Business dilemma: email retention policy; new SEC regulations to address storing and restoring

Computer Technology Review, Jan, 2003 by Christine Taylor Chudnow

Regulatory Requirements

Finance, pharmaceutical, healthcare, telecommunications and government-related firms must observe strict electronic document retention requirements. Regulations aren't strict for nothing: Email retrieval was key to the government's case in the Enron scandal (Andersen's shredding party notwithstanding). For instance, the SEC insists that American securities firms retain their electronic documents for five years--and be sure they can search and restore specific messages and threads in a short turnaround. Elizabeth Schnitzer of Iron Mountain noted that nearly 10,000 brokerage firms must keep all correspondence regarding a stock trade for six years, while email related to general business issues must be kept three years. And in companies whose analyst and investment banking divisions may have grown too cozy, the government closely analyzed email communications to build its cases.

Last year the SEC, NY Stock Exchange and NASD forced five major Wall Street firms to cough up over $8 million in non-compliance fees. What did they do--or not do--that cost them $1.65 million a firm?

The firms backed up email as part of their regular backup routines. However, they discarded, recycled and overwrote the backup tapes and other media, often a year or less after backup occurred.

Each firm had spotty procedures and systems around retaining and restoring email data. Some firms simply assumed users would retain all their email on their own hard drives. Many users did, but the firms could not efficiently search these emails in time to satisfy the investigators.

There were no formal policies in place for users to retain their emails. When a user left the company, IT erased his hard drive, deleting the email along with it.

The irony of the huge fines is that unlike bad guys Enron or WorldCom, the securities firms didn't do anything differently than most firms do with their email. That is why Boulder's President Lesley Taufer commented, "It's unclear if their processes were haphazard. That's why the fines were so significant." The firms may have been acting within traditional acceptable boundaries for email management. But what used to be acceptable will no longer do.

Solving the Problem

Companies must walk a narrow course between the expensive and risky extremes of email management: neither keeping all message stores (strains storage and management resources; preserves smoking guns) nor deleting email without a strict retention policy (violates regulatory laws; invites litigation). Ideally companies will assess their email records situation, generate intelligent business policies, communicate the policies to all end-users, and use email management applications to archive, manage, audit, restore and delete messaging data. Primary messaging compliance objectives would include:

* Instituting effective back-up and restore procedures.

* Initially capturing and storing all email, IM and attachments.

* Basing retrieval capabilities on primary index values such as unique message ID, date, from, to, subject line, and combinations.
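
The retrieval objective above, sketched as an added example (not part of the original article): messages are parsed once at capture time, indexed on message ID, date, from, to and subject, and searched by any combination of those fields, with whole threads restored by following In-Reply-To headers. The schema, function names and sample messages are assumptions made for illustration.

```python
import sqlite3
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
# Constructed sample messages (addresses and content are made up).
SAMPLE = [
    "Message-ID: <a1@example.com>\nDate: Mon, 04 Mar 2002 09:15:00 -0500\n"
    "From: analyst@example.com\nTo: banker@example.com\nSubject: ACME rating\n\nDraft.\n",
    "Message-ID: <a2@example.com>\nIn-Reply-To: <a1@example.com>\n"
    "Date: Mon, 04 Mar 2002 10:02:00 -0500\nFrom: banker@example.com\n"
    "To: analyst@example.com, desk@example.com\nSubject: Re: ACME rating\n\nOK.\n",
    "Message-ID: <b1@example.com>\nDate: Tue, 11 Jun 2002 14:30:00 -0500\n"
    "From: hr@example.com\nTo: analyst@example.com\nSubject: Benefits\n\nReminder.\n",
]

def build_index(raw_messages):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE msg (id TEXT PRIMARY KEY, sent TEXT, sender TEXT,"
               " subject TEXT, parent TEXT, raw TEXT)")
    db.execute("CREATE TABLE rcpt (id TEXT, addr TEXT)")
    for raw in raw_messages:
        m = message_from_string(raw)
        mid = m["Message-ID"].strip()
        # Normalise to UTC so the ISO strings sort and compare chronologically.
        sent = parsedate_to_datetime(m["Date"]).astimezone(timezone.utc).isoformat()
        sender = getaddresses([m["From"]])[0][1].lower()
        parent = (m["In-Reply-To"] or "").strip() or None
        db.execute("INSERT INTO msg VALUES (?,?,?,?,?,?)",
                   (mid, sent, sender, m["Subject"], parent, raw))
        for _, addr in getaddresses(m.get_all("To", []) + m.get_all("Cc", [])):
            db.execute("INSERT INTO rcpt VALUES (?,?)", (mid, addr.lower()))
    return db

def search(db, sender=None, to=None, subject=None, start=None, end=None):
    # Any combination of indexed fields; values are bound, never interpolated.
    sql = ("SELECT DISTINCT m.id, m.sent FROM msg m"
           " LEFT JOIN rcpt r ON r.id = m.id WHERE 1=1")
    args = []
    for clause, val in [("m.sender = ?", sender), ("r.addr = ?", to), ("m.sent < ?", end),
                        ("m.subject LIKE '%' || ? || '%'", subject), ("m.sent >= ?", start)]:
        if val is not None:
            sql, args = sql + " AND " + clause, args + [val]
    return [row[0] for row in db.execute(sql + " ORDER BY m.sent", args)]

def thread(db, root_id):
    # Restore a whole thread by following In-Reply-To links down from its root.
    sql = ("WITH RECURSIVE t(id) AS (SELECT ? UNION SELECT m.id FROM msg m JOIN t"
           " ON m.parent = t.id) SELECT msg.id FROM msg JOIN t ON msg.id = t.id ORDER BY msg.sent")
    return [row[0] for row in db.execute(sql, (root_id,))]
```

Keeping the raw message beside the index row means a hit can be restored byte for byte rather than rebuilt from the indexed fields.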

Content provided in partnership with Thomson Gale