Email: The Compliance Sleeping Tiger

Growing security and compliance demands are one of the main causes of sleep loss for CIOs today, because they bring the ever-present risk of legal action against the company for running systems that fall short of regulatory standards. The risks are known and the regulations are clear, but a common misconception is that compliance applies only to physical documents. Many companies do not realise, or do not care, what insecure email storage practices could cost them, and are playing a dangerous game in the process.

 

Date: 1 Sep 2005

Until recently the consequences of email systems failing to meet regulations have been largely muted. It may seem a sleeping issue, but the longer companies take their eye off it, the bigger a liability it becomes. In recent months we have seen some hard-hitting consequences in the form of litigation, financial penalties, HR problems and damage to company reputation.

Legal Lessons

Modern business cannot function without email; it has become a key communication tool that many organisations depend on, with contracts, deals and business arrangements confirmed over it. Despite this, email retrieval and archiving is still seen by many as a low priority, and many companies need to ask how to store email so that it can be retrieved cost-effectively when required. Legal action over a contract dispute can begin as much as six years after the contract ends - would the average company know this, let alone have retained the relevant emails for that long?

There are also now criminal penalties for non-compliance, and email is subject to the same regulations as paper documents. For instance, section 222(5) of the Companies Act 1985 states that records relating to company accounts must be retained for a minimum of six years (for public companies) or three years (for private companies). If a company fails to comply, a director or officer faces imprisonment for up to two years, a fine of up to £5,000, or both. Many companies forget that relevant financial information is contained in a great many emails. When a company is asked to retrieve emails for the courts, does it know how quickly it can do so, what it will cost, and whether it can show that the emails are the originals? To be fully compliant, and protected against litigation, companies need to be able to answer these questions. Unfortunately the majority can't.

Despite the risks, the majority of email storage methods in use today are insecure and fail to meet regulatory standards. Many organisations rely on backup tapes for email storage, but tapes do not capture email in real time and do not give a true record of all correspondence: a message can be modified or deleted in a mailbox before the next backup runs and will never appear on tape at all. Email stored this way is usually unencrypted, access to it is unaudited, and it therefore does not meet the requirements of legislation such as the Data Protection Act 1998.

Backup tapes should be used for disaster recovery only. To investigate email records in a compliant way, what is required is a permanent, tamper-evident repository of all email entering, leaving and moving around the organisation, captured at the point of transit rather than copied from mailboxes after the fact: a system that is forensically compliant.
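The tamper-evident repository described above is usually built as an append-only journal protected by a hash chain. The following is an added illustration, not code from the article or from any product it mentions: each message captured at the mail gateway is stored with a hash that covers the previous entry's hash, so editing, deleting or reordering any earlier message breaks every later link, and a verifier can name the first entry that no longer checks out. The three messages are constructed sample data, and the `rechain` function models what an insider with write access to the store would do to hide an edit.

```python
"""Tamper-evident email journal built on a hash chain (added example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # the "previous hash" of the very first entry


@dataclass
class Entry:
    seq: int
    prev_hash: str
    record: Dict[str, str]   # headers and body exactly as captured in transit
    entry_hash: str


def _digest(prev_hash: str, seq: int, record: Dict[str, str]) -> str:
    """Canonical JSON so an identical record always hashes identically."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class Journal:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, record: Dict[str, str]) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, prev, dict(record), _digest(prev, seq, record))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; anchor it somewhere the journal store cannot rewrite."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, index). index is the first entry that fails, or the
        journal length when the chain is internally consistent but does not
        end at the anchored head (truncation or a re-chained rewrite)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e.seq != i or e.prev_hash != prev
                    or _digest(prev, i, e.record) != e.entry_hash):
                return False, i
            prev = e.entry_hash
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def rechain(journal: Journal) -> Journal:
    """Insider's cover-up: rebuild every hash after editing a record so the
    chain looks consistent. Only an out-of-band copy of the head catches it."""
    fixed = Journal()
    for e in journal.entries:
        fixed.append(e.record)
    return fixed


def build_sample_journal() -> Journal:
    """Three constructed messages, as a gateway would capture them."""
    j = Journal()
    j.append({"from": "cfo@example.com", "to": "auditor@example.com",
              "date": "2005-03-01", "body": "Q1 figures attached for review."})
    j.append({"from": "auditor@example.com", "to": "cfo@example.com",
              "date": "2005-03-02", "body": "Figures do not reconcile; see row 14."})
    j.append({"from": "cfo@example.com", "to": "auditor@example.com",
              "date": "2005-03-02", "body": "Noted, will re-issue."})
    return j


if __name__ == "__main__":
    j = build_sample_journal()
    anchored = j.head()          # e.g. written to WORM media or signed daily
    print("intact:", j.verify(anchored))
    j.entries[1].record["body"] = "Figures reconcile."
    print("edited entry 1:", j.verify(anchored))
    print("edited, re-chained, no anchor:", rechain(j).verify())
    print("edited, re-chained, anchored head:", rechain(j).verify(anchored))
```

Two points follow from the design. The chain only proves what was captured, so it must be fed from the mail gateway or server journaling function, not from user mailboxes, otherwise the pre-backup deletions the article warns about are simply never recorded. And the chain alone is not enough: someone who can rewrite the store can re-hash everything, so the head hash has to be anchored where that person cannot reach it (write-once media, a signed daily digest, a third party), which is what the verifier's `expected_head` argument represents.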

Financial Failings

Whether or not litigation is avoided, companies can still face the financial consequences of ignoring email compliance. Bank of America found this out the hard way in June 2005, when two of its affiliates agreed to pay $1.5 million to settle charges that they had failed to preserve email communications relating to their business.

We have seen the consequences, yet many companies would rather risk a fine than spend time and money on "compliance". The reality is that when companies are caught they may well end up with both a fine and an order to spend the time and money on compliant systems anyway.

This is what happened to J P Morgan Securities Inc, a subsidiary of J P Morgan Chase & Co. In February 2005 the Securities and Exchange Commission (SEC) found that J P Morgan had failed to preserve its business-related email communications between 1999 and 2002 for the three-year period set out in section 17(a) of the Securities Exchange Act 1934 and Rule 17a-4. The firm was ordered to establish email retention procedures that comply with the record-keeping requirements and to pay the SEC US$700,000. Two further fines of US$700,000 each were levied against J P Morgan by the National Association of Securities Dealers and the New York Stock Exchange.

Personnel Problems

Email is not purely a matter of business record keeping. The areas of liability employers are exposed to through their email systems include defamatory remarks, breach of confidentiality, use and abuse of copyright material without permission, negligence in sending viruses, and sexual or racial harassment. It is therefore imperative to have an ordered and secure email management system, both to guard against risks such as these and to provide evidence in HR disputes if necessary. The fact that email may be needed as evidence in HR disputes also makes it too important to be left to individuals to store correctly.

The widespread use of company email for personal activity also creates regulatory issues; the analyst firm IDC believes that 40% of email at work is non-business related. Email, and more recently Instant Messaging (IM), has become a medium for personal and business use at the same time, which only adds to the need for messages to be retained as business documents to meet the plethora of compliance regulation and legal doctrine around today, such as the Data Protection Act, the Human Rights Act or Sarbanes-Oxley.

The truth may come as a shock to some, but email is bigger than many give it credit for, and the consequences of neglecting email compliance will come back to bite companies. According to the Chartered Institute of Personnel & Development, disciplinary action for technology-related offences (email and internet abuse) now exceeds the combined total for dishonesty, violence, and health and safety breaches, and the single most common reason for disciplinary action is internet abuse. A survey by Integralis also found that 32% of Fortune 1000 companies have discovered employees passing confidential information to a third party.

Reinforcing Reputation

The consequences of non-compliance do not stop there. In recent months companies have found that ignoring the issue can damage their reputation, as the "Ketchupgate" case demonstrated. In June 2005 the City law firm Baker & McKenzie was thrust into the public eye for all the wrong reasons when an email exchange in which an experienced lawyer demanded £4 in dry-cleaning costs from a secretary for spilling ketchup on his trousers went around the world. The story made the national press, but would it have happened if the firm had had an email communications and storage policy that complied with regulation and that all staff were aware of? Such a policy would surely make employees think twice about conducting an exchange like this over company email, and encourage them to resolve the matter before it reached that stage through an alternative, unrecorded medium.

In my experience, email retention is best managed through a dual approach - a forensically compliant email repository which will store all emails sent and received, enabling the auditing of who said what and when as well as an email policy for users. This explains to everyone how and why email is being retained and how confidential information will be stored. Email is the sleeping tiger of the compliance debate, but it is now really starting to wake up and the consequences for companies are beginning to bite. Ignoring it is simply not good enough, companies need to be thinking about email compliance now, or the resulting legal, financial and HR problems and damage to their reputations could leave lasting scars.


Tags: Compliance
