May 2003
Your CEO Wants to Know ... Will Your Records Strategy Pass the Test?
by Russell Letson
Continued from [ page 3 ]
Those big fines levied in December 2002 were not about substantive corporate misbehavior, but simply the failure to maintain electronic correspondence systems in the manner outlined by regulations. Some of the companies that were fined kept emails in ordinary backup systems and overwrote some tapes (thus erasing emails) before the retention period was up. Some expected individuals to save copies of their messages on their desktop machines, but didn't have explicit procedures governing retention. In other cases, saved copies were so scattered and disorganized that they could not be easily located and accessed.
Hummingbird's Auditore sees many companies letting their employees decide what emails qualify as records, so they're doing "passive email record management." "It's like the wild west right now," he says, "and most companies are archiving all their email and considering them records. Once you get something into an RM system, it becomes very litigious because there's an audit trail attached to it."
Eisner's Rosenberg says it's a complicated issue: "Do you save every version of a message that keeps coming back and forth? The [SEC] ruling is vague. It has to be material to the audit or to the findings of the audit. Now you're into interpretations, so it's difficult to deal with."
Still, Rosenberg doesn't seem too worried about archiving emails. "We use iManage to control [email], and we'll decide soon whether every piece of client email gets put into the system with a client number."
But email remains a "nightmare" to Fred Pauls. It's not that the messages can't be archived, but that the human side is difficult to control. "We're looking around to figure out what kind of document control we can place on our system that will not only affect the network but the [local] C: drives," he explains. "A lot of people, when you tell them to destroy stuff, will just put it on their C: drives."
A complete system would "require that every individual review their inventory of documents and apply it to the retention schedule," Pauls explains. "There's no way you can do it automatically unless you really tighten up your email system to where it requires document numbers and a title to everything, and use a document control system that can also apply retention schedules. Our company hasn't wanted to do that because it's a definite infringement on the freedom of the individual."
The trouble is not so much regulation as the threat of litigation and the discovery process that comes with it. No company wants its desktop hard drives subpoenaed in discovery so that opposing counsel can go looking for items the company cannot prove were ever destroyed.
"The ability to proliferate a specific copy [of an email] is so enormous that there's no way I would give a deposition guaranteeing that a document didn't exist in our electronic system," says Pauls. "Email is the only [record type] that gives me nightmares... We can supply signed certificates of disposal for everything that we have destroyed or erased, but we can't certify to a negative."
"I'm not sure that anybody has put their arms around the whole thing," Pauls says. "But what I can say is that we're working at a feverish pace trying to satisfy Sarbanes-Oxley and DoD 5015.2 and HIPAA, and all the rest of it ... Email is going to take some real rigid restrictions and document control to ever get a warm feeling about having covered it. I'm not sure that there's an answer for that."
SEC and NASD Requirements in a Nutshell
IBM's Bruce Miller lists six things that the SEC rules require of a corporation:
- Capture all your correspondence. "No exceptions, you can't pick and choose what you're going to record."
- Store it twice. Duplicate everything, with indexing or metadata to organize what you're capturing.
- Keep one stored copy in a non-erasable format.
- Be able to validate that what was stored is a genuine copy of what was captured.
- Enforce retention periods. "Keep what you have to keep and make sure that no one has the ability to destroy what they're not supposed to destroy; you must keep everything for the prescribed period."
- Provide a way for the organization or a third party ("read between the lines: SEC or some legal body") to quickly search and retrieve anything from that mountain of data.
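The six controls in Miller's list map onto a small set of mechanisms: a second copy of every message, one copy that cannot be overwritten or erased, a digest recorded at capture time so a stored copy can be proved genuine, a retention clock that refuses early deletion, and an index that can be searched. The following Python is an added example written for this page to show those mechanisms working together; it is not code from the article, from IBM, or from any product named in it, and it makes no claim to satisfy the SEC rule itself. The three-year retention default, the in-memory stores and the two email messages are all constructed for the illustration.

```python
"""Constructed model of the six controls listed above (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


class RetentionViolation(Exception):
    """Raised when something tries to erase a record before its retention period ends."""


@dataclass
class IndexEntry:
    msg_id: str       # content-addressed: SHA-256 of the raw captured message
    captured: date
    expires: date
    subject: str
    sender: str


class WormStore:
    """Write-once copy: a message id can be written exactly once and never erased."""

    def __init__(self):
        self._blobs = {}

    def put(self, msg_id, raw):
        if msg_id in self._blobs:
            raise ValueError("WORM store refuses to overwrite %s" % msg_id)
        self._blobs[msg_id] = bytes(raw)

    def get(self, msg_id):
        return self._blobs[msg_id]

    def delete(self, msg_id):
        raise RetentionViolation("the non-erasable copy cannot be deleted")


class Archive:
    def __init__(self, retention_days=3 * 365):   # assumed period, not the rule's
        self.retention = timedelta(days=retention_days)
        self.primary = {}          # erasable copy used for day-to-day retrieval
        self.worm = WormStore()    # second, non-erasable copy
        self.index = {}            # metadata that makes the mountain searchable

    @staticmethod
    def digest(raw):
        return hashlib.sha256(raw).hexdigest()

    def capture(self, raw, subject, sender, today):
        """Capture everything: no filtering, and identical bytes dedupe to one id."""
        msg_id = self.digest(raw)
        if msg_id not in self.index:
            self.worm.put(msg_id, raw)
            self.primary[msg_id] = bytes(raw)
            self.index[msg_id] = IndexEntry(msg_id, today, today + self.retention, subject, sender)
        return msg_id

    def verify(self, msg_id):
        """Genuine-copy check: both stored copies must still hash to the id recorded at capture."""
        return (self.digest(self.primary[msg_id]) == msg_id
                and self.digest(self.worm.get(msg_id)) == msg_id)

    def purge(self, msg_id, today):
        """Enforce the retention period on the erasable copy; the WORM copy always stays."""
        if today < self.index[msg_id].expires:
            raise RetentionViolation("%s is retained until %s" % (msg_id[:12], self.index[msg_id].expires))
        del self.primary[msg_id]
        return True

    def search(self, term):
        """Retrieval for the organization or a regulator: index fields plus full text of the WORM copy."""
        term = term.lower()
        return [mid for mid, e in self.index.items()
                if term in e.subject.lower() or term in e.sender.lower()
                or term in self.worm.get(mid).decode("utf-8", "replace").lower()]


def demo():
    """Exercise each control on two constructed messages and return what was observed."""
    archive = Archive()
    day0 = date(2003, 5, 1)
    raw1 = b"From: trader@example.test\r\nSubject: Q1 order ticket\r\n\r\nBuy 100 XYZ at market.\r\n"
    raw2 = b"From: ops@example.test\r\nSubject: Backup rotation\r\n\r\nTapes rotate Friday.\r\n"
    id1 = archive.capture(raw1, "Q1 order ticket", "trader@example.test", day0)
    id2 = archive.capture(raw2, "Backup rotation", "ops@example.test", day0)
    results = {"verify_clean": archive.verify(id1)}
    archive.primary[id1] = raw1.replace(b"100", b"1000")   # simulate tampering with the erasable copy
    results["verify_tampered"] = archive.verify(id1)
    results["worm_intact"] = archive.worm.get(id1) == raw1
    try:
        archive.purge(id2, day0 + timedelta(days=30))
        results["early_purge"] = "allowed"
    except RetentionViolation:
        results["early_purge"] = "refused"
    results["late_purge"] = archive.purge(id2, day0 + timedelta(days=3 * 365))
    results["search_xyz"] = archive.search("xyz") == [id1]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-16s %s" % (k, v))
```

The point of the tampering step is the one Miller makes about validation: a single copy whose hash is stored beside it proves nothing if the same administrator can rewrite both, so the digest is checked against a copy nobody can overwrite. Real deployments put the WORM copy on media or storage that enforces that property in hardware or firmware rather than in a Python class.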
Then there are the NASD rules, which differ from the SEC's. "It's about supervision," Miller explains, "and this is where it really gets to be fun." NASD Rule 3010 dictates that a broker-dealer must:
- Have policies and procedures that dictate how they're going to supervise trading activities;
- Record those policies and prove that they are in place;
- Maintain a monitoring and sampling capability;
- Record and log the sampling: who, what, when;
- Keep the supervision records in a non-erasable format.
"Everything has to be air-tight," Miller says. "There has to be a solid evidence trail." But, he continues, compliance in this area is "the trickiest part for the technology vendors to deliver. Everything else is more or less off-the-shelf components, but the supervision thing is a new trick ... There are very few companies in the world that understand supervision, and even fewer (only four that I'm aware of) that have developed software to carry it out." -RL