Flood of E-Mail Makes Compliance a Tricky Business

By Matthew Hicks  |  Posted 2005-06-02

As enterprises face more rules about storing their information, they must decide how to manage e-mail compliance and how to figure out which messages matter, say panelists at the INBOX conference.

SAN JOSE, Calif.—The days when managing e-mail meant keeping a server up and running are long gone as enterprises increasingly must figure out how to comply with government regulations affecting messaging. Panelists at the INBOX conference here on Wednesday laid out strategies for how companies can comply with laws ranging from the Sarbanes-Oxley Act and HIPAA (the Health Insurance Portability and Accountability Act) to U.S. Securities and Exchange Commission regulations and state rules. Enterprises must create and communicate a clear e-mail policy, panelists agreed. But companies also must decide which e-mails to store in order to comply with laws and which parts of their organization will be responsible for ensuring compliance.
"You cannot do business without preserving information, and you must increasingly preserve information in accordance with the government," said Jeffrey Ritter, a partner at law firm Kirkpatrick & Lockhart Nicholson Graham LLP.
"As a consequence, it's important that you look at e-mail not for the format or medium but for the message. And if the content is legally significant about the history of your company, then it must be retained."

A messaging policy must cover more than rules about preventing viruses or other security threats, said Paul Chen, president and CEO of e-mail archiving vendor Fortiva Inc. It also must outline proper usage of corporate e-mail, set consequences for e-mail abuse and lay out rules about what e-mails need to be retained.

The responsibility for compliance needs to be shared within an organization, panelists said. Typically, IT should oversee the infrastructure for ensuring compliance, such as archiving or tracking e-mail, while a compliance or legal department should set policy and lead training, Chen said. "It needs to be a team effort," he said.

As for employees, panelists cautioned against leaving them with the hard decision of which e-mails to retain. "Can you allow e-mails to be deleted by employees?" asked Peter Maftieu, founder and president of PM Consulting. "Can you allow an individual to make the judgment that this correspondence that was received or sent is not required to be retained? No."

Enterprises are struggling with deciding what e-mail to keep and for how long. Maftieu, a former compliance officer at a financial services company, said that when he oversaw compliance, he opted to archive all e-mail. "I could never get comfortable with deleting anything," he said. But he also ran surveillance on those e-mails to look for abuse and suggested that any organizations retaining all messages do the same. Surveillance, as well as training employees, helped reduce the volume of e-mail, Maftieu said.

Other panelists warned against enterprises retaining all e-mail.
Ritter said one of his clients, a 14,000-employee company, was considering keeping all of its e-mail for 10 years. While such a retention policy would meet all compliance laws, it also carries risks and is expensive, especially if the company ever faced an audit and had to sort through the messages, he said. "My job as adverse counsel is to find one flaw in your failure to execute your policy and administrator controls and to demonstrate that your records are unreliable," Ritter said. "When I do that, I win."

Too often, organizations decide to just keep it all because they do not have a handle on the compliance problem, Chen said. He suggested that, whether saving all e-mail or not, enterprises should categorize messages in order to determine what to keep and what is important. "The fact that a client is even contemplating keeping all e-mail for the next 10 years is proof that e-mail archiving and compliance is going through growing pains right now," Chen said.

Matthew Hicks: As an online reporter for eWEEK.com, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for eWEEK.com. Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.
