E-mail archiving: a key piece to a compliance strategy

Computer Technology Review, Oct, 2004 by Mary Kay Roberto

The convenience and immediacy of e-mail makes it an instant necessity for organizations of every size, but the storage of very large volumes of e-mail represents both an asset and a liability. There are powerful reasons for accessing stored e-mail messages, including compliance with laws and regulations that require the retention and supervision of e-mail, such as SEC Rule 17a-4 and NASD Conduct Rule 3010, as well as the corporate governance recommendations established by the Sarbanes-Oxley Act. Government agencies, too, must archive e-mail messages to comply with regulations set by the Freedom of Information Act (FOIA), the Patriot Act, and other Federal and State legislative acts. For example, Florida's Sunshine Laws grant Floridians the right to request copies of all public records, including e-mail, and receive them in a timely manner. Failure to comply exposes state agencies to lawsuits. Additionally, many organizations face the looming possibility of civil litigation, with consequent demands for copies of archived e-mail messages and their attachments.

Swiftly growing e-mail stores and increasingly stringent e-mail retention and supervision regulations are requiring IT professionals to develop effective compliance strategies. Simply backing up data is not enough. They are expected to put in place a retrieval mechanism that assures their companies will be in compliance when presented with a variety of demands. And, as always with IT projects, they will be expected to find a way to do this with the least possible expense impact to the business.

The cost potential of operating without a compliance strategy is staggering. Attorney Jeffrey Plotkin, a partner with the New York City law firm of Eiseman Levine (with 18 years of experience handling securities enforcement matters) says the cost of court-ordered searches of scores of backup tapes can easily run into the hundreds of thousands of dollars. Even if a company's e-mail store contains no evidence of wrongdoing, failure to simply produce all records requested by investigators can be both time consuming and costly.

The question of archiving e-mail extends beyond compliance, however. An effective archiving strategy can not only reduce business risks but also reduce IT costs and generate everyday operational efficiencies.

A Software-based Archiving Framework

It's important to emphasize the difference between backup and archival storage. Backup saves your current data against the event of disaster; archives protect data so it can be accessed when needed. For that reason, archives should be organized for search and retrieval, not simply for safekeeping.

The basis for an effective content archiving strategy is a software archiving platform that enables administrators to set policies specific to their organization's specific needs. It should keep data instantly accessible. If, for example, the decision is to migrate e-mail messages to lower-cost storage when they reach a specific age, then the users who access them should not need to change the way they work. When they pull up an archived message, they should have access to all the usual commands, such as "Reply" and "Forward."

Ideally, the archiving platform you choose should be able to manage e-mail and unstructured content generated by your e-mail system, such as Microsoft Exchange, as well as instant messaging, file-server environments and collaborative services such as Microsoft SharePoint Portal Server. It should be highly customizable to your company's needs for data lifecycle management and scalable enough to accommodate foreseeable growth. Also, look for an archiving platform that reduces storage space and costs by compressing files before sending them to longer-term storage media.

Setting Up Policies

Migration of e-mail messages to the archive is automated by the software archiving platform, and is controlled by the policies set by administrators. Setting aside for now industry regulations, such as SEC Rule 17a-4, that require e-mail retention, the basic criterion for archiving a message is its current value. Your policy can instruct the system to identify certain types of e-mail (for example, messages that include phrases such as "after work" and are clearly not business-related) and delete them so they aren't transferred to the archive at all.

The value of e-mail messages drops precipitously after the day they're sent. How long should they keep them before they're automatically archived? This policy varies dramatically by business and industry sector, but is typically based on the number of days elapsed since a specific message was accessed. For some businesses, a week-old message is history. For others, messages may have residual value for months or even years.

This time-to-archive policy becomes more valuable when you apply it more granularly by message type. For example, armed with knowledge of the demand for e-mail storage and the capacity you're working with, you may decide that large messages, and messages with large attachments, should be archived sooner. On the other hand, some organizations that receive a blizzard of e-mail in connection with time-sensitive projects may decide to archive all messages as they receive them, so they can be more readily accessed and passed on for review through the archiving platform.