Compliance is enforced in many countries by crippling penalties following well-publicised cases of bankruptcy, injury and fraud, and staff dismissals. Legislation such as Sarbanes-Oxley and Basel II is there to prevent disasters where Company Law is circumvented and transparency is lost. In the publicly funded sector, a variant of the Freedom of Information Act exists in most countries to ensure transparency of decision making with taxpayers' resources. A common factor in many damaging situations reported in the last decade, in both finance and health and safety, is the loss of records, including emails. Hence the emphasis on email archiving.

Retention mechanics

The retention periods required by law vary from country to country, and the law is also likely to require deletion on or after expiry of the retention period. The usual requirement is that all emails relating to subjects, departments or individuals be archived within the given organisation’s system before a user can manipulate or delete information, ensuring a fully secure, accurate and auditable record of email activity. Software solutions to ensure compliance generally work behind the scenes, incorruptible by the end-user and with the archive copies only accessible to authorised executives.

The need to comply with regulatory standards across the public and private sectors is increasing the pressure on these organisations to find a cost-effective system which meets the archive needs of the law.

If you are a director of a company or public sector organisation, you will need to balance the risk of crippling penalties against the small regular costs of ensuring compliance. Paper and electronic documents need to be kept for many years.

Emails in particular:

  • must all be kept as copies, securely, regardless of whether they are internal or external,
  • must be accessible by individual, department, by subject, by third parties,
  • must be accessible quickly,
  • must be neither editable nor accessible outside the small group of officers responsible for compliance

Non-compliance with regulations can and does have serious consequences for organisations, with potential fines running into millions, loss of revenue and, in worst-case scenarios, the personal prosecution of the directors, CEO and/or COO.

To be compliant it is vital to find an archive solution that ensures email integrity is maintained and can be authenticated. This means that, under audit, any record held (including emails) must, when required, be retrieved, reproduced, viewed and used as in the original.

Is this the same as email back-up?

When email systems are backed up, the back-up only holds the emails on the shared server at that time, that is, what was available to be backed up when the back-up process started. Back-ups do not hold:

  • Emails deleted by staff to tidy up or for ulterior motives
  • Emails in personal space archived by staff on their own PC.

This is one of the main reasons why email back-up is not sufficient for legal requirements. Fast indexing and search for email retrieval is a prerequisite of archiving solutions. Finding an email may mean searching millions of emails and their contents in a very short space of time. Back-up won’t allow this, and manual retrieval is impossible, whereas archiving solutions are designed to store and retrieve high volumes of email, whilst ensuring full data integrity and audit trails accepted in a court of law.

What else should I consider?

  • The regulatory reasons for compliance
  • Other legal factors pertaining to data retention
  • That the data is tamper-proof
  • Who has access and who must be able to retrieve the emails and their attachments securely.
  • A sound method of sampling and review
  • Logs & audit trails of archive searches
  • The hierarchy of IT, Security and/or Compliance Officers
  • The abilities of the organisation to manage this data
  • The ability to prove that you have undertaken all of these and more
  • The involvement of all aspects of management ensuring that the compliance project is not just left to IT

So what do you do if regulations don’t yet apply to your organisation?

Legislation is already here. If experience is our guide, regulation will spread: it is simply unacceptable in court to say that electronic data cannot be retrieved. It is therefore sensible to begin now the process of archiving email that could be seen as company records, be it human resource management or commercial management.

AXLR8 will help you manage legal risks & compliance issues

To help you meet regulatory requirements such as Sarbanes-Oxley, ISO, HIPAA, Basel II and others, AXLR8 can extract and store a copy of every email sent or received every second of the day without human intervention or corruption.

By archiving internal and external email to secure, indexed repositories, you can ensure you will be able to find critical message content rapidly and with full, demonstrable records of every email transaction suitable for audit requirements.