Regulations Driving E-mail, IM Backup and Recovery

Thanks to a variety of regulations, businesses must retain e-mail and instant messages, creating an information glut. Here’s how to manage it.

As the use of e-mail and instant messaging (IM) for business communications has grown, so too has another problem: storing and managing all that content.

Thanks to a variety of regulations, industry memorandums, and the ever-present threat of having business records subpoenaed as part of a court-ordered discovery process, more organizations must now ensure copies of all messages are captured, stored securely, and able to be retrieved quickly.

The need to store so many things, and search and retrieve them quickly, has repercussions. In a 2004 survey conducted by Osterman Research, for example, 62 percent of organizations said the growth in messaging storage was “a serious or very serious problem, second only to the problem of spam.” Simply put, notes Osterman, “the increasing use of electronic documents and processes is creating a glut of information for most organizations and a storage nightmare for IT organizations.”

To manage that glut, “businesses must begin building an e-mail archive for legal discovery and migration of older messages to lower-cost, but searchable, media,” notes a Gartner Dataquest report from earlier this year. Increasingly, those archives also include instant messages, even if “IM” isn’t written explicitly into a regulation.

So far, however, organizations are behind the curve. According to a new study sponsored by AIIM (an enterprise content-management association) and ARMA International, 49 percent of 2,100 records and information managers surveyed at companies and government agencies say their organization has not adopted any e-mail records retention policy. Furthermore, 53 percent of organizations don’t think electronic communications count as part of legal orders to hold records, and 68 percent don’t have a plan for migrating electronic communications to new media over time. According to AIIM and ARMA, “these failings continue despite serious issues raised about corporate record keeping over the past two years.”

“Good business and good records management go hand in hand,” notes ARMA’s executive director and CEO, Peter Hermann. “Good governance requires compliance and the proper management of records and information—regardless of the media on which they are created or stored—and is the key to any organization’s compliance efforts.”

Managing Content, But Not With a CMS

If the need to search and retrieve large amounts of text seems to have a lot in common with another enterprise application—content management systems (CMS)—experts would agree. “You might, very reasonably, argue that e-mail archiving and retention products are really just a niche in the enterprise content management space,” says David Ferris, president and senior analyst of Ferris Research. “In principle, this seems correct. After all, e-mail documents are just one type of data structure.”

Today’s content management systems, however, can’t effectively manage an enterprise’s e-mail archives, and while future CMS products will probably include such capabilities, Ferris estimates it won’t happen for another five years. So for now, “e-mail message stores will still be specialized, obscure technologies,” which, for already overworked IT managers, “will keep e-mail archiving and retention technologies as an annoyingly separate category.”

Even so, Gartner Dataquest warns regulated organizations to master the technology now. “The e-mail active archiving market is fragmented, but companies may need to purchase a product now as a tactical solution while a broader enterprise content management (ECM) strategy, including records and document management, is defined.”

Weighing IM Storage

Beyond storing e-mails, should businesses also retain IMs? According to Forrester Research analyst Erica Rugullies, consider IM archiving if your organization meets one of two criteria: First, is it a financial services firm? If so, regulations from the Securities and Exchange Commission (SEC), the National Association of Securities Dealers (NASD), and the New York Stock Exchange (NYSE) may cover you.

Second, is your company covered by Sarbanes-Oxley (SOX)? While that law doesn’t explicitly mandate e-mail or IM retention, Forrester advises that in these early days of compliance, play it safe: archive. In particular, the law “says that any client of a public accounting firm may be required to produce documents related to audits or investigations,” notes Rugullies. In the future, “it is conceivable that these items could include e-mails and IMs.”

Overall, things are more clear-cut for financial services firms, especially when it comes to individual brokers’ and dealers’ e-mails and IMs. Per NASD Conduct Rule 3010, financial firms must archive them. Then, according to SEC Rule 17a, financial firms must keep all business records—which the NYSE defines as including e-mails and IMs—readily accessible for at least two years, and all transaction-related communications for seven years. Organizations must also produce such communications quickly as part of a court-ordered discovery process.

While companies covered by SOX are still, for the most part, in a gray zone when it comes to accountability, many other financial regulations are already being enforced. Earlier this year the NASD “fined a research analyst at Fulcrum Global Partners for circulating rumors about a company via IM and phone calls, while simultaneously short selling that company’s stock,” notes Rugullies.

For simplicity of storage, management, and retrieval, she also recommends organizations archive IMs in the same place they store e-mail message archives. “This enables a consistently applied policy, a single place in which to perform supervision activities, a reduced number of locations for search and discovery, and reduced training requirements, as well as standardization of storage management practices.”

The Future of E-mail Archiving

According to Ferris, the e-mail archiving market, which began about five years ago and so far lacks integration with existing CMS software, is still in its infancy. Even so, notable changes are occurring. “Hitherto, most e-mail archiving purchases have been tactical—motivated by either storage management or regulatory compliance.”

Today, things are shifting slightly. “Discovery and archiving for compliance have now become the main purchase drivers,” he notes. With compliance, end users’ requirements are simple: get it running. As a result, “functional considerations generally take a back seat to acquisition and implementation costs as decision criteria.”

Once organizations get their compliance-related archiving systems up and running, however, end users’ priorities will change. In fact, by 2008 or 2010, expect to see a much more strategic approach to e-mail and IM archiving, says Ferris. “E-mail will be seen as just another content type with Word documents, Web pages, and perhaps even voice and video content.”

Related Articles:

Giving Users Control of E-mail Archiving for Compliance
http://esj.com/Security/article.aspx?EditorialsID=1473

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
