Protect your company with an e-mail digital archive

For most organizations today, e-mail is considered a critical business application. When it comes to e-mail, IT people think in terms of the software and servers, and the spam and malware filters. They are concerned with getting the right mail to the right people in a timely fashion, without a bunch of spam or viruses creeping in.

Compliance people, on the other hand, are more interested in preserving the e-mail as evidence of a business conversation or transaction. They view an e-mail message as a formal business record, subject to the same regulations governing quarterly reports and client communications.

There are numerous regulations that are driving companies to archive and preserve e-mail, including the Health Insurance Portability and Accountability Act (HIPAA), the Graham-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX) Section 404, Basel II, SEC 17a-3/4, and NASD 3010 (d)/3110. Companies in industries such as healthcare and finance, as well as all public companies in the U.S., are subject to compliance with one or more of the regulations. And if you do business outside the U.S., you might encounter foreign regulations as well.

The compliance burden varies by company and industry. Attorney Simon Briskman advises that companies should perform a regulatory audit to understand which particular compliance issues pertain to them. John Lovelock of the Federation Against Software Theft (FAST) lists examples of some of the compliance issues:

* E-mails must be stored in their original form.

* Records must be saved on non-erasable, non-volatile drives.

* All recipients of a message must be shown in the records.

Of course, there are plenty of other rules. If you are unsure of what they are, it might be wise to hire an expert to guide you through the maze of complexity.

These days, many organizations outsource their e-mail application. Be forewarned that outsourcing this application does not relieve you of the burden of preserving proper records. In fact, you are required to ensure that your vendor or ASP preserves the data properly. You are still liable for the information, even if your service provider doesn’t maintain it correctly. Experts advise that you provide detailed preservation instructions in your service-level agreement. For example, tell how you want the files stores, and for how long, and who can access the archived records if need be.

You don’t need to preserve absolutely every e-mail, of course – just the ones that matter. Forget the e-mails about what time the company softball league has practice, but do be sensitive about the ones that hold real business meaning. A consultant or vendor can help you set up business rules and policies that automate retention. For example, you might use a tool that searches for keywords in the message text, or pertinent information such as a client account number or patient identifier.

Numerous vendors offer e-mail archiving solutions. Companies in the financial industry might want to consider Lighthouse Global Technologies. The principal consultant at Lighthouse is Arthur Riel, who has an extensive career providing IT solutions to companies on Wall Street. Riel understands the detailed needs of financial companies, including the regulations governing these firms. He’s also quite willing to customize an archiving solution if the “off the shelf” version doesn’t quite meet your needs.

Another provider of e-mail archiving is CipherTrust. The Network World Lab Alliance has given this company top honors for “the best” messaging solution.

E-mail archiving isn’t sexy. It doesn’t even provide good ROI – unless you are audited or sued. But it’s a necessary part of doing business, sort of like insurance. You don’t ever want to need to recall your e-mail messages to present in court or to the Securities Exchange Commission, but if the circumstances arise when you must do so, you want the proper tool to handle the job.