Microsoft Exchange Server 2010 : Getting Started with Email Archiving - Archiving

1. Introduction to Archiving

Over time, archiving products have evolved significantly. They have gone from simple storage reduction software to sophisticated enterprise content management systems that not only offer the storage management of Exchange servers, but have moved beyond email to managing file systems, SharePoint, Lotus Notes, GroupWise, and even databases. Don't be intimidated by archiving products; they can resolve many pain points in your organization and in some way they can even be seen as an insurance policy.

One of the main things to understand is that the way business communications are handled has drastically changed over the last 10 or 15 years as well. In the past, most of the communications and even business contracts were done by either fax or paper records. Nowadays over 90 percent of business communications take place by electronic means—email and instant messaging (IM), for instance—and this number is increasing on an annual basis. A couple of famous corporate failures in 2002 sparked massive lawsuits. One of the world's largest accounting firms, Arthur Andersen, collapsed due to evidence that was brought up through email in the Enron scandal.

Citibank nearly suffered a similar fate and was forced to pay some $400 million in penalties after the attorney general of New York State demanded emails that originated from stock analyst Jack Grubman and Citigroup chairman Sanford I. Weill. What had happened is that in 2004 the stock price of insurance broker Marsh & McLennan had dropped a devastating 50 percent after evidence surfaced from emails about investments they publicly praised but internally described as disasters. And the list of these cases goes on, with Merrill Lynch and PriceWaterhouseCoopers having gone through public court cases over information in emails. As a result, eDiscovery (that is, the discovery of electronic information) has become entrenched in current business because of lawsuits/litigations, external compliance investigations, and even internal human resources (HR) investigations. In the United States, all these cases have resulted in the courts finally deciding that organizations now have to retain and be able to recover emails within a "reasonable" time frame, and also to prove, when these records are provided, that the emails have not been tampered with and are complete.

To clarify this process, amendments were made to the Federal Rules of Civil Procedure (FRCP). These amended rules went into effect on December 1, 2006, and require that companies create, document, and enforce policies to retain email or dispose of them as part of operating procedures. As we mentioned earlier, one of the more important parts of the new FRCP rules is that organizations must now discover and disclose relevant information and emails within a reasonable time frame, so stalling tactics no longer work.

Archiving systems are used throughout the world in many different scenarios largely depending on industry and country. Some of the scenarios are as follows:

• Storage management of Exchange Server

• Simple compliance data capture by using journaling

• Complete data capture using journaling and archiving

• eDiscovery and litigation support

• Enterprise content management (beyond just Exchange)

2. Archiving

Archiving systems generally can be tailored or tweaked for use with specific case scenarios. Archiving generally refers to the process of removing data from one storage location and moving it to another, cheaper storage location.

2.1. Retention

These days it is an accepted fact that business email is considered a record or controlled record, and that these records need to be archived by either your corporate policy or government regulatory requirements. A defined email retention policy informs employees as to what email must be archived and for how long. For an email retention policy to be effective, you have to distribute this policy in written format to all employees. A written retention policy should include several of these options:

Effective Date

This leaves no doubt as to whether the policy is currently in effect or is an old one that should be discarded.

Last Change Date and Changes Made

This information confirms the policy's authenticity and appropriateness because regulations change over time.

Person or Department Responsible for the Policy

This gives employees or their managers someone to contact with questions regarding the policy.

Scope/Coverage

This includes the geographic limits of the policy (if any), affected departments and offices, and a definition of what company information is covered.

Purpose of the Policy/Policy Statement

This can include a company philosophy statement about the business, legal, or regulatory reasons for records retention.

Definitions

This area defines what constitutes business records and applicable exceptions.

Responsibilities

This area covers the following:

• Business units, subsidiaries, and special departments (such as the legal department)

• General employees

• Records retention coordinators

• Procedures for retention and deletion of email and attachments (if no automated email archiving system is employed)

• How the emails should be stored (usually in a personal folder storage [PST] file)

• Where those PSTs should be stored, like a network storage target or share drive; however, many would argue that PSTs are not a good form for archiving/compliance

• How often those files should be cleaned out

• How duplicate and convenience copies are treated

Consequences

This describes what happens if the policy isn't adhered to.

A manually managed email retention policy relies on employees understanding and following the email retention policy. The obvious fact is that each employee will interpret the policy a little differently, so in reality organizations will have many different email retention policies. This fact is the main reason you need to adopt an email archiving solution.

The benefits of first writing or developing and then automating your email retention policy are multifold:

Regulatory Compliance

Email retention for regulatory compliance isn't a choice but a requirement. The only choice your company will have is how you meet the requirements: manually or with email archiving automation. Creating and automating your email retention policy lowers your overall risk of noncompliance and ensures that you are keeping your email for the required time period.

Legal Risk Management

When you can show the court that you keep your email retention policy current and enforce it, you can demonstrate retention intent and that you might not have purposely destroyed information in case of litigation.

Document Retention for Corporate Governance

Businesses rely on the generation, use, and reference of data to make ongoing business decisions. The data business generates has a value to the business if that data can be used efficiently. An effective retention policy ensures that valuable information is available for some period of time, and an email archiving system allows for quick search and reference.

2.2. Discovery

One of the primary reasons United States–based organizations use archiving software is for the aid of electronic discovery, also known as eDiscovery. This refers to the process of finding electronically stored information for litigation reasons and generally isn't just restricted to searching for email. In 80 percent of eDiscovery cases, email including attachments is requested, but in at least 60 percent of the cases, general office productivity documents are also requested (which means Word and Excel files on your file server and desktops are part of the litigation). Metadata does play an important role in this process and is referred to as "chain of custody." Chain of custody is basically a verifiable process of who had access to the data, and whether the data could have been altered or changed during the eDiscovery process.

2.3. Eliminating PST Files

It is our opinion that there are no good reasons at all to have PST files in a corporate environment other than handing them over to a lawyer for review. Starting to see the trend here? Archiving systems can be your friend, but you will start working closely with your HR and legal people. PST files have become popular because of mailbox quotas, which were implemented to help curb the growth of Exchange databases. These easy-to-implement policies were for the longest time the only option an Exchange administrator had to gain some sort of control over this growth. Now the problem is that the quotas have a nasty side effect: end users who are unable to find the Delete key on their keyboards are forced to groom their inboxes for old email messages when they hit their mailbox limit.

They will then naturally create PST files. For the longest time, this approach was encouraged by Exchange administrators. These files then were created either locally on the desktop or laptop or on the file server, where they would take up valuable storage space. PST files use up more storage than the content would have used if you kept the data in Exchange in the first place. However, we could probably write an entire book on just eliminating PST files and we don't have the space for that.

Large mailboxes together with an archiving product can be one of your best allies here, helping you find the PST files and bring them back under control, which ultimately reduces the storage footprint of PST files in your environment.

2.4. Reducing Storage

Reducing the storage of production Exchange databases was the first reason archiving systems became popular. In the late 1990s, Standard editions of Exchange still had a 16 GB mailbox store limit, and having a 5 or 10 MB mailbox limit was extremely common. People were looking for other ways to offload content from their mailbox stores, not only to keep the databases in line for storage limits, but also to reduce the backup times. A reduced backup also means a reduced recovery, which is something you start to appreciate once you have gone through a full-blown Exchange disaster recovery. Archiving systems can offload email to the archiving storage system, while either leaving a shortcut behind to open up the archived email or simply removing the entire message. Doing this can reduce the size of your Exchange databases—sometimes up to 90 percent.

2.5. Compliance

Compliance makes most people cringe. Compliance, however, is a word that is misused but is something that you will need to understand. The odds are that your company is subject to some regulation that enforces you to retain records. Some industries face stricter and more complex rules than others, especially health care and finance. Regulatory compliance is just something that is either already part of your daily Exchange life or soon will be. Let's briefly go over some of the current laws that might be applicable to your organization:

Federal Rules of Civil Procedure (FRCP)

On December 1, 2006, a number of amendments to the FRCP took effect. These new revisions and additions have an impact on how companies retain, store, and produce electronic data, including email for litigation. The rules that mostly affect organizations are as follows:

Rules 16 and 26

These rules call for organizations to "give early attention to issues relating to electronic discovery, including the frequently-recurring problems of the preservation of the evidence...." This means being ready to discuss a strategy for dealing with electronically stored evidence at the very first meeting with other parties in litigation.

Rule 34(b)

This rule requires organizations to produce electronically stored information in its native format with its metadata intact and to prove chain of custody. While the duty to preserve evidence is narrowed only to relevant data, the potential repercussions are great. For example, if a defensible process is not demonstrated, opponents may be granted access to an organization's network.

Rule 37(f)

This rule provides a "safe harbor" for data destruction. Safe harbor means that organizations face no penalties for deleting electronically stored information in keeping with routine operation of IT systems if the party took "reasonable" steps to preserve it. However, any destruction must be the result of routine operation and done in good faith, a systematic framework must be in place, and this systematic framework must have integrated litigation hold procedures.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act was passed mostly in response to the front-page news headlines of corporate corruption and financial scandals (namely Enron and WorldCom) in the early part of the decade. SOX provides severe criminal penalties, including jail sentences, for corporate executives who knowingly destroy business documents and other information that is used in the daily operations of their organization. It also describes specific records that need to be retained and requires a records retention period of seven years.

FINRA (Formerly Known as SEC Rule 17a-3 and a-4)

The FINRA rules focus on brokers and traders and require these people to retain and store specific records, such as customer communications and customer account trading activities, for a specific period of time on nonrewritable electronic media and to make them ready for easy review by the SEC within a reasonable time frame, typically 24 hours.

Health Insurance Portability and Accountability Act (HIPAA)

One part of HIPAA requires that an organization's patient records and related data (including related email) be archived and retained in a secure manner that ensures privacy and content integrity for at least two years after the death of the patient.

ISO 15489 (Worldwide)

This standard offers guidelines on the classification, conversion, destruction, disposition, migration, preservation, tracking, and transfer of records.

Title 17 CFR Part 1

This regulation allows record keepers for futures trading companies to store information either on electronic media or on micrographic media. This regulation also requires that "record keepers store required records for the full five-year maintenance period" while continuing to provide commission auditors and investigators with timely access to a reliable system of records.

FERC Part 125

This rule sets specific retention periods for the public utilities industry and states the records must have a life expectancy equal to or greater than the specified retention periods.

NARA Part 1234

The National Archives and Records Administration (NARA) regulations specify which government agency records are kept, for how long, and in what form and how they are to be accessed.

Freedom of Information Act (FOIA)—for Federal Agencies

FOIA allows for the full or partial disclosure of previously unreleased information and documents controlled by the US government. The act, which relies on the NARA regulations, defines federal agency records subject to disclosure and outlines mandatory disclosure procedures, and under certain circumstances, time frames for response.

The Patriot Act

The Patriot Act requires the Secretary of the Treasury to prescribe regulations "setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution." Broker-dealers must have a fully implemented customer identification program (CIP) that includes procedures for making and maintaining a record of all information obtained.

Federal Employment–Related Regulations

Largely unknown to many Exchange administrators, many federal employment regulations exist that require some sort of records retention, and they apply to all companies with employees. Some of the better known are as follows:

• Title VII of the Civil Rights Act of 1964

• Age Discrimination in Employment Act

• Americans with Disabilities Act

• Family and Medical Leave Act

• Equal Pay Act of 1963

• Vocational Rehabilitation Act

• Employee Retirement Income Security Act of 1974

• National Labor Relations Act

• Fair Labor Standards Act

These employment regulations are good examples of employer requirements, so any company that employs people should at least consider email archiving as a way to meet these regulations.

The regulatory requirements listed are the well-known US federal government drivers for record retention and cover quite a bit, including email data. However, this is not a complete list. There are more than 10,000 records retention regulations effective in the United States alone, and many of these are state-mandated, so a review of the states' regulations your company operates in would be a great idea.

2.6. Disaster Recovery