
Electronic Document Retention & Email Archiving

Electronic Document Retention & Email Archiving. Alex Purkiss, Solutions and Strategy. Why so much confusion? Storage is Not Management. Retention Cannot effectively classify Can’t keep everything Can’t throw everything away Access and access control How is information found


Presentation Transcript


  1. Electronic Document Retention & Email Archiving. Alex Purkiss, Solutions and Strategy

  2. Why so much confusion?

  3. Storage is Not Management
     • Retention
       • Cannot effectively classify
       • Can’t keep everything
       • Can’t throw everything away
     • Access and access control
       • How is information found
       • How do you control access to information
     • Retrieval
       • Centralized for ease of access & bolster evidentiary value
     • Searchability
       • Find it for business and legal purposes ASAP

  4. Records management challenge: Email Management
     • Email is used to conduct business and so constitutes a business record
     • Email is admissible as evidence
     • Email is a target for litigators
     • Good litigators know that standard management processes are often not applied to email and instant messaging
     • Email is a forum for casual communications between employees…
     • …With a memory
     • Often contextual in nature
     • Meaning often relies on previous messages in the email ‘thread’ and can change out of context
     • Easily disseminated in a short time
     • Not unlike a virus
     Source: Randolph Kahn & Barclay T. Blair, ‘Electronic Discovery, from Novelty to Common Target’

  5. Smoking Gun or Helping Hand?
     • 'Harassed' banker sent raunchy emails (Evening Standard, 2 May 2003): A City banker who claims she endured a regime of sexual discrimination in her £350K-a-year job today admitted sending raunchy emails to the boss she accuses of harassment. Giving evidence at the employment tribunal, Miss Coleman agreed with defence claims that she regularly forwarded emails containing sexually explicit material.
     • Banker who was harassed by 'goat' jibes in line for a big pay-out (The Independent, 24 April 2003): A city investment banker who was described by colleagues as a "tethered goat" - because they said she attracted male clients - has won her claim for sexual harassment and is now in line for a six figure compensation payout.

  6. Email as an Electronic Record
     • Companies, company directors, and users can be held liable for failure to retain documents and records
     • Primary liability is organisational
     • Liability can be ‘presumed’ for individuals
     • Electronic documents are admissible before a court of law (UK Civil Evidence Act 1995)
     • UK Applicable Laws include:
       • Vicarious Liability, e.g. Defamation Act; Sex and Racial Discrimination Acts
       • Privacy: Data Protection Act; Human Rights Act
       • Legal Obligations: Freedom of Information; Companies Act; etc.

  7. Obligations – General
     • Turnbull Report
       • The Turnbull Report (published in 1999) makes clear the importance to the Board of every organisation of effective internal controls and risk management.
     • Data Protection Act
       • Failure to respond to requests for personal data in a timely manner (judged to be 2 weeks) can result in criminal proceedings against company directors.
     • Telecommunication Acts 2000
       • Duty to maintain record
       • Duty of care (enforcement)
     • Sarbanes-Oxley Act
       • Applies to individual Directors of US companies (including subsidiaries)
       • Maintain audit related records for up to 7 years
       • Officers attest to effectiveness of internal controls and verify accuracy and completeness of financial reports

  8. What are email requirements from Sarbanes Oxley?
     • Capture internal email “working papers” to support financial decision-making
     • Include any Instant Messaging
     • Capture communications to and from clients
     • Store to accepted rules of evidence
     • Provide ready access & production of records
     “… the first phase requires senior management to personally certify financial results…”

  9. Regulatory Risk
     • "Firms that fail to apply adequate resources to dealing with reforms may be exposed to legal and regulatory risks, as well as potentially missing out on business opportunities. Much of what the agency had to do in the coming year was driven by the introduction of international regulations" (Callum McCarthy, FSA chairman, FT Interview, January 19 2005)
     • "Lapses in record-keeping are not the primary focus of the Financial Services Authority but very often the firms found to have inadequate record-keeping are also those whose practices have been found to be inadequate," (Oliver Lodge, formerly an FSA regulator and now Managing Director of Financial Services Consulting at Beachcroft Wansbroughs)

  10. Obligations – Financial Services
     • FSA Handbook
       • Principle 9: “A Firm should organise and control its internal affairs in a responsible manner, keeping proper records…..”
       • Principle 5: Records should not be kept longer than necessary – aka Data Protection Act
       • Principle 7: Access should be restricted to the investigatory procedures (not unauthorised access) – aka Regulation of Investigatory Powers Act
     • FSA Interim Prudential Sourcebook: Investment Businesses.
       • Rule 5.3.1(6) requires a company to retain accounting records for a minimum of 6 years, and during the first two years these records must be stored in such a manner that they can be produced within 24 hours of a request.
     • IMRO Chapter VIII Rule 4.3(2)(b) states:
       • “Subject to any direction of the Enforcement Committee, if it appears to the Investigating Team that the Firm or any Related Company of the Firm or any Associate of the Firm or of any such Related Company, has or may have in its possession, custody, power or control, any documents, any other material or any information relating to any matter being investigated or relevant to an Investigation, the team may require the Firm, within such time as may be specified in a notice to the Firm: (b) to produce to the team any such documents and other material in the Firm's possession, custody, power or control, or to disclose to the team all such information and, if any such documents or material cannot be produced or if such information cannot be disclosed, the team may require the Firm to state, to the best of its knowledge and belief, where and in whose possession, custody, power and control they are;”

  11. CASE HISTORY – Finance Sector - UK
     • CSFB - 2002
       • CSFB fined $6.4mil by FSA for breaching rules requiring it to keep proper internal records and to deal openly with regulators.
     • RSA – 2001/2
       • Royal Sun Alliance fined £1.3 in August 2002 over pension mis-selling scandal. Failure in ‘duty of care’ of effective storage and retrieval of email. (Subsequently fined £900,000 for failure to address.)
     • Norwich Union vs Western Provident - 1999
       • Successful defamation case resulted in out of court settlement of £450,000
     • BOS - 2002
       • BOS fined £750,000 for various items, including “evidence of an insufficiently thorough search in response to its (FSA’s) discovery request”.

  12. Issues to consider for Government Dept and companies contracting with government
     • Local Councils are obligated to abide by FREEDOM OF INFORMATION ACT as of March 2003
     • Evidential Value – Real time Capture
     • Discovery
     • Failure of disclosure under DATA PROTECTION ACT can lead to the CEO being subject to a criminal (non custodial) sentence.
     • eGif initiative
     • Government White Paper (MODERNISING GOVERNMENT 1999) obliges that by 2004 all documents be produced and stored electronically
     • PUBLIC RECORD OFFICE makes E-mail part of record retention policies that are to be implemented before 2005 (Must be BSi DISC-PD 0008:1999 compliant)

  13. What about Privacy Laws? UK Data Protection Act, European Union Directive 95/46
     • Bottom Line Requirements:
     • Personal data must be connected to some definite term, beyond which storage and processing is not allowed.
     • Retention and disposition of email must be managed.
     • Individuals about whom personal data is contained in an electronic archive have the right
       • to know what data is there
       • to correct errors in the data
     • Must allow individual users access to their personal data
     • Data must be kept secure with access limited to persons connected with the legitimate purpose for which the data was collected
     • Must restrict access to others

  14. Can the Email system not do this?
     Email Growth; Management Issues; Ineffective Solutions; Users Impacted
     Productivity impacted; Email not protected; Unmanageable systems; Out of compliance - no legal discovery
     • Servers unable to scale
     • Cost of storage & management
     • Backup & recovery problems
     • Continual growth in email use
     • Growth of message size & attachments
     • Users migrate data to PST files
     • Business pushes back on IT
     • Emails deleted automatically
     • User quotas reduced

  15. Search and Discover Operations Compliance Discovery Administer and Audit
     • User search from plug-in or Web
     • Administrator search for Discovery
     • Messages and attachments
     • Embedded messages
     • Single central archive
     • Tools, reports and other diagnostics
     • Exclusion-collection rules
     • Retention and disposal
     • Content Mgmt
     • Secure
     • Compression
     • Container files
     • Tiered storage
     • In real time
     • User selection
     • De-duplication
     • Unique ID
     Messaging Servers
     Solving Records Management Across the Enterprise
     1: Must retain records for xx years after engagement sign off.
     2: Ensure protection of records.
     3: Combat all dimensions of the Email challenge.
     Compliance Management and email
     • Key Infrastructure Issues
       • Evidential weight
       • Defensible process
       • Unified policy administration
       • Manage “records” to a taxonomy
       • Usually around engagements
       • Event based retention
       • Legal place hold
       • Collaboration
       • Federated searching
     Compliance Infrastructure Secure Repository All Content Types Organize and Classify Archive Capture Index
     • Key User issues
       • Be able to have an “infinite” mailbox
       • Mobile use
       • Low (or no) training threshold
     EmailXtender Server

  16. Content Management Records Management Email Management Organization Technology Solutions Not point solutions Common Client Technology such as Outlook Optional Applications provide “layers” of functionality Common Repository Repository needs to be “Storage Aware”

  17. Meeting Discovery

  18. ECI Services Overview – extending the eDiscovery • Integrate and find all contents • Monitor business critical information • Co-existence solution

  19. Research & Development Records Discovery Index Analysis SAP FileNet Adapter Static Web Adapter Adapter Regulatory Affairs Business Intelligence Adapter Databases, Content repositories Proprietary Applications Dynamic Web (forms, login) Legacy Enterprise Content Integration ECI Services extension
