Not archiving your e-mail properly can land you in legal trouble and cost millions
The following is excerpted from a transcription of the Sept. 11 Wikibon.org Peer Incite Meeting, focused on issues surrounding an article titled "Architecting e-mail storage," by Wikibon community member and consultant Kashik Das. The meeting was a discussion of specific issues by four recognized subject-matter experts and Wikibon.org community members: Josh Krischer, David Floyer, Peter Burris and David Vellante.
Krischer: There is no point in compliance if you don't keep e-mail. In Germany, for example, e-mail is official business paper, and companies have to put in the footer all the company details. All business e-mail has to be kept for 10 years.
Floyer: A lot of business is done with e-mail. About 10% of an average IT user's working life is spent on e-mail; for some people, it's a lot more than that. And there are huge deposits of e-mail and of instant messaging that leave a very strong audit trail of how organizations and people have been acting. This is a good thing, and it's also a risk.
What we have found in our discussions with people is [that] the primary driver with e-mail archiving is reducing risk. It's usually top-down, either from the CEO or board or from the legal department -- legal counsel [deciding] that e-mail archiving with mitigation systems needs to be deployed.
The courts have been emphasizing that e-mail should be captured. One of the primary objectives of e-mail archiving is just literally being able to prove in a court of law that [the e-mails] have all been captured and none have been changed. The secondary requirement for an e-mail archive is that it allows the exploitation of that data to help reduce risk to the organization.
Krischer: I identify three kinds of risk: compliance requirements for preserving e-mail, the risk of punitive damages if you can't produce the e-mails in a court case and [personal] protection. For instance, in [the Enron case], some defendants [as part of their defense] showed they were ordered to do illegal things ... in e-mails from company officers. Enron investigators found a lot of relevant information in deleted and recovered e-mails. See the $1.45 billion judgment against Morgan Stanley in the Ronald Perelman case because Morgan Stanley could not reliably produce e-mails for the court.
Floyer: If you think of a spectrum of risk, at one end, you have organizations at high risk with a lot to lose, usually highly regulated, so for example banking environments or trading environments in particular. The fundamental risk is that they can be closed down if the regulators find they are not complying with the regulatory requirements -- and there are a lot of requirements in that area. Obviously, to them, reduction of risk is very important.
Vellante: There are certain industries that are regulated. For instance SEC Rule 17A came out and essentially mandated that all electronic communicationd be archived in the financial services industry -- you have to keep everything.
Floyer: At the other end, you might take for example retail operations, which have razor-thin profits and have enormous pressures on just staying in business. What's interesting was [that] the fundamental strategy was one of minimizing the risk by minimizing the number of e-mails kept. So they kept e-mail for less than a month and then got rid of them altogether. They kept [the e-mails] of only about 200 key executives of all the people in a large organization.
Is the second approach legal? The new federal rules say you have to have solid procedures in place and that
those procedures have to be kept -- reasonable procedures. Whether reasonable is getting rid of stuff after 30 days, well, time will tell. But their argument is "the less kept the better."
Burris: This raises a very interesting question. Let's talk for one second about what we mean by risk. It sounds as though in Germany there are statutory edicts that dictate what you are supposed to do from an archiving standpoint. Whereas in the U.S., there have been some edicts, but for the most part, the biggest concerns stems from what we have learned from case law over the past few years -- namely the discovery process and how that is going to work. The risk issue then becomes different in the two places. In Germany, you either are in compliance or you are not, whereas in the U.S. ... you never know because case law is going to evolve over the next few years, and some very high-priced law firms are going to find some loopholes and screw some companies in the process.
So, does that ... change the nature of risk? [It] certainly suggests that in the U.S., because of the uncertainty of how this will play out over the next few years, that this will absolutely be decided by corporate legal minds as opposed to anybody else.
Krischer: Some of the companies I surveyed a few months ago said they plan to keep all their e-mails forever. When we ask, "Why you do that?" then normally the answer is because we don't know what we may need in a few years.
1. Focus on the issue of risk when selecting the technology for the base archive.
Floyer: From an infrastructure point of view, what I've seen is sometimes people are very focused on that risk, but other times, the project gets muddied up with a large number of wish lists that get added into the project around e-mail and around disks and around lots of things.
Then, what are the risk mitigation systems that are going to be put into place? Some of those will be technology-driven: The ability to do e-discovery more quickly or completely, for example, may reduce risk. The ability to search for rogue e-mails, the ability to ensure compliance, etc. But an awful lot of what the people we talked to were talking about -- the general training, awareness, stuff like that -- are part of that project but not the responsibility of IT.
So my point is that if you focus e-mail archiving on those two things, you may well come up with a much simpler and easier type of solution than many that are on the market. This focus will tell you which things to maximize and put significant value on in these solutions and which things to discount in the context of risk.
I think some of the current "magic quadrants" that are out there put far too much emphasis on e-mail functionality and fancy systems and fancy technology, and far too little on the core reason for doing it, which is risk reduction.
Architecting the e-mail archive to be flexible, to have access to that data, is incredibly important. And I think that alone can eliminate a number of vendors from any short list. And much simpler solutions then come into play that previously would not have been considered because they don't have all the fancy bells and whistles on them.
2. Good procedures are more important than access speed.
Floyer: What was interesting for example was that from a legal risk point of view, having good procedures was much, much more important than speed of access to it. As long as you could produce [the e-mail required in a legal discovery] within 48 hours, that was fine. Speed of access was not the important criteria for reducing risk. But good procedures that could be shown in court that were being followed were much more important.
For many companies, the reason for outsourcing e-mail archiving was that the outsourcing company showed world-class procedures that they felt would be much better than their own and would hold up much better in a court of law and therefore would be reducing risk, even though the functionality of the actual solution was not as high as others on the marketplace.
So taking that risk reduction I think can significantly simplify that whole process and therefore the whole focus of IT.
3. Do not archive e-mails from before the archive was created
Floyer: That brings me to one other point. Vendors are often pushing to include historical e-mails. One of the key points of reducing risk is to ensure that you've captured all e-mails and that nothing's been changed. That is a big reduction in risk -- just being able to prove in court that it is a complete record. For historical e-mails, it is going to be very difficult to do that.
Is putting historical e-mails into an e-mail archive going to reduce risk? The answer to that is probably not. It is extremely difficult to do [and] very, very labor-intensive -- extremely disliked by the users themselves. Probably it is better to draw a line in the sand and say from this point onward, all the data is being captured in the e-mail archive. Use the current procedures to go back and look for e-discovery on a best can-do basis and don't try to solve the historical problem by putting it into an e-mail archive. It doesn't reduce risk, and it's extremely expensive.
4. Design for secure transfer from one medium to another.
Krischer: If you want to keep something for 10 years, you can't put it on the same media for 10 years. I mean theoretically you can do that, but it will cost you a lot of money. For example, because of the price erosion of disk subsystems, it is cheaper to buy a new subsystem after three to four years than it is to pay the maintenance fee for the next six years for the old one. In addition, due to constant technology developments, new subsystems will usually be more reliable, deliver better performance and require less energy. Therefore, in 10 years, at least one media change has to be done, and this migration should be designed to and audited [to prove] that nothing was deleted and nothing was modified during this migration.
5. Build to support derivative uses of the data.
Burris: What [does] it mean to build an information store that could be used by derivative applications and create derivative types of value? So, for example, [these could include data] mining activities on e-mail archives to identify pockets of expertise or pockets of activities or pockets of relationships that might have significant business value in an upcoming sales activity or a critical support issue. The storage administrators need to be sensitive when they set up that archive so that there will be derivative uses of that information. It's guaranteed that the business will find ways to use [the archive].
Floyer: This e-mail archive infrastructure ... will live for 10 years, probably more. It's very likely to have a long life because the processes and procedures around it are going to be honed in, going to be assessed by auditors, etc., and you won't want to change those very quickly. What that means is the data held in that archive should be accessible, should not be a format that, to put it crudely, is a vendor lock-in. For example, it should be in some sort of way, either database or file-based system, where you can utilize [the data] for other functions.
No comments:
Post a Comment