What are the regulatory issues surrounding storage of e-mail?


Regulatory issues surrounding the storage of e-mail are becoming extremely important and highly relevant across all industries. Most recently, in the financial services sector, five major brokerage houses including Goldman Sachs, Morgan Stanley and Salomon Smith Barney had fines totaling $8.25 million levied against them for illegally erasing e-mail. The answer to this question has its basis in many statutes implemented in the early 1930s.

After 1929, Congress passed two acts designed to restore investor confidence in the markets: The Securities Act of 1933 and The Securities Exchange Act of 1934.

In 1934, the Securities and Exchange Commission (SEC) was established to enforce these laws to protect investors. The Securities Exchange Act of 1934 includes provisions that require exchange members, brokers and dealers to maintain and preserve records of their business, including transactions, trade confirmations, communications (including interoffice memoranda) and written agreements. With the advent of computer hardware and software technologies, the SEC has updated these rules to include provisions for storage of records on electronic storage media. Under the current securities legislation and stock market regulations, broker-dealers must keep a copy of all e-mail for three (3) years, and keep the mail in a readily accessible place for the most recent two (2) years.

In the recent e-mail fines, the five firms failed to store their e-mail per these regulations. According to a joint statement by the SEC, the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD), "Each firm had inadequate procedures and systems to retain and make accessible e-mail communications. While some firms relied on employees to preserve copies of the e-mail communications on the hard drives of their individual personal computers, there were no systems or procedures to ensure that employees did so." The statement said that some firms backed up e-mail communications on tape or other media as part of a disaster-recovery or other business plan. The statement continues, "However, these firms discarded or recycled and overwrote their backup tapes and other media, often a year or less after backup occurred." In addition to the fines, these five firms agreed to review the way they preserve e-mails and to inform the regulators within 90 days that they were in compliance with the rules.

These recent fines are historic. They set a precedent not only for financial services but for all other major industries in how e-mail must be stored to comply with government regulations. In telecommunications, where e-mail is a critical customer service tool, customers receive account statements, service notifications and other communications via e-mail, and federal regulations (CFR Title 47 Part 42) require these records to be captured and retained for federal auditing purposes. In the pharmaceutical industry, firms use e-mail to exchange research data, submit applications and file research reports, and physicians and healthcare institutions use e-mail to communicate with patients and colleagues. The Food and Drug Administration, through Title 21, Part 11, requires the preservation of all electronic records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA 1996, Public Law 104-191, Part 164, Security and Privacy) defines the requirements for securing the privacy of individual health records.

As e-mail volume grows, such e-mail fines will probably become more than rare incidents. IDC forecasts that the number of e-mails sent daily will grow from 15 billion in 2002 to more than 35 billion in 2005. The ubiquity of e-mail as a communication medium thus presents opportunities as well as challenges for companies that must comply with government regulations. For example, e-mail gives financial services providers such as exchange members, brokers and dealers a fast and efficient way to communicate internally, with each other, with branch offices and with customers. However, it creates potential headaches for compliance officers, because all communications related to the business, internal communications included, must be retained under Rule 17a-4 (17 CFR 240.17a-4). Record-keeping deficiencies are among the most common reasons that the SEC Office of Compliance Inspections and Examinations refers cases to the Office of Enforcement or to Self-Regulatory Organizations (SROs) for investigation.

The purpose of this column is not to provide a particular solution, but to make you aware of the landscape of existing regulations and the new regulations that will obviously develop as the e-mail industry evolves.

An e-mail is a record. Some estimates indicate that as much as 45 percent of business-critical information is stored within the messaging system. However, much of this information is hidden from the organization as a whole in individual user mailboxes, desktop archives or backup tapes. Nearly three-quarters of end users are unable to recover an archived e-mail without assistance from the e-mail administrator, and in some cases aged e-mail is simply not recoverable. A recent survey found that 29 percent of organizations would not be able to locate an e-mail message that was six months old (Creative Networks, Inc.). E-mail servers are vulnerable to unplanned downtime, caused in part by overloaded message stores. E-mail storage technology is evolving to help manage message stores, which is good news given that recent research indicates more than half of the most serious message-related difficulties faced by IT staff concern storage: lack of disk space, the size of individual message stores and the sheer volume of message traffic. E-mail systems are also vulnerable to virus attacks; more than 85 percent of the viruses that infect organizations enter via the e-mail system (ICSA/TruSecure 2000 Virus Prevalence Survey).

E-mail storage can be compared to an established discipline of record management. Record management traditionally deals with paper-based records, managing them throughout their life cycle, from creation through long-term storage and ultimate destruction. Many record management concepts are applicable to e-mail storage.

Record management is the discipline of managing records to meet operational business needs and accountability obligations. An organization uses an e-mail retention policy to define which records must be kept, how they should be stored and retrieved, and how long they should be preserved. These criteria are set by the organization itself or dictated by regulatory requirements. In the next column, I will discuss the key elements necessary to build an effective e-mail record storage system.
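As an added illustration, not part of this column and not any vendor's product, the following Python sketch turns the two time windows cited above (every message retained for three years, the most recent two years readily accessible) into a retention-tier check that can be run over a catalogue of where each message's copies live. The store names, the sample mailbox, the audit date and the 365-day year used for the backup-rotation test are all constructed assumptions; which stores an organization treats as "readily accessible" is a decision its own retention policy has to make.

```python
"""Retention-tier check for an e-mail archive, modelled on the two windows the
column cites from SEC Rule 17a-4: every message kept for three years, with the
most recent two years kept in a readily accessible place. Store names, the
sample mailbox and the audit date are constructed for this example."""
from dataclasses import dataclass, field
from datetime import date

RETAIN_YEARS = 3       # full retention period
ACCESSIBLE_YEARS = 2   # part of that period that must be readily accessible

# Assumed storage classes (placeholders, not a standard). A copy that lives
# only on an employee's PC is not a controlled record, which is exactly the
# reliance the regulators' joint statement criticised, so "user-pc" is
# deliberately absent from both sets.
ACCESSIBLE_STORES = {"archive-online"}
RETENTION_STORES = {"archive-online", "archive-nearline", "tape"}


@dataclass
class Message:
    msg_id: str
    sent: date
    copies: set = field(default_factory=set)   # names of stores holding a copy


def add_years(d: date, n: int) -> date:
    """Anniversary of d, n years later (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def tier(sent: date, today: date) -> str:
    """Which retention window a message sent on `sent` is in on `today`."""
    if today < add_years(sent, ACCESSIBLE_YEARS):
        return "readily_accessible"
    if today < add_years(sent, RETAIN_YEARS):
        return "retained"
    return "retention_expired"


def audit(messages, today: date):
    """Return (msg_id, tier, problem) for each message whose copies do not
    satisfy the window it is in. Expired messages are not flagged here;
    their disposition is a separate policy decision."""
    findings = []
    for m in messages:
        t = tier(m.sent, today)
        if t == "retention_expired":
            continue
        if not (m.copies & RETENTION_STORES):
            findings.append((m.msg_id, t, "no copy in a controlled retention store"))
        elif t == "readily_accessible" and not (m.copies & ACCESSIBLE_STORES):
            findings.append((m.msg_id, t, "copy exists but not in a readily accessible store"))
    return findings


def backup_rotation_covers_retention(rotation_days: int) -> bool:
    """A backup cycle that overwrites media before the retention period ends
    cannot serve as the retention copy (the fined firms recycled tapes after
    a year or less). A 365-day year is an approximation."""
    return rotation_days >= RETAIN_YEARS * 365


# Constructed sample mailbox and audit date.
SAMPLE = [
    Message("m1", date(2002, 6, 1), {"archive-online"}),
    Message("m2", date(2001, 3, 10), {"tape"}),
    Message("m3", date(2000, 8, 20), {"tape"}),
    Message("m4", date(2002, 11, 5), {"user-pc"}),
    Message("m5", date(1999, 12, 1), set()),
]
AUDIT_DATE = date(2003, 1, 15)

if __name__ == "__main__":
    for finding in audit(SAMPLE, AUDIT_DATE):
        print(finding)
    print("yearly tape rotation covers retention:",
          backup_rotation_covers_retention(365))
```

Run against the constructed mailbox, the audit flags m2 (within the two-year window but held only on tape) and m4 (held only on a user's PC), while m3, which is in its third year on tape, passes, and the yearly rotation check fails because media recycled after 365 days cannot carry a three-year record.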
