Does E-mail Retention Require Your Attention?

By: CUinfosecurity.com
September 9, 2005


Today, a Google search for the phrase “email retention” returns 19.6 million matches. If nothing else, that means the topic is surrounded by industry buzz. With complex regulations that include only vague language on e-mail retention, it is hard to assess whether you will soon be thrown into the deep end. And while trailing the pace car that signifies “industry best practice,” it is equally hard to judge whether this costly and time-consuming practice truly warrants your immediate attention.

Sections 802 and 1102 of the Sarbanes-Oxley Act provide that anyone who knowingly destroys or alters a document, and thereby impedes an investigation or obstructs an official proceeding, is subject to a prison term of up to 20 years. While most corporations have set some ground rules on appropriate use of the corporate PC, it is hard to tell how well a company understands the content of its employees’ online interactions. Scanning e-mail for “naughty” words cannot by itself protect a corporation from in-house wrongdoing or corporate fraud. Research from the Radicati Group, Inc. found that the average corporate e-mail user sends and receives 84 e-mails a day, equating to 10 MB of storage per day; this is expected to rise to 15.8 MB per user per day by 2008. Monitoring and storing this mountain of content can therefore easily seem like an overwhelming project to begin and maintain, for corporations and financial institutions alike.

While it has long been accepted that an employee’s corporate e-mail account is not protected as personal property, I doubt that employees ever expected their everyday banter to be neatly filed pending possible future reference. Sarbanes-Oxley (SOX) regulations may cause security auditors and data management professionals to move even the ever-popular one-line e-mail to the filing cabinet, because although e-mails are informal in nature, electronic documents are as legally binding as hard-copy communications. Already, the Securities and Exchange Commission (SEC) requires all private brokerage houses and financial institutions to retain hard-copy, e-mail and instant-messenger communications relating to any stock trade or investment made within the past three years. This SEC records-retention rule (Rule 17a-4) has been continuously adjusted, added to and enforced since 1939. These regulations were originally established to help ensure that brokers did not raise their commission rates improperly or become involved in investment fraud.

While public companies have already restructured and hired auditors to help them comply with the already arduous SOX regulations, they may have yet another hurdle to jump. Reuters has reported that by July 2006 the act will encompass reformed clauses requiring all public companies to follow guidelines similar to those the SEC currently applies to private institutions and brokerage firms. This need stemmed from notable court cases such as Morgan Stanley v. Ronald Perelman (Revlon), a case that has already pushed Morgan Stanley ahead of the curve in saving all of its communications and cost it somewhere in the ballpark of 1.45 billion dollars. Morgan Stanley is now leading the way in these practices in the hope of avoiding further litigation and fines for not having proper e-mail retention policies in place. With retention policies and procedures already affecting the Fortune 200, e-mail retention should be considered a necessary step in protecting your corporation from future litigation and sanctions.

The importance of this topic is likely to increase once additional SOX regulations are implemented. Currently SOX is vague about e-mail retention, and compliance is not only time consuming but complicated and, apparently, not widely practiced. Data management solutions and third-party vendors are popping up every day in this arena, yet without industry partners stepping forward it is hard to know where to begin. Many entities are looking for the most cost-effective services possible, and that search has pointed toward hierarchical storage management. With a hierarchical storage system, a firm can place its data on storage media of varying cost, chosen by categories such as the information’s importance or age, while keeping it retrievable. However, juggling these different media can also add confusion to the process, which in turn paves the way for third-party storage management.

So what happens once this transformation takes place and you need to comply? Recovering a single e-mail from this veritable mountain of data could be like finding a city without a McDonald’s. Many companies use separate storage devices to prevent data loss (such as backup tapes filed neatly in a CEO’s basement storage bins, next to the Christmas decorations) in case the information is needed for future reference. However, a recent TowerGroup study on e-mail content management states that by 2007 the securities industry alone will handle more than 95.8 million e-mail messages per day. That figure has been put forward on the assumption that most companies will be willing to outsource the large number of man-hours required to extract and file this enormous volume of data appropriately. An industry best practice for these regulations will have to be created and implemented, as there is currently no set way to easily, securely and cost-effectively organize this mass of data. While storing these communications will be imperative, being able to find specific e-mails when required will be paramount. When attempting to meet a burden of proof, as Morgan Stanley was unable to do earlier this year, it seems clear that professionals will need to be brought in to automate and facilitate this process appropriately.
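To make the two problems above concrete (filing messages onto storage tiers by age, and later locating one specific message and showing it is the copy that was retained), here is a small Python indexer. It is example code written for this page, not software from the article or from any vendor it mentions. The tier thresholds (90 days and three years), the example.com addresses and the three sample messages are assumptions constructed for the demo. It also records a SHA-256 digest of each message as received, so that a later alteration of the stored copy can be detected; the page does not describe that step, but it follows directly from Section 802’s concern with altered documents.

```python
"""Index e-mail for retention: tier by age, locate one message, detect alteration.

Added example for this page (not from the article or any vendor). Assumed, not
taken from the page: the tier thresholds, the example.com addresses, and the
three constructed sample messages.
"""
import email
import hashlib
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import parsedate_to_datetime

# Fixed reference time so the demo is reproducible (the article's publication date).
NOW = datetime(2005, 9, 9, 12, 0, tzinfo=timezone.utc)

# Assumed tier boundaries; the page gives no figures for these.
HOT_MAX = timedelta(days=90)         # recent mail on fast online disk
WARM_MAX = timedelta(days=3 * 365)   # roughly the SEC three-year window, on cheaper nearline storage


def tier_for_age(age: timedelta) -> str:
    """Map a message's age to the storage tier an HSM system would place it on."""
    if age < HOT_MAX:
        return "hot"
    if age < WARM_MAX:
        return "warm"
    return "cold"                     # tape or optical: slow but cheap


class Archive:
    """In-memory stand-in for an archive index; a real deployment would persist it."""

    def __init__(self, now: datetime = NOW):
        self.now = now
        self.records = {}             # Message-ID -> record dict

    def ingest(self, raw: bytes) -> dict:
        """Parse one RFC 822 message, hash it as received, and file it by age."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        mid = str(msg["Message-ID"]).strip()
        sent = parsedate_to_datetime(str(msg["Date"]))
        if sent.tzinfo is None:       # a "-0000" zone parses as a naive datetime
            sent = sent.replace(tzinfo=timezone.utc)
        rec = {
            "message_id": mid,
            "from": str(msg["From"]),
            "to": str(msg["To"]),
            "subject": str(msg["Subject"]),
            "date": sent,
            "sha256": hashlib.sha256(raw).hexdigest(),   # fixed at ingest, compared later
            "tier": tier_for_age(self.now - sent),
            "raw": raw,
        }
        old = self.records.get(mid)
        if old is not None and old["sha256"] != rec["sha256"]:
            # Same Message-ID but different bytes: refuse rather than overwrite silently.
            raise ValueError(f"conflicting copy of {mid}")
        self.records[mid] = rec
        return rec

    def find(self, *, message_id=None, sender=None, since=None, until=None) -> list:
        """Locate messages by exact Message-ID, sender substring and/or date range."""
        hits = []
        for rec in self.records.values():
            if message_id is not None and rec["message_id"] != message_id:
                continue
            if sender is not None and sender.lower() not in rec["from"].lower():
                continue
            if since is not None and rec["date"] < since:
                continue
            if until is not None and rec["date"] > until:
                continue
            hits.append(rec)
        return sorted(hits, key=lambda r: r["date"])

    def verify(self, message_id: str) -> bool:
        """True if the stored bytes still match the digest taken at ingest."""
        rec = self.records[message_id]
        return hashlib.sha256(rec["raw"]).hexdigest() == rec["sha256"]


def _message(mid, sender, to, date, subject, body) -> bytes:
    """Build a constructed RFC 822 message (sample data, not real correspondence)."""
    return (f"Message-ID: <{mid}>\r\nFrom: {sender}\r\nTo: {to}\r\nDate: {date}\r\n"
            f"Subject: {subject}\r\n\r\n{body}\r\n").encode()


# Constructed samples spanning the three tiers relative to NOW.
SAMPLE_MESSAGES = [
    _message("trade-0001@example.com", "broker@example.com", "client@example.net",
             "Thu, 03 Jan 2002 16:30:00 +0000", "Buy order confirmed", "Filled 500 shares."),
    _message("trade-0002@example.com", "broker@example.com", "client@example.net",
             "Mon, 14 Jun 2004 09:00:00 +0000", "Re: position review", "Holding as discussed."),
    _message("memo-0003@example.com", "cfo@example.com", "staff@example.com",
             "Fri, 02 Sep 2005 10:15:00 +0000", "Quarter close", "Reminder: freeze at 5pm."),
]


def build_demo_archive() -> Archive:
    archive = Archive()
    for raw in SAMPLE_MESSAGES:
        archive.ingest(raw)
    return archive


if __name__ == "__main__":
    a = build_demo_archive()
    for r in a.find():
        print(r["tier"], r["date"].date(), r["message_id"], r["sha256"][:12])
```

Run as-is and the three sample messages land on the cold, warm and hot tiers respectively; `find()` answers the kind of request a litigation hold actually produces (everything from this sender between these dates), and `verify()` is the check you run before handing a copy over, since a digest taken at ingest is only useful if it was never recomputed from the stored bytes.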

Therefore, the proactive and conservative business should take strides toward incorporating e-mail retention into next year’s technology budget. Research and due diligence will be needed to assess the vendors now providing these services and products, and industry “best practices” will need to be observed and followed.

References:

1) Sarbanes-Oxley Compliance Journal, “What Every Company Should Know About Email Management for Sarbanes Oxley Compliance,” http://s-ox.com/feature/detail.cfm?articleID=206

2) Reuters, “SOX: E-mail retention is ‘a legal Chernobyl,’” http://www.silicon.com/research/specialreports/compliance/0m3800003180,39130615,00.htm

3) Elizabeth Schnitzer (Iron Mountain Consulting Services), “Banks Need to Consider E-mail Retention Solutions,” Bank Systems & Technology, http://www.banktech.com/features/showArticle.jhtml?articleID=14701334

4) Editors of Regulatory Risk Monitor, “Email Retention: Can your policy stand up?,” http://www.rrmonitor.com/frcjsp/index.jsp
