Question: What are the regulatory issues surrounding storage of e-mail?
Answer:
Regulatory issues surrounding the storage of e-mail are becoming extremely
important and highly relevant across all industries. Most recently, in the financial services
sector, five major brokerage houses including Goldman Sachs, Morgan
Stanley and Salomon Smith Barney had fines totaling $8.25 million levied
against them for illegally erasing e-mail. The
answer to your question has its basis in many statutes implemented in the
late 1920s and early 1930s.
In 1929,
Congress passed two acts designed to restore investor confidence in the
markets:
1. The Securities Act of 1933
2. The Securities Exchange Act of 1934
In 1934, the
Securities and Exchange Commission (SEC) was set up to enforce these laws
to protect investors. The Securities
and Exchange Act of 1934 includes provisions that require exchange
members, brokers and dealers to maintain and preserve records of their
business, including transactions, trade confirmations, communications
(including interoffice memoranda) and written agreements. With the advent of computer hardware and
software technologies, the SEC has updated these rules to include
provisions for storage of records on electronic storage media. Under the current securities legislation
and stock market regulations, broker-dealers must keep a copy of all
e-mail for three years, and keep them in a readily accessible place for
the most recent two years.
In the recent e-mail fines, the five firms failed to store their e-mail
per these regulations. The SEC, the New York Stock Exchange (NYSE) and
National Association of Securities Dealers (NASD) issued
a joint statement: "Each firm had inadequate
procedures and systems to retain and make accessible e-mail
communications," the statement said. "While
some firms relied on employees to preserve copies of the e-mail
communications on the hard drives of their individual personal computers,
there were no systems or procedures to ensure that employees did so." Some firms backed up e-mail
communications on tape or other media as part of a disaster-recovery or
other business plan, it said. "However,
these firms discarded or recycled and overwrote their back-up tapes and
other media, often a year or less after back-up occurred." In addition to the fines, these five
firms agreed to review the way they preserve e-mails and to inform the
regulators within 90 days that they were in compliance with the rules.
These recent fines are historic.
These e-mail
fines set a precedent for not only financial services, but also all other
major industries relative to the storage of e-mail in compliance with
government regulations. In
telecommunications, where e-mail is a critical customer service tool for
the industry, customers can receive their account statements, service
notifications and other communication via e-mail. Federal regulations (CFR Title 47 Part
42) require the capture and retention of these records for federal
auditing purposes. In the
pharmaceutical industry, firms use e-mail to exchange research data,
submit applications and file research reports. Physicians and healthcare institutions
use e-mail to communicate with patients and colleagues. The Food and Drug Administration, through
Title 21, Part 11, requires the preservation of all electronic records. The Health Insurance Portability and
Accountability Act of 1996 (HIPAA 1996, Public Law 104-191, Part 164 –
Security and Privacy) defines the requirements to secure the privacy of
individual health records.
As e-mail volume
grows, fines like these will probably become more than
just rare incidents. IDC forecasts
that the number of e-mails sent daily will grow from 15 billion in 2002 to
over 35 billion in 2005. Thus, the
ubiquity of e-mail as a communication medium presents opportunities as
well as challenges for companies that must comply with government
regulations. For example, e-mail
provides financial services providers such as exchange members, brokers
and dealers a fast and efficient mechanism of communicating internally,
with each other, with branch offices and with customers. However, this can lead to potential
headaches for compliance officers, as all communications related to the
business -- including internal communications -- must be retained under
Rule 17a-4 (17 CFR 240.17a-4). Record-keeping
deficiencies are among the most common reasons that the SEC Office of
Compliance Inspections and Examinations refers cases to the Office of
Enforcement or to Self Regulating Organizations (SROs) for investigation.
The purpose of
this article is not to provide a particular solution, but to make
you aware of the landscape of existing regulations and the new regulations
that will obviously develop as the e-mail industry evolves.
An e-mail is a record.
Some estimates
indicate that as much as 45 percent of business critical information is
stored within the messaging system. However,
much of this information is hidden from the organization as a whole, in
individual user mailboxes, desktop archives or backup tapes. Nearly three-quarters of end users are
unable to recover an archived e-mail without assistance from the e-mail
administrator. In some cases, aged
e-mail is simply not recoverable. Results
of a recent survey showed that 29 percent of organizations would not be
able to locate an e-mail message that was six months old (Creative
Networks, Inc.). E-mail
servers are vulnerable to unplanned downtime, caused in part by overloaded
message stores. However, e-mail
storage technology is evolving to help manage message stores, which is
good news considering recent research indicates that over half of the most
serious message-related difficulties faced by IT staff focus on storage
issues, including lack of disk space, the size of individual message
stores and the sheer volume of message traffic. E-mail systems are also vulnerable to
virus attacks, as over 85 percent of the viruses that infect organizations
enter via the e-mail system (ICSA/TruSecure 2000 Virus Prevalence
Survey).
E-mail storage
can be compared to the established discipline of record management. Record management traditionally deals
with paper-based records, managing them throughout their lifecycle, from
creation through long-term storage and ultimate destruction. Many record management concepts are
applicable to e-mail storage.
Record
management is the discipline of managing records to meet operational
business needs and accountability. An
organization uses an e-mail retention policy to define what records must
be kept, how they should be stored and retrieved and how long they should
be preserved. These are based on
criteria defined by the organization or by regulatory requirements. In the next article, I will discuss the
key elements necessary to build an effective e-mail record storage system.
V.A. Shiva is Chairman and CEO of
EchoMail, Inc. In 1979, while a sophomore in high school, Shiva created
one of the world’s first E-Mail systems for which he was recognized with
the prestigious Westinghouse Science Award. From 1981 to 1993, he
completed his undergraduate, graduate and doctoral research at the
Massachusetts Institute of Technology focused on the field of pattern
recognition, earning degrees in Electrical Engineering, Mechanics and
Media Arts and Sciences. Today, EchoMail, which was founded in 1994,
provides advanced Business Intelligence technologies for E-Mail
management. EchoMail focuses on helping Fortune 1000 companies devise
strategies as well as deploy its E-Mail Management technology platform for
inbound and outbound management of E-Mail. More information on
EchoMail, Inc. can be found at www.echomail.com.
Shiva can be reached at Dr.E-Mail@EchoMail.Com.