How much e-mail archiving is necessary to comply with regulations?
Do I need to archive all of my company e-mail? How do I comply with regulations, and what are my options when it comes to the solutions?
First of all, email compliance can mean different things to different organizations. To yours, it might refer only to compliance with internal policies that serve to protect your intellectual property.
Then again, you must always consider whether you’re adhering to PIPEDA (the Personal Information Protection and Electronic Documents Act), the Canadian federal act governing the collection, use and disclosure of personally identifiable information in the course of commercial transactions.
Depending on your circumstances, e-mail compliance might mean sticking to regulatory compliance rules set out by HIPAA, Sarbanes-Oxley, PCI, CA-SB1386, SEC, Gramm-Leach-Bliley or Bill 198.
The Ontario legislature enacted 2003’s Bill 198 after Sarbanes-Oxley legislation was introduced in the U.S. in 2002. A far-reaching piece of legislation that also included provisions regarding auto insurance and tax, the bill is probably best known for clauses to protect investors by improving the accuracy and reliability of corporate disclosures.According to the PricewaterhouseCooper LLP Canada Web site, since then, Bill 198 has resulted in, among other changes:
- Auditor reforms through the creation of the Canadian Public Accountability Board
- Modifications to the Audit Committee requirements
- Modifications to civil liability in Ontario and through the Canadian Securities Administrators (CSA)
- The requirement that CEOs and CFOs personally certify annual and interim filings pursuant to provincial and territorial securities legislation.
According to PWC, Canadian regulators are fostering a phased and delayed implementation, and this is providing companies with more time to implement the required changes.
“Although they have more time, companies should continue their certification projects to ensure they achieve compliance and many of the resulting business benefits of compliance, including stronger governance, reliable reporting and potential cost savings,” recommends PWC.
Another good reason to strive for compliance is so that you’ll be ready if your firm is involved in any litigation.
Indeed, my company, Fleximation Systems, has provided e-mail compliance software tools to customers who have subsequently received a call at 3 p.m. on a Friday and been told to do a legal discovery, with the information expected at the offices of the opposing lawyer by Monday morning. They must quickly check all of their e-mail messages for those containing certain key words, originating from certain people, under a specific date range. To have a hope of meeting such last minute requests, e-mail compliance applications must certainly be in place.Having the ability to do this might not be legally required — especially if you are a private company and not listed on any stock exchange — but it’s definitely going to be critical to your corporate protection. And such litigation is happening more and more often.
When it comes to the technology behind this searching and storing abilities, there are three basic types. You can use a software solution, a dedicated appliance, or you can go with the outsourced method.
Most smaller businesses today are using business software solutions to archive their e-mail. A vast majority of them are using an inherent e-mail structure, for example Microsoft Exchange, which has a journaling feature that can be turned on that will capture all messages sent and received internally and externally.
Both from a Lotus and Exchange perspective, the software solution seems to be accepted by many in the IT community when firms want to make sure that they control such information and have it all residing internally.
Compliance rules generally require that you have the ability to store the information in an un-chaptered format and be able to search for specific Exchange or Lotus mail files. Along with this, you should have some form of server and someone to administer the information, such as a compliance officer or e-mail administrator.
As a general rule, the data must be stored on a write-once, read-many system on the back end, so it can’t be tampered with. This is where some of the today storage area network (SAN) solutions come into play. These will allow you to store your information in a very protected environment.
Going with a dedicated appliance to archive e-mail is a slightly different way to gather the information. The appliance also gives you the ability to trap all the messages that are being sent or received both internally and externally, and to search it when required.
It’s in essence a server within a box. You assign an IP address, it’s self-contained and it processes the information internally.
This method is of special interest to many small to medium-sized businesses that may not have many internal IT resources or may already outsource their IT or e-mail administration. Most appliances offer fairly simple installation procedures.
To protect your company if you suffer a disaster that wipes out all your data, the appliance can simply give you the e-mail archiving and compliance smarts within the box, and you can point the data to a network-attached storage (NAS) device. This can be done locally, or it can be pointed to a disaster recovery site in another location.
The outsourced solution is your third option. Again, some smaller organizations will see this as a better alternative for them, based on the economics. The outsourced provider already has the hardware, software and the people to readily accept the e-mail data. Adding data from your 50 or 100 users will probably not be all that difficult or expensive. When you try to do this internally, you might have to procure some or all of those resources.
But there may be inherent policies within organizations that say all data must be kept locally, period. If that’s the case, go with Option 1 or 2. In small organizations, and often brokerage houses in the financial sector, outsourcing can be a popular choice.
When you are traded on a stock exchange in Canada, compliance with Bill 198 is essential. If you’re listed on the NYSE, Sarbanes-Oxley and/or SEC regulations will most certainly come into play as well. But if you simply get into litigation over a wrongful dismissal or contractual dispute, you may find that compliance can be just as important a tool for your ultimate corporate protection.
Wayne Simpson is president of Mississauga, Ont.-based Fleximation Systems Inc., which provides software solutions for e-mail archiving, e-mail compliance, network security and Web and network management. Contact him at: email@example.com.
Contact the editor