Over the years, I’ve noticed that many small to midsize companies do not save e-mail communication properly. They are typically concerned with being able to restore a failed system and don’t pay any attention to retention. However, in the light of new regulations, such as the Sarbanes-Oxley Act, your company could be at fault for knowingly replacing old backups and not saving them for possible future investigations. To help you make sense of this act, I will discuss Sarbanes-Oxley and its effect on IT managers.

Sarbanes-Oxley overview
The Sarbanes-Oxley Act of 2002 protects investors by improving the accuracy and reliability of corporate disclosures. The Act amends mail and wire fraud infractions with harsher punishments and imposes fines and prison sentences of up to 20 years for anyone who knowingly alters or destroys a record or document with the intent to obstruct an investigation. Due to the availability of reliable technology, most responsible companies have already regulated themselves, and the Act merely sets the tone for proper corporate conduct. While most provisions of the Act focus on financial records, they were clearly not meant to stop there. For example, during an investigation, discovery requests can be submitted to IT departments. In addition, such requests could require access to all e-mail communication.

Financial data and Sarbanes-Oxley

Section 302 of the Sarbanes-Oxley Act on corporate responsibility for financial reporting requires certification of financial statements by both the CEO and the CFO. This means that all future financial reporting must be thoroughly verified by management with more acuity than ever before. No doubt the IT department supporting financial systems will also have to ensure the accuracy of these records.

E-mail messages as business records
Although trivialized by mixed personal and business content, e-mails are, in fact, corporate documents and should be preserved. The courts will treat e-mail messages and attachments as business records that must be retained to achieve regulatory compliance. Most large companies have a policy on e-mail communication retention. But is this common practice? The answer may come from a PricewaterhouseCoopers survey titled “Digital Discovery and its Importance on the Practice of Litigation.” Surprisingly, respondents stated that their clients rarely act upon notice of litigation to stop automatic overwriting processes. In another section of the survey, almost 50 percent of the respondents said that e-mails are the most requested electronic data.

The scenario is common: A company gets a new Microsoft Exchange server, and the users are happy with the Outlook calendar and Internet e-mail capabilities. Messages go in and out, but there is no archival process. Backups are sent to tape, which are rotated weekly and overwritten. However, according to Sarbanes-Oxley, if your network administrator is instructed to overwrite the tapes, then your company knowingly allows potential evidence to be destroyed. Depending on your business risks, this scenario could become a malpractice time bomb. In addition, a simple backup of the Information Store with all the mailboxes in your Exchange server will not give you all the e-mails going in or out. So you are at risk when users delete messages, especially if they are engaged in some kind of misconduct.

E-mail communication retention policy and storage
Arthur Anderson’s document-shredding trouble has made many companies aware of the importance of a sound document retention and destruction policy that includes both paper-based and electronic documents. Recently, the Securities and Exchange Commission fined six securities firms a total of $10 million for failing to produce e-mails requested in the course of an investigation.

The retention period must be reasonable and clearly set in the policy. A good retention policy cannot be selective—all documents should be saved. The policy must be well known and understood by the employees and applied evenly across the company. Also, the storage type may vary as long as one can produce the evidence. For instance, courts may accept e-mail hardcopies as evidence, but such documents may lack necessary additional information, such as Internet header and routing information. Ideally, e-mail messages must be archived in their original form, which may reduce the potential liability for e-mail communication.

However, there are many problems with managing e-mail archives. E-mail consumes a great deal of digital storage. E-mail communication is expected to increase not only in number of messages, but also in size per message due to attachments. Companies must acknowledge the importance of e-mail retention—and the role that storage plays. In 2002, there were 24 billion e-mails sent per day in the world, with 40 percent attributed to North Americans. According to the IDC, it is estimated that over 36 billion messages will be sent daily in 2005. Many companies will experience e-mail storage growth of more than 50 percent in one year.

Education is critical
The effects of the Sarbanes-Oxley Act of 2002 reach further than just the publicly listed companies. If you do business with public companies, you may have already been asked to become compliant. Thus, it is difficult to quantify the ripple effect of the Act on how we will do business in the years to come. Most IT managers do not really understand the importance of the new regulations, and I think that ethical discussions and education on the topic will be the key for achieving compliance.

What is your experience with Sarbanes-Oxley?

Have you been working to comply with the Sarbanes-Oxley Act? What effect has it had on your IT department? Start a discussion by clicking on the discussion link below.