Record Management Challenge

Best Practices
in Email Record Management
David Manning
Principal Engineer
Legato Systems, Inc.
Corporate Profile
Legato Systems, Inc. is a global provider of online
Storage, Content, and Email data management solutions.
Email’s Explosive Growth
• Global email growing from 9.7B/day in 2000 to 35B/day in 2005 (IDC)
• Average message size increased 192% in 2000 to 286KB (EMC)
• Enterprise mailbox volume growing at 40% annually (Gartner Group)
• Typical 3,000 user email system now handles over one terabyte of message traffic annually (CNI)
Business-Critical Data
Stored in Email
Emails must be managed as
business records
“The e-mails that have come to light are very
distressing and disappointing to us. They fall far
short of our professional standards and some are
inconsistent with our policies.” (Merrill Lynch CEO
David Komansky)
Even as Merrill said the e-mails were taken out of
context, the ensuing controversy caused its stock
to fall 20%…
(As reported in WSJ, April 29, 2002)
Escalating Litigation Targets Email
1. More than $21 billion paid out in last ten years – just in
securities class action settlements (April 2002, Institutional
Shareholder Services)
2. Filing of US class action lawsuits increased 60% in 2001 –
511 new suits.
3. Currently, about 1000 class action lawsuits involving
securities litigation remain outstanding.
4. In 2001, 171 class action suits were settled for total of
$2.7bn.
5. An estimated 25 lawsuits against Fortune 500 companies
will be settled in next 12-24 months at $500m each.
• Lucent, Xerox, Coca Cola, Nortel
(All data from Financial Times, /25/2002)
Traditional Email Data Management
[Diagram labels: Internet Email Traffic; Email Servers; Manual Back-Up; LAN Email Clients]
Email data – messages and attachments – is stored (often duplicated) on both the email server and client workstations.
Record Management Challenge:
Risk Management
• 34.5% of organizations say they would not or could not recover emails if required for legal or regulatory discovery within next 12 months. (CNI, 2000)
• 83% of lawyers say their corporate clients are NOT prepared to retrieve and turn over electronic files. (Arthur Andersen, 2001)
• 49% of organizations have established policies regarding email retention …BUT 41% of users ignore the policy. (CNI, 2001)
• 87% of viruses enter via email. (2000 Virus Prevalence Survey, ICSA)
IT Challenge:
Control Rising Costs
• The average email server is saturated in just 18 days. (CNI, 2000)
• IT administrators spend 8-12 hours per week on email backup and archiving. (CNI, 2001)
• IT administrators spend 5-6 hours every week recovering archived messages and attachments for users. (CNI, 2001)
• IT administrators spend 25% more time managing email data each time the number of email users doubles. (CNI, 2001)
End-User Challenge:
Capture Productivity
• Enterprise users now spend an average of 90 minutes daily managing their mailbox. By 2002, users will spend an average of 2.5 hours per day. (Gartner Group, 2000)
• 81% of business email end-users cannot access their own archived messages or attachments. (CNI, 2001)
• At 66% of organizations, users must work around maximum file-size restrictions (average 8-10MB) on email messages. (Ferris Research, 2000)
Key Business Challenges to Managing Email
Message Store Management
• IT & Network Tools
  – Mailbox Limits
  – Backup
  – Availability
  – Disaster Recovery
Supervision and Risk Management
• Financial Services
• HR, Legal
Retention and Record Management
• Government – FOIA & State “Sunshine Laws”
• Regulated Industries
Message Store Management
On-server message stores need integrated record management:
• Eliminate duplicate messages, reduce storage
• Delete expired records
• Enforce corporate or regulatory retention rules
Supervision and Risk Management
• NASD rule 3010 requires supervision of correspondence.
• Corporate e-policies define terms of use and unacceptable content.
• Electronic theft is a growing threat.
Background on NASD Regs
• Three NASD Rule categories:
  • Rule 2010 – Codes of Conduct for
    – Marketing
    – Advertising
    – Correspondence
  • Rule 3010 – Supervision of Correspondence
  • Rule 3110 – Books and Records (references SEC Rules 17a-3 and 17a-4)
Focus on NTM 98-11
Two requirement types:
1. Effectively monitor correspondence, show adherence to codes of conduct.
2. Record supervisory activity itself
   a) Show it as complete
   b) Routinely evaluate
According to NASD NTM 98-11, NASD members shall:
• Adopt written policies and procedures for review of correspondence.
• Identify how supervisory reviews will be conducted and documented.
• Identify what type of correspondence will be pre- or post-reviewed.
• Identify the organizational positions responsible for conducting review of the different types of correspondence.
• Specify the minimum frequency of reviews for each type of correspondence.
• Periodically re-evaluate the effectiveness of the firm’s procedures for reviewing public correspondence and consider any necessary revisions.
SEC Retention Requirements
NASD Rule 3110 and SEC Rule 17a-4 require
retention and accessibility
“Every such broker and dealer shall preserve for a period of no less
than three years, the first two in an accessible place…originals of
all communications received and copies of all communications
sent by such member, broker or dealer (including inter-office
memoranda and communications) relating to his business as
such.” [SEC 240.17a-4(b)]
Record & Retention
Management
Any or all email from email message systems – MS Outlook, Lotus Notes or UNIX Sendmail – may be captured onto the Message Center server.
• Gathers record-keeping copies into one location
• Checks all message/attachment content against business rules
• Generates/updates a full-text index
• Organizes messages and attachments* – together – into archive volumes
Email Retention in State & Local
Government
Email is a record of business: “E-mail messages made or
received by agency employees in connection with official
business are public records and subject to disclosure in the
absence of an exemption.”
Email must be retained: “Such messages are subject to the
statutory restrictions on destruction of public records.”
Email records must be accessible: “Each agency… shall
provide to any person, pursuant to Ch. 119, F.S., a copy of any
public record in that [electronic record-keeping] system which is
not exempted by law from public disclosure.”
From “Government in the Sunshine Manual”, Vol 23, Florida
State Office of the Attorney General
Record Keeping System
Requirements
• To build record keeping into corporate messaging systems…
  • Microsoft Exchange
  • Lotus Notes
• What is needed?
  – Authenticity
  – Usable Evidence
  – Completeness
  – Retention schedule
  – Training
  – Chain of custody
  – Auditing
  – Accessibility
  – Indexing
  – Security
Authenticity
• Challenge
  – Record must be maintained as authentic and ‘unalterable’ from creation through disposition.
  – Lotus/Exchange messaging don’t include controls on access, editing of stored messages.
• Response
  – Capture and store records directly from message store
  – Verify accuracy of storage process (read back)
  – Support reliable and (optionally) indelible media (WORM, etc)
  – Audit all access to records.
Usable Evidence
• Challenge
  – Overcome legal objection
    • Routine creation
    • Document a normal business activity
    • Created when the underlying event took place
• Response
  – Capture incoming and outgoing email messages at time of creation or receipt
  – Retention rules applied systematically
  – Application of a file plan (categories) with policies and retention schedules.
Completeness
• Challenge
  – Record integrity depends on three attributes: content, context, structure.
  – Moving messages out of mail servers typically changes one or more of these attributes. (loss of email meta-data)
• Response
  – Save complete email record and attachments, optionally in native document format.
  – Save meta-data as part of record.
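The Authenticity and Completeness responses above, sketched as an added Python example (not Legato's code and not part of the original slides): each message is kept byte-for-byte with its headers, read back and checked against its SHA-256, and every access goes into a hash-chained audit log. The `RecordStore` class, the in-memory volume standing in for WORM media, and the sample message are assumptions made for illustration.

```python
import hashlib
import json
from email import message_from_bytes
from email.policy import default

GENESIS = "0" * 64  # starting link for the audit chain (assumption)

# Constructed sample message; addresses and Message-ID are made up.
SAMPLE = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
          b"Date: Mon, 29 Apr 2002 09:00:00 -0400\r\n"
          b"Message-ID: <constructed-1@example.com>\r\n"
          b"Subject: Q2 forecast\r\n\r\nDraft attached.\r\n")

def chain(prev, entry):
    """Link an audit entry to its predecessor so edits or deletions show."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()

class RecordStore:
    """In-memory stand-in for an archive volume and its audit trail."""
    def __init__(self):
        self.volume = {}  # record id -> raw message bytes, headers included
        self.audit = []   # hash-chained access log

    def _log(self, actor, action, rid):
        prev = self.audit[-1]["link"] if self.audit else GENESIS
        entry = {"actor": actor, "action": action, "record": rid}
        self.audit.append({**entry, "link": chain(prev, entry)})

    def capture(self, raw, actor):
        rid = hashlib.sha256(raw).hexdigest()  # content hash doubles as id
        self.volume[rid] = bytes(raw)          # headers + body kept verbatim
        if hashlib.sha256(self.volume[rid]).hexdigest() != rid:  # read back
            raise IOError("read-back does not match captured message")
        self._log(actor, "capture", rid)
        return rid

    def read(self, rid, actor):
        self._log(actor, "read", rid)          # log every access, even failed
        raw = self.volume[rid]
        if hashlib.sha256(raw).hexdigest() != rid:
            raise ValueError("record altered since capture")
        return message_from_bytes(raw, policy=default)

    def audit_intact(self):
        prev = GENESIS
        for e in self.audit:
            entry = {k: e[k] for k in ("actor", "action", "record")}
            if chain(prev, entry) != e["link"]:
                return False
            prev = e["link"]
        return True
```

Because the record id is the content hash, capturing the same message twice stores it once, which also covers the duplicate-elimination point on the Message Store Management slide.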
Practices & Training
• Challenge
  – Match rigor of record-keeping science to ubiquity of email within business/government user community
  – Integrate record management with IT practice.
  – Apply record-keeping to build business value.
• Response
  – Build record-keeping into email client, present file plans as part of Outlook/Notes folder structure.
  – Integrate retention into message stores/databases.
  – Use volume and availability of email
    • Build e-business programs on email
    • Re-use email as corporate memory.
Auditing
• Challenge
  – Little to no audit/control of message storage and access in MS-Exchange or Lotus Notes.
  – Messages and documents easily move from clients to server databases, personal archives, and backup tapes.
• Response
  – Audit message/record access.
  – Integrate “chain of custody” controls into message stores of MS-Exchange and Lotus Notes.
Accessibility
• Challenge
  – Message access in Exchange/Notes largely based on visual markers.
    • Inbox
    • Folder structure
  – Full text index is very ‘resource-expensive’ in Notes, and non-existent in MS-Exchange.
  – Users have limited access to long-term message stores (backup tapes, archives).
• Response
  – Use full-text index for secure user access to “corporate memory”
  – Present corporate file plan as a common folder structure.
  – Use SQL database for programmatic access.
Security
• Challenge
  – Messages often not secure in typical messaging system.
    • User archives.
    • Backup tapes.
    • Un-audited message stores.
  – SMTP traffic can be seen in clear text (not encrypted)
• Response
  – Build practices, systems to control all access to message stores.
  – Integrate messaging directories into record-keeping system.
  – Adopt privacy policies, solutions for secure messaging (encryption)
Integrating a Record Keeping System
[Diagram labels: Web-based Email Client; Email Servers; LAN Email Clients; Ex Server; Full-Text Index]
Archive as much email data as you want when you use Ex with Dx -- which supports ALL leading secondary media including…
• Optical
• Tape
• RAID
• DVD
• CD-ROM
Stored volumes contain both messages and attachments.
Disaster recovery is quick and complete thanks to Ex archive structure.
For more information about
EMAILxtender
Visit http://legato.com
or call Legato Systems at
(888) 853.4286