Policy Workbook: Unified Message Archiving
Letting users decide what to keep and what to delete isn't a policy, it's an invitation to anarchy. A messaging-retention policy covering not only e-mail but IM, voice and video is vital.
September 22, 2006
As we discussed in a recent story on long-term storage, data retention is like nuclear energy--it can be used for good or evil. During a harassment trial, for example, archived e-mail, instant messaging conversations, phone calls or videoconferences could illustrate an employee's history of problems.
A messaging-retention policy covering not only e-mail but IM, voice and video is vital. Letting users decide what to keep and what to delete isn't a policy, it's an invitation to anarchy. The goal of a messaging-retention policy is to ensure that when--not if--the IT group is asked to produce records to meet an e-discovery or management request, it can do so in a reasonable time.
In "Policy Workbook: E-Discovery", we drill down to developing a policy for e-discovery. Here's how to lay the groundwork on the message-archiving side.
Your overall document-management policy should define what must be kept. Courts are not making distinctions between files commonly archived, such as Word documents relating to a project, and the e-mail communications discussing the project. Private firms have fewer regulations than public; financial industries have had retention policies and regulations in place for years. The federal government has policies for public companies.
The process for e-mail recovery and discovery during litigation should be defined in a policy. This will avoid unnecessary confusion over who is responsible for what. Spell out the correct order of operations, the chain of command and expected response times. Unfortunately, Lotus Notes and Exchange weren't designed for very-long-term storage and retrieval. Meeting e-mail regulations with these two market leaders is nearly impossible out of the box. We expect new versions of enterprise e-mail systems to offer better support. Exchange 2007, for example, provides improved capabilities to search retained e-mail.
Your messaging-retention policy should specify that new employees sign a form spelling out how messages are archived, inspected and monitored. This will prompt employees to be more circumspect and lessen the chance someone will subject your firm to legal action if a disciplinary move is instigated based on monitoring. Your policy should also spell out to employees that they are not allowed to try to bypass filters set up to log or limit IM or regulate access to objectionable Web sites.
Your policy must state what actions to take while your firm is in the midst of a lawsuit--suspend purging of outdated messages, for example. Philip Morris was fined $2.75 million for continuing its monthly e-mail purge policy during an investigation. Destroying relevant documents can cost you money, and could open an admin to liability.
With IM, you must determine if IM conversations must be retained. Some financial institutions are already going this route. Not many IM products support full logging and searching out of the box--WiredRed's comes to mind--requiring the purchase of a separate add-on archiving product, such as those from Entrust, Exclaimer, Unified Archival and ZipLip.
Your policy should define whether employees may use public IM networks like AIM. Public IM offers no access-control capabilities, which can affect organizations required to maintain walls between users to prevent conflicts of interest, such as between brokerage firms and investment bankers. If you do allow IM, consider an IM security gateway, like FaceTime or IMLogic, to control and record IM sessions. Reliance on just the IM client's logging capabilities is not sufficient.
Recording audio and video places even more demands on your archiving system. Currently, we're not aware of a legal requirement stating that advanced collaboration files, such as videoconferences, must be archived and stored. However, it's only a matter of time, so put a contingency policy in place.
Policies on recording phone calls are likely to be in place, and many IP PBXs and call-center software support this feature for both supervisors and agents. As with e-mail, management oversight of calls should be spelled out in your policy, so that employees know their expectations of privacy.
IP PBXs can deliver or forward messages to the e-mail server as WAV or MP3 files; your policy must spell out whether these attachments will be archived. At this time, searching for archived sound files in e-mail is difficult, as there is no context beyond date, time and maybe phone number. We hope to see advancements in voice recognition that make archived voicemail and phone recordings more useful.
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®.