Q&A: Balancing E-Mail Security and Compliance

How quickly can you search and retrieve e-mail and instant messages relevant to a regulatory inquiry or court-ordered discovery process?

How quickly can you search all of your company’s archived e-mails and instant messages (IMs) and retrieve those relevant to a regulatory inquiry or court-ordered discovery process? Failure to produce such communications in a timely manner can lead to regulatory sanctions or lost court cases. Morgan Stanley, for example, announced last week that it will pay the Securities and Exchange Commission a record $15 million to settle an inquiry into its inadequate e-mail-retention practices.

Implementing an effective message-archiving system, however, requires a trade-off between securing information and making it available for easy retrieval. Enterprise Strategies spoke with John Brigden, senior vice president, general counsel for Symantec Corp., to learn more.

What big issues do companies face when they consider how to best archive their electronic communications?

All of this information has a much longer life to it than anyone would have thought of earlier on. Then you throw in the context of litigation, regulation, and all the ways that information might be relevant after the fact, and … companies are running into the problem of having to capture it, examine it, retrieve it, [and] secure it. …

How do companies balance those concerns?

Well, it’s hard. Those are questions that we’re still struggling with as an industry or a society—privacy concerns, security concerns, regulatory and compliance priorities. Technology really can enable a lot of different things, but by itself it doesn’t do a good job of balancing those requirements. So you can have a lot of things that do a good job of maintaining compliance but don’t do a good job of maintaining security. Or things can be more secure but not good for compliance.

What’s an example of the security-versus-compliance tradeoff?

Take encryption. That can make things very secure, but also—for content—very difficult to tag and manage for compliance purposes. On the other hand, it may give you a sense of privacy or security. That’s the battle going on now, incidentally, about being able to put wiretaps on VoIP. Of course, that battle also went on, with voice, 10 to 15 years ago, over wireless telephone sets, and privacy, and the police being concerned.

When archiving, should companies ideally be cataloging the information they capture or just storing it en masse?

If that content [is] captured more intelligently at the outset, tagged, and a little more content-aware strategy used … then the actions you take based on the information can be done sooner, or taken earlier, to better manage liability.

On the retrieval front, when companies try to satisfy regulators’ or courts’ requests for messages, how much leeway do they have if they can’t produce complete records?

Courtrooms are much less forgiving now on the complexities and the costs of the technology, and if you’re a company that hasn’t made the investment or equipped yourself with the technology—whether tagging the information, or putting it in a storage environment that allows you to manage it more efficiently or archive it—it sometimes becomes cost-prohibitive to deal with that information, once an issue comes up. …

You need to invest money to save money. … [Some] customers say, why do I want greater visibility into my data, isn’t it better to not know if I have a problem? Because if I do it, then haven’t I just made my data more readily accessible and created [a problem]?

Does deniability ever work for a defense?

I think courts generally are responsive to practical, and reasonable, defenses. I just think we’re starting to see less patience by the courts for those [“we didn’t know”] arguments. So the expectations [around corporate messaging] for what gets searched, and how long that takes, are definitely increasing.

Are expectations different for regulatory inquiries versus civil cases?

If it’s Eliot Spitzer that’s asking, the expectations are very different than if you’re in a civil dispute.

Where are most companies when it comes to how they use archiving systems?

There’s a growing awareness that companies need to think about the systems they’re deploying, and the compliance purpose they meet. For instance, as a company rolls out a disaster-recovery solution, it might be very good at disaster recovery, but it might not be very good at archiving data … [yet] investing in archiving at the same time might let you use both more effectively.

Are you recommending organizations apply dedicated technology to solve discrete problems such as disaster recovery and retention?

Yes—they need to understand that different technologies are good for different things. A disaster-recovery solution might be good for disaster recovery, but it might not give you what you need to manage information from an archival standpoint. So maybe you should be looking at archival solutions [too], which are really only good at restoring your data, but not your systems. … You really need to balance the right system for the right purpose. It seems like common sense, but it’s hard.

Another area that’s a real trend is around what I sometimes refer to as litigation hold or regulatory hold … where you say, “I believe I’m on notice now [to preserve all information relevant to an inquiry], and I need to retain that information. I need to ensure it doesn’t get intentionally or unintentionally deleted.”

Building a system to ensure that can be difficult. Systems are distributed; there are PDAs, voice-mail systems, backup tapes. If you read the law literally, you might find yourself being second-guessed if you haven't taken all reasonable steps to secure and lock down the information quickly. So being able to put the right hold technologies in place to secure information is really, really important. …
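As an added illustration of the two mechanisms discussed above, tagging content at capture and placing a litigation or regulatory hold, here is a toy archive in Python. This is example code written for this page, not Symantec's product and not anything Brigden describes; the tag patterns, matter name and sample messages are constructed. Messages are tagged by hypothetical content rules at ingest, a hold on named custodians or tags freezes everything it covers, a manual delete of a held message is refused and logged, and the routine retention purge skips held messages even after they expire.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import re

# Hypothetical content-aware rules applied at capture time: tag name -> pattern.
TAG_RULES = {
    "account_number": re.compile(r"\b\d{8,12}\b"),
    "trade_instruction": re.compile(r"\b(buy|sell|trade|order)\b", re.I),
    "legal_matter": re.compile(r"\b(lawsuit|subpoena|litigation|regulator)\b", re.I),
}


@dataclass
class Message:
    msg_id: str
    sender: str
    sent_at: datetime
    body: str
    tags: set = field(default_factory=set)
    sha256: str = ""  # digest taken at ingest; recorded when the message is purged


class Archive:
    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.messages = {}   # msg_id -> Message
        self.holds = {}      # matter -> (custodians, tags) frozen by that matter
        self.audit = []      # append-only record of every action taken

    def ingest(self, msg_id, sender, sent_at, body):
        """Capture and tag immediately, not after an inquiry arrives."""
        tags = {name for name, rx in TAG_RULES.items() if rx.search(body)}
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        msg = Message(msg_id, sender, sent_at, body, tags, digest)
        self.messages[msg_id] = msg
        self.audit.append(("ingest", msg_id, sorted(tags)))
        return msg

    def search(self, tag=None, sender=None):
        """Retrieve by tag and/or sender: the discovery-response path."""
        return sorted(m.msg_id for m in self.messages.values()
                      if (tag is None or tag in m.tags)
                      and (sender is None or m.sender == sender))

    def place_hold(self, matter, custodians=(), tags=()):
        """Go 'on notice': freeze everything from these custodians or with these tags."""
        self.holds[matter] = (set(custodians), set(tags))
        self.audit.append(("hold", matter, sorted(custodians), sorted(tags)))

    def holds_on(self, msg):
        """Matters whose hold covers this message (by custodian or by tag)."""
        return sorted(matter for matter, (people, tags) in self.holds.items()
                      if msg.sender in people or msg.tags & tags)

    def delete(self, msg_id, actor):
        """Manual deletion is refused while any hold applies, and the attempt is logged."""
        held = self.holds_on(self.messages[msg_id])
        if held:
            self.audit.append(("delete_refused", msg_id, actor, held))
            raise PermissionError(f"{msg_id} is under hold for {held}")
        del self.messages[msg_id]
        self.audit.append(("delete", msg_id, actor))

    def purge_expired(self, now):
        """Routine retention purge; held messages survive expiry and are logged."""
        purged, retained = [], {}
        for msg_id, msg in list(self.messages.items()):
            if now - msg.sent_at < self.retention:
                continue  # still inside the retention window
            held = self.holds_on(msg)
            if held:
                retained[msg_id] = held
                self.audit.append(("purge_skipped_hold", msg_id, held))
                continue
            del self.messages[msg_id]
            purged.append(msg_id)
            self.audit.append(("purge", msg_id, msg.sha256))
        return purged, retained


def demo():
    """Constructed sample: four messages, 90-day retention, one hold placed before purge."""
    now = datetime(2006, 3, 1, tzinfo=timezone.utc)
    old, recent = now - timedelta(days=200), now - timedelta(days=10)
    ar = Archive(retention_days=90)
    ar.ingest("m1", "alice", old, "Please sell 500 shares per the client order")
    ar.ingest("m2", "bob", old, "Lunch at noon?")
    ar.ingest("m3", "carol", old, "We received a subpoena from the regulator today")
    ar.ingest("m4", "dave", recent, "Account 123456789 needs its address updated")
    ar.place_hold("matter-2006-01", custodians=["bob"], tags=["legal_matter"])
    try:
        ar.delete("m3", actor="carol")   # carol tries to remove a held message
        refused = False
    except PermissionError:
        refused = True
    purged, retained = ar.purge_expired(now)
    return {"purged": purged, "retained": retained, "refused": refused,
            "left": sorted(ar.messages), "legal": ar.search(tag="legal_matter"),
            "audit_len": len(ar.audit)}
```

Calling `demo()` purges only the expired, unheld message from alice; bob's expired message survives because he is a named custodian, carol's because it carries the held tag, and the refused delete is on the audit trail alongside the skipped purges. The point of the design is that the hold check lives in one place (`holds_on`) and both the scheduled purge and the interactive delete go through it, so "unintentional" and "intentional" deletion are blocked by the same control.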

Looking forward, with the corporate move toward using VoIP telephones, have you seen any attempts to archive phone conversations?

I’m not aware of any customers or others that are looking to start to build VoIP monitoring, other than maybe the financial institutions [that] are regulated to monitor those communications. …

In fact, I think most companies are still trying to get their arms around e-mail and their policies around managing e-mail, and IM is adding a lot of difficulty to that. They’re really not even in a position to consider the bandwidth and other implications of [retaining] VoIP [conversations].

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.