Company leaders must make sure a system can archive all of its unstructured data and do so in a way that adheres to rules laid out by relevant authorities.

All You Need to Know About Compliance and Email Archiving

Most business owners today are aware of certain responsibilities they have for email archiving under compliance legislation, but aren’t sure what the point of compliance is or how to ensure it. Simply put, compliance legislation is a set of legal rules governing the protection and preservation of enterprise data, including electronically stored information. This means that data (like email data) should be protected from unauthorized access and also stored for a certain amount of time before it can be disposed of, in case it is required for any kind of legal purpose.

Meeting compliance requirements is a joint effort

Compliance with federal, state and industry regulations is an involved, complicated effort that requires attention from a wide variety of employees, supervisors and executives. With a number of different rules that need addressing and a wide potential for variation from industry to industry, it can be difficult to keep track of all obligations. Sometimes, considerations like archiving digital communications may fall behind needs perceived as more immediate or wide-ranging, despite the sheer volume of messages and conversations that flow back and forth on a daily basis.

Every day, important business decisions and commitments are communicated by email and confidential financial documents are sent as email attachments. Precisely because email constitutes a valid email record, companies are required by law to preserve email correspondence. The penalties can be severe if compliance regulations are not closely followed. In 2006, Morgan Stanley was fined 15 million dollars by the Securities and Exchange Commission when the SEC alleged that Morgan Stanley delayed handing over emails, destroyed others and wasn’t forthcoming about the nature of the communications. In 2005, a 1.57 billion dollar judgment was upheld for non-compliance, but was later overturned.

Fines and penalties

Companies around the globe are coming under increasing pressure to ensure data compliance as more stories of corporate failure and fraud come to light. From the likes of Enron to Shell and WorldCom to Nortel, companies haven’t been taking data protection and compliance very seriously and are now paying the price. Particularly in the US and the UK, businesses can be overwhelmed by the many different compliance requirements that exist for data retention and archiving. Here are a few recent cases:

• Inappropriate emails sent by employees caused embarrassment for a top UK law firm. After the scandal, the media bombarded their head office for weeks.
• In the UK, the Inland Revenue office took action against around 200 employees in relation to misuse of email.
• A total of 5 Wall Street brokerages had to pay $8.25 million because they had discarded email related to customer transactions.
• In the UK, a bank was fined £2.3 million for failing to adhere to compliance regulations.

Regulatory compliance remains the number one reason to implement an email archive. Businesses that put unstructured data archiving in the back seat are setting themselves up for failure. Recognizing the complete spectrum of compliance means placing the appropriate amount of attention and level of respect on unstructured communication data. Email is often primary evidence in high-profile legal cases, especially sexual harassment and antitrust claims and discrimination actions that crop up in the news every day. It’s a headache for most employers, who are often held responsible for the email communications exchanged by employees.

Email: The Cause of Potential Compliance Issues

The Sarbanes-Oxley Act (SOX) affects all industries and imposes penalties on any organization which tampers with or alters email or other forms of electronic communication with the intention of fraud. The Act makes it clear that all businesses must keep their emails for at least 5 years and contains some ominous statements: “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies or makes a false entry in any record, document…shall be fined under this title, imprisoned for not more than 20 years, or both”. Additionally, any European companies with U.S. listings are also required to keep the emails for 5 years.

Apart from regulations that affect all organizations in the public sector, there are laws that are industry-specific. For instance, the healthcare industry has its own set of rules that are covered under the Health Insurance Portability Accountability Act (HIPAA). Likewise, the financial sector must adhere to SEC Rules 17a-3/a-4 and NASD Rules 3010/3110 which oblige broker/dealer organizations to maintain and store all emails pertaining to their trading activity for a minimum period of six years.

Supporting complete compliance

While communications like emails, instant messages and SMS seem like informal and often inconsequential pieces of data, a wide variety of industries require businesses to retain them for a given period of time. A lack of appropriate data archiving measures opens businesses up for regulatory issues, including fines and penalties that can significantly harm business effectiveness.

A truly complete compliance strategy includes measures to save digital conversations and messages, ensuring this aspect of records retention is never overlooked. While the drive towards email archiving is on the increase, a large number of companies still don’t have a functional and clearly defined email management policy that should specify the following:

• During retention periods, organizations have to ensure that their data is available, searchable, secure and quickly recoverable.
• During legal proceedings, harassment cases and eDiscovery requests, access to email archives is often required for evidence.
• The integrity of email is vital so that it can be used as evidence in court cases.

It’s also worth noting that a simple understanding of unstructured data archiving often isn’t enough to meet all compliance requirements. Not only must organizations retain this information, but also do so in a way that meets specific requirements about formatting, time spent in storage and other concerns. Businesses must make sure all of these small details are addressed appropriately, or else a well-intentioned compliance effort can fail and lead to issues with regulators. Therefore, selecting the right archiving system is crucial. Company leaders must make sure a system can archive all of its unstructured data and do so in a way that adheres to rules laid out by relevant authorities.

Email archiving is the key to compliance

Archiving doesn’t have to be an insurmountable task or a source of worry, however. Advanced solutions that automate much of the process reduce the obligation for employees and ensure a high level of compliance. When there’s no room for human error in compliance efforts, they’re more likely to be successful. Businesses must find secure, comprehensive and effective solutions to ensure they remain compliant with all aspects of relevant regulations in their industry.

If you’re not aware or unsure of the rules which govern your particular industry, you should get your legal team or external experts to explore the relevant legislation and set up email and social media archiving. Email archives are far superior to data backups because of storage capacity, search functions, eDiscovery features and many other reasons.

When there’s no room for human error in compliance efforts, they’re more likely to be successful.

Archiving email protects customers and companies

Remember that the data of most businesses contains not only sensitive information about the business itself but about clients and customers. It is vital that this customer data is kept private, which is one of the reasons that compliance legislation exists. If an organization decides to sue your business or vice versa, all records must be kept intact and unmodified in case they are required as evidence.

Even if you’re running a small business, it is vital that all data relating to accounts, transactions and customers is securely archived for later auditing if it is required. Failure to correctly archive sensitive data opens up businesses to legal action, reputational damage and fines. Compliance really affects the core of IT departments and IT infrastructure within an organization.

It can require some amount of work to develop a data compliance policy and this can take up valuable resources, especially if your IT department is small or a one-man show. The best way to start is to investigate secure data archiving options and ask the following questions:

• Will the archived content remain secure and unaltered for the appropriate time frame?
• How does this technology stay updated?
• How quickly can your organization retrieve data from the solution in the event that a legal request for data is received?
• Are there varying options of archiving solutions available to cater for small businesses and their growth?

Jatheon is a global leader in email, social media and mobile communications archiving and eDiscovery with 15 years of experience with on-premise archiving for regulated industries. We’ve just launched a next-generation cloud archiving solution. To learn how Jatheon can help you choose and implement the right archiving solution for your business, contact us or schedule your personal demo.

Originally published at jatheon.com on November 26, 2018.