With 26 billion e-mails whizzing around the world in any one given day, and the number’s rising, email compliance and archiving is a matter that many companies can no longer afford to put on the ‘back burner’. The consequences of this approach can result in: litigation, financial penalties, disgruntled employees destroying critical e-mail, HR problems and damage to a company’s reputation. Corporate governance requires organizations retain their records for a specific period of time, which by default includes e-mails. Although much legislation pre-dates the Internet, the regulations relating to e-mail are subject to the same rules as paper documents. Companies, small and large, need to be protected with an e-mail collection, preservation, retention and destruction policy. With many regulatory requirements being passed as law; Sarbanes-Oxley Act, Gramm-Leach-Bliley (GLB), HIPAA, Joint Commission on Healthcare Organizations (JCHO), ISO 17799 and the Data Protection Act this article aims to shed some light on this area and provide you with five basic rules for e-mail compliance that will protect your company from potential litigation while at the same time provide your company with some user benefits. Effective e-mail compliance does not have to be expensive.
Rule 1
The first rule is to take responsibility for managing e-mails away from the user. Don’t burden them with the decision making process of selecting which e-mail is important and which one is not, simply automate the whole process. Capture all e-mails that have been sent or received either internally or externally in their original format and archive them permanently in a secure place. Set a policy for retention and destruction.
Rule 2
Ensure that e-mails cannot be changed or deleted. By using encryption, digital signature and compression no alterations can be made and a forensically sound copy can be produced in the e-mail’s original format when retrieved from the compliance archive. This is particularly important in legal situations, as you must be able to produce the original e-mail and not one that could have or had been edited in any way.
Rule 3
The third rule is to enable any e-mail or group of e-mails to be easily and quickly found and viewed from the compliance database. You need to be able to search for content that you are likely to remember. For example: a date range, part of an e-mail address, words or phrases in the text or subject line, or specific data such as contract or invoice numbers. It is important to be able to retrieve a copy of an e-mail from the compliance archive with the original still remaining archived.
Rule 4
Ensure that the whole e-mail compliance process is auditable. Log files and counts need to be maintained as evidential proof of all actions taken relating to the e-mail compliance archive.
Rule 5
Advise your users that you have an e-mail compliance archive which captures all incoming and outgoing e-mails irrespective of whether they are internal or external. Tell them that they can access the e-mail compliance archive to find and view any e-mail that they have access rights to within Active Directory; they cannot see e-mails that they are not entitled to view.
Compliance is increasingly critical to the way in which businesses operate and by applying the above five rules you will be going a long way to taming the e-mail compliance sleeping tiger and putting a large tick in the e-mail compliance box. Ignoring e-mail compliance now could result in expensive and time consuming legal costs in the future. Remember e-mail compliance need not be costly, it should run seamlessly in the background improving day to day operations, and not inhibiting them. Please call Marc Bellack at extension 110 for more insight into e-mail compliance and the partner solutions Evolution CE is offering.