IT faces regulatory requirements for electronic communications archiving

IT is under pressure to keep more data for longer periods of time, and with greater consequences surrounding its entire life cycle.

by Steve Kenniston, Senior Strategist, Connected Corporation

This article grapples with one of the hottest business and technology issues facing companies today: What do you do with all your data? One thing is certain: We're all under pressure to keep more data for longer periods of time, with greater consequences surrounding its entire life cycle. At each stage—from creation onward to retention and destruction—doing the correct thing with your corporate data is more important than ever.

As a result of the corporate accounting scandals of the last few years, new laws and the increased enforcement of old laws now require enterprises to reevaluate their records-management policies. E-mail records management has become a particular area of focus. Printing documents was the electronic records management solution for some enterprises, but with the growth in the volume of e-mail and instant messaging, enterprises need a new approach. Concurrently, the expanding size of e-mail system data stores presents operational challenges to IT organizations as they try to keep these systems running efficiently.

A new set of solutions has emerged to help solve these complex e-mail records management and e-mail system management issues. In their research, many industry analysts refer to this market area as "e-mail active archiving."

A good e-mail active archiving product provides a searchable archive of all e-mail messages for a defined period of time. It can often be used independently or as part of a corporate business record repository for legal and business management uses. It should also allow organizations to reduce the size of production e-mail data stores to gain significant operational efficiencies and related cost savings.

Clearly, as more vendors concern themselves with protecting, archiving, and recovering distributed data for their customers, we'll all be prompted to think about how we're addressing e-mail records management. But it's becoming clear that vendors aren't the only ones banging this drum. Published research, from analyst firms such as Gartner and others, also supports this view. Given regulatory requirements and escalating requests for electronic discovery, waiting until the enterprise plan for electronic records retention is defined, or for e-mail active archiving technology to get even more mature, could place your entire enterprise at risk.

IT departments already had enough on their hands trying to cope with the relentless increase in data storage and backup requirements. Now the need for secure, long-term electronic communications archiving procedures is greater than ever, significantly adding to IT's burden. To help in easing this burden, here are some areas to consider when selecting an e-mail archiving solution for your organization.

The regulatory landscape

The Securities and Exchange Commission's investigations into recent "creative" (i.e., unethical) accounting practices have led to a number of changes in the ways corporations will be required to manage their records. "In the past year or two," says Dave Simpson, editor-in-chief of InfoStor, "events such as the scandals that have hit very large companies have led to new federal regulations, which mandate how long companies have to hang on to e-mail, including attachments." Some of these regulations include:

SEC Rule 17a

  • Requires that certain business records and communications be readily accessible for two years and at least accessible for a year after that. It further requires that transaction-related records and communications be kept and accessible for seven years after the event.

National Association of Securities Dealers (NASD) Conduct Rules 3010 and 3110

  • Requires NASD members to designate a supervisory role within the company to ensure compliance with regulations, and have a system in place to supervise the activities of its employees and associates. This system must enable the retention and review of transactions and correspondence.
  • Requires members to preserve all books and correspondence, including customer order tickets, account information, and complaints. Much of this material is in the form of e-mail.

The Sarbanes-Oxley Act

Specifically related to document retention, the Act states the following:

  • Failure to maintain audit or review work papers for at least five years is punishable by up to five years in prison, and/or a fine.
  • Corruptly altering, destroying, or concealing records or documents in order to compromise the integrity of the record for use in an official proceeding is punishable by up to 20 years in prison, and/or an unspecified fine amount.
  • The alteration, destruction, or concealment of any records with the intent of obstructing a federal investigation carries an unspecified fine amount, and/or jail time of up to 10 years.

General legal discovery

Legal discovery rules require any company involved in legal proceedings, regardless of size or industry, to produce evidence contained in electronic communications. The typical process can be exhaustive and expensive.

It's true that paper trails can do a good job of protecting organizations from fraud and error by providing evidence that is acceptable in court. But what happens when interactions and records exist only in electronic format, as is more and more often the case? Many companies, unfamiliar with the concept of treating e-mail messages as business records, have been accustomed to deleting them automatically after a certain time period (usually 90 days or so). Subsequently, if any of these messages are needed as evidence in legal proceedings, these companies are often out of luck.

As regulatory and legal discovery pressures continue to increase, however, the corporate world is learning its lesson. "Most large companies," says Andrew Rathmell, CEO of the Information Assurance Advisory Council, "now recognize that they can be crippled overnight if their reputations are harmed by failure to protect their information assets." That underscores the importance of ensuring that business-critical e-mail messages and their attachments are efficiently captured, classified, archived, retrieved, and also destroyed when they've finally outlived their usefulness.

Building the foundation for e-mail-related regulatory compliance

The requirement: An efficient and affordable compliance solution that preserves maximum evidential weight. While regulations can be very strict about how archived messages should be treated, these rules refer only to relevant messages that have to do with client and partner communications, or contain internal sharing of important information. None of the regulations so far has required companies to archive absolutely all messages passing through the system.

At the same time, archiving absolutely all messages is often seen as the easiest and lowest-risk route to compliance. While today this may still be the safest choice, these companies will face the difficult task of managing an enormous volume of messages in two to three years, which not every archiving solution may be able to handle. Given this, it's critical that you select a solution that is ideally suited for corporate-wide e-mail capture and archiving based on key words/phrases, individuals, roles, or other customizable identifiers, while maintaining long-term security, efficiency, and economy related to storage requirements.

Beyond backup and more than mail store management

Distinguishing between e-mail backup and e-mail archival is critical if regulatory problems are to be avoided. E-mail backup systems are designed to provide wholesale recovery of the e-mail server, should a disaster befall the production environment. These systems are not designed for compliance or legal discovery-related record retention.

Simple e-mail system backups have no provision for the review of individual e-mail records. Backup processes format the data to reduce storage space and speed future recovery processing. This formatting works against attempts to review and retrieve individual messages.

A true e-mail archiving and retention system ensures, at a minimum, that companies have ready access to any given e-mail record, whenever it is needed. Maximizing the evidential weight of e-mail records also requires a secure audit trail capable of tracking every action against every archived e-mail message.

Look for security and scalability

A good approach to e-mail archiving will capture every e-mail and attachment and compress the data. A better approach ensures that a unique key is generated and encrypted, and that the message is digitally signed. The compressed, encrypted, and signed messages and attachments, normalized for single-instance storage, should then be written to a highly scalable relational database. Only after the archived message is successfully stored in the database should it be deleted from the archive inbox.

Keep in mind that solutions that troll mail servers for messages may not provide the best approach. Some products process mail messages as they pass through the server. This real-time processing provides airtight auditing and leaves no window for the messages to be tampered with prior to being encrypted and archived. A distributed configuration for the archiver, which may run as a Windows service, can also eliminate the potential for degraded mail server performance due to archiving. Look for a solution that is able to run multiple archiver processes simultaneously, each accessing a different mail server. This will aid in scalability as the flow of e-mail increases.

True compliance means maintaining the audit trail

The best e-mail archiving solutions will perform comprehensive auditing of every event in the life cycle of an e-mail message. Each time a message is stored, viewed, retrieved, or deleted, the audit system tracks the change, logging the activity in a secure database. Any changes made to policy configurations affecting an archived message should also be audited.

The encryption and digital signing of all e-mail and attachments, as soon as they enter the archiving process, eliminate any possibility of the audit trail being circumvented. Without comprehensive encryption, this guarantee cannot be made. The combination of strong encryption and a bulletproof audit trail allows administrators to vouch for organizational compliance with auditing requirements and regulations with confidence.
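The store-then-delete ingest step and the per-event audit trail described in the two sections above can be sketched as follows. This is an added example, not code from the article or from any archiving product: every function and table name is hypothetical, an in-memory SQLite database stands in for the relational store, an HMAC stands in for the digital signature, and encryption is left out.

```python
import hashlib, hmac, json, sqlite3, zlib

KEY = b"constructed-demo-key"  # assumption: a real archiver keeps this in an HSM or KMS
ZERO = "0" * 64                # "previous link" value for the first audit row

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def open_archive():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (digest TEXT PRIMARY KEY, body BLOB, tag TEXT)")
    db.execute("CREATE TABLE audit (seq INTEGER PRIMARY KEY, event TEXT, prev TEXT, link TEXT)")
    return db

def audit(db, action, digest, actor):
    # Each row's link is a keyed hash over the previous link plus this event.
    row = db.execute("SELECT link FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    prev = row[0] if row else ZERO
    event = json.dumps({"action": action, "digest": digest, "actor": actor}, sort_keys=True)
    db.execute("INSERT INTO audit (event, prev, link) VALUES (?, ?, ?)",
               (event, prev, mac((prev + event).encode())))

def archive(db, inbox, msg_id, actor="archiver"):
    raw = inbox[msg_id]
    digest = hashlib.sha256(raw).hexdigest()  # single-instance key: same bytes, same row
    with db:  # message row and audit row commit together, or neither does
        db.execute("INSERT OR IGNORE INTO messages VALUES (?, ?, ?)",
                   (digest, zlib.compress(raw), mac(raw)))
        audit(db, "stored", digest, actor)
    del inbox[msg_id]  # reached only after the commit succeeded
    return digest

def retrieve(db, digest, actor):
    body, tag = db.execute("SELECT body, tag FROM messages WHERE digest = ?", (digest,)).fetchone()
    raw = zlib.decompress(body)
    if not hmac.compare_digest(tag, mac(raw)):
        raise ValueError("archived message failed integrity check")
    with db:
        audit(db, "retrieved", digest, actor)
    return raw

def verify_audit(db):
    # Recompute the chain; return the seq of the first inconsistent row, or None.
    prev = ZERO
    for seq, event, stored_prev, link in db.execute("SELECT seq, event, prev, link FROM audit ORDER BY seq"):
        if stored_prev != prev or not hmac.compare_digest(link, mac((prev + event).encode())):
            return seq
        prev = link
    return None
```

The chain exposes edits to, or removal of, any row that still has a successor; detecting truncation of the newest rows additionally requires recording the latest link somewhere outside the database.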

NOTE: This article is meant for information purposes only. Designing and deploying solutions for compliance purposes should always be done with the advice of a lawyer or consultant whose specialty lies in the area of archiving regulations.
