Get IT Done: IT pros must stay in compliance with e-mail retention laws

Establish policies to comply with e-mail retention laws

By Ruby Bayan

"Proactive e-mail management is very compelling when confronted with the monetary penalties, bad press, regulatory oversight, and investor's loss in confidence that can result from inaction," said Randolph Kahn, ESQ. Kahn is a principal with Kahn Consulting, Inc. and an internationally recognized authority on the legal, compliance, and policy issues of information technology, electronic records, and information management.

In an interview with TechRepublic, Kahn said that after having recently penalized five brokerage firms in excess of $8 million for retention failures, the U.S. Securities & Exchange Commission (SEC) is clearly intent on penalizing those who fail to follow the rules. And although network administrators and IT managers may not be the ones ultimately held responsible by the SEC, they are the ones who are likely to be held accountable internally for investigating and implementing the policies the business must maintain to stay in compliance.

"Increasingly, technology personnel are being asked to accept greater responsibility not only for the systems they manage, but also for the contents of those systems," Kahn said.

Is your company in compliance with e-mail retention laws? Here's a look at what you need to know—and do—to make sure your records stand up to legal scrutiny.

Know the rules and regulations
To understand the e-mail retention rules that your company needs to comply with, begin with a look at this list of pertinent sections of the amended Securities Exchange Act of 1934, also called the "Books and Records Rules", which apply to brokers, dealers, and members of the exchange:
  • 17 CFR 240.17a-4: All business-related e-mail and Internet communications sent and received must be retained for at least three to six years (depending on your type of company).
  • 17 CFR 240.17a-4(f)(1): Data must be maintained and preserved in a manner that verifies the authenticity of the data.
  • 17 CFR 240.17a-4(f)(2)(ii)(A): Records must be preserved exclusively in a non-rewriteable, non-erasable format (such as a WORM—write once read many—drive).
  • 17 CFR 240.17a-4(f)(3)(iii): Records must have a duplicate copy stored separately, for the time required, on a medium acceptable under Rule 240.17a-4(f)(2)(ii)(A).

Corollary to the SEC rulings, the National Association of Securities Dealers (NASD) disseminated Rule of Conduct 3110, which requires each member to make and preserve records in compliance with all NASD rules and as prescribed by SEC Rule 17a-3, as well as to follow the recordkeeping format, medium, and retention period requirements set by SEC Rule 17a-4.

In addition, to hold someone directly accountable for strict compliance of these records retention rulings, the SEC implemented a provision of the Sarbanes-Oxley Act, which "requires the CEOs and CFOs of public companies to personally certify that the reports their companies file with the Commission are both accurate and complete."

Mind your role in the scheme of things
Ignorance of the law will never pass as an alibi, so even if you're not directly involved in managing e-records for a public company that's within SEC and NASD jurisdiction, it's still best to keep track of sanctions that affect certain areas of the IT landscape.

Companies run the risk of paying hefty penalties for noncompliance for reasons including:
  • Lack of awareness
  • Deprioritizing nonincome-generating projects
  • Simple failure to understand the laws

Although experts continue to discuss and translate the ramifications of the rulings, certain concepts are clear: CEOs and CFOs assume authority and accountability for accuracy of records, and CIOs or IT divisions ensure effective implementation and technical compliance.

Kahn said the SEC's 240.17a-4 regulation spells out the requirements for electronic storage of information and records, and the responsibility to "get it right" falls largely on technology professionals.

In recent court cases, technology professionals' "innocent" conduct has been called into question, he said. For example, recycling backup tapes without regard to the legal reasons for retaining their contents has been viewed as destruction of evidence.

Explore compliance options
Fortunately, tech pros who are directed to "make sure we comply" have plenty of options to consider. Your course of action toward compliance could be to:
  • Hire: A quick online search for SEC specialists and consultants should provide a shortlist of outsourcing options.
  • Build: If resources and expertise are available in-house, building a system whose functionality meets the retention compliance requirements is worth considering.
  • Buy: If your company is more inclined to say, "Why build if we can buy?" the leading records/information management solutions providers to see are:
    EMC Corporation. The Centera Compliance Edition™ content addressed storage (CAS) is currently the only disk-based WORM device that facilitates compliance with the most stringent regulatory requirements.
    Legato Systems Inc. Soon to be acquired by EMC Corporation, Legato developed the EmailXtender for enterprise data storage and content management for electronic messaging, supporting Microsoft Exchange/Outlook, Lotus Notes/Domino, UNIX Sendmail, and Bloomberg Mail.
    Nexic. The Discovery e-mail product line addresses Novell's GroupWise.
    eManage Inc. A developer of e-mail lifecycle management and electronic records management products, eManage integrates its solutions with Exchange and SharePoint Portal Server.
    Lotus and Microsoft. For small/medium-size organizations, the native functionality of enterprise e-mail systems such as Notes and Exchange can be configured in a way that may support basic retention needs.

Set up a strategy
"Satisfying laws and regulation regarding records retention does not require a particular technology," Kahn added. "But implementing good, trustworthy computing environments is essential in today's legal and business environment." Therefore, before building or buying a system, "companies should develop a compliant e-record strategy and corresponding policy," he said.

Kahn suggested a number of ways IT departments can take a holistic and compliant approach to e-mail management:
  • Develop an e-mail retention policy that is based on legal requirements and business needs.
  • Don't throw the baby out with the bath water; instead, develop rules for methodical retention of e-mail records and proper disposal of "nonrecords."
  • Communicate with the help of senior management for enterprise-wide buy-in of retention strategies.
  • Train employees and advise them to refrain from writing unsubstantiated personal opinions in e-mail, which may be taken out of context and used against the company in a lawsuit.
  • Audit and monitor conduct, make sure to discipline as appropriate, and correct problems.

"E-mail is the way that business happens today," Kahn said. "It is not merely a bunch of lunch appointments, but rather all sorts of business content that requires real management. Manage it and it makes your business happen 'faster, better, cheaper.' Fail to properly manage e-mail and it can become a major source of liability, inconvenience, and expense."