E-mail archiving provides compliance insurance

Choosing an e-mail protection strategy is like buying hurricane insurance for your house. The cost of full protection may seem high -- unless disaster strikes.

Chu Abad, vice president of IT at Seattle Northwest Securities Corp., has good reason to be grateful that he implemented message archiving: It protected the company when the government got serious about regulatory compliance five years ago.

The financial firm implemented iLumin Software Services Inc.'s Assentor Enterprise when the SEC Exchange Act Rule 17a-4(f) went into effect in 1999. The act requires that investment firms preserve records, including e-mail, for three years in a readily accessible format.

Assentor Enterprise automatically captures, indexes and stores all outgoing and incoming e-mail on disk. This makes it easy to retrieve samplings of e-mail records for SEC auditing purposes, Abad notes. And if a litigator requests, for example, all e-mails over the past six years that contain the words "profit" and "China," that's easily done with a keyword search.

Abad can thus feel confident that his company won't join the growing roster of major financial firms that have paid heavy financial penalties for failing to comply with information requests by litigators and government regulators.

"Just recently, Morgan Stanley spent millions just to retrieve e-mail because of a lawsuit," Abad says. "There have been a lot of events lately that are forcing financial companies our size to think seriously about implementing an electronic messaging archive system."

Increasing e-mail archiving interest

Indeed, 60% of respondents to a recent Osterman Research survey said that e-mail archiving was either "desirable" or "very desirable," although only 15% said they had actually deployed such a system, according to Michael Osterman, president of Osterman Research.

"Most industries do not have the same level of data retention requirements as financial services or health care," he says. "The vast majority of businesses still use tape backup to preserve e-mail records over time, if they do it at all."

However, that's likely to change over the next few years. The Radicati Group, a market research firm in Palo Alto, Calif., predicts that revenues for enterprise-level active archiving and storing will grow to $1 billion by 2007. Demand will be driven not only by regulatory compliance but also by businesses' internal need to access crucial e-mail documents over time while managing rapidly proliferating message files more effectively.

The typical corporate e-mail account sends and receives about 7MB a day, which is expected to rise to 14.7MB per user, according to a Radicati Group report titled "The E-mail Archiving Industry Report 2003-2007."

Meanwhile, the message archiving market is maturing. Small companies are being bought up by major players, and vendors like Veritas/K-Vault (KVS), EMC/Legato, iLumin and Opentext/Ixos have been rolling out new products and features designed to take much of the cost and complexity out of message archiving.

Several leading products now support hierarchical storage management (HSM), which enables users to lower storage costs by automatically moving e-mail records to cheaper storage media as those records age.

The North Bronx Health Network experience

According to Daniel Morreale, CIO at the North Bronx Health Network in New York, HSM is a key feature of the hospital's e-mail archiving system. Working in concert with EMC's ControlCenter, Microsoft Exchange 2003 automatically moves records from a SAN to a NAS to content-addressable storage at six-month intervals.

"We're aging messaging records slowly, because we don't have any numbers yet on how often people go back and look at old stuff," Morreale explains.

Products like KVS's Enterprise Vault also help conserve storage capacity through "single-instance storage," which ensures that only one copy of a message makes it into the archive, no matter how many people received it.

KVS and iLumin have recently introduced modules that manage archiving processes such as discovery and message sampling in compliance with specific government regulations like the Sarbanes-Oxley Act or HIPAA.

For instance, Assentor flags certain keywords, like "guarantee" or "total loss," so a compliance officer can check the e-mails before they go out, Abad explains. The software also keeps track of how many messages are reviewed by a compliance associate.

Even with increasingly sophisticated software tools, setting up message archiving is far from easy, IT managers agree. One of the biggest challenges is coming up with a set of policies for message retention and then educating end users on their usage and implications.

"Figuring out what to keep for how long and what to throw away is an issue that won't go away for a long time," Morreale says. His staff is now in the process of educating end users to selectively delete messaging data that's not important. Simply getting them to delete junk mail will recover close to a quarter of a terabyte of the 1.5 terabytes of messaging data now on the hospital's SAN, Morreale estimates. "And that's not counting the space saved by deleting outdated and non-essential e-mail like your spouse asking you to get home by 6:30," he says.

City struggles with user education

Mike Sherwood, CIO for the city of Oceanside, Calif., maintains that user education has been the most challenging piece of the city's e-mail archiving installation.

"We need employees to know that anything they send or receive can be discovered," Sherwood notes, adding that some employees have been threatening not to use e-mail anymore rather than risk having it revealed to the public.

Difficulties aside, the potential long-term benefits of having e-mail archiving "insurance" outweigh the costs, according to Osterman. For one thing, the probability of getting sued is high for big companies. And if you look at the potential for getting sued or of having compliance requests, he says, "implementing e-mail archiving is cheaper for most companies than the cost of one discovery action."

Courts are increasingly assigning the brunt of discovery costs to whoever owns the information. And if a company has all its e-mail on tape backup, those costs can be major. In one case, a court ordered the defendant to bear 60% of the total $605,000 estimated cost of paying a consultant to restore, search and eliminate duplicate copies of 124 sample backup tapes (Medtronic Sofamor Danek, Inc. v. Michelson, W.D. Tenn., May 13, 2003).

For the city of Oceanside, e-mail discovery is a routine expense item. The Freedom of Information Act requires all government agencies to fulfill requests for public records. In addition, the state of California requires municipal agencies to fill requests for any internal documents used regarding a specific project. "Most of that information is transmitted by e-mail," Sherwood says.

Until the late 1990s, the city preserved its e-mail through piecemeal backup on tapes. "Users deleted their e-mails during the day, and there'd be no record of what happened that we could use to restore them at night," Sherwood says. Furthermore, when a citizen made a request such as, "all e-mail regarding project X," restoring and searching each tape could take weeks. "All we could charge them for was paper and CDs," he says.

The city's solution was K-Vault's Enterprise Vault, a server-based archiving platform that automatically captures and indexes all incoming and outgoing e-mail in near-real-time, enabling keyword searches. As a result, "we're talking minutes instead of hours or days" to retrieve requested e-mail data, Sherwood comments.

Tapping into the treasure troves of information

In the end, companies will implement message archiving for business as well as compliance reasons. With electronic messaging increasingly becoming the business communications medium of choice, message archives have become treasure troves of information that end users increasingly need to call up in a timely fashion.

"Say a marketing manager is leaving," notes Osterman. "You can call up all the e-mail memos she sent about your key clients and use that to bring her successor up to speed."

And even without a clear business ROI, message archiving makes sense, purely as disaster insurance. Says Abad: "Based on the potential financial hit we could take from being found in noncompliance, archiving potentially saves us millions."

Elisabeth Horwitt is a freelance writer based in Waban, Mass.

Copyright © 2004 IDG Communications, Inc.
