The state of e-mail compliance: a technology perspective

Computer Technology Review, May, 2004 by Denise Reier

The importance of data management and information lifecycle management (ILM) has never been greater--as a result of the proliferation of compliance regulations across industries from financial services to healthcare to life sciences in parallel with the exponential growth of data and use of e-mail as a business communication medium. The mandate to create a strategy to securely archive, monitor and "promptly" produce records has companies struggling to make sense of the requirements and figure out how to manage their electronic data, particularly e-mail and instant messages (IMs). Rules like SEC 17a-4, which applies to registered broker-dealers, and the May 2003 implementation of the SEC Books and Records rule have created even more stringent mandates for record keeping of e-mail and other electronic communication, requiring secure archiving, monitoring and "prompt" production of records.

This, in turn, has created a three-fold challenge.

* First, simply having a records management system does not ensure that it is compliant with the rapidly evolving regulatory environment.

* Second, the records management system that worked for paper documents may not work for e-mail and IMs, particularly when it comes to discovery.

* And third, regulations are continually being tested by litigation, so compliance is judged against a perpetually shifting standard that changes as regulations are challenged in court.

With these uncertainties, how can businesses begin to address the technology issues to bring themselves into compliance? The reality is that regulatory bodies aren't in the business of putting people out of business. Therefore, a demonstration of investment and sponsorship at the highest levels within an organization may be sufficient to satisfy compliance requirements in the short term. However, as regulations continue to evolve and are better defined through case law and best practices evolve to match the changing regulations, companies (particularly in the financial services space) should not wait to begin investing in compliance.

From a business perspective, bringing your e-mail infrastructure into line with regulatory compliance not only protects companies against the penalties for non-compliance but, over time, also reduces total cost of ownership and improves return on investment by streamlining information management in the data center.

From a technology perspective, the three most salient issues are: sizing and deployment, controlling unmanaged data and training--all the way down to the user level.

Sizing and Deployment

The first step toward successfully bringing IT into line with compliance regulations is evaluating and deciding the scope and how to bound the initial compliance effort.

It sounds obvious, but taking a hard look at your infrastructure and the needs of the various parts of your organization is key. Ask yourself how large this archive will grow over time. We know that e-mail is a primary means of business communication, and analysts at Ferris Research say that the number of corporate e-mails has increased by 50% over the last year and is predicted to increase an additional 35-50% next year. Take into account that regulations also have different time requirements for data retention.

Controlling Unmanaged Data

Building a compliant system must take into account how different users within an organization create unmanaged data--either through saving e-mail archives to their desktops, on NAS devices or tape backups of servers--all of which can be significant roadblocks to creating a compliant system. Recognize that different regulations have different requirements on how long data must be retained, where it is saved and who has access to it. For instance, for financial services companies, the need to be compliant with state and federal securities regulations defines the business value of data and its associated retention period. For example, if a firm chooses to manage e-mail as simple correspondence, then there is a regulatory obligation to retain the e-mail for three years. At the end of those three years, the business value of compliance stops and the resulting action is that the record is destroyed.

Drilling down even further, the issues of authenticity, use as evidence and completeness further illustrate that reining in unmanaged data through a solution which captures e-mails, archives them and keeps them available is as much a compliance issue as it is a protection in the discovery process.

The importance of setting a retention and disposition policy and following it is highlighted by multiple court cases, including the ruling in 2002's Murphy Oil v. Fluor Daniel case. Though the case was focused on the question of who should pay for the cost of restoring and printing e-mails, an important point in the case was that the defendant's e-mail retention policy was to recycle backup tapes every 45 days; but because it neglected to follow its own policy, there were 93 tapes from the time period at issue, containing more than 25,000 e-mails. The defendant estimated that it would take six months and cost $6.2 million to restore the tapes, convert the e-mails to TIFF images, and print the e-mails.
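The retention rules above (three years for e-mail treated as correspondence, a 45-day backup-tape recycling interval in the Murphy Oil case) are only useful if someone checks that the archive actually follows them. The following Python script is an added illustration, not code from the article or from any product it discusses: it applies a per-category retention period to a set of archived records and reports which items are still within their period and which have been kept past it, the failure the Murphy Oil defendant ran into. The record categories, the `Record` structure, the sample archive and the audit date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods in days per record category. "correspondence" uses the
# three-year period the article cites; "backup_tape" uses the 45-day recycling
# interval from the Murphy Oil case. Any other category and its period would
# come from your own retention schedule (assumed here, not from the article).
RETENTION_DAYS = {
    "correspondence": 3 * 365,
    "backup_tape": 45,
}


@dataclass(frozen=True)
class Record:
    """One archived item: an e-mail, an IM transcript, or a backup tape."""
    record_id: str
    category: str
    created: date


def disposition_date(record, policy=RETENTION_DAYS):
    """The date on which the policy says this record's retention period ends."""
    if record.category not in policy:
        # Unknown category: refuse to guess rather than silently retain or destroy.
        raise ValueError(f"no retention rule for category {record.category!r}")
    return record.created + timedelta(days=policy[record.category])


def audit(records, today, policy=RETENTION_DAYS):
    """Split records into those still inside their retention period and those
    past it, and report how many days overdue each of the latter is. Anything in
    'dispose' is a policy violation if it still exists on the audit date."""
    retain, dispose, overdue_by = [], [], {}
    for rec in records:
        due = disposition_date(rec, policy)
        if today < due:
            retain.append(rec.record_id)
        else:
            dispose.append(rec.record_id)
            overdue_by[rec.record_id] = (today - due).days
    return {"retain": retain, "dispose": dispose, "overdue_by": overdue_by}


# Constructed sample archive (not real data) and a constructed audit date.
SAMPLE_RECORDS = [
    Record("msg-001", "correspondence", date(2002, 6, 1)),
    Record("msg-002", "correspondence", date(2001, 1, 15)),
    Record("tape-17", "backup_tape", date(2004, 4, 1)),
    Record("tape-09", "backup_tape", date(2004, 1, 20)),
]
AUDIT_DATE = date(2004, 5, 1)


def sample_audit():
    """Run the audit over the constructed archive as of the constructed date."""
    return audit(SAMPLE_RECORDS, AUDIT_DATE)


if __name__ == "__main__":
    result = sample_audit()
    for rid in result["retain"]:
        print(f"{rid}: retain")
    for rid in result["dispose"]:
        print(f"{rid}: past retention by {result['overdue_by'][rid]} days")
```

Run periodically against the archive index and treat a non-empty `dispose` list as an exception to act on, since a record that outlives its own policy is exactly what turned the 45-day tape rotation in Murphy Oil into 93 tapes and a $6.2 million restoration estimate. An unknown category raises rather than defaulting, so a new data source cannot slip into the archive with no retention rule attached.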
