Until recently the consequences of email systems not meeting regulations have been largely subdued. It may seem like the sleeping issue, but as more companies take their eye off it, it becomes more of a liability. In recent months we have seen some hard-hitting consequences in the form of litigation, financial penalties, HR problems and damage to company reputation.
Modern business cannot function without email; it has become a key communication tool that many organisations depend on, as contracts, deals and business arrangements are confirmed via the medium. Despite this, email retrieval and archiving are still seen by many as a low priority, and many companies need to ask how to store email documents so that they can retrieve them cost effectively when required. Legal action for contract disputes can begin as much as six years after the contract ends: would the average company know this, let alone have retained the relevant emails for that length of time?
There are also now criminal penalties for non-compliance, and email is subject to the same regulations as paper documents. For instance, section 222(5) of the Companies Act 1985 states that records relating to company accounts must be retained for a minimum of six years (for public companies) or a minimum of three years (for private companies). If a company fails to comply with this regulation, the penalties for a company director or officer are a term of imprisonment of up to a maximum of two years, or a fine of up to £5,000, or both. Many companies forget that relevant financial information is contained in many emails. When a company is asked to retrieve emails for the courts, does it know how quickly it can do so, what it will cost, and whether it can be sure that the emails are the originals? To be fully compliant, and protected against litigation, companies need to be able to answer these questions. Unfortunately the majority can't.
However, despite the risks, the majority of email storage methods currently in use are insecure and fail to meet regulatory standards. Many organisations use backup tapes for email storage, but these tapes do not store emails in real time and do not show a true record of all email correspondence: emails can be modified or deleted before they are saved onto the backup tapes. Emails stored in this way are usually unencrypted, access to them is unaudited, and they are therefore not compliant with legislation such as the Data Protection Act 1998.
Backup tapes should only ever be used for disaster recovery. To carry out any investigation of your email records compliantly, what is required is a permanent and tamper-evident repository of all email going into, out of and around an organisation: a system that is forensically compliant.
Whether litigation is avoided or not, companies can still be faced with the financial consequences of ignoring email compliance. Bank of America found this out the hard way in June 2005 when two of their affiliates agreed to pay $1.5 million to settle charges that they failed to preserve email communications related to their business.
We have seen the consequences, but many companies would rather risk a fine than spend time and money on 'compliance'. The reality, though, is that when companies are caught they may well end up with both a fine and an order to spend the necessary time and money on compliant systems.
This is true in the case of J P Morgan Securities Inc, a subsidiary of J P Morgan Chase & Co. In February 2005, the Securities and Exchange Commission (SEC) found that J P Morgan had failed to preserve its business-related email communications between 1999 and 2002 for the three-year period set out in section 17(a) of the Securities Exchange Act 1934 and Rule 17a-4. The firm was ordered to establish email retention procedures that comply with the record-keeping requirements. J P Morgan was ordered to pay the SEC US$700,000. Two additional fines, each of US$700,000, were also levied against J P Morgan by the National Association of Securities Dealers and the New York Stock Exchange.
However, email is not purely a matter of business record keeping. Some of the areas of liability employers are exposed to when using the communications network include: defamatory remarks, breach of confidentiality, using and abusing copyright material without permission, negligence in sending viruses, and sexual or racial harassment. It is therefore imperative to have an email management system that is ordered and secure, to guard against potential risks such as these and to provide evidence for HR disputes if necessary. The fact that email may need to be used as evidence in HR disputes also renders it too important to be left to the individual to store correctly.
The undoubted widespread use of company email for personal activity also creates regulatory issues; indeed, the analyst organisation IDC believes that 40% of email at work is non-business related. Email, and more recently instant messaging (IM), have become a medium for both personal and business use at the same time, which adds to the need for emails to be retained as business documents to meet the plethora of compliance regulation and legal doctrine around today, such as the Data Protection Act, the Human Rights Act or Sarbanes-Oxley.
The truth of the matter may come as a shock to some, but email is bigger than many give it credit for, and the consequences of neglecting email compliance will come back to bite companies. Disciplinary action for new technology-related offences (email and internet abuse) now exceeds the combined total for dishonesty, violence, and health and safety breaches, according to the Chartered Institute of Personnel & Development, which also states that the most common single reason for disciplinary action is internet abuse. A survey by Integralis also revealed that 32% of Fortune 1000 companies have discovered employees passing confidential information to a third party.
Nevertheless, the consequences of non-compliance do not stop here. In recent months companies have been finding that ignoring the issue can have a detrimental effect on their reputation, as demonstrated in the 'Ketchupgate' case. In June 2005, city law firm Baker & McKenzie was shunted into the public eye for all the wrong reasons when an email exchange in which an experienced lawyer demanded £4 in dry cleaning costs from a secretary for spilling ketchup on his trousers went around the world. The story made it into the national press, but would this have happened if the firm had had an email communications and storage policy that was compliant with regulation and that all staff were aware of? A policy of this nature would surely make employees think twice about conducting discourse like this over company email, and allow them to resolve the matter before it reached this stage, through an alternative, unrecorded medium.
In my experience, email retention is best managed through a dual approach: a forensically compliant email repository which stores all emails sent and received, enabling the auditing of who said what and when, together with an email policy for users. The policy explains to everyone how and why email is being retained and how confidential information will be stored. Email is the sleeping tiger of the compliance debate, but it is now really starting to wake up, and the consequences for companies are beginning to bite. Ignoring it is simply not good enough; companies need to be thinking about email compliance now, or the resulting legal, financial and HR problems and damage to their reputations could leave lasting scars.