Protecting the Paperless Trail

With e-mail a staple in businesses across the world, IT professionals typically spend countless hours, dollars, and resources keeping e-mail systems up and running.

After all, if e-mail becomes unavailable for even part of the work day, or if e-mail messages become exposed to and compromised by malicious code or attackers, it doesn’t take long before everyone—from C-level executives to middle managers to the troops in the trenches—make crystal clear their frustration and dissatisfaction.

But the importance of e-mail does not stop at its daily functionality. Today, e-mail is used as evidence in courts around the globe. In fact, a 2004 ePolicy Institute survey of U.S. companies found that 21% of respondents had their employee e-mail and instant messaging subpoenaed as part of a lawsuit or regulatory investigation—up from 14% in 2003.

And what if companies do not or cannot comply with such requests? They can be hit with millions of dollars in fines, damages, and sanctions. Just ask Morgan Stanley or PricewaterhouseCoopers or UBS Warburg or Philip Morris USA. Clearly, the failure to deliver the right e-mail messages at the right time can make or break many lawsuits.

The trouble is traditional backup and recovery methods and technologies fall short of meeting the stringent and time-sensitive demands of e-discovery. That’s why organizations should begin now to develop a proactive e-mail retention and discovery policy that is enforced and supported by e-mail archiving and discovery software tools.

These technologies offer an automated, streamlined solution for ensuring that e-mail records are not only retained in a secure repository but are easily identified and accessed.

Email Avalanche

Unfortunately, there are far too many stories of tech-savvy companies whose e-mail retention and recovery efforts failed to satisfy courts’ demands. Why? Because e-mail is typically backed up every day, week, or month, creating volumes and volumes of unindexed messages and attachments that are kept on tapes and stored off-site. And companies that generate hundreds of thousands of backup tapes a month often resort to recycling existing backup tapes just to save money.

What’s more, not all backup tapes end up at the right storage location; some wind up sitting on shelves or in warehouses where they might or might not be found should they be needed as evidence in a court of law.

But finding the tapes is just one challenge. The next is being able to quickly find relevant e-mails and attachments based on the context of the information requested, which might include the sender, recipient, or date, as well as the content of the information requested. This might include key words or subject lines and specific attachments.

There’s also the issue of restoring the data. This could take anywhere from days and weeks to months, depending on the size and scope of the request. And if .pdf files are to be searched, they must first be converted to text-searchable files.

Worse yet, the cost of all of these time-consuming efforts falls not on the party making the request but on the company whose records have been requested. Some experts put the cost of e-mail restoration at about $2 per message. That adds up fast, particularly if a plaintiff requests millions of e-mails.

Securing the E-Trail

So much for the alarming news. The good news is that by following three simple steps, organizations can develop a cost-effective e-mail retention and recovery solution that helps eliminate the risk of failing to respond appropriately to e-discovery requests.

The first step is to establish which e-mails should be retained, and then determine for how long they should be kept. Depending upon the laws and regulations with which the company must comply, an organization might choose to save the e-mail messages of its C-level executives or another employee segment or to retain all e-mails that are considered real business records.

Next, the organization should put in place an e-mail archiving system that automatically archives and indexes messages and stores them, unaltered, for the specified retention period in a centralized repository. The system should also keep e-mails protected against accidental or intentional alteration or deletion.

The final step is to implement a software system that enables the easy identification and retrieval of stored e-mails by authorized reviewers. Specialized tools can assist in the capture, search, and review processes of legal discovery.

With e-mail now considered a legally discoverable record and a critical component in lawsuits and regulatory investigations both in the United States and abroad, organizations must be ready to respond with efficient and accurate e-mail retention and recovery policies, practices, and tools.

While no silver bullet exists to keep an organization out of court, leveraging innovative systems and procedures that ensure long-term e-mail security and accessibility is an effective and proactive defensive strategy that will likely yield considerable financial returns the longer it is used.

Mark Egan is Symantec’s CIO and vice president of IT. He is responsible for the management of Symantec’s internal business systems, computing infrastructure, and information security program. Egan is author of “Executive Guide to Information Security: Threats, Challenges, and Solutions” from Addison Wesley and was a contributing author to “CIO Wisdom.”