Cryoserver Blog

14 April 2008

Policy based or keep everything?

Policy based or keep everything? Well, I have been working on this for several years and have come to the conclusion that all the issues boil down to a single one – what should you do with e-mail? And I think that you have just 3 choices: Delete it all, Keep some, or Keep it all. If I were to do a straw poll of what people THINK they would like to do with e-mail, most say ‘keep some’; by the end of this blog you may change your mind.

Let’s take ‘Delete it all’ first: Email is sent between two parties, so there are always two copies. If you delete yours, but the other party keeps theirs, then you’ve got a real problem – so it’s probably not a great idea. How would your users feel if you deleted all of their email after a month? There is invaluable knowledge within your email system.

Are you in a regulated industry? Even if you are not, there are still regulatory requirements. For example, company financials need to be retained for 6 years and in some instances for 21 years plus. So you probably don’t have the option to delete all e-mail, unless you want to expose the organisation to huge risk and liability.

What about ‘Keep some’? Sounds fine in principle but it does suggest a sorting process. There are only two ways of sorting anything - Manually or Automatically.

Let’s start with manually. Who’s going to do it? Probably your users themselves – so let’s see how that works. Let’s imagine I work for a financial organisation and I have a range of different retention boxes: a 13 year box, 12 year, 7 years, 6 years and stuff I can get rid of straight away. I am fairly typical: I receive 30 emails a day and send about the same, and I need to sort those emails into the right boxes. Policy based storage: is it going to work? Probably not. Will I make mistakes? Of course.

What about the cost of that process? Well, at £8 per day, if I work 200 days a year, that comes to £1600 in productivity cost per person.

Manual sorting is expensive, needs user training, users hate doing it, doesn’t work and is therefore not compliant.

What about automatic sorting? Sounds great. My organisation has lots of experience with document management systems such as Documentum and PC Docs, which are great for sorting structured documents: this is a purchase order, this is an invoice, this is a business letter. But the big problem with email is that it is an unstructured document.

How would it sort this email? “Hi Bill, good to see you last week. I hope Eileen's got over that kidney infection and she's out of hospital. I've attached the report on that customer steering column failure. I don't think it's too much to worry about, but we should get the team together and talk about it. Let me take you to lunch next week - my treat!”

So how would you sort that email? That email contains personal data, “SENSITIVE personal data” because it is medical, and it contains product liability DATA which needs to be kept for ten years after the last one comes off the production line. How would you sort that email, anyone? Automatically? What about manually? Don’t listen to people who tell you that you can sort email. You can’t.

Email is special, and brings special problems. The major problem in compliance terms is that there is no method that allows accurate sorting – no method or product can possibly guarantee compliance.

You will realise by now that the only solution I think works is ‘keep everything’. So let’s look again at that financial institution with different retention periods – simply select the longest mandated period, say thirteen years, and keep everything for that time – then you KNOW you’re complying with all the laws and regulations. Best of all, you don’t have to train your users, or trust them to put the right things in the right boxes. Automatic full compliance: just pick a single retention period, it’s as simple as that.

Around this point I tend to find there are always just two objections. The first is ‘is it legal?’ – absolutely, you as a company can keep every single email for as long as you decide is appropriate, and we will be talking later about how you select that period.

The second objection is ‘that’s very expensive in storage’. The cost of storing the average person’s email in Cryoserver starts at £1 per user – per YEAR. So that’s rather less than the £1600 per year cost of having your users sort it.

So you CAN keep everything and at the same time comply with data protection legislation. But don’t forget the three golden principles that trip most people up: ‘Protect the data. Protect access to the data. Audit any access’.

In conclusion, it is a no-brainer: keep everything is the right thing to do!

11 April 2008

Why are some companies in the world not buying archiving solutions?

Why are some companies in the world not buying archiving solutions? The most common reason is that the cost is prohibitive! Do they not know that top legal experts in the field of email compliance have been advising that organisations cannot use cost or lack of budget as an excuse? I recently heard David Ferris, from Ferris Research (www.ferris.com), state that he feels that the cost of storage is ever decreasing and today it is pertinent to keep everything, as there may be a record that you may require in years to come, which could save you and your organisation in a matter. I share these same views. The cost of storage can no longer be used as an excuse in my book.

Today there are many pieces of legislation encouraging us to retain records; in the world there are tens of thousands of them. They include, in the U.S., tax records – 7 years, SOX – 7 years, and elsewhere there are the Markets in Financial Instruments Directive (MiFID) – E.U. and Pharma/Healthcare regulations. The majority of the records that need to be kept are likely to be found in the email system, and furthermore there is also a lot of knowledge residing in the email system which may be useful to the organisation at a later date. I am finding many of our clients are keeping records for around 84 months (7 years), based on some key financial & tax regulations. Organisations need to wake up to their responsibilities; IT departments need to involve and talk with senior management, explaining that not archiving email potentially opens the organisation to risk or even, in some serious matters, a criminal offence. And if you don’t do anything, who gets locked up? Is it the CEO, or the Company Secretary, who has the responsibility of handling the court order when it is issued? Maybe many IT managers have it in for CEOs and Company Secretaries and want them to go to jail! I hope not.

25 March 2008

Thank you Eliot Spitzer

Cheers could be heard from Wall Street when Eliot Spitzer fell from grace earlier this month after being exposed for his wrongdoings and hypocrisy. Up until that point Wall Street had feared Spitzer, New York's 54th Governor, as he pushed for ethics and fair play within Wall Street. The financial world, who have been fined heavily by Spitzer during the past decade for wrongdoings, have woken up to recognize that they have been funding his expensive wrongdoing habits. Recent reports from my contacts on the East Coast have suggested it is now funding his therapy.

On a serious note, we (the archiving & compliance world) would like to thank Eliot Spitzer for his efforts in bringing to attention the importance of compliance with regulations and the law over the past decade. Notably, Spitzer supported the introduction of The US Patriot Act, brought in after the 9/11 attacks to aid law enforcement agencies in tracking down possible terrorist threats, as well as to give powers to the US Treasury department to identify terrorist money laundering. It was this Act which helped the Feds to expose the ex-attorney general’s misdemeanors, after they had been following some suspicious money transfers involving Spitzer’s bank account to 3rd party bank accounts. As ‘the 63rd Attorney General’ he was involved in exposing white collar crime and financial wrongdoings, and in fining financial organizations heavily, to the tune of over $1.5 billion during his reign. These investigations conducted by the Attorney General’s team resulted in organizations implementing better compliance and record keeping procedures, including the implementation of forensic grade email archiving solutions, like Cryoserver, to aid compliance with the Patriot Act and Sarbanes-Oxley Act, to name a few…

Eliot Spitzer, we look forward to reading your memoirs of your time as Attorney General and Governor; I am sure it will be an exciting read.

13 March 2008

Email Scandals

Since returning from a well earned vacation, I have been welcomed back with yet more articles about deliberate data loss and other shocking email scandals in the press. Here are some of the highlights.

The first story is headlined “Whitehouse "lost" email scandal gains traction”. The article refers to the data loss around the time the White House moved from one email system to another. And yet Federal Law dictates that documents, including email, are handed over to the National Archives when relating to the President's official business, and losing a year's worth of emails is not acceptable. Now the White House is facing a hefty $15 million discovery project to find the lost data! If only they had taken a leaf out of the experience of one of our clients. Tayside Fire Brigade moved from one mail system to another and during the entire process they did not lose an email, as both mail systems were being seamlessly archived by Cryoserver whilst the users were being migrated to the new mail system.

Then there are the scandals happening in the UK, one titled “Ken aide quits after sexy emails fiasco”. This article is about the Race adviser (Lee Jasper) to the London Mayor (Ken Livingstone), where emails containing “I want to honey glase (sic) you” and “I love you falling out of a bikini” were being sent to a woman whom Jasper had helped to receive over £100,000 in government grants. Jasper is currently involved in answering questions in the controversial £3.8million London Assembly investigations; undoubtedly emails will be investigated during this process. Jasper has subsequently been suspended from duties during the investigations by the Police and London Assembly.

I suspect Jasper will resign, as in my next case in Houston, Texas, where a soon to be retired top district attorney (Harris County District Attorney Chuck Rosenthal) has been disgraced in the article titled “E-mail scandal sinks Texas prosecutor”. Rosenthal was exposed for misconduct with the destruction of thousands of emails, and incompetence for the email discussions he was having with a female employee, along with drinking on the job. And these organisations / people are supposedly in power, setting an example to the rest of us.

I look forward to my next blog to discuss the rise and fall of Eliot Spitzer, who has been classified as a hypocrite.

29 January 2008

E-discovery, Records Management Inseparable halves?

I have just been reading the interesting article “Microsoft calls E-discovery, Records Management Inseparable halves”. Microsoft is likely to understand this more than most, with the amount of litigation cases it gets involved in each year. Over the past 6 months I am seeing more savvy businesses realising they need to bring the unstructured data that resides in every business into manageable system(s). This is particularly so when it comes to email, a prime example of unstructured data, which can contain multiple retention periods. Some paragraphs may refer to personal information, other paragraphs might refer to product liability, whilst remaining paragraphs may refer to contractual matters. Who decides what length the email should be kept for: the employee, manager or the employer? Often this is when the mistake is made; companies need to treat the disease. One needs to recognise the email system is owned by the employer and they carry the liabilities, therefore it is up to the employer to dictate and set the policy for retention. The employer should be ensuring retention policies and appropriate technologies are in place to make certain records like these are retained and can be discoverable at a later date, whether it is 6 months, 7 years or 10 years later.

Could you find every email sent and received from your organisation from 3 years ago today? If not, why not? Many organisations using Cryoserver have already treated the disease with the implementation of Cryoserver, the email compliance and archiving solution. I am aware that with some clientele the Cryoserver eDiscovery interfaces have been used to fight off million dollar legal cases, and they have won because they had treated the disease with the implementation of the solution years earlier and can prove categorically who said what and when.

13 January 2008

Difference between Email Archiving and Email Compliance

In a customer meeting last week I had to explain the difference between Email Archiving and Email Compliance. In my view, Email Archiving is the management of your exponentially growing email archives onto a different storage media; this might be to a local drive, into a .pst file, printing off the email onto paper and sticking it in the client files, or possibly moving the email onto alternative storage media. Personally, I feel this is not good enough! Organisations need to also look at email compliance, which requires the emails to be kept for compliance and legislative purposes in a central repository. This central repository should not be able to be tampered with in any form, and any Administrator/Supervisory access to this central repository should form part of a formal procedure with auditing, to comply with the privacy legislation, notably the Data Protection Act (DPA) and Human Rights Legislation. One solution that addresses both Email Archiving and Email Compliance is the Cryoserver Appliance Solutions (www.cryoserver.com), which create evidential stores of emails and move the data to cheaper storage media.

4 January 2008

Law firms at the cutting edge?

I have just read this article, “Lawyers try to catch up in tech world”. In my experience of helping law firms over the past 5 years I have seen only a small handful of firms at the cutting edge when it comes to email compliance and archiving. These firms are no longer printing out emails and sticking them into the client files, as they have now implemented an email archiving system. As witnessed in the court room, lawyers are now questioning the credibility of emails submitted as evidence as part of a legal case; that credibility can only be achieved by storing the forensic version, including the header information, with the original email. As we all know, when you print out an email and/or delete an email the header information is lost, therefore the evidential quality is lost. As we are witnessing every day, emails are being relied upon as critical evidence as part of court proceedings. At Cryoserver we have a tool that can help law firms build an evidential repository which cannot be tampered with and can be trusted come a legal case. Today I am aware of a handful of law firms who are successfully using Cryoserver to aid them in providing evidence as part of multi-million pound legal cases. Let's hope more law firms ditch the quill pens and steno pads...