Best Practices in Email Record Management

David Manning
Principal Engineer
Legato Systems, Inc.

Corporate Profile

Legato Systems, Inc. is a global provider of online Storage, Content, and Email data management solutions.

Email’s Explosive Growth

• Global email growing from 9.7B/day in 2000 to 35B/day in 2005 (IDC)
• Average message size increased 192% in 2000 to 286KB (EMC)
• Enterprise mailbox volume growing at 40% annually (Gartner Group)
• Typical 3,000 user email system now handles over one terabyte of message traffic annually (CNI)

[Chart: Business-Critical Data Stored in Email, 1998 to 2000; data labels 30%, 33%, 60%]

Emails must be managed as business records

“The e-mails that have come to light are very distressing and disappointing to us. They fall far short of our professional standards and some are inconsistent with our policies.” (Merrill Lynch CEO David Komansky)

Even as Merrill said the e-mails were taken out of context, the ensuing controversy caused its stock to fall 20%…

(As reported in WSJ, April 29, 2002)

Escalating Litigation Targets Email

1. More than $21 billion paid out in the last ten years – just in Securities class action settlements (April 2002, Institutional Shareholder Services)

2. Filing of US class action lawsuits increased 60% in 2001 – 511 new suits.

3. Currently, about 1000 class action lawsuits involving securities litigation remain outstanding.

4. In 2001, 171 class action suits were settled for a total of $2.7bn.

5. An estimated 25 lawsuits against Fortune 500 companies will be settled in the next 12-24 months at $500m each.
   • Lucent, Xerox, Coca Cola, Nortel

(All data from Financial Times, /25/2002)

Traditional Email Data Management

[Diagram: Internet Email Traffic, Email Servers, LAN Email Clients, Manual Back-Up]

Email data – messages and attachments – is stored (often duplicated) on both the email server and client workstations.

Record Management Challenge: Risk Management

• 34.5% of organizations say they would not or could not recover emails if required for legal or regulatory discovery within next 12 months. (CNI, 2000)
• 83% of lawyers say their corporate clients are NOT prepared to retrieve and turn over electronic files. (Arthur Andersen, 2001)
• 49% of organizations have established policies regarding email retention … BUT 41% of users ignore the policy. (CNI, 2001)
• 87% of viruses enter via email. (2000 Virus Prevalence Survey, ICSA)

IT Challenge: Control Rising Costs

• The average email server is saturated in just 18 days. (CNI, 2000)
• IT administrators spend 8-12 hours per week on email backup and archiving. (CNI, 2001)
• IT administrators spend 5-6 hours every week recovering archived messages and attachments for users. (CNI, 2001)
• IT administrators spend 25% more time managing email data each time the number of email users doubles. (CNI, 2001)

End-User Challenge: Capture Productivity

• Enterprise users now spend an average of 90 minutes daily managing their mailbox. By 2002, users will spend an average of 2.5 hours per day. (Gartner Group, 2000)
• 81% of business email end-users cannot access their own archived messages or attachments. (CNI, 2001)
• At 66% of organizations, users must work around maximum file-size restrictions (average 8-10MB) on email messages. (Ferris Research, 2000)

Key Business Challenges to Managing Email

• Message Store Management
• Supervision and Risk Management
• Retention and Record Management

• Financial Services
• HR, Legal

• Government – FOIA & State “Sunshine Laws”
• Regulated Industries

IT & Network Tools
• Mailbox Limits
• Backup
• Availability
• Disaster Recovery

Message Store Management

Key Features

On-server message stores need integrated record management:

• Eliminate duplicate messages, reduce storage
• Delete expired records
• Enforce corporate or regulatory retention rules

Supervision and Risk Management

• NASD rule 3010 requires supervision of correspondence

• Corporate e-policies define terms of use and unacceptable content.

• Electronic theft is a growing threat.

Background on NASD Regs

• Three NASD Rule categories:
  • Rule 2010 – Codes of Conduct for Marketing Advertising Correspondence
  • Rule 3010 – Supervision of Correspondence
  • Rule 3110 – Books and Records (references SEC Rules 17a-3 and 17a-4)

Focus on NTM 98-11

According to NASD NTM 98-11, NASD members shall:

Adopt written policies and procedures for review of correspondence.

Identify how supervisory reviews will be conducted and documented.

Identify what type of correspondence will be pre- or post-reviewed.

Identify the organizational positions responsible for conducting review of the different types of correspondence.

Specify the minimum frequency of reviews for each type of correspondence.

Periodically re-evaluate the effectiveness of the firm’s procedures for reviewing public correspondence and consider any necessary revisions.

Two requirement types:

1. Effectively monitor correspondence, show adherence to codes of conduct.

2. Record supervisory activity itself
   a) Show it as complete
   b) Routinely evaluate

SEC Retention Requirements

NASD Rule 3110 and SEC Rule 17a-4 require retention and accessibility

“Every such broker and dealer shall preserve for a period of no less than three years, the first two in an accessible place…originals of all communications received and copies of all communications sent by such member, broker or dealer (including inter-office memoranda and communications) relating to his business as such.” [SEC 240.17a-4(b)]

Record & Retention Management

Any or all email from email message systems – MS Outlook, Lotus Notes or UNIX Sendmail – may be captured onto the Message Center server.

• Gathers record-keeping copies into one location
• Checks all message/attachment content against business rules
• Generates/updates a full-text index
• Organizes messages and attachments* – together – into archive volumes

Email Retention in State & Local Government

From “Government in the Sunshine Manual”, Vol 23, Florida State Office of the Attorney General

Email is a record of business: “E-mail messages made or received by agency employees in connection with official business are public records and subject to disclosure in the absence of an exemption.”

Email must be retained: “Such messages are subject to the statutory restrictions on destruction of public records.”

Email records must be accessible: “Each agency… shall provide to any person, pursuant to Ch. 119, F.S., a copy of any public record in that [electronic record-keeping] system which is not exempted by law from public disclosure.”

Record Keeping System Requirements

• To build record keeping into corporate messaging systems…
  • Microsoft Exchange
  • Lotus Notes

• What is needed?
  • Authenticity
  • Usable Evidence
  • Completeness
  • Retention schedule
  • Training
  • Chain of custody
  • Auditing
  • Accessibility
  • Indexing
  • Security

Authenticity

Challenge
• Record must be maintained as authentic and ‘unalterable’ from creation through disposition.
• Lotus/Exchange messaging don’t include controls on access, editing of stored messages.

Response
• Capture and store records directly from message store
• Verify accuracy of storage process (read back)
• Support reliable and (optionally) indelible media (WORM, etc)
• Audit all access to records.

Usable Evidence

Challenge
• Overcome legal objection
• Routine creation
• Document a normal business activity
• Created when the underlying event took place

Response
• Capture incoming and outgoing email messages at time of creation or receipt
• Retention rules applied systematically
• Application of a file plan (categories) with policies and retention schedules.

Completeness

Challenge
• Record integrity depends on three attributes: content, context, structure.
• Moving messages out of mail servers typically changes one or more of these attributes. (loss of email meta-data)

Response
• Save complete email record and attachments, optionally in native document format.
• Save meta-data as part of record.

Practices & Training

Challenge
• Match rigor of record-keeping science to ubiquity of email within business/government user community
• Integrate record management with IT practice.
• Apply record-keeping to build business value.

Response
• Build record-keeping into email client, present file plans as part of Outlook/Notes folder structure.
• Integrate retention into message stores/databases.
• Use volume and availability of email
• Build e-business programs on email
• Re-use email as corporate memory.

Auditing

Challenge
• Little to no audit/control of message storage and access in MS-Exchange or Lotus Notes.
• Messages and documents easily move from clients to server databases, personal archives, and backup tapes.

Response
• Audit message/record access.
• Integrate “chain of custody” controls into message stores of MS-Exchange and Lotus Notes.
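The Authenticity and Auditing slides call for read-back verification of the storage step, indelible media, and an audit of every record access; the Message Store Management slide adds duplicate elimination. A sketch of those controls in one place, added here as an illustration and not Legato's or EMAILxtender's code: the `RecordStore` class, its method names and the sample message are hypothetical, and a read-only file mode stands in for WORM media.

```python
import hashlib, json, os

SAMPLE = b"From: trader@example.com\r\nSubject: Order confirmation\r\n\r\nOrder confirmed.\r\n"  # constructed sample

def sha(data):
    return hashlib.sha256(data).hexdigest()

class RecordStore:
    """Hypothetical archive: content-addressed files plus a hash-chained audit log."""
    def __init__(self, root):
        self.root, self.audit, self.last = root, [], "0" * 64

    def _log(self, actor, action, digest):
        entry = {"actor": actor, "action": action, "record": digest, "prev": self.last}
        self.last = sha(json.dumps(entry, sort_keys=True).encode())
        self.audit.append(dict(entry, hash=self.last))

    def _verified(self, digest):
        # Read the bytes back from storage and recompute the digest before trusting them.
        with open(os.path.join(self.root, digest + ".eml"), "rb") as f:
            raw = f.read()
        if sha(raw) != digest:
            raise ValueError("stored record does not match its digest")
        return raw

    def capture(self, raw, actor):
        digest = sha(raw)                 # headers (metadata) and body are hashed together
        path = os.path.join(self.root, digest + ".eml")
        if not os.path.exists(path):      # identical messages are stored once
            with open(path, "wb") as f:
                f.write(raw)
            os.chmod(path, 0o444)         # read-only; a stand-in for WORM media
        self._verified(digest)            # read-back check of the storage step
        self._log(actor, "capture", digest)
        return digest

    def read(self, digest, actor):
        raw = self._verified(digest)
        self._log(actor, "read", digest)  # every access is audited
        return raw

    def audit_intact(self):
        # Each entry commits to the previous one, so an edited or dropped entry breaks the chain.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or sha(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Capturing the same message twice yields one stored file and two audit entries, and altering either the stored file or an earlier audit entry is detected on the next `read` or `audit_intact` call.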

Accessibility

Challenge
• Message access in Exchange/Notes largely based on visual markers.
  • Inbox
  • Folder structure
• Full text index is very ‘resource-expensive’ in Notes, and non-existent in MS-Exchange.
• Users have limited access to long-term message stores (backup tapes, archives).

Response
• Use full-text index for secure user access to “corporate memory”
• Present corporate file plan as a common folder structure.
• Use SQL database for programmatic access.

Security

Challenge
• Messages often not secure in typical messaging system.
  • User archives.
  • Backup tapes.
  • Un-audited message stores.
• SMTP traffic can be seen in clear text (not encrypted)

Response
• Build practices, systems to control all access to message stores.
• Integrate messaging directories into record-keeping system.
• Adopt privacy policies, solutions for secure messaging (encryption)

Integrating a Record Keeping System

[Diagram: Email Servers, LAN Email Clients, Web-based Email Client, Ex Server, Full-Text Index]

Stored volumes contain both messages and attachments.

Disaster recovery is quick and complete thanks to Ex archive structure.

Archive as much email data as you want when you use Ex with Dx -- which supports ALL leading secondary media including…

• Optical
• Tape
• RAID
• DVD
• CD-ROM

For more information about EMAILxtender

Visit http://legato.com or call Legato Systems at (888) 853.4286