TRENDING:

New Legal Rules Require Implementing Effective E-Mail Retention Policies

Andrew MillerJanuary 25, 2007    
New Legal Rules Require Implementing Effective E-Mail Retention Policies
The need to store and manage mushrooming quantities of unstructured content such as e-mails, instant messages, voice messages, and images is a major pain point for financial institutions of all sizes. An estimated 60 billion e-mails are sent across the globe each day and almost 80% of companies accept e-mail as confirmation of business transactions.

With the recent amendments to the Federal Rules of Civil Procedure (FRCP), which bring e-mail and other electronically stored information squarely into the discovery process in court proceedings, it's imperative that electronic communications be rigorously managed throughout its lifecycle.

Many corporations are ill-equipped to deal with the regulatory and technology issues surrounding e-mail. A survey by Osterman Research in December revealed that more than half of organizations don't understand the impact the new rules will have on their data retention policies.

The issue crosses organizational boundaries. Corporate counsel need to learn the legal impact of the FRCP changes, IT managers must grapple with the investments needed to preserve electronic data, and senior execs need to improve corporate governance policies and procedures.

Among the problems organizations face are discovering data from backup tapes in a timely manner; users sending large attachments through e-mail; mailbox quotas requiring user management; enforcing an e-mail retention policy; adware/spyware; increasing message sizes; spam; and growth in messaging storage requirements.

The FRCP amendments complicate matters further by treating electronically stored information as a part of the discovery process. "The changes reflect the reality that discovery of e-mail and other electronic information is now a routine, yet critical, aspect of every litigated case," according to a white paper by Osterman Research.

Although backups are performed at regular intervals by most financial institutions, they're not a substitute for archiving. A backup is designed to preserve data for short periods, while an archive is designed to preserve information on a long term basis. Most backups take periodic snapshots of active data so that deleted or destroyed records can be recovered, such as after a hardware failure. Because backups capture snapshots of data, information generated and deleted between backups will not be captured. Also, most backups are retained for no more than 60 to 90 days, after which they're destroyed or overwritten.

A well-designed archiving system can go a long way toward establishing peace of mind. Instead of frantically searching through reams of documents in response to a discovery proceeding, the legal team can automatically retrieve information that's been indexed according to predetermined policies. This applies not only to e-mail, but to attachments, instant messages, and other content that may be relevant to litigation.

An archiving system allows companies to preserve information for long periods so that employees have access to it when needed. This is underscored by the fact that 75% of users in the Osterman survey said that e-mail is "extremely important" in performing work, due to most information being tied up in the form of e-mail documents, attachments, contacts, and other content.

On the question of how much data to save, experts recommend saving more rather than less. Although a strategy of preserving less data may be less expensive from an IT infrastructure perspective, it runs the risk of deleting information that must be preserved because of FRCP or regulatory requirements. At the other extreme, preserving everything involves much higher storage costs, plus greater difficulty in locating necessary information. Organizations should strive to keep a balance.

This means establishing policies around data governance based on FRCP guidelines, regulatory compliance requirements. Implementing backup, archiving, and optimizing the use of primary and secondary storage is critical.

A comprehensive corporate governance plan should be established including data retention and content management policies. All the data that an organization generates should be managed as part of a centralized data management strategy that reflects not only FRCP requirements but regulatory compliance and IT effectiveness.

Osterman Research has outlined what steps companies need to take to respond to these requirements. Review and assess existing document retention policies and practices now, rather than when being hit with litigation. Pay close attention to e-discovery issues from the earliest stages of litigation. Learn what types of electronic data exist in the organization and what might be needed early in the litigation process. Investigate the cost of preserving, restoring, processing, and reviewing relevant electronic data. Determine an appropriate protocol for privilege and waiver claims.

Previous
Voice and Wireless Communications Present Unique Security Challenges, Regulators Say
Next
CUInfoSecurity.com Interviews Markus Jakobsson

About the Author

Andrew Miller

Andrew Miller

Contributing Writer, ISMG

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.



Around the Network

Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.