Ask Dr. E-Mail!

BY DR. E-MAIL, V.A. SHIVA

Question: What are the regulatory issues surrounding storage of e-mail?

Answer: Regulatory issues surrounding the storage of e-mail are becoming extremely important and highly relevant across all industries. Most recently, in the financial services sector, five major brokerage houses including Goldman Sachs, Morgan Stanley and Salomon Smith Barney had fines totaling $8.25 million levied against them for illegally erasing e-mail. The answer to your question has its basis in many statutes implemented in the late 1920s and early 1930s.

In 1929, Congress passed two acts designed to restore investor confidence in the markets:

1. The Securities Act of 1933

2. The Securities Exchange Act of 1934

In 1934, the Securities and Exchange Commission (SEC) was set up to enforce these laws to protect investors. The Securities and Exchange Act of 1934 includes provisions that require exchange members, brokers and dealers to maintain and preserve records of their business, including transactions, trade confirmations, communications (including interoffice memoranda) and written agreements. With the advent of computer hardware and software technologies, the SEC has updated these rules to include provisions for storage of records on electronic storage media. Under the current securities legislation and stock market regulations, broker-dealers must keep a copy of all e-mail for three years, and keep them in a readily accessible place for the most recent two years. 

In the recent e-mail fines, the five firms failed to store their e-mail per these regulations. According to a joint statement by the SEC, the New York Stock Exchange (NYSE) and National Association of Securities Dealers (NASD),  "Each firm had inadequate procedures and systems to retain and make accessible e-mail communications," the statement said. "While some firms relied on employees to preserve copies of the e-mail communications on the hard drives of their individual personal computers, there were no systems or procedures to ensure that employees did so." Some firms backed up e-mail communications on tape or other media as part of a disaster-recovery or other business plan, it said.  "However, these firms discarded or recycled and overwrote their back-up tapes and other media, often a year or less after back-up occurred.� In addition to the fines, these five firms agreed to review the way they preserve e-mails and to inform the regulators within 90 days that they were in compliance with the rules.

These recent fines are historical.  

These e-mail fines set a precedent for not only financial services, but also all other major industries relative to the storage of e-mail in compliance with government regulations. In telecommunications, where e-mail is a critical customer service tool for the industry, customers can receive their account statements, service notifications and other communication via e-mail. Federal regulations (CFR Title 47 Part 42) require the capture and retention of these records for federal auditing purposes. In the pharmaceutical industry, firms use e-mail to exchange research data, submit applications and file research reports. Physicians and healthcare institutions use e-mail to communicate with patients and colleagues. The Food and Drug Administration, through Title 21, Part 11, requires the preservation of all electronic records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA 1996, Public Law 104-191, Part 164 � Security and Privacy) defines the requirements to secure the privacy of individual health records.

As e-mail volume grows, such aforementioned e-mail fines will probably become more than just rare incidents. IDC forecasts that the number of e-mails sent daily will grow from 15 billion in 2002 to over 35 billion in 2005. Thus, the ubiquity of e-mail as a communication medium presents opportunities as well as challenges for companies who must comply with government regulations. For example, e-mail provides financial services providers such as exchange members, brokers and dealers a fast and efficient mechanism of communicating internally, with each other, with branch offices and with customers. However, this can lead to potential headaches for compliance officers, as all communications related to the business -- including internal communications -� must be retained under Rule 17a-4 (17CFR 240.17a-4). Record-keeping deficiencies are among the most common reasons that the SEC Office of Compliance Inspections and Examinations refers cases to the Office of Enforcement or to Self Regulating Organizations (SROs) for investigation.

The purpose of this article is not to provide a particular solution, but to make you aware of the landscape of existing regulations and the new regulations that will obviously develop as the e-mail industry evolves.

An e-mail is a record. 

Some estimates indicate that as much as 45 percent of business critical information is stored within the messaging system. However, much of this information is hidden from the organization as a whole, in individual user mailboxes, desktop archives or backup tapes. Nearly three-quarters of end users are unable to recover an archived e-mail without assistance from the e-mail administrator. In some cases, aged e-mail is simply not recoverable. Results of a recent survey showed that 29 percent of organizations would not be able to locate an e-mail message that was six months old (Creative Networks, Inc.).  E-mail servers are vulnerable to unplanned downtime, caused in part by overloaded message stores. However, e-mail storage technology is evolving to help manage message stores, which is good news considering recent research indicates that over half of the most serious message-related difficulties faced by IT staff focus on storage issues, including lack of disk space, the size of individual message stores and the sheer volume of message traffic. E-mail systems are also vulnerable to virus attacks, as over 85 percent of the viruses that infect organizations enter via the e-mail system (ISCA/TruSecure � 2000 Virus Prevalence Survey).

E-mail storage can be compared to an established discipline of record management. Record management traditionally deals with paper-based records, managing them throughout their lifecycle, from creation through long-term storage and ultimate destruction. Many record management concepts are applicable to e-mail storage.

Record management is the discipline of managing records to meet operational business needs and accountability. An organization uses an e-mail retention policy to define what records must be kept, how they should be stored and retrieved and how long they should be preserved. These are based on criteria defined by the organization or by regulatory requirements. In the next article, I will discuss the key elements necessary to build an effect e-mail record storage system.

V.A. Shiva is a Chairman and CEO of EchoMail, Inc. In 1979, while a sophomore in high school, Shiva created one of the world�s first E-Mail systems for which he was recognized with the prestigious Westinghouse Science Award. During 1981 to 1993, he completed his undergraduate, graduate and doctoral research at the Massachusetts Institute of Technology focused on the field of pattern recognition, earning degrees in Electrical Engineering, Mechanics and Media Arts and Sciences. Today, EchoMail, which was founded in 1994, provides advanced Business Intelligence technologies for E-Mail management. EchoMail focuses on helping Fortune 1000 companies devise strategies as well as deploy its E-Mail Management technology platform for inbound and outbound management of E-Mail. More information on EchoMail, Inc. can be found at www.echomail.com. Shiva can be reached at [email protected].