
 

 

The need for compliance is driven by various governmental and regulatory demands. High-profile acts such as SEC, Sarbanes-Oxley and Basel II were primarily driven by experiences of email mismanagement. Freedom of Information Act laws have also increased the visibility of email retention and accessibility.

 

Legislation commonly calls for retention periods but may demand deletion once the retention period has expired. The requirement is usually to copy away all emails relating to subjects, departments or individuals before a user has a chance to manipulate or delete the information, providing a fully secure and audited record of email activity. System performance and selective retention have nothing to do with compliance; a solution to aid compliance generally works behind the scenes, invisible to the end user, with the archived copies accessible only to certain permitted Officers.

 

Regulations are requiring various industries to store electronic information for a period of time. These new standards are pushing the need to archive. Typical regulations force organizations to:

  • Keep copies of all emails (selected by individual or department)
  • Keep copies of all email transactions with third parties
  • Maintain copies of the electronic calendars of key members of staff
  • Save messages in a secure format, able to be retrieved as and when they are needed

 

Non-compliance with regulations is serious, and companies risk paying millions of dollars in sanctions and fines, not to mention loss of corporate reputation, lost revenue and embarrassment.

 

To meet regulatory requirements, the key is to find an archiving solution that maintains email integrity. DoD 5015.2-STD, for example, requires that any record (including email), when retrieved, can be reproduced, viewed, and manipulated in the same manner as the original. When it comes time for regulatory audits, you won’t want emails challenged for lack of authentication.

 

This is one of the main reasons why back-up of email isn’t enough to meet regulatory requirements. Fast indexing and search for retrieval of email are inherent to true archiving solutions. When you need to track down email, you’ll no doubt need to search millions of messages and their contents in a restricted time-frame. Back-up just doesn’t allow for this to happen. True archiving solutions are built for the writing away and retrieval of high volumes of email, maintaining full data integrity and audit trails which would stand up in a court of law.

 

Another point to remember is that searching and retrieving messages within a prescribed time-frame is virtually impossible to do manually. When the requirement is to retrieve an email out of millions within (say) 48 hours, this does not mean “give the request to the IT department and they must present the data within 48 hours”. It almost certainly means “your company has 48 hours in which to present the data”, so you need to get the data to the lawyer, who probably needs to set it out in the context of the case and present that within 48 hours. Realistically, the IT department probably needs to find the data within an hour! This implies the need for a fully flexible, well-managed system.

 

When you look at compliance you will need to bear in mind:

    • The regulatory reasons for compliance
    • Other legal factors pertaining to data retention
    • Whether the data is tamper-proof
    • Methods of sampling and review
    • Log and audit trails of archive searches: this may involve a review hierarchy of IT, Security and/or Compliance Officers
    • The abilities of the company to manage this data
    • You may need to prove that you have undertaken all of these and more
    • You will need to involve all aspects of management to ensure that the compliance project is not just left to IT; it is an organization-wide activity
       

So what do you do if regulations don’t yet apply to your organization?

Our experience says ‘be prepared’. It is sensible for any organization to begin to archive emails that may be regarded as company records, whether for employee management or commercial reasons. Common sense says that it is likely that regulation will spread, and it is simply unacceptable in court to say that electronic data cannot be retrieved.

Manage Legal Risks and Compliance Demands with ArchiveOne

To help you meet regulatory requirements such as Sarbanes-Oxley, ISO, HIPAA, Basel II and others, ArchiveOne for Enterprise can extract and store a copy of every email sent or received.

By archiving internal and external email to secure, indexed repositories, you can ensure you will be able to find critical message content rapidly and with full, demonstrable records of every email transaction suitable for audit requirements.