21 Mar 2003 11:45
Over the years, I've noticed that many small to midsize companies do not save e-mail communication properly. They are typically concerned with being able to restore a failed system and don't pay any attention to retention. However, in the light of new regulations, such as the US Sarbanes-Oxley Act , your company could be at fault for knowingly replacing old backups and not saving them for possible future investigations.
The Act will have an effect outside the US, because your company and its partners may well be doing business in the US, or with US companies. The Act applies to companies that wish to remain listed in the US. Even if Sarbanes-Oxley does not affect your company, it seems likely that similar laws will eventually appear in Europe. Frits Bolkestein, the European commissioner for internal markets and taxation, has called for equivalent European legislation.
To help you make sense of this act, I will discuss how Sarbanes-Oxley and similar legislation will affect IT managers.
Sarbanes-Oxley overview
The Sarbanes-Oxley Act on corporate responsibility for financial reporting was passed in the US in 2002, in response to the WorldCom and Enron debacles, to protect investors. It is intended to improve the accuracy and reliability of corporate disclosures. The Act amends mail and wire fraud infractions with harsher punishments and imposes fines and prison sentences of up to 20 years for anyone who knowingly alters or destroys a record or document with the intent to obstruct an investigation. Due to the availability of reliable technology, most responsible companies have already regulated themselves, and the Act merely sets the tone for proper corporate conduct.
Most provisions of the Act focus on financial records. Section 302 requires certification of financial statements by both the CEO and the CFO. This means that all future financial reporting must be thoroughly verified by management with more acuity than ever before. No doubt the IT department supporting financial systems will also have to ensure the accuracy of these records.
The implications of the act are clearly not meant to stop with financial records, however. For example, during an investigation, discovery requests can be submitted to IT departments. In addition, such requests could require access to all e-mail communication.
E-mail messages as business records
Although trivialised by mixed personal and business content, e-mails are, in fact, corporate documents and should be preserved. The courts will treat e-mail messages and attachments as business records that must be retained to achieve regulatory compliance. Most large companies have a policy on e-mail communication retention. But is this common practice? The answer may come from a PricewaterhouseCoopers survey titled "Digital Discovery and its Importance on the Practice of Litigation." Surprisingly, respondents stated that their clients rarely act upon notice of litigation to stop automatic overwriting processes. In another section of the survey, almost 50 percent of the respondents said that e-mails are the most requested electronic data.
The scenario is common: A company gets a new Microsoft Exchange server, and the users are happy with the Outlook calendar and Internet e-mail capabilities. Messages go in and out, but there is no archival process. Backups are sent to tape, which are rotated weekly and overwritten. However, according to Sarbanes-Oxley, if your network administrator is instructed to overwrite the tapes, then your company knowingly allows potential evidence to be destroyed. Depending on your business risks, this scenario could become a malpractice time bomb. In addition, a simple backup of the Information Store with all the mailboxes in your Exchange server will not give you all the e-mails going in or out. So you are at risk when users delete messages, especially if they are engaged in some kind of misconduct.
Arthur Andersen's document-shredding trouble has made many companies aware of the importance of a sound document retention and destruction policy that includes both paper-based and electronic documents. Recently, the Securities and Exchange Commission fined six securities firms a total of $10 million for failing to produce e-mails requested in the course of an investigation.
The retention period must be reasonable and clearly set in the policy. A good retention policy cannot be selective -- all documents should be saved. The policy must be well known and understood by the employees and applied evenly across the company. Also, the storage type may vary as long as one can produce the evidence. For instance, courts may accept e-mail hardcopies as evidence, but such documents may lack necessary additional information, such as Internet header and routing information. Ideally, e-mail messages must be archived in their original form, which may reduce the potential liability for e-mail communication.
However, there are many problems with managing e-mail archives. E-mail consumes a great deal of digital storage. E-mail communication is expected to increase not only in number of messages, but also in size per message due to attachments. Companies must acknowledge the importance of e-mail retention -- and the role that storage plays. In 2002, there were 24 billion e-mails sent per day in the world, with 40 percent attributed to North Americans. According to the IDC, it is estimated that over 36 billion messages will be sent daily in 2005. Many companies will experience e-mail storage growth of more than 50 percent in one year.
Education is critical
The effects of the Sarbanes-Oxley Act of 2002 reach further than just companies publicly listed in the US. If you do business with US public companies, you may have already been asked to become compliant. Thus, it is difficult to quantify the ripple effect of the Act on how we will do business in the years to come. Most IT managers do not really understand the importance of the new regulations, and I think that ethical discussions and education on the topic will be the key for achieving compliance.
For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter.
Tell us what you think in the Enterprise Mailroom.
Copyright © 1995-2008 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.