Navigation * Home / Consultancy / Is email your achilles' heel?

E-mail your corporate Achilles' heel?

E-mail’s popularity, combined with a lack of storage management, is exposing companies to a glut of legal issues. We look at how you can minimise the risk through the use of email archiving.

Email's success as a business tool has been nothing short of phenomenal. This efficient and cost-effective means of communication has taken over our working lives to such an extent that completing many of our day-to-day tasks without it seems unthinkable.

Analysts the META Group, expect email traffic to top a staggering 35 billion messages by 2005 and suggest that the amount of corporate knowledge currently communicated on email systems is already around 50%.

Yet, whilst businesses have been quick to reap the communication benefits of email, the relative neglect of electronic communication storage and management has created the potential for a legal and financial time bomb within many organisations.

The legal and regulatory minefield

The spectacular collapse of Enron and WorldCom has focused the spotlight on legislative and reporting requirements across the globe; a situation for which many companies remain worryingly under-prepared. How would your organisation cope with the following scenarios?

• You discover one of your employees has been bad-mouthing a competitor when you receive a notice of libel. The employee has tried to cover their tracks by deleting the emails from the sent and deleted items folder. Your defence will rely on finding exactly what was sent and when, but will you be able to find the offending emails?

• With the popularity and efficiency of email it is not uncommon to see contract negotiations take place via email. If this contract is disputed two years down the line, all emails detailing the negotiations will prove a vital part of your defence.

• You're an IT manager at a pharmaceutical company that is being sued over the side-effects of a drug. During the legal discovery process the plaintiff's lawyers may request to see all emails with 'drug x' and 'side-effects'. Would you be able to produce these emails without resorting to a time-consuming and painstaking search through all of your backups?

In all these cases you may think it unreasonable for any court to demand you find these emails as finding one or two messages amongst millions is a modern day hunt for a needle in a haystack. You would, however, be wise to think again.

Swiss pharmaceutical giant CIBA-Geigy attempted to contest an order to produce email documentation during a 1995 court case, arguing that is was untimely, overly broad and overly burdensome.

The pleas were waved aside and the company was forced to search through 30 million email messages. With the rise of US-style 'No win no fee' solicitors in the UK, the risk of litigation is only likely to increase.

The Enron and WorldCom scandals, meanwhile, have focused much of the world's attention on reporting and regulatory requirements. At the end of 2002, 5 US banks were fined a total of $8.25m for the inadequate retention of email communications.

The Sarbanes-Oxley Act was passed in the US as a direct result of the corporate scandals, and although no corporate scandal has yet to hit the headlines in the UK, there have still been calls for tighter regulations.

So far, the UK's Financial Services Authority (FSA) has taken a far more hands-off approach than its American counterparts, yet it already requires that records, including emails, are kept for up to six years with documents relating to transfers and opt-outs of pensions required to be kept indefinitely.

The UK Companies Act 1985 also requires companies to keep accounting records that are sufficient to show and explain corporate transactions. Public companies are required to keep this information for six years and private companies for three. Internal correspondence, which includes email, comes under these requirements.

These are just some of the multitude of legal requirements for document retention in the UK, with laws varying from industry to industry.

Backups fall short

It is tempting to think that by taking regular backups of your message store you can satisfy these regulatory and legal requirements. Whilst the bulk storage of information in the message store on backup tapes or local archives may seem like an efficient means of preserving the raw data in the short term, accessing information after longer periods of time is likely to prove problematic.

Due to the sheer quantities of data requiring storage, many organisations have a policy of recycling backup media as a means of controlling storage costs. Osterman Research surveyed 50 organisations in the US with over 500 mailboxes and discovered that, although many organisations took daily backups of their Exchange servers, the mean age for the oldest email message that could be recovered from backups was only 7.2 months.

In its white paper on email archiving, Osterman Research uses the analogy of a company where all employees write critical and non-critical information on paper and this is thrown randomly into a cardboard box. This cardboard box is replaced everyday and moved to storage, before being simply thrown away once the information is over a few months old.
Such a way of handling critical corporate data would be unthinkable in a paper-based world, but it gives a fairly accurate representation of the state of email storage within many organisations today.

What's more, there is no guarantee that the critical messages you are looking for will actually have made it on to the backup. Mailbox quotas are common in many organisations, where the IT department is locked in a battle with end users to reduce storage costs, decrease mail server recovery time and shorten backup windows.

These quotas, however, have a number of unfortunate consequences. In order for their mailboxes to function, users are either forced to delete messages or move them to .pst files which are often held on local machines - this means no central backup and if the laptop is lost, stolen or becomes corrupted then all the email stored on the machine goes with it.

If the .pst files do happen to be stored centrally, this creates an increased strain on your storage resources as you will lose the single instance storage functionality of Exchange, which keeps just one copy of each identical message and attachment.

A look at archiving

Clearly a more efficient means of email storage is needed to enable your organisation to satisfy potential legal and regulatory requirements. This is where email archiving comes in and it has a number of important differences from the backup of your message store.
The primary function of a backup is to provide a copy of valuable data that can be used in the event of failure or loss of the original. Archives, meanwhile, are designed for the collection and storage of large amounts of historical data and records. In effect the two are complementary technologies.

The movement of older email data to the archive is done automatically under policy control. Items can be selected by age, large items with attachments can be moved first, and content can be flagged so that non-important messages containing 'lunch' and 'football' are not added to the archive. Retention policies define how long to keep types of email and once outside of this period emails are automatically deleted.

As far as the user is concerned, however, very little has changed - the archived emails can be marked with an icon and are restorable from the archive with the click of a button. All functions such as reply and forward are still available and the advanced search functionality, including attachments and zip files, makes locating required emails far simpler.

Mailbox archiving provides a reliable way of storing large amounts of electronic data whilst at the same time making the information easily available to users and in the case of a legal dispute.

For industries such as financial services, where regulatory requirements dictate the retention of critical information, email archiving can help ensure compliance. Journal archiving, which can be used instead of, or alongside mailbox archiving, automatically takes a copy of a message as soon as it is sent or received and stores it in a separate journal archive, preventing tampering or user interference.

Auditors or the legal department can then be granted privileged access to search the journal archives with an audit trail keeping track of the entire process in case of regulatory review.

The importance of email retention is shown by the experience of Norwich Union. The UK insurance giant was forced into an out of court settlement of £450,000 over alleged email defamation of a competitor because the emails sent by Norwich Union staff had been deleted by the time the writ had been issued.

Moreover, whilst any email is potentially admissible in court, having an email that can be demonstrated to have been stored in a way that prevents tampering increases its evidential weight.

Horror stories, such as Norwich Union, all help emphasise the importance of effective email management and archiving, but unless an organisation has been at the wrong end of an expensive email lawsuit it is all too tempting to think 'it will never happen to us'. Legal and regulatory compliance certainly offer a less tangible ROI, but email archiving also has more definable benefits.

Centralised storage in an archive removes the need to rely on .pst files, eliminating the storage burden they create. Talbot underwriting, insurance specialists working at Lloyds, claim to have reduced 90GB of .pst files down to 19GB through the use of email archiving.

The removal of old messages to the archive means email databases are now smaller with the result that backups and restores require much less time downtime. Archiving also removes the housekeeping load from administrators, whilst users are kept happy because they no longer have to battle with unwieldy .pst files and mailbox quotas.

Email archiving is still a relatively new industry, but analysts the META Group are predicting the industry will grow from $70 million to $450 million in 2007 as companies increasingly recognise the importance of such tools. Specialist messaging analysts, The Radicati Group, predict an even larger market, reaching $1.5bn by 2007.

In the post-Enron world and at a time when society becomes evermore litigious, IT managers need to be aware of the increasing business risks associated with the management and storage of emails. Not taking the appropriate steps now has the potential to prove an expensive and embarrassing mistake a few years down the line. In the immortal words of Clint Eastwood you have to ask yourself" 'Do I feel lucky?' Well, do ya?".

For more information on news bulletins or seminars, please contact BII Compliance - info@bii-compliance.com