Ninety percent of business communication is done by email, instant messaging (IM) and voicemail, all of which are electronically stored.
The main body of evidence that put Arthur Andersen out of business in 2002, after 89 years, came from email. Citigroup paid $400 million in fines after Eliot Spitzer subpoenaed emails written by stock analyst Jack Grubman. The stock price of the insurance broker Marsh & McLennan dropped by 50% in 2004 after emails showed evidence of kickbacks. In 2005, a federal judge recommended entry of a default judgment against PricewaterhouseCoopers for deleting emails relevant to a $139M shareholder suit.
In a case brought by Ron Perelman against Morgan Stanley, Morgan Stanley lost credibility by being unable to consistently produce requested emails. The disaffected court responded by shifting the burden of proof so that Morgan Stanley had to demonstrate its innocence. This was a major factor in the 2005 judgment against Morgan Stanley of $1.58 billion. In 2006 Morgan Stanley paid another $15 million for failing to retain email messages. (In March 2007, the 2005 judgment was reversed 2:1 on appeal by Florida's Fourth District Court of Appeal. The grounds for the reversal were that Perelman had not shown what Sunbeam shares would have been worth at the time of the Coleman purchase had there been no fraud; as a result, the court held that Perelman had failed to show any "legally cognizable damage" stemming from the alleged fraud. What was NOT reversed was the trial judge's ruling that Morgan Stanley had deliberately failed to produce email documents, and the judge's instruction to the jury to accept that Morgan Stanley had not disclosed Sunbeam's true financial condition to Perelman, which in effect reversed the burden of proof.)
Almost all litigation will result in email discovery, whether the matter is brought by external regulators or arises internally, as with harassment and discrimination claims. The courts have decided that companies must keep emails, be able to recover them in a reasonable time, and show that the email records are complete and unchanged. The federal civil procedure changes that went into effect on December 1, 2006 mean litigants can be forced either to produce relevant email and other records or to demonstrate that they were lost or destroyed according to reasonable, documented policies carried out in good faith. It is now essential that organizations have in place processes and procedures that can find emails and IMs, monitor the potential exposure they create, and understand and mitigate litigation risk.
Email is held on email servers, PCs, file and print servers, DVDs, tapes and other media. In most organizations the ability to find a specific email reliably is poor. Attorneys are now skilled at understanding the weaknesses of email systems, and at demonstrating those weaknesses to the court.
Email archiving is a base platform on which systems that identify and mitigate risk can be built. IT will usually need to certify to one or more of a long list of interested parties (compliance groups, risk managers, internal auditors, external auditors, legal counsel, industry regulators, Homeland Security regulators (Patriot Act) and state regulators, to name but a few). The certification will attest that there are documented technology, processes and procedures to capture all email content (emails, IMs and attachments), to show that emails have not been changed, and to recover any email in full quickly (for example, SEC Rule 17a-4 requires retrieval within 48 hours).
Wikibon has interviewed a number of installations that have implemented email archiving systems. For nearly all of them the primary business driver was risk reduction, and the lead was taken either by the board or by legal. The degree of risk exposure varies by industry and by the degree of regulation. At one end of the spectrum, highly regulated financial institutions (e.g., trading) can be shut down by regulators; non-compliance is a risk to the existence of the organization, and email archiving is a cost of doing business. At the other end, the risk reduction for a small retail organization with razor-thin margins will probably not justify an email archive system. Organizations such as pharmaceutical companies, with a high potential for being sued, fall in the middle. For some organizations, the requirement to keep email as proof of contracts (enabled by the Electronic Signatures in Global and National Commerce Act) could be the deciding factor.
Email archiving builds an infrastructure base that the organization can exploit to reduce risk. IT will be a primary leader in this project, which will be an important part of reducing the risk of non-compliance with regulatory or court demands. But it is not the whole story. The organization will have to put in place many other procedures and technologies to reduce risk (e.g., compliance training, filtering email for words and phrases, eDiscovery). IT will play a part in those projects but not a leading role. This how-to note focuses on setting up the correct infrastructure to reduce risk.
Storage administration and others in IT will be under considerable pressure to introduce systems that purport to give additional benefits to the organization. Vendors may, for example, claim additional email productivity for end-users, or disk savings from reducing .pst files. Our recommendation is to focus email archiving on the primary objective of risk reduction: establishing a robust archive that can be a basis for exploitation by the business to reduce risk. Any other changes should be put into a future exploitation category and funded by the line of business as a separate project. Catch-all projects are a recipe for scope-creep and delay in achieving the primary objective.
Email archiving capability
Email archiving is a systematic approach to saving and protecting the data contained in email messages and IMs so that it can be accessed quickly and reliably at a later date. Protection covers both accidental loss and deliberate attempts to alter or delete emails. Implementations vary from simple software running on existing systems to dedicated hardware. Applications can be built on top of an email archive to address email legal discovery, internal and external email audit support, and many other needs.
Specific operational goals of implementing email archiving
A successful email archiving implementation will:
- Establish robust email archive procedures (much more important than fancy technology)
- Ensure that ALL emails and IMs are archived (e.g., email journaling is enabled)
- Enable IT to certify to stakeholders and the court that the email archive technology, processes and procedures capture all email content (emails, IMs and attachments) and show that emails have not been changed
- Ensure that the archive system is resilient and reliable
- Ensure that data cannot be deleted before its retention period has expired (this can be up to 20 years for medical records)
- Ensure that data can be checked for readability, and migrated to new technology as it becomes available
- Comply with industry standards and applicable regulations
- Allow emails to be retrieved within the statutory period (e.g., 48 hours for SEC Rule 17a-4)
- Allow the archive to be exploited by upstream applications to reduce risk
- Allow easier and quicker internal and external auditing of emails
- Significantly reduce the risks from "ill-advised" emails
- Allow the data to be accessed "directly" from other applications (the data should belong to the organization, not the email archiving vendor!)
- Not degrade the current email system (a career-limiting opportunity)
- Ensure that sufficient additional resources are budgeted to deal with additional email processing (e.g., journaling) and additional bandwidth
- Handle the company's changing email archiving needs
- Avoid scope-creep into areas that do not reduce risk, e.g.:
- KISS: keep it simple, really simple
- Be wary of complex technologies that transform data (a simple third-tier tape library may be sufficient to reduce storage costs)
- Avoid committing to reducing .pst files on the file and print servers
- Avoid any email productivity changes or enhancements in Phase 1 that are not risk-reduction related
- Take a good hard look at loading historical emails. These are very expensive to load, and it will be very difficult to get end-users to cooperate. If you cannot guarantee that all emails will be captured, you are probably better off keeping the current procedures for accessing old emails for discovery.
The major expected effects on the IT budget will normally include:
- An investment of ~$600,000-$1,000,000 over 3 years (~$200-$300 per mailbox), using the standard Wikibon business model and its assumptions
- This assumes an investment in the current email system to enable journaling and increase bandwidth
- Cost of additional backup capabilities for the email archive
The email archive project should be justified primarily by the reduction in risk to the organization. The only other way of justifying it is the reduction in the cost of eDiscovery; if that is the case, the legal department should be responsible for both the budget and achieving the savings.
Other potential impacts on organization include:
- A possible level of email performance degradation.
- Compliance with data retention regulations.
Risks of implementing email archiving
Email archiving is now becoming more common, and the technologies are better understood. However, it is still a relatively new application area, and an email archiving project is medium risk. Risks include:
- The risks to the organization are not quantified, making choices for risk reduction impossible to prioritize
- Too broad a scope for email archiving, with a wish list a mile long for email "improvements"
- Failure to separate the basic archive from upstream technologies. The basic archive is infrastructure that should have a ten-year life. Upstream technologies that exploit the data can and should be changed frequently as the risks to the organization change
- Scope-creep during the project, especially from legal. Ensure that the question "How does this request reduce risk?" is asked of every additional functionality enhancement. If the answer is none or very little, put it into Phase II, as implementing it will lengthen the project and increase the time the organization is at risk. Email archiving can save effort in eDiscovery clerical work and increase confidence in the data; savings in external counsel costs are rarely achieved.
- Too many chiefs with conflicting requirements (see the list of possible stakeholders above). Try to get agreement that risk reduction is the primary focus of the project, and request that a single stakeholder be responsible for agreeing with the other stakeholders how large the risk is.
- The project is funded from IT savings only. This is the best recipe for disaster.
- Changing the current email system
- Impacting the performance and availability of the current email system
- Inability of the infrastructure email archiving system to scale and adapt to changing email and IM archiving requirements
- Email archiving gets mixed up with an overall review of ILM strategies. Organizations are strongly advised not to do this: email archiving is much simpler to implement because the metadata (who sent it to whom, date sent, etc.) is included in the data and conforms to email standards, whereas unstructured document management systems are much more difficult to implement and their technologies are at a far lower level of maturity.
The email archiving initiative
The email archiving initiative will be complete when the email archiving system has been designed, installed, implemented and tested to ensure that all email and IM are archived and can be accessed quickly and efficiently. The email archive should then be in a position to be exploited by additional applications.
Expectations (Out of Scope)
The following factors, although necessary for the email archiving implementation to be successful, are not within the scope of this initiative:
- A business risk management structure is in place and a key decision maker has been identified (for many organizations this will be found in the legal department)
- The business risk-reduction initiatives themselves
- The email archiving initiative budget has been defined
Analyze Phase
Acceptance Test Considerations:
The analyze phase will be completed when the initial business case has been accepted by the sponsor, and agreement has been reached to proceed to the design phase or kill the project.
Key analysis milestones:
Analysis should take 6-8 weeks for most companies.
- Existing email systems documented and understood
- Understand the current email systems, the number of mailboxes, the volume and size of emails/IMs, and the growth characteristics
- Understand how emails are archived at the moment by IT and by the end-users themselves
- Decision taken on historical emails (if possible avoid this, as it is very time-consuming, will not be 100% complete, will aggravate end-users, and will delay the implementation, increasing the risk to the organization)
- Does ingesting historical emails reduce risk?
- Can the current eDiscovery procedures work with historical emails?
- Is it feasible to get end-users to migrate files to the archive?
- If possible, avoid ingesting historical emails
- Business case developed and presented
- Design a first-pass email retention system, and cost the equipment, services, IT staff, and user staff needed to implement and maintain it
- Get agreement to the risks to the business of the current system
- Get agreement to the risk reductions to the business from an email archiving system
- Create a risk reduction business case, present to stakeholders, and get agreement to go to the design phase
Design Phase
Acceptance Test Considerations:
The design phase will be completed when the email archiving design has been accepted by the sponsor and agreed to by the key stakeholders, and agreement has been reached to proceed to the deploy phase or kill the initiative.
Key design milestones:
This phase should take about 8-16 weeks
- Primary vendor decided for base infrastructure archiving system
- Decide on the vendor hardware and software technologies available and issue an RFP/solicit bids
- CA, EMC, HP, IBM, Microsoft and Symantec would be the primary vendors to consider, in addition to other less well-known firms
- Strong consideration should be given to outsourcing firms such as Iron Mountain that focus on robust procedures
- Email archiving procedures designed
- Design email procedures around the hardware and software decided on, and integrate the design with the current procedures
- Pay particular attention to procedures for ensuring that data cannot be deleted or tampered with, and to disaster recovery procedures
- Create the presentation that would be given in court of how the email archiving system and its procedures ensure compliance and are 100% dependable. Test this presentation on legal counsel
- Determine training requirements for operations
- Design test procedures and scripts
- Risk mitigation systems designed
- Design of legal discovery systems if required (if these do not reduce risk, they should be left to a subsequent phase)
- Design of systems to reduce risk (e.g., HR for harassment) if required
- Design of external audit systems to reduce risk (e.g., compliance with record retention statutes) if required
Deploy Phase
Acceptance Test Considerations:
The email archiving initiative will be complete when the email archiving system has been installed, implemented and tested to ensure that users can exploit the new system and that the risk mitigation systems work. This phase should take about 4-6 months and cost about $600,000-$800,000 over 3 years. If an outsourcing agreement is chosen, this should cost in the range of $3 to $7 per user mailbox per month.
- Email archiving system built
- Installation of hardware and software functionality
- Installation of any changes required to current email system (e.g., additional equipment for journaling)
- Update and creation of new process and procedures, with full documentation
- Email archiving tested
- Testing of equipment, software, and procedures on historical data
- Testing of recovery on historical data
- Testing of procedures for migration, backup, recovery, and disaster recovery
- Migration & Cut-over to email archiving completed
- User training and documentation completed
- Help desk operatives trained and documentation updated
- Risk mitigation applications implemented
- Risk mitigation applications as designed implemented and signed off by user departments
- Email archiving initiative wrapped up
- Procedures set up for monitoring compliance and implementing yearly testing (including yearly readability and reliability testing)
- Procedures set up for adding additional archive storage, storage functionality, and risk reduction applications
- Final review of documentation
- All project staff released and full hand-over to IT operations
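The certification the note asks IT to make (every journaled message captured, none changed or removed) and the yearly readability and reliability test in the wrap-up list both need something an examiner can rerun rather than a statement of policy. The following is an added example, not code from the Wikibon note or from any archiving vendor: an in-memory stand-in for a WORM store that keeps the raw RFC 5322 bytes of each journaled message, a per-message SHA-256, and an HMAC chain over the manifest, plus a verifier that reports alteration, deletion and truncation. The `ArchiveJournal` class, the operator key, and the three sample messages are constructed for this illustration.

```python
"""Hash-chained email archive manifest with an integrity and readability check.

Added example; not part of the original note or any vendor product. The
ArchiveJournal class, the operator key and the sample messages below are
constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from email import policy
from email.parser import BytesParser
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain value before the first entry


def extract_metadata(raw: bytes) -> dict:
    """Parse one message and pull the fields discovery requests are keyed on.

    Doubles as the readability test: a message that has lost its envelope
    headers (or no longer parses as RFC 5322) is flagged readable=False.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    meta = {}
    for name in ("From", "To", "Date", "Message-ID", "Subject"):
        value = msg.get(name)
        meta[name.lower()] = str(value) if value is not None else None
    meta["readable"] = all(meta[k] for k in ("from", "to", "date"))
    return meta


@dataclass
class ArchiveJournal:
    """Append-only store: raw message bytes plus a chained manifest.

    Each manifest entry records the SHA-256 of the raw bytes and an HMAC
    chain value covering the previous entry, so altering, deleting or
    reordering any message invalidates every later chain value. The key is
    an assumption: it belongs to the archive operator, not the mail admins.
    """
    key: bytes
    messages: Dict[int, bytes] = field(default_factory=dict)
    manifest: List[dict] = field(default_factory=list)

    def _chain(self, prev: str, seq: int, digest: str) -> str:
        msg = f"{prev}|{seq}|{digest}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def head(self) -> str:
        """Current chain head; escrow this out of band after every batch."""
        return self.manifest[-1]["chain"] if self.manifest else GENESIS

    def ingest(self, raw: bytes) -> dict:
        """Store a journaled message exactly as received and extend the chain."""
        seq = len(self.manifest)
        digest = hashlib.sha256(raw).hexdigest()
        entry = {"seq": seq, "sha256": digest,
                 "chain": self._chain(self.head(), seq, digest),
                 "headers": extract_metadata(raw)}
        self.messages[seq] = raw
        self.manifest.append(entry)
        return entry

    def verify(self, expected_head: Optional[str] = None) -> List[str]:
        """Return a list of problems; an empty list means the archive is intact.

        Without expected_head, removal of trailing entries is undetectable
        because the shortened manifest is still self-consistent.
        """
        problems: List[str] = []
        prev = GENESIS
        for entry in self.manifest:
            seq = entry["seq"]
            raw = self.messages.get(seq)
            if raw is None:
                problems.append(f"seq {seq}: message missing from store")
            elif hashlib.sha256(raw).hexdigest() != entry["sha256"]:
                problems.append(f"seq {seq}: content altered (digest mismatch)")
            elif not extract_metadata(raw)["readable"]:
                problems.append(f"seq {seq}: message no longer readable")
            if self._chain(prev, seq, entry["sha256"]) != entry["chain"]:
                problems.append(f"seq {seq}: chain broken (manifest edited)")
            prev = entry["chain"]
        for seq in sorted(set(self.messages) - {e["seq"] for e in self.manifest}):
            problems.append(f"seq {seq}: message in store but not in manifest")
        if expected_head is not None and expected_head != self.head():
            problems.append("head mismatch: entries removed from the end")
        return problems


# Constructed sample messages (not real correspondence).
SAMPLE_MESSAGES = [
    b"From: analyst@example.com\r\nTo: trader@example.com\r\n"
    b"Date: Mon, 01 Jan 2007 09:00:00 +0000\r\nMessage-ID: <1@example.com>\r\n"
    b"Subject: Q4 numbers\r\n\r\nThe figures are attached.\r\n",
    b"From: trader@example.com\r\nTo: analyst@example.com\r\n"
    b"Date: Mon, 01 Jan 2007 09:05:00 +0000\r\nMessage-ID: <2@example.com>\r\n"
    b"Subject: Re: Q4 numbers\r\n\r\nPlease revise before the call.\r\n",
    b"From: legal@example.com\r\nTo: analyst@example.com\r\n"
    b"Date: Mon, 01 Jan 2007 10:00:00 +0000\r\nMessage-ID: <3@example.com>\r\n"
    b"Subject: Hold notice\r\n\r\nRetain all Q4 correspondence.\r\n",
]


def build_sample_archive(key: bytes = b"operator-escrowed-key") -> ArchiveJournal:
    journal = ArchiveJournal(key=key)
    for raw in SAMPLE_MESSAGES:
        journal.ingest(raw)
    return journal
```

Run `build_sample_archive().verify()` for the intact case; then edit one entry in `messages`, pop the last manifest entry, or drop a middle message, and rerun `verify(expected_head=...)` with the head recorded before the change. The chain catches in-place alteration and removal of interior entries on its own; detecting removal of the newest entries needs the head escrowed somewhere the archive administrators cannot rewrite, which is the procedural half of the certification rather than a property of the hash.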
Email archiving initiative summary
The risks of not having an effective email archiving system are very real and very high. Exposures to litigation come from inside the organization (claims of harassment or discrimination) and from outside (customers, partners, suppliers, shareholders, regulators, and government). Putting in an effective email archiving system will be cost-justified by significantly reducing the organization's exposure to risky emails, identifying the faults in processes and procedures that allowed those emails to be produced, and correcting the overall business systems. Success of an email archiving system will come from identifying the greatest risks to the organization and ensuring that the solution adequately and demonstrably addresses them.