Panelists at the INBOX conference here on Wednesday laid out strategies for how companies can comply with laws ranging from the Sarbanes-Oxley Act and HIPAA (the Health Insurance Portability and Accountability Act) to U.S. Securities and Exchange Commission regulations and state rules.
Enterprises must create and communicate a clear e-mail policy, panelists agreed. But companies also must decide which e-mails to store in order to comply with laws and which parts of their organization will be responsible for ensuring compliance.
"You cannot do business without preserving information, and you must increasingly preserve information in accordance with the government," said Jeffrey Ritter, a partner at law firm Kirkpatrick & Lockhart Nicholson Graham LLP.
"As a consequence, it's important that you look at e-mail not for the format or medium but for the message. And if the content is legally significant about the history of your company, then it must be retained."
A messaging policy must cover more than rules about preventing viruses or other security threats, said Paul Chen, president and CEO of e-mail archiving vendor Fortiva Inc. It also must outline proper usage of corporate e-mail, set consequences for e-mail abuse and lay out rules about what e-mails need to be retained.
The responsibility for compliance needs to be shared within an organization, panelists said. Typically, IT should oversee the infrastructure for ensuring compliance, such as archiving or tracking e-mail, while a compliance or legal department should set policy and lead training, Chen said.
"It needs to be a team effort," he said.
As for employees, panelists cautioned against leaving them with the hard decision of which e-mails to retain.
"Can you allow e-mails to be deleted by employees?" asked Peter Maftieu, founder and president of PM Consulting. "Can you allow an individual to make the judgment that this correspondence that was received or sent is not required to be retained? No."
Enterprises are struggling with deciding what e-mail to keep and for how long. Maftieu, a former compliance officer at a financial services company, said that when he oversaw compliance, he opted to archive all e-mail.
"I could never get comfortable with deleting anything," he said.
But he also ran surveillance on those e-mails to look for abuse and suggested that any organizations retaining all messages do the same. Surveillance, as well as training employees, helped reduce the volume of e-mail, Maftieu said.
Other panelists warned against enterprises retaining all e-mail. Ritter said one of his clients, a 14,000-employee company, was considering keeping all of its e-mail for 10 years.
While such a retention policy would meet all compliance laws, it also carries risks and is expensive, especially if the company ever faced an audit and had to sort through the messages, he said.
"My job as adverse counsel is to find one flaw in your failure to execute your policy and administrator controls and to demonstrate that your records are unreliable," Ritter said. "When I do that, I win."
Too often, organizations decide to just keep it all because they do not have a handle on the compliance problem, Chen said. He suggested that, whether saving all e-mail or not, enterprises should categorize messages in order to determine what to keep and what is important.
"The fact that a client is even contemplating keeping all e-mail for the next 10 years is proof that e-mail archiving and compliance is going through growing pains right now," Chen said.