there's often no specific time limit to define how far back a company must search. Organizations must provide all copies of e-mail relevant to the request, regardless of the date. The completeness and availability of all the requested records, and the time required to extract this information, depend very much on the organization's e-mail archiving processes.
An organization that fails to submit the information requested in a legal discovery can be found guilty of "spoliation," a legal term that describes the improper destruction of evidence. If a court feels there's a basis to believe spoliation has occurred, it can do a number of things, almost all of them bad for the party found involved in spoliation. The court can order a verdict for the other party or the court can assume that the lost information was harmful to the party that failed to produce it, and instruct a jury to act accordingly. Finally, there can also be hefty fines.
Storage Management: It has been estimated that one in every four organizations experiences storage growth in excess of 25 percent per year. It's also estimated that nearly 50 percent of organizations are providing more than 150MB of storage per user.
A study by Osterman Research Inc. confirms that e-mail stores are growing annually at 37 percent. Consequently, keeping e-mail in a "live," or online, storage format will necessitate more physical storage space, as well as increasingly powerful hardware to handle the loads. Compliance regulations have further contributed to the increased demand for storage by obliging organizations to preserve old e-mail, sometimes indefinitely.
E-mail archiving solutions can provide a more versatile method of storage management by:
- Centralizing the organization's e-mail records
- Storing e-mails in a compressed format
- Automatically archiving e-mails as they pass through the message store
- Allowing authorized users to view e-mails from a central repository, which can encourage them to eliminate bulky, locally stored .PST files
Knowledge Control: An organization's e-mail system is also a vast and comprehensive corporate knowledge repository. It can contain huge quantities of useful e-mail information. An e-mail archiving system can provide appropriate knowledge-management tools -- for e-mail records sorting and advanced search and retrieval functions -- that enable IT to better manage the knowledge base contained in the company's e-mail archive.
Performance: Archiving can enhance performance. Decreasing the size of the primary e-mail database enhances the performance of the e-mail servers. There's also a subsequent reduction in the amount of high-performance storage required for e-mail. Backup and recovery operations are also improved. Persistent, or static, data is archived, so the amount of unchanged data that's backed up again and again is reduced.
Based on the above criteria, any e-mail archiving solution should include the following features:
- E-mails should be automatically archived with a minimal level of human intervention.
- Archived e-mails should be indexed -- especially the text content -- so search facilities will enable the quick extraction of records to support regulatory audit requests and legal discovery.
- The e-mail archiving system must include configuration features through which the company can define its archiving criteria. These features should at least allow archiving of specific mailboxes and messages from specific domains or e-mail addresses.
- The e-mail archiving system must be able to ensure that records are secure from loss, damage or misuse. The solution must also include access-restriction features.
- Journaling is essential -- especially for organizations using the e-mail archive solution for governance or a system of record -- as it ensures that each e-mail is captured and saved.
- The solution should help a company use its e-mail archive as a central knowledge repository from which authorized users can extract information required. Depending on how the system is configured, the retrieval can essentially be transparent to the end user.
- The archiving system should support all major messaging platforms to ensure standards compatibility.
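The mechanics described above (capture each message automatically, extract its metadata and attachments, index the text, store the original read-only, and be able to prove it is unaltered) are easier to reason about with a concrete, if minimal, implementation. The following Python script is an added example written for this article; it is not the code of any archiving product mentioned here. The sample message, the `example.com` addresses, the file names and the JSON-lines index layout are all constructed for the demonstration. Each message is stored under its SHA-256 digest with the write bit dropped, the index is append-only, and `verify_archive` re-hashes every stored file so that an altered record is detected even if someone defeats the file permission.

```python
import email
import hashlib
import json
import os
import stat
import tempfile
from email import policy

# Constructed sample message (not a real capture): one text part, one attachment.
SAMPLE_EML = b"""From: trader@example.com
To: compliance@example.com
Subject: Q3 retention policy
Date: Mon, 03 Mar 2008 10:15:00 -0500
Message-ID: <constructed-0001@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please file the attached policy under the 2008 retention schedule.
--BOUNDARY
Content-Type: application/pdf; name="policy.pdf"
Content-Disposition: attachment; filename="policy.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

INDEX_NAME = "index.jsonl"  # hypothetical append-only index file


def archive_message(raw: bytes, archive_dir: str) -> dict:
    """Journal one raw RFC 822 message: hash it, extract metadata, store read-only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    digest = hashlib.sha256(raw).hexdigest()
    body = msg.get_body(preferencelist=("plain",))
    record = {
        "sha256": digest,
        "message_id": str(msg["Message-ID"]),
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "date": str(msg["Date"]),
        "subject": str(msg["Subject"]),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "body_text": body.get_content() if body is not None else "",
        "duplicate": False,
    }
    path = os.path.join(archive_dir, digest + ".eml")
    try:
        # O_EXCL: never overwrite. The file name is the content hash, so the same
        # message journaled twice is reported as a duplicate, not stored again.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
    except FileExistsError:
        record["duplicate"] = True
        return record
    with os.fdopen(fd, "wb") as fh:
        fh.write(raw)
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP)  # read-only for owner and group
    with open(os.path.join(archive_dir, INDEX_NAME), "a", encoding="utf-8") as idx:
        idx.write(json.dumps(record) + "\n")  # append-only: existing lines are never rewritten
    return record


def search_index(archive_dir: str, term: str) -> list:
    """Return the Message-IDs whose indexed fields contain term (case-insensitive)."""
    idx_path = os.path.join(archive_dir, INDEX_NAME)
    if not os.path.exists(idx_path):
        return []
    hits = []
    with open(idx_path, encoding="utf-8") as idx:
        for line in idx:
            rec = json.loads(line)
            text = " ".join([rec["subject"], rec["from"], rec["to"], rec["body_text"],
                             " ".join(rec["attachments"])]).lower()
            if term.lower() in text:
                hits.append(rec["message_id"])
    return hits


def verify_archive(archive_dir: str) -> list:
    """Re-hash every stored message; return the digests whose bytes no longer match."""
    bad = []
    for name in sorted(os.listdir(archive_dir)):
        if name.endswith(".eml"):
            with open(os.path.join(archive_dir, name), "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() != name[:-4]:
                    bad.append(name[:-4])
    return bad


def run_demo() -> dict:
    """Archive the sample twice, search it, then simulate tampering and re-verify."""
    archive_dir = tempfile.mkdtemp(prefix="mail-archive-")
    first = archive_message(SAMPLE_EML, archive_dir)
    second = archive_message(SAMPLE_EML, archive_dir)
    clean = verify_archive(archive_dir)
    # Someone with enough privilege removes the read-only bit and edits the file;
    # the permission bit is only a guard rail, the hash comparison is the control.
    path = os.path.join(archive_dir, first["sha256"] + ".eml")
    os.chmod(path, 0o644)
    with open(path, "ab") as fh:
        fh.write(b"\n-- altered after archiving --\n")
    return {"sha256": first["sha256"], "attachments": first["attachments"],
            "second_was_duplicate": second["duplicate"],
            "hits_for_retention": search_index(archive_dir, "retention"),
            "tampered_before": clean, "tampered_after": verify_archive(archive_dir)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script archives the constructed message, reports the second copy as a duplicate, finds it by the word "retention", shows a clean verification, and then reports the digest of the altered file once its contents have been changed. A production system would also sign or externally anchor the index so that the index itself cannot be rewritten, and would write to storage that enforces write-once at the media or object-store level rather than relying on a file permission.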
In-House or Hosted Service?
There are two primary methods for deploying and managing an e-mail archiving solution: a completely in-house solution or a hosted solution in which the archive is maintained at a third-party data center.
The main advantage of in-house archiving is that your organization's e-mail repository is stored on a server within your organization. Sensitive information is behind the corporate firewall and handled by your staff. This ensures better control over data integrity and confidentiality.
The main disadvantage is the up-front cost involved and the sudden impact the system might have on your IT department. In order to deploy an internal e-mail archive, you have to purchase an adequate e-mail archiving program, as well as the hardware to host the archive.
Hosted solutions require lower up-front costs than in-house solutions. In a hosted solution, an app on your corporate e-mail server captures e-mail and migrates it off-site via the Internet to a third-party data warehouse for archiving. Authorized users can subsequently access the data stored offsite using a Web browser or compatible e-mail client.
Some organizations think hosted archiving solutions can be a way to shift liability to the outsourcing vendor. This is a serious misconception. Liability continues to fall with the data owner -- the organization employing the outsourced resources.
With an in-house solution, the organization also has the final say on when things get done, whereas with a hosted system the company's priorities compete with those of the service provider. Such a limitation may actually place an organization at higher risk, because archival records might be incomplete or might not be retrievable in the time required by a request.
No matter how you choose to do it, e-mail archiving and maintaining compliance with legal, regulatory and business mandates is as important an aspect of your messaging infrastructure as the servers you use and how they're configured.
More Information
E-Mail: It's the Law
Here's a list of some of the major laws in effect as of 2008 that govern how you have to manage electronic records, although this list is by no means exhaustive. Some estimates number the actual laws that have an impact on electronic records -- including international, federal, state and local statutes -- in the thousands.
- Sarbanes-Oxley Act of 2002 (SOX): This U.S. federal law requires the preservation of records by certain exchange members, brokers and dealers.
- Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4): This SEC rule establishes the rules regarding the retention of electronic correspondence and records.
- National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110): The NASD requires that member firms establish and maintain a system to "supervise" the activities of each registered representative, including transactions and correspondence with the public. NASD 3110 also requires that member firms implement a retention program for all correspondence that involves registered representatives. These regulations primarily affect broker-dealers, registered representatives and individuals who trade securities or act as brokers for traders who are subject to the regulations.
- Gramm-Leach-Bliley Act (Financial Modernization Act): This U.S. federal law protects consumers' personal financial information held by financial institutions.
- Financial Institution Privacy Protection Act of 2001: This law amends the Gramm-Leach-Bliley Act to provide enhanced protection of non-public personal information.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): This U.S. federal law provides rights and protections for participants and beneficiaries in group health plans.
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (PATRIOT Act): This U.S. federal law expands the authority of U.S. law enforcement for the stated purpose of fighting terrorism in the United States and abroad.
Besides these U.S. laws and regulations, the following regulations also specify requirements that may rely on journaling technology:
- European Union Data Protection Directive (EUDPD): This directive standardizes the protection of data privacy for citizens throughout the European Union (EU) by providing baseline requirements that all member states must achieve through national legislation.
- Japan's Personal Information Protection Act: This regulates the collection, use and transfer of personal information in Japan. The Personal Information Protection Act applies to government or private entities that collect, handle or use personal information of 5,000 or more individuals.
The Cost of Discovery
The cost of finding the electronic records for a discovery process can be astronomical, requiring months of IT manpower to wade through backup tapes. Failing to find the records or losing them can lead to a series of fines and directed judgments. These are just a few examples:
- In Murphy Oil USA v. Fluor Daniel, the defendant was ordered to restore and print e-mails contained in 93 tape backups and absorb the total costs involved in the operation, which amounted to $6.2 million.
- In March 2004, Bank of America Corp. was fined $10 million by the Securities and Exchange Commission (SEC) for failing to retain e-mail records for the time stipulated by the regulation and for failing to submit the information requested by the SEC in a timely manner.
- Investment firms Deutsche Bank Securities Inc., Goldman Sachs & Co., Morgan Stanley, Salomon Smith Barney Inc. and U.S. Bancorp Piper Jaffray Inc. were fined $1.65 million each for not complying with SEC Rule 17a-4 and for failing to produce e-mails requested during the course of an investigation.
- The cost of restoring 77 tape backups in the case Zubulake v. UBS Warburg (UBS Bank) amounted to $165,954, and the related review costs totaled $107,694.
- Philip Morris International Inc., one of the largest tobacco companies in the world, was fined $2.75 million for destroying e-mails in violation of a 1999 order.
As you can see, failing to have an archiving solution that's compliant with regulatory requirements can cause serious financial losses for your company. It can even bankrupt it, as well as cost you your job.
-D.T.