Email Archiving – A Must for Ensuring Legal Compliance
Today, many small to mid-sized businesses (SMBs) do not have a suitable email archiving solution in place, which results in increases in legal and regulatory risks and increases in the overall cost of storage management. The primary reasons for not having a reliable system in place can be attributed to:
Decision makers not believing that preserved content could be used in a legal action or a regulatory audit. They do not realize that it is riskier than deleting that content.
Many believe that archiving content will create unmanageable storage problems and cost too much to manage, so they delete content for fear of creating additional storage management difficulties.
Many mistakenly believe that their nightly or other regular backups actually represent an archive of their important corporate content.
Need for Email Archiving
Email and other electronic content stores contain a growing proportion of business records that must be preserved for long periods of time. Also, this content is most likely to be frequently requested during discovery proceedings because of the Federal Rules of Civil Procedure (FRCP) and state versions of the FRCP. As a result, it is critical that all relevant electronic content be made available for e-discovery purposes, in large part because of the frequency with which this information is requested during legal actions.
When a hold on data is required by the legal system, it is imperative that an organization be able to begin preserving all relevant data immediately, such as all email sent from senior managers to specific individuals or clients, word processing documents that may contain corporate policy statements, spreadsheets with auditors’ opinions and so on.
Archiving Software
An email archiving system allows organizations to immediately place a hold on data when requested by a court or on the advice of legal counsel and ensure email compliance as well. There is reliable and robust archiving software that directly addresses these issues. Such email archiving software can offer:
A solution that archives all email content and thus reduces the risk of non-compliance with legal, regulatory and other obligations to preserve critical business content.
A solution that will actually reduce storage management costs by eliminating redundant content and migrating content from email servers to lower cost archival storage.
This clearly shows that archiving email is a critical best practice for any organization that is considering staying legally compliant and is also looking to expand its horizons beyond national boundaries.
Clear and simple guidance for managing your email infrastructure
Email is the dominant form of communication within many organizations so it’s essential to set out the rules for how it should be used.
Chief Information Officers and IT managers in the highly regulated health and financial industries or in large, publicly traded organizations are usually well aware of what is required for email compliance. For privately held or smaller companies and non-regulated industries, email compliance is often unclear and the apparent complexity and serious consequences for violators can make the task of complying seem daunting.
The concern is largely unjustified. According to the definition of compliance opposite, for most organizations, compliance is achieved by operating under a formal set of clearly defined guidelines that ensure adherence both to formal legislation and to accepted ethical standards and best practices. These guidelines should also cover how to handle deviations, accidental or otherwise. In the absence of guidelines it becomes extremely difficult to respond positively and effectively to an audit (or “eDiscovery”), or worse, a legal inquiry. This document looks at compliance in relation to email, giving clear and simple guidance for managing your email infrastructure*.
1. Establish clear rules about email usage
Email is the quintessential communications tool with much of an organization’s day-to-day life dependent on it for both internal and external communication. Email can contain as much as 80% of a company’s business records so setting out the rules for how it should be used is essential.
The starting point is to define a clear and transparent framework for behavior, setting down what’s acceptable and what isn’t when it comes to using email. An explicit, organization-wide Acceptable Use Policy (AUP), accompanied by the ability to audit its use and enforce its rules is a simple first step in demonstrating the intention to meet regulations and goes a long way toward avoiding liability. As an example, typical clauses might be:
don’t forward or send email containing pornographic images
do limit attachment sizes to 5MB.
With the AUP in place, you can then focus on ensuring that your practices are compliant with the wide range of local, regional, national and international laws that extend into email communications.
A wide range of online examples is available from industry analysts such as Forrester, IDC and Gartner.
2. Prevent data loss via email
The data that you hold in your systems is valuable business information. It must be guarded carefully from accidental or deliberate disclosure of confidential information to parties outside and, on occasion, within your organization. Some of the processes will be covered by your AUP, but new employees, leaving employees, distracted employees and disgruntled employees can all inadvertently (or maliciously) threaten the security of your data.
It is essential to put in place an automated, centrally managed mechanism to prevent data loss regardless of intention or the goodwill of your employees. This solution should be able to:
block emails by the filetypes of their attachments
scan messages for keywords
add disclaimers and banners to mail in all directions
encrypt messages so that only the intended recipient can read them
ensure that your email system is not being abused by unknown and/or malicious users.
3. Maintain visibility over and access to current and past traffic
You need to make sure that you are aware of – and can account for – the email coming into, going out of and circulating around your organization. This means you must:
Retain accessible records of relevant email communications, including log information that can show who sent what to whom and when.
Copy and/or archive sensitive messages, both internal and external.
Be able to intercept and re-route violating messages to those responsible for enforcement so that potentially damaging incidents can be avoided and remedial efforts can take place.
It is important to recognize that not every email contains sensitive data, so not everything needs to be archived and/or encrypted. Depending on your jurisdiction, there are also limits on how long you must retain copies of email communication.
In fact, the cost of storing and accessing large volumes of email requires you to be precise about what needs archiving or encryption, and for how long you should store it.
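Sections 1 to 3 describe the checks a mail gateway applies to each message: AUP clauses such as the 5MB attachment limit, blocking by attachment file type, keyword scanning, disclaimers on mail in all directions, encryption for sensitive mail, re-routing violating messages to enforcement, and a record of who sent what to whom and when. The Python script below is an added example that is not Sophos's code or part of the original article; the blocked extensions, keyword list, disclaimer text and compliance mailbox are assumed values.

```python
"""Gateway-side AUP/DLP check for one message (illustrative policy engine, not a product)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed policy values: the 5MB attachment limit is the sample AUP clause from the text;
# the blocked extensions, keywords, disclaimer and enforcement mailbox are assumptions.
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js"}
SENSITIVE_KEYWORDS = ("confidential", "account number", "patient id")
DISCLAIMER = "-- \nThis message is subject to the corporate Acceptable Use Policy."
COMPLIANCE_MAILBOX = "compliance-review@example.invalid"  # hypothetical enforcement queue


def make_message(sender, recipient, subject, text, attachment=None):
    """Build a constructed test message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = "Mon, 01 Jan 2024 09:00:00 +0000"  # constructed timestamp
    msg.set_content(text)
    if attachment is not None:
        name, payload = attachment
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def evaluate(raw):
    """Apply the AUP to raw RFC 5322 bytes: attachment type/size, keyword scan,
    disclaimer banner, deliver/encrypt/re-route decision and an audit record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    violations = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        size = len(part.get_payload(decode=True) or b"")
        if ext in BLOCKED_EXTENSIONS:
            violations.append(f"blocked attachment type: {name}")
        if size > MAX_ATTACHMENT_BYTES:
            violations.append(f"attachment over 5MB: {name} ({size} bytes)")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    keyword_hits = [k for k in SENSITIVE_KEYWORDS if k in text.lower()]

    if violations:
        action, destination = "reroute", COMPLIANCE_MAILBOX  # intercept for enforcement
    elif keyword_hits:
        action, destination = "encrypt", str(msg["To"])     # only the recipient can read it
    else:
        action, destination = "deliver", str(msg["To"])

    if body is not None and action != "reroute":
        body.set_content(text + "\n" + DISCLAIMER)  # banner on mail in all directions

    audit = {  # who sent what to whom and when, plus what the gateway did with it
        "from": str(msg["From"]), "to": str(msg["To"]), "date": str(msg["Date"]),
        "subject": str(msg["Subject"]), "action": action, "destination": destination,
    }
    return {"action": action, "violations": violations,
            "keyword_hits": keyword_hits, "audit": audit, "message": msg}


if __name__ == "__main__":
    raw = make_message("alice@example.invalid", "bob@partner.invalid", "Tool",
                       "See attached.", ("update.exe", b"MZ\x90\x00"))
    print(evaluate(raw)["audit"])
```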
4. Eliminate spam, phishing and malware
One of the main ways that virus writers get malware onto your users’ computers and into your systems is through email. Spam campaigns that rapidly change in order to attempt to evade detection use a variety of methods – such as dropping keylogging Trojans or linking to malicious websites – to steal confidential business and personal information.
You must ensure, and be able to demonstrate, that your email infrastructure is protected against malware, viruses, spyware and other threats to system and data integrity. For this you need a solution that blocks malware, spam, Denial of Service attacks, and harvesting of email addresses.
By blocking threats at the perimeter right through to your internal mail servers and desktops, you will eliminate most of the external risk associated with data loss. Your AUP will go a long way toward covering the remaining internal risk.
*Disclaimer: this is not intended to replace professional/legal guidance on compliance issues that your organization may face. We strongly suggest that you seek advice from recognized compliance experts to determine your needs.
This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.
Next-generation Email Compliance and Legal Discovery Software
Email archiving has become an increasingly complicated task that companies must complete in order to comply with the law. While internal data archiving may be considered something exclusive to banks and financial institutions, laws have been enacted to regulate several other industries.
The following list briefly shows the industries and the laws they must comply with:
Healthcare: The Health Insurance Portability and Accountability Act (HIPAA) 1996, which involves patient health data encryption during transmission throughout a network.
Hedge Funds: The U.S. Securities and Exchange Commission (SEC) 2006 regulations on private investment pools; these involve archiving and securing all electronic communication.
Pharmaceutical: 21 CFR Part 11 by the FDA (1997) which involves rules for the use of electronic signatures and records.
Accounting: The Sarbanes-Oxley (SOX) Act, 2002. This law sets strict regulations about the retention and maintenance of records.
Banking: The Gramm-Leach-Bliley Act, 1999. This law was enacted to protect customers’ information while in transit or in storage through strict encryption measures.
Securities: SEC 17a-4 and NASD 3010. Both regulations set strict standards on electronic communications, including email.
As stated above, businesses operating within these industries are expected to comply with information archival, encryption and maintenance regulations. The problem with these laws is that they require strict classification of internal data, which can’t be accomplished using traditional email applications such as Microsoft Outlook or any other mail client.
The fact that a company can gather hundreds of thousands and even millions of emails and electronic communications is overwhelming, not to mention that if the company in question is inspected, owners and managers have to sort and classify all of these records within a short period of time since inspectors won’t wait weeks or months to have all this information sorted out.
Managing and classifying this information is one requirement that is hard to accomplish, but these laws also require heavy encryption to make sure data won’t be leaked or modified on the network and fall into the wrong hands. As you can see, there are many guidelines which need to be kept, so it is imperative to use software tools which can be managed by one person quickly and efficiently. These law compliance tools should provide features such as:
* Accurate Search platform
* Find and collect all electronic communication within the network with a single operation
* Classification of all incoming and outgoing emails through automatic global policies
* Extremely Strong Internal Controls for Compliance
* Verified and unalterable logs
* Full auditing of all searches, email reviewed, and logons
* Powerful data collection tools
* Data loss protection
As you can see, all of these tasks are so complex and time intensive that even if assigned to an entire division of a company, they couldn’t be accomplished quickly, securely and accurately; that is why special electronic communication management software is required. It is extremely important to keep in mind that the use of this technology is not a luxury but the LAW. Using these tools can help you keep your business going without worrying about communication compliance laws.
Can you imagine living without email? How would you communicate your business needs, information and messages? All businesses across all industries use email systems to send and receive messages and communications. This form of communication has provided quicker response times making it easier to get our jobs done. Most companies depend on email as their primary form of communication and are more efficient because of it. However, email can also cause problems for businesses that don’t use it the right way. The abundance of email communication has caused the government to step in and take action against unlawful email actions. Now more than ever, it is vital for corporations to manage their email systems and ensure they are meeting government standards and regulations.
Recent government regulations affect all businesses–large and small companies alike. The Government is focused on regulating and protecting confidential customer information, corporate governance, law enforcement investigations, and overall proper corporate email management. Here are a few of the issues involving email in business today: Policy development and management, Email retention, Employee monitoring, Patch management, Spam, Legal liabilities, Confidentiality of intellectual property and Data integrity.
There are many companies that offer email records management solutions, but Estorian’s LookingGlass stands out above all. It provides one of the more seamless knowledge-based email management solutions for corporate messaging. Estorian has developed an innovative solution that addresses the complex world of managing corporate email and messaging systems. Estorian’s LookingGlass e-mail records management system helps organizations meet the growing challenges of enforcing email use policies, controlling growth and resource costs, complying with federal and state email retention requirements, easy access and retrieval, and identifying misuse and abuse of corporate email systems.
For more information, go to http://www.estorian.com
www.jatheon.com – Email Compliance
Odds are very high that your organization or firm is subject to some regulation on how to retain records. Some industries face stricter rules than others, i.e. health care organizations are governed by different rules than the financial sector as they need to adhere to HIPAA guidelines. Regulations are something that just about any organization has to deal with. However, the real challenge is to know which guidelines to adhere to and to keep up to date as they are constantly changing. Common regulations that organizations adhere to include:
* The Freedom of Information Act
* FDA 21 CFR Part 11
* HIPAA
* SEC 17a (3, 4)
* NASD Rule 3110 & NYSE Rule 440
* IDA 29.7 (Canada)
* Investment Advisors Act
* Sarbanes-Oxley
* PIPEDA (Canada)
* Gramm-Leach-Bliley
* FRCP
*This is not a complete list of compliance regulations for the above specified industries.
Compliance: How It Works
Organizations from all industries or services have the daunting task of monitoring electronic messages to ensure strict adherence to regulatory or corporate policies. Jatheon’s Plug n Comply™ appliances offer the ability to set policies that messages are compared to in real time. Messages received by the archive are compared to the user-created policies, and any messages that violate the established policy will have a pre-determined action triggered. This action may include notifying the offender directly, notifying the offender’s manager, or notifying the organization’s …
Email has become the most prominent form of correspondence with great value attached to its use. Email can be used for external and internal purposes and is extremely vital in the daily commercial activities of a business. Email is the equivalent of paper documentation and is considered legal and valid proof for litigation purposes. Email is documentation of conditions agreed upon by two parties and can be used as supportive evidence when implicating another or while defending one’s integrity.
Since email messages are legally approved documents that need to be provided in case of a lawsuit, there is a need to store them in a secure place and ensure all security measures are in place to prohibit any tampering attempts. The storing of email is called archiving, and it locates any specific email at any time in a secure environment. The electronic discovery service helps in simple management of email and compliance with an efficient e-discovery and often times archiving strategy.
Why Email Compliance?
Organizations should implement a robust compliance system that will record all logs and activities of users as well as audit and encrypt data to retain it in its original form. Deliberate attempts to destroy data can prove to be potent litigation evidence. Ediscovery solutions can help identify relevant data, but that data cannot be identified if it has been deliberately deleted. In legal cases, if the parties involved are incapable of furnishing relevant email evidence, fines may be imposed by the courts and cases can potentially be lost.
Determining Ediscovery Factors for Email Compliance
It is not an easy job for organizations to maintain email compliance standards given the steady stream of correspondence everyday. Ediscovery can help management handle compliance issues. Here are some factors that need to be taken into account to maximize the use of ediscovery solutions for email compliance.
1. An efficient ediscovery solution uses an integrating approach that takes care of all processes while creating no complications. In due course, organizations will be faced with situations where they need to add applications. A good ediscovery solution should be capable of providing the integrating facilities to avoid additional costs in the future. Archiving is achievable only when an integrating facility is provided.
2. To maintain records and secure compliance, ediscovery tools should be able to manage different types of data within a single archive. Having a single system to handle various data formats eliminates the creation of multiple archives.
3. To save on storage space and ensure simple archiving administration, the ediscovery tool needs to ensure there is no duplication of data and convert several copies into one to make the process smooth.
4. The structural design of an electronic discovery service should be such that processing is not concentrated at one single point, which can slow down the pace of the searching and indexing processes.
5. The main purpose of archiving is to make search easy. Ediscovery search should have the capacity to bring up successful search results with little delay when keywords are used. Searching for exact results should be possible in a transparent manner.
Litigation cases can be rendered useless without enough proof to validate statements, resulting in heavy financial and reputation losses. The ediscovery solution promotes an efficient system of searching, producing data through a flexible and transparent system.
www.jatheon.com – Why Archive Email?
Jatheon Plug n Comply appliance is a complete solution that allows organizations to comply with government regulation with a simple, secure and integrated product. Plug n Comply is the industry-leading appliance that effectively captures, indexes and stores all email and instant messaging, enabling you to enhance email management and achieve regulatory compliance needs. Maintaining a sole record of email communication is mission critical to business today. In addition, companies must be prepared to act quickly in the case of litigation or compliance regulations. Jatheon’s email archiving solutions are being used by companies all over the world across all industries. Whether it be law firms, banks, insurance companies, engineering firms, health care agencies, or municipal and federal agencies, all companies, no matter what the size, see a need for the Jatheon email archiving solution. The Jatheon solution helps organizations meet their storage space management, compliance, legal discovery, mail platform migration and policy management requirements. Overall, Jatheon offers a comprehensive, cost-effective and easy to deploy archiving appliance that requires minimal IT support and simple management of corporate data, making it a suitable solution for companies of all sizes. Jatheon’s email archiving appliance has a number of different ROI characteristics that make the decision-making process a relatively easy one.
* Reduced overall capital …
3 Things Businesses Need to Know About Email Compliance
In today’s business world, we are nothing without our email. Now, we don’t even need to be sitting in our office to hear the ding of our inbox, alerting us that yet another message has arrived; we live in a time where smart phones are everywhere and we can have our email with us at all times. With all this new technology though, there has also come an onslaught of laws that are designed to keep email compliant with things like customer privacy, law enforcement investigations, and corporate governance. In short, the purposes of the laws are to make sure that email is being used, and managed, properly.
If you work for a doctor’s office, you certainly know about HIPAA. The two rules that affect email compliance are the Privacy Rule and the Security Rule. Of the two, the Security Rule is more in-depth and essentially mirrors the Privacy Rule; its purpose is to focus on information and security best practices and revolves around the security cornerstones of confidentiality, integrity, and availability. The Security Rule covers everything from workstation management of information to facility access and transmission security. It is vital that any information you send via email does not disclose the patient’s identity or the problem they are facing; many offices will use initials when speaking about patients via email.
In the financial industry, email compliance is governed by the Gramm-Leach-Bliley Act. Also known as GLBA, it is basically the same law as HIPAA, just for a different type of business. It is designed to ensure the privacy and security of non-public personal information as it relates to individuals’ financial information. GLBA’s rules apply to mortgage lenders, banks, stock firms and others of the like. Within GLBA, the financial company is charged with several things: to designate an employee or employees to coordinate the information security program, to identify reasonably foreseeable risks to non-public information, to make sure their suppliers are also using safeguards, and to monitor all of the above.
On top of these two rules, there are also others. The Sarbanes-Oxley Act, also known as SOX, is watched over by the U.S. Securities and Exchange Commission. This act was designed in response to the various, and highly publicized, bogus financial reporting in the early 2000s. SOX discusses what information may leave an organization and how long the industry should keep information on file; it requires that financial companies keep emails on file for six years. Likewise, the SEC Rule 17a-4 and NASD Rules 3010 and 3110 affect email communications within the financial industry.
This is just the tip of the iceberg. When it comes to email compliance, there are rules everywhere, and your business needs to know which apply to you and how to handle them. There are several ways to handle these issues, most of which include hiring at least some type of IT security firm to develop a total information security plan that will comply with recent, and future, government email regulations.
Richard Bliss is an Internet Security Expert and VP of Marketing with worldwide GroupWise compliance software provider GWAVA. Visit them online and see why GWAVA is the #1 software provider for Novell GroupWise.
Email has become the standard method of correspondence used by businesses sending important and sometimes confidential messages. Such sensitive information needs to be archived for possible future use in order to comply with eDiscovery requests, specific regulations as well as the company’s email compliance policies.
Email correspondence is used for both internal and external affairs therefore it is important that a copy of all emails is archived for possible future needs relating to legal, compliance and human resource issues. A company must also be in a position to respond to eDiscovery requests at short notice.
Why a company needs email archiving
Existing regulations such as Sarbanes-Oxley, HIPAA and the FRCP treat emails as being equal to paper-based documents in terms of valid and legal documentation presented in a court of law and are therefore admissible during an eDiscovery request.
eDiscovery is the process of locating, securing and using documentation from a company’s archives in a legal setting, so a company must have the ability to procure the necessary documents with the confirmation that these have not been tampered with. Failure to abide by procedures could result in court fines and other financial burdens, as well as a failing reputation.
How email archiving should be implemented
For security, maintenance and resource reasons, email archives should not be kept on the mail server but should have their own dedicated server that is specific to the task.
Having your emails archived on a separate database ensures more protection for the archives should the server crash, as well as lightening the load on the server. When archiving is another process that the email server is meant to handle, its resources are being stretched to capacity risking poor performance in both tasks. A dedicated email server and a dedicated archiving server render the upkeep of both machines a simpler and cleaner process.
Moreover, separate backups of both servers ensure a safer environment, as by having the archived emails on a separate server, should the email server crash all is not lost since the archived emails would be accessible and easily recoverable meaning that work can be resumed from a certain point.
Email archiving compliance
In industries and countries where regulations require organizations to monitor user activity and keep audit trails, a system that records, logs and retains a database of user activity, or other secure methods such as encryption, will ensure that emails have not been tampered with, since tampering would render them inadmissible in a court of law. An auditing facility is also important for compliance purposes.
Log files and counts must prove that all emails (including their attachments) are being captured and can be searched for, found and viewed in their original format. Advising users that their emails are being recorded and archived will act as a deterrent to any abuse of the system.
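The two paragraphs above ask for two separate proofs: that archived messages (attachments included) have not been altered, and that the counts show every message was captured. The following Python code is an added example, not part of the original article or any archiving product: it keeps a keyed, hash-chained journal of captured messages so that edited content or journal entries are detected, and a reconciliation step against the gateway's own list of Message-IDs, because silent truncation of the journal cannot be seen from the chain alone. The journal key and the sample messages are constructed for the example.

```python
"""Tamper-evident archive journal with capture-count reconciliation (illustrative)."""
import hashlib
import hmac
import json

# Assumed: a secret held only by the archive service, constructed for this example.
LEDGER_KEY = b"constructed-archive-journal-key"
GENESIS = "0" * 64


def message_digest(raw):
    """SHA-256 over the full RFC 5322 bytes, so headers, body and attachments are all covered."""
    return hashlib.sha256(raw).hexdigest()


def entry_mac(prev, seq, message_id, digest):
    """Keyed MAC binding this entry to its predecessor; rewriting the journal without
    the archive key cannot produce a valid value."""
    data = json.dumps([prev, seq, message_id, digest], separators=(",", ":")).encode()
    return hmac.new(LEDGER_KEY, data, hashlib.sha256).hexdigest()


class ArchiveLedger:
    def __init__(self):
        self.entries = []  # append-only journal, one record per captured message
        self.store = {}    # message_id -> archived raw bytes (in-memory stand-in for storage)

    def capture(self, message_id, raw):
        """Record one message as it arrives at the archive."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        digest = message_digest(raw)
        self.entries.append({"seq": seq, "message_id": message_id, "digest": digest,
                             "prev": prev, "mac": entry_mac(prev, seq, message_id, digest)})
        self.store[message_id] = raw

    def verify(self):
        """Walk the chain and re-hash the stored copies; returns a list of problems (empty = intact)."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                problems.append(f"chain break at entry {i}")
            expected = entry_mac(e["prev"], e["seq"], e["message_id"], e["digest"])
            if not hmac.compare_digest(e["mac"], expected):
                problems.append(f"journal entry {i} altered")
            raw = self.store.get(e["message_id"])
            if raw is None:
                problems.append(f"{e['message_id']} missing from store")
            elif message_digest(raw) != e["digest"]:
                problems.append(f"{e['message_id']} content altered")
            prev = e["mac"]
        return problems

    def reconcile(self, gateway_ids):
        """Counts check: truncating the journal leaves a valid chain, so compare it
        against the Message-IDs the mail gateway logged as sent or received."""
        archived = {e["message_id"] for e in self.entries}
        return {"gateway_count": len(gateway_ids), "archived_count": len(self.entries),
                "missing": sorted(set(gateway_ids) - archived)}


if __name__ == "__main__":
    ledger = ArchiveLedger()
    ledger.capture("<m1@example.invalid>", b"From: a@example.invalid\r\n\r\nhello\r\n")
    print(ledger.verify(), ledger.reconcile(["<m1@example.invalid>", "<m2@example.invalid>"]))
```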
Email archiving is becoming a standard practice in today’s businesses as the implementation of a successful email compliance policy could save a company a lot of time, money and resources, and provide guarantees that it is in a position to respond to eDiscovery processes and fulfil the requirements of compliance regulation which the company must adhere to.
Jesmond Darmanin is a freelance writer who is passionate about business IT issues and recommends the use of email archiving software for email compliance and eDiscovery requirements.