Message Archiving Is a Must

Everyone from Uncle Sam to your company execs want your organization's e-mail stores secure, yet accessible--and for any 'smoking guns' to vanish. Is a coherent e-mail archiving strategy in your

May 6, 2005

13 Min Read

That's incredibly shortsighted. Federal laws and federal and industry regulations--including the Patriot Act, HIPAA (Health Insurance Portability and Accountability Act), Basel II, Sarbanes-Oxley, SEC Rule 17a-4, NASD Rule 3010 and the Code of Federal Regulations (CFR) Title 21, Part 11--dictate electronic records retention requirements for businesses based in the United States and abroad, and impose penalties that dwarf the price of the automated e-mail archiving products we evaluated in "Yeah, We've Got That E-Mail." Last March, Banc of America Securities paid a $10 million civil penalty to settle an SEC enforcement action for failing to promptly produce e-mail records that were deemed important to an investigation.

We could go on with the horror stories, but the bottom line is that the 83 percent of readers without a well-planned e-mail retention policy are living on borrowed time. When (not if) you're hit with an e-mail discovery request, how many hours will it take to scour bloated e-mail storage systems? Backup tapes could be as old as your eldest senior staff member and contain data from e-mail systems that haven't been used for years. Individual Outlook files alone could involve hundreds or thousands of PCs and laptops. We don't know about your staffing levels, but around here, a lot of other critical stuff wouldn't get done.

And it's just as vital that you systematically delete records. Regulations that require e-mail retention contain time limits. Be it three, five or seven years, if you don't remove e-mail from the archive when it reaches the end of its regulated life, you're storing a liability time bomb just waiting for a plaintiff to set it off (see "The Trouble With E-Mail" for more on the legal issues of records retention). Tape-backup systems don't provide the granularity necessary for this level of records management.

A new class of product, by melding aspects of records management, document management, indexing, search and retrieval, security, content analysis, and policy and process management, provides a framework for active e-mail archiving that meets or exceeds regulatory compliance requirements. And the same features that make these products valuable for legal discovery also can help your organization mine the knowledge in hundreds of thousands of e-mail messages.

We define active e-mail archiving as the process of automatically taking a copy of e-mail as it arrives or is sent and storing it so that it's secure, tamperproof and retrievable, and can be purged based on policies you've established to comply with government, industry and company regulations. If you rely on a backup system to archive e-mail, you'll miss messages that arrive and are deleted or that are sent and deleted from the sent mail folder between backup cycles.

A system that requires users to move mail into a special folder to be archived or relies on users to know and consistently apply retention policies is an even worse idea. That's placing an unrealistic expectation on your company's employees: The archived store will be only as complete as the end users are conscientious.

In our reader poll, respondents rated off-loading e-mail storage from the mail server, automating internal retention policies and automatically deleting old e-mail per policies as critical or important factors driving their decision to investigate or implement e-mail archiving. Compliance with government regulations was also high on the list. All those capabilities and more are available, as we found in our product analysis.

We installed three e-mail archiving frameworks in our Syracuse University Real-World Labs®. We imported gigabytes of historical e-mail and for several months streamed live e-mail into the systems. We were pleased to find that these products aren't excessively complex, even though they unite a number of technologies in one cohesive package and meet the needs of constituents ranging from IT administrators to compliance officers, corporate counsel and end users.

For example, IT administrators need a secure system that can easily scale both processing power and storage space as demand increases. Compliance officers require tools that let them define, test, implement and monitor retention policies and ensure that users aren't violating corporate e-mail usage rules. End users (and IT trainers) need a system that interfaces with the mail client and doesn't require a vastly different skill set to retrieve archived messages on demand. And the legal department must have tools that let it respond to discovery requests in a timely manner with little overhead.

Because the uses for e-mail archiving are so varied and there are so many stakeholders, we recommend making system selection a community affair. Get a set of requirements from every constituent, and ensure that each group is involved in testing the systems that make your shortlist. If you aren't inclusive from the start, you'll pay down the road.

We recently participated in a teleconference with some top e-mail archiving vendors and hosted by the Radicati Group. From that discussion, we compiled a list of key items to look for in an archiving framework.

• Capture all e-mail messages designated as legal records.

• Encrypt the message store and protect its integrity. Security is job 1. Encryption keeps the archive confidential, but on its own it doesn't prove that nothing was altered or removed; that takes tamper-evident controls such as WORM media or a cryptographic hash of each message recorded at capture time. If you can't prove that the store is tamperproof, you won't meet compliance requirements.

• Have a clear audit trail so you know who's doing what with the archive--searches, message aging and other deletions must be logged.

• Make the user experience as seamless as possible.

• Look for the capability to expand beyond e-mail, to Sharepoint, IM and file stores, for example.

• Ensure that you can migrate to other storage platforms.

• Design the system to solve business problems proactively, not just comply with regulations.

Among the common mistakes we discovered are:

• Not having a well-defined e-mail policy. Ideally, this policy should come from corporate counsel. Vendors can help, but we wouldn't trust our business to their having all the answers. Although the policy can address what defines a business record, assuming that you're going to archive everything that comes in, the retention period is key.

• Not testing prospective products thoroughly and ending up with an overly complex system. Or conversely, trying to solve problems without understanding the costs or features available. Do your homework.

• Scope creep. IT systems have limits, and some constituents have unrealistic requirements.

• Confusing document management with e-mail archiving. For a rundown of document-management tools and strategies, see "Drowning in Documents."

• No exit strategy--what happens if you change vendors or hardware?

• No entrance strategy--failure to implement any e-mail archiving system at all. This is often the case with "it will never happen to me" types.

The bad news is that once a piece of e-mail makes it past the antispam/antivirus software at the edge of your network, it enters your mail server and needs to be retained. Some argue that you must retain only e-mail that meets the definition of a business record, and everything else can be ignored. This is a tempting concept, but there's no automated content-analysis system in existence that can determine with 100 percent accuracy whether a particular piece of e-mail qualifies as a business record. So unless you're willing to lose business-record-class e-mail based on faulty automated content analysis or allocate enough people to make the retention decision for each e-mail message, retain it all.

Yes, you'll chew up tons of storage space. But as anyone who has managed an antispam system will tell you, content analysis isn't perfect. You'll have mistakes, both false positives (e-mail that is archived but shouldn't be) and false negatives (e-mail that should be archived but isn't). Tightly regulated industries can live with the former but not the latter. (For more on the limitations of content analysis, see "Filters Take a Bite Out of Spam.") Note that if a spam filter deletes a message at the gateway, it never arrived and so is not subject to retention.

The only way around archiving nonbusiness e-mail along with the important stuff is to forbid your employees from using company e-mail for personal matters. In highly regulated industries, like financial securities, this type of policy makes sense, but for most businesses it's draconian.

Making the Sale

Based on our reader poll, the biggest roadblocks to implementing e-mail archiving are cost, complexity, administrative overhead and product immaturity. Couple these concerns with the necessity to pitch e-mail archiving based on cost avoidance, and it's easy to see why only 17 percent have taken the plunge.

Even though compliance with e-mail retention laws and regulations is the main impetus behind archiving, these products can be an asset to your business in other ways. For example, how many times have you tried to find a vaguely recalled e-mail message that you sent or received a year ago? Why were you looking for it? Because the contents of that message, the knowledge it held, is useful for your current project, or answers a question your boss asked about why you implemented one thing rather than another.

Now consider that everyone in your company sends and receives these nuggets of information daily and you'll appreciate the potential mother lode of knowledge stored away in your e-mail records. If retention compliance is on the liability side of the ledger sheet when considering an e-mail archive implementation, then knowledge mining helps to balance the ledger on the business asset side. And don't forget the lessons imparted by J.P. Morgan and Banc of America: In our highly regulated and litigious society, missing e-mail can cost big bucks.

Ron Anderson is Network Computing's lab director. Before joining the staff, he managed IT in various capacities at Syracuse University and the Veterans Administration. Write to him at [email protected].

If you believe that your company's e-mail is not subject to government regulations, it's time to pull your head out of the sand. The reality is that the legal establishment--get this--actually expects IT professionals to comply with every jot and tittle of these new guidelines and may fine your organization if you don't. When it comes to e-mail, our advice is to cover your butt by way of an automated e-mail archiving framework. These packages aren't cheap, but in "Archive or Else," we offer tips on making a case for purchase and for putting together a multidiscipline team to choose the best product for your environment.

Of course, the glaring problem with active e-mail archiving is that you'll have to store every tee-time request and grocery list reminder as though they had the same status as a business record that meets the criteria for regulated retention. Remember, this is an automated process--the volume of e-mail is so great that it would quickly overwhelm any process that wasn't. In "Yeah, We've Got That E-Mail," we tested archiving suites from EMC Corp., Waterford Technologies and Zantaz. Each works in both Microsoft Exchange and Lotus Domino shops and includes utilities to generate reports and let users search the archives. Zantaz's EAS was both more complex and more expensive than rivals, but it had a trump card: It was the only product tested that could delete e-mail at the end of its required retention period automatically, and this helped earn it our Editor's Choice award. EMC's and Waterford's offerings were easier to get up and running, and easier on the wallet, but both will require ongoing attention to delete aged messages manually.

To regulators and litigators, the hundreds or even thousands of e-mail messages fired off by your company's employees every day can be business, tax or legal records that demand respect and retention. And in this sense, e-mail can be an asset providing protection--or a liability causing destruction.

As an asset, an e-mail record supports business transactions, financial statements and audit records. If there's a question surrounding a transaction or report, an e-mail message may support your position. Unfortunately, e-mail also can become the subject of litigation and the target of expensive discovery requests. A message may provide the foundation for a discrimination claim or lay bare a trade secret or marketing strategy. Therefore, the policies your company develops to guide its automated e-mail archiving implementation are important.

Although no two companies will have the exact same mix of regulations and in-house guidelines, there is one universal rule: Don't be a pack rat. Because you never know which side a given message will land on, we recommend keeping e-mail only as long as required by law. The government is not going to ask you to produce a business record beyond its required retention period. And if litigation ensues, you don't want any ancient e-mail messages coming back to bite your company.

If your e-mail is used in any way to transact business, be it a sample, a quote or an offer, it is a business record that must be kept for a period defined by law, usually seven years. An e-mail message, however, may be more than evidence of a business transaction. It may add to an audit report, change a financial statement or even remove a clause from a labor contract. In these cases, federal and state laws may demand that the e-mail and any attachments become permanent records. In some states and industries, e-mail can even get preferential treatment.

For example, Florida requires all public agencies to retain records, including all e-mail messages created or received, and make them available to the public. Under HIPAA, health-care providers in all states must keep documents related to the use and disclosure of patient information for six years. And brokers and dealers on a national securities exchange must comply with the e-mail retention rules of the SEC, NASD (National Association of Securities Dealers) and their respective exchanges like the NYSE (New York Stock Exchange).

The SEC rules on e-mail record retention are exhaustive and may be indicative of the rules that could come into play in a future regulatory framework. If your e-mail archiving system can satisfy SEC requirements, you can bet it's future-proofed beyond 2008. The current administration is highly unlikely to enact legislation further burdening the reporting capability of enterprises.

Here's a rundown of the requirements for an e-mail archiving system that will meet SEC regulations:

• Preserve e-mail messages relating to business transactions for the period required by law, and maintain the current and previous years in an easily accessible place, such as on- or near-line hard disk storage or optical disk storage like CD-R or WORM.

• Preserve all e-mail messages sent and received for a period of not less than three years, and maintain the current and previous year in an accessible place such as on- or near-line disk storage or optical disk storage like CD-R or WORM.

• Store separately from the original a duplicate copy of each incoming and outgoing e-mail message in an optical disk storage format like CD-R or WORM.

• Organize and index accurately all information maintained on both original and any duplicate storage media.

• Supply an audit system that provides a record of creating and editing retention rules used to maintain and preserve the message archive, and record message events such as write and delete.

• Preserve this audit record for the time required for all retained messages.

• Have in place a procedure to search and retrieve archived e-mail messages on request, and write them to hard disk or optical disk storage media.

For more on building an archiving policy, see "E-Mail Archiving 101" and "The Rules of Electronic Record-Keeping."
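As an added example (not code from the article or from any of the products it tests), the Python sketch below implements the active-archiving model defined earlier in the article and the audit and retention requirements in the list above: every message is journaled on arrival with a SHA-256 content hash linked into a hash chain (the software analogue of WORM media's tamper evidence), indexed for search, purged only when the retention policy says so, and every policy change, write, search and deletion is recorded in an append-only audit log. Retention is measured from the server's receipt time rather than the sender-controlled Date: header. The class and function names and the two sample messages are constructed for illustration.

```python
"""Minimal active e-mail archive: tamper-evident journal, index, policy purge, audit log."""
import hashlib
from datetime import datetime, timedelta, timezone
from email import message_from_string

GENESIS = "0" * 64  # chain anchor before the first captured message


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Archive:
    def __init__(self, retention_days: int, actor: str = "system"):
        self.retention = timedelta(days=retention_days)
        self.records = {}   # msg_id -> {"raw": str|None, "received": datetime, "hash": str}
        self.chain = []     # [(msg_id, content_hash, chain_hash)] in capture order
        self.index = {}     # lower-cased token -> set of msg_ids
        self.audit = []     # append-only list of audit events
        self._audit(actor, "policy.set", retention_days=retention_days)

    def _audit(self, actor: str, event: str, **details):
        self.audit.append({"actor": actor, "event": event, **details})

    def capture(self, raw: str, received: datetime) -> str:
        """Journal a message as it passes the mail server. `received` is the
        server's own receipt time, not the sender-controlled Date: header."""
        msg = message_from_string(raw)
        msg_id = msg["Message-ID"]
        if msg_id is None or msg_id in self.records:
            raise ValueError("missing or duplicate Message-ID")
        content_hash = sha256_hex(raw.encode())
        prev = self.chain[-1][2] if self.chain else GENESIS
        chain_hash = sha256_hex((prev + content_hash).encode())  # links to predecessor
        self.records[msg_id] = {"raw": raw, "received": received, "hash": content_hash}
        self.chain.append((msg_id, content_hash, chain_hash))
        body = msg.get_payload() if not msg.is_multipart() else ""  # plain-text only here
        for token in set((msg["Subject"] or "").lower().split() + body.lower().split()):
            self.index.setdefault(token, set()).add(msg_id)
        self._audit("system", "message.write", msg_id=msg_id, content_hash=content_hash)
        return msg_id

    def search(self, term: str, actor: str) -> list:
        """Discovery lookup; the search itself is an audited event."""
        hits = sorted(self.index.get(term.lower(), set()))
        self._audit(actor, "search", term=term, hits=len(hits))
        return [m for m in hits if self.records[m]["raw"] is not None]

    def purge_expired(self, now: datetime, actor: str) -> list:
        """Delete bodies whose regulated life has ended. The chain entry and the
        audit record survive, so the deletion itself remains provable."""
        purged = []
        for msg_id, rec in self.records.items():
            if rec["raw"] is not None and rec["received"] + self.retention <= now:
                rec["raw"] = None
                purged.append(msg_id)
                self._audit(actor, "message.delete", msg_id=msg_id, reason="retention expired")
        return purged

    def verify(self) -> bool:
        """Recompute the chain and, for every body still held, its content hash."""
        prev = GENESIS
        for msg_id, content_hash, chain_hash in self.chain:
            rec = self.records[msg_id]
            if rec["raw"] is not None and sha256_hex(rec["raw"].encode()) != content_hash:
                return False  # a stored body was altered
            if sha256_hex((prev + content_hash).encode()) != chain_hash:
                return False  # an entry was removed, reordered or rewritten
            prev = chain_hash
        return True


def demo() -> dict:
    """Constructed sample: a business record that ages out, a personal note that does not,
    then a simulated edit of the surviving body to show tamper detection."""
    t0 = datetime(2005, 1, 3, 9, 0, tzinfo=timezone.utc)
    arc = Archive(retention_days=3 * 365, actor="counsel")
    arc.capture("Message-ID: <1@example.test>\r\nSubject: Q4 quote for Acme\r\n\r\nQuote attached.\r\n", t0)
    new = arc.capture("Message-ID: <2@example.test>\r\nSubject: Tee time\r\n\r\nSaturday 8am?\r\n",
                      t0 + timedelta(days=400))
    hits_before = arc.search("quote", actor="legal")
    purged = arc.purge_expired(t0 + timedelta(days=3 * 365 + 1), actor="system")
    intact = arc.verify()
    arc.records[new]["raw"] = arc.records[new]["raw"].replace("8am", "9am")  # tampering
    return {"hits_before": hits_before, "purged": purged, "intact": intact,
            "tamper_detected": not arc.verify(), "audit_events": len(arc.audit)}


if __name__ == "__main__":
    print(demo())
```

The chain is what makes the deletion defensible: after the purge the message body is gone, but its hash, its position in the chain and the audit event that removed it remain, so an examiner can confirm that a record expired under policy rather than disappeared. A real deployment would anchor the chain head to write-once storage or a signed timestamp so the archive operator cannot regenerate it.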
