
IT Compliance Institute, August 3, 2004:

Best Practices

Turn E-mail Compliance to Your Advantage

The answer isn't to back up everything, but to back up strategically. Here's one approach.

By Mathew Schwartz

Companies required to retain e-mail must take no shortcuts. A variety of regulations (including HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley) dictate companies retain some or all e-mail communications. Organizations may be taking a wait-and-see attitude, but in 2002 the Securities and Exchange Commission, the New York Stock Exchange, and NASD fined five banking giants (including Goldman, Sachs; Morgan Stanley; and Salomon Smith Barney) a total of $8.25 million for not retaining their e-mails on backup media.

Retention is a corporate mandate. New technologies, however, let organizations go beyond “must do” to “can do.” Now organizations can ease the burden on their e-mail servers (why keep old e-mails there if they’re already backed up?) or automatically archive critical information onto high-speed backup for easier searching and retrieval. While organizations can search everything in storage, it’s faster and easier to find information if it’s already been separated out.

To talk about e-mail regulation and storage trends, ITCi spoke with Dave Hunt, CEO of e-mail lifecycle management software vendor C2C Systems, based in Reading, U.K.

How are companies coming to grips with e-mail retention regulations?

I think they are extremely confused, because they have the need to find information and to even remove information [here in Britain]—if people request it—all under the auspices of the U.K. Data Protection Act, the Freedom of Information Act, the Personal Information Protection Act … We’ve seen multinational agencies really struggling with what to keep. The IT people look at this problem and say, “Exclamation mark, exclamation mark; we’ll keep the lot.”

So is e-mail retention all-or-nothing?

The compliance market is where you just put away a copy of every e-mail onto a storage technology, and you hope that you can search and find it later on. That’s usually written at the lowest possible [storage-quality] level … Of course, the volume is huge, and the storage size needed immense.

There are other approaches [however]… you [may] want to keep selected information, say for seven years. Perhaps appraisals or documents. You can [just] write that away and keep it …

The difference between the two approaches is, you’re keeping massive amounts of information that you search rarely, or you just keep what you need.

Do many companies take both approaches?

Plenty. Anyone in the financial services market has to do the legal compliance, and they write that away at the lowest possible level, and just take the hit on writing it away. But the data then can be removed from the e-mail environment, which [frees e-mail server storage]. And for [this approach], if you’re lucky, you can [add] it onto the compliance part of the budget—under the chairman.

The second approach is [for] information kept selectively, which you really want to keep closer at hand, to control the size and capacity … [This approach] has the greatest impact on capacity … because disk storage is more expensive and you’re trying to keep so much information on hand.

For the first approach, storing everything, is retrieval time a concern?

Retrieval time is hours, if not minutes. There are laws around that, that say you must produce the information in seven days, and if it says seven, probably six days of that is your lawyer writing the brief that goes around the [information]. So … that’s the slow storage medium.

The fast-access medium is where you can retrieve it in seconds, rather than minutes. That’s a disk-based storage device or at worst, a DVD jukebox.

When companies selectively keep information, what do they often target?

A lot of it has to do with the company, and the capacity of its e-mail system, and … [decreed] limits on e-mail mailbox sizes … It’s only the last two or three years that companies have gotten their head around the fact that … the time taken to clear a mailbox or clean information can be huge. I’ve seen companies [with] highly paid analysts—earning $100,000 or more—[spending] a few hours [every] Friday afternoon just to clear their mail systems.

The majority of companies have [also] realized they cannot impose upon their worker to remove information, because if they remove it, where do they remove it to?

What are some different approaches to retention?

First of all, you can try and say (as a rule of thumb), “We’ll archive all messages over a certain size to reduce capacity.” But the more interesting side is you can automatically archive data that relates to a certain subject. This is something C2C is very good at … [our software] can actually keep e-mail relating to one subject or another.

Just for example, if we were a firm of lawyers, we might want to keep all information that relates to Enron, or a particular client. We as a firm of lawyers could be dealing with Enron not just on one or two subjects, but on every possible one—human resources, acquisition, finance, corporate law … So we could have a dozen different lawyers in a dozen different departments working with Enron, and we could archive every e-mail sent or received or dealing with Enron … to a separate repository.

As opposed to being a compliance headache, is there a potential benefit from selectively retained information?

It’s just enormous. I don’t think people understand the full power of what they’re keeping. Really, I think what they’re looking for initially is extensions to people’s mailboxes, so people are allowed to keep more information and search on it quickly.

What about giving employees the ability to search beyond their own mailbox?

Depending upon the selected type of information, you can give permissions for a team of lawyers, say, to go and search that information. We actually have a feature … where you can take all that information, write it to a DVD, and present it to a court as part of your submission.

Can your software offload older information to less-expensive storage?

There’s HSM—hierarchical storage management, the ability of a storage management product to move [information], and for us to track the move—and that’s pretty smart stuff. That’s where we’ve been working with people like Computer Associates … [whose software management software] allows the data to be moved from one technology to another, we don’t need to know anything about it. All we need … is to know it’s been moved, oh yes, thanks for telling us. When we ask for the information, we’ll know [how to find it] …

So the [HSM] software will allow you to move data between different disks and active types, and that allows the data after 30 days to be moved to a slow disk, after 90 days to a slower disk, after 180 days to be moved to an even slower disk, and after 360 days to tape.

What archiving abilities should companies expect in the future?

The ability to archive on a far more granular criteria, [beyond] the example about Enron. I think most people today are archiving purely based on the e-mail user, and the approach we’ve taken is to allow them to archive on those grounds, and on specific criteria as well. You’ll see more of that criteria …

Also there are some industries, [for example] insurance in the U.S., that say e-mail must be kept five years beyond the life of the policy holder. So as time goes on, if we’re forced into keeping e-mail for five, seven, 10, or 25 years, then I’m going to want to search [very old] information … and that’s something we as an industry are going to have to learn to deal with.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.