1. Introduction to Archiving
Over time, archiving products have evolved
significantly. They have gone from simple storage reduction software to
sophisticated enterprise content management systems that not only offer
the storage management of Exchange servers, but have moved beyond email
to managing file systems, SharePoint, Lotus Notes, GroupWise, and even
databases. Don't be intimidated by archiving products; they can resolve
many pain points in your organization, and in some ways they can even be
seen as an insurance policy.
One of the main things to understand is that the way
business communications are handled has drastically changed over the
last 10 or 15 years as well. In the past, most of the communications
and even business contracts were done by either fax or paper records.
Nowadays over 90 percent of business communications take place by
electronic means—email and instant messaging (IM), for instance—and
this number is increasing on an annual basis. A couple of famous
corporate failures in 2002 sparked massive lawsuits. One of the world's
largest accounting firms, Arthur Andersen, collapsed due to evidence
that was brought up through email in the Enron scandal.
Citibank nearly suffered a similar fate and was
forced to pay some $400 million in penalties after the attorney general
of New York State demanded emails that originated from stock analyst
Jack Grubman and Citigroup chairman Sanford I. Weill. In 2004, the
stock price of insurance broker Marsh & McLennan dropped a
devastating 50 percent after evidence surfaced
from emails about investments they publicly praised but internally
described as disasters. And the list of these cases goes on, with
Merrill Lynch and PricewaterhouseCoopers having gone through public
court cases over information in emails. As a result, eDiscovery (that
is, the discovery of electronic information) has become entrenched in
current business because of lawsuits/litigations, external compliance
investigations, and even internal human resources (HR) investigations.
In the United States, all these cases have resulted in the courts
finally deciding that organizations now have to retain and be able to
recover emails within a "reasonable" time frame, and also to prove,
when these records are provided, that the emails have not been tampered
with and are complete.
To clarify this process, amendments were made to the
Federal Rules of Civil Procedure (FRCP). These amended rules went into
effect on December 1, 2006, and require that companies create,
document, and enforce policies to retain email or dispose of them as
part of operating procedures. As we mentioned earlier, one of the more
important parts of the new FRCP rules is that organizations must now
discover and disclose relevant information and emails within a
reasonable time frame, so stalling tactics no longer work.
Archiving systems are used throughout the world in
many different scenarios largely depending on industry and country.
Some of the scenarios are as follows:
Storage management of Exchange Server
Simple compliance data capture by using journaling
Complete data capture using journaling and archiving
eDiscovery and litigation support
Enterprise content management (beyond just Exchange)
2. Archiving
Archiving systems generally can be tailored or
tweaked for use with specific case scenarios. Archiving generally
refers to the process of removing data from one storage location and
moving it to another, cheaper storage location.
2.1. Retention
These days it is an accepted fact that business
email is considered a record or controlled record, and that these
records need to be archived by either your corporate policy or
government regulatory requirements. A defined email retention policy
informs employees as to what email must be archived and for how long.
For an email retention policy to be effective, you have to distribute
this policy in written format to all employees. A written retention
policy should include several of these options:
Effective Date
This leaves no doubt as to whether the policy is currently in effect or is an old one that should be discarded.
Last Change Date and Changes Made
This information confirms the policy's authenticity and appropriateness because regulations change over time.
Person or Department Responsible for the Policy
This gives employees or their managers someone to contact with questions regarding the policy.
Scope/Coverage
This includes the geographic limits of the
policy (if any), affected departments and offices, and a definition of
what company information is covered.
Purpose of the Policy/Policy Statement
This can include a company philosophy statement about the business, legal, or regulatory reasons for records retention.
Definitions
This area defines what constitutes business records and applicable exceptions.
Responsibilities
This area covers the following:
Business units, subsidiaries, and special departments (such as the legal department)
General employees
Records retention coordinators
Procedures for retention and deletion of email and attachments (if no automated email archiving system is employed)
How the emails should be stored (usually in a personal folder storage [PST] file)
Where those PSTs should be stored, like a network storage target or share drive; however, many would argue that PSTs are not a good form for archiving/compliance
How often those files should be cleaned out
How duplicate and convenience copies are treated
Consequences
This describes what happens if the policy isn't adhered to.
A manually managed email retention policy relies on
employees understanding and following the email retention policy. The
obvious fact is that each employee will interpret the policy a little
differently, so in reality organizations will have many different email
retention policies. This fact is the main reason you need to adopt an
email archiving solution.
The benefits of first writing or developing and then automating your email retention policy are multifold:
Regulatory Compliance
Email retention for regulatory compliance isn't
a choice but a requirement. The only choice your company will have is
how you meet the requirements: manually or with email archiving
automation. Creating and automating your email retention policy lowers
your overall risk of noncompliance and ensures that you are keeping
your email for the required time period.
Legal Risk Management
When you can show the court that you keep your
email retention policy current and enforce it, you can demonstrate
retention intent and argue that you did not purposely destroy
information in the event of litigation.
Document Retention for Corporate Governance
Businesses rely on the generation, use, and
reference of data to make ongoing business decisions. The data a business
generates has value to the business if that data can be used
efficiently. An effective retention policy ensures that valuable
information is available for some period of time, and an email
archiving system allows for quick search and reference.
2.2. Discovery
One of the primary reasons United States–based
organizations use archiving software is to aid electronic
discovery, also known as eDiscovery. This refers to the process of
finding electronically stored information for litigation reasons and
generally isn't just restricted to searching for email. In 80 percent
of eDiscovery cases, email including attachments is requested, but in
at least 60 percent of the cases, general office productivity documents
are also requested (which means Word and Excel files on your file
server and desktops are part of the litigation). Metadata plays an
important role in this process, in what is referred to as "chain of
custody." Chain of custody is basically a verifiable process of who had
access to the data, and whether the data could have been altered or
changed during the eDiscovery process.
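The chain-of-custody idea described above, sketched as an added example (not from the original text or from any archiving product): each custody event records the actor, the action, and the item's SHA-256, and entries are hash-chained so that an edited or dropped entry is detectable. The field names, actors, and sample message are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value used by the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_event(log: list, actor: str, action: str, item: bytes, when: str) -> dict:
    """Record who touched an item, what they did, and the item's hash at that time."""
    body = {
        "seq": len(log),
        "when": when,
        "actor": actor,
        "action": action,
        "item_sha256": sha256_hex(item),
        "prev": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry = dict(body, entry_sha256=entry_digest(body))
    log.append(entry)
    return entry

def verify(log: list, produced_item: bytes) -> list:
    """Return a list of problems; an empty list means the chain and the item check out."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if entry.get("seq") != i or entry.get("prev") != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(body) != entry.get("entry_sha256"):
            problems.append(f"entry {i}: log entry was modified")
        prev = entry.get("entry_sha256")
    if not log:
        return ["no custody entries"]
    baseline = log[0]["item_sha256"]
    if any(e["item_sha256"] != baseline for e in log):
        problems.append("item hash changed between custody events")
    if sha256_hex(produced_item) != baseline:
        problems.append("produced item differs from the item first archived")
    return problems

# Constructed sample message and custody events (not real data).
MESSAGE = b"From: analyst@example.com\r\nSubject: Q3 outlook\r\n\r\nBody text.\r\n"
LOG = []
append_event(LOG, "journal-service", "ingest", MESSAGE, "2024-01-05T09:00:00Z")
append_event(LOG, "legal-reviewer", "search-hit", MESSAGE, "2024-03-01T14:12:00Z")
append_event(LOG, "legal-reviewer", "export", MESSAGE, "2024-03-01T14:30:00Z")
```

A chain like this only proves integrity if the latest `entry_sha256` is kept somewhere the people handling the data cannot rewrite, such as nonrewritable media; otherwise the whole log can simply be recomputed.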
2.3. Eliminating PST Files
It is our opinion that there are no good reasons at
all to have PST files in a corporate environment other than handing
them over to a lawyer for review. Starting to see the trend here?
Archiving systems can be your friend, but you will start working
closely with your HR and legal people. PST files have become popular
because of mailbox quotas, which were implemented to help curb the
growth of Exchange databases. These easy-to-implement policies were for
the longest time the only option an Exchange administrator had to gain
some sort of control over this growth. Now the problem is that the
quotas have a nasty side effect: end users who are unable to find the
Delete key on their keyboards are forced to groom their inboxes for old
email messages when they hit their mailbox limit.
They will then naturally create PST files. For the
longest time, this approach was encouraged by Exchange administrators.
These files then were created either locally on the desktop or laptop
or on the file server, where they would take up valuable storage space.
PST files use up more storage than the content would have used if you
kept the data in Exchange in the first place. However, we could
probably write an entire book on just eliminating PST files and we
don't have the space for that.
Large mailboxes together with an archiving product
can be one of your best allies here, helping you find the PST files and
bring them back under control, which ultimately reduces the storage
footprint of PST files in your environment.
2.4. Reducing Storage
Reducing the storage of production Exchange
databases was the first reason archiving systems became popular. In the
late 1990s, Standard editions of Exchange still had a 16 GB mailbox
store limit, and having a 5 or 10 MB mailbox limit was extremely
common. People were looking for other ways to offload content from
their mailbox stores, not only to keep the databases in line for
storage limits, but also to reduce the backup times. A reduced backup
also means a reduced recovery, which is something you start to
appreciate once you have gone through a full-blown Exchange disaster
recovery. Archiving systems can offload email to the archiving storage
system, while either leaving a shortcut behind to open up the archived
email or simply removing the entire message. Doing this can reduce the
size of your Exchange databases—sometimes up to 90 percent.
2.5. Compliance
Compliance makes most people cringe. Compliance
is a word that is often misused, but it is something that you will need
to understand. The odds are that your company is subject to some
regulation that requires you to retain records. Some industries face
stricter and more complex rules than others, especially health care and
finance. Regulatory compliance is just something that is either already
part of your daily Exchange life or soon will be. Let's briefly go over
some of the current laws that might be applicable to your organization:
Federal Rules of Civil Procedure (FRCP)
On December 1, 2006, a number of amendments to
the FRCP took effect. These new revisions and additions have an impact
on how companies retain, store, and produce electronic data, including
email for litigation. The rules that mostly affect organizations are as
follows:
Rules 16 and 26
These rules call for organizations to "give
early attention to issues relating to electronic discovery, including
the frequently-recurring problems of the preservation of the
evidence...." This means being ready to discuss a strategy for dealing
with electronically stored evidence at the very first meeting with
other parties in litigation.
Rule 34(b)
This rule requires organizations to produce
electronically stored information in its native format with its
metadata intact and to prove chain of custody. While the duty to
preserve evidence is narrowed only to relevant data, the potential
repercussions are great. For example, if a defensible process is not
demonstrated, opponents may be granted access to an organization's
network.
Rule 37(f)
This rule provides a "safe harbor" for data
destruction. Safe harbor means that organizations face no penalties for
deleting electronically stored information in keeping with routine
operation of IT systems if the party took "reasonable" steps to
preserve it. However, any destruction must be the result of routine
operation and done in good faith, a systematic framework must be in
place, and this systematic framework must have integrated litigation
hold procedures.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act was passed mostly in
response to the front-page news headlines of corporate corruption and
financial scandals (namely Enron and WorldCom) in the early part of the
decade. SOX provides severe criminal penalties, including jail
sentences, for corporate executives who knowingly destroy business
documents and other information that is used in the daily operations of
their organization. It also describes specific records that need to be
retained and requires a records retention period of seven years.
FINRA (Formerly Known as SEC Rule 17a-3 and a-4)
The FINRA rules focus on brokers and traders and
require these people to retain and store specific records, such as
customer communications and customer account trading activities, for a
specific period of time on nonrewritable electronic media and to make
them ready for easy review by the SEC within a reasonable time frame,
typically 24 hours.
Health Insurance Portability and Accountability Act (HIPAA)
One part of HIPAA requires that an
organization's patient records and related data (including related
email) be archived and retained in a secure manner that ensures privacy
and content integrity for at least two years after the death of the
patient.
ISO 15489 (Worldwide)
This standard offers guidelines on the
classification, conversion, destruction, disposition, migration,
preservation, tracking, and transfer of records.
Title 17 CFR Part 1
This regulation allows record keepers for
futures trading companies to store information either on electronic
media or on micrographic media. This regulation also requires that
"record keepers store required records for the full five-year
maintenance period" while continuing to provide commission auditors and
investigators with timely access to a reliable system of records.
FERC Part 125
This rule sets specific retention periods for
the public utilities industry and states the records must have a life
expectancy equal to or greater than the specified retention periods.
NARA Part 1234
The National Archives and Records Administration
(NARA) regulations specify which government agency records are kept,
for how long, and in what form and how they are to be accessed.
Freedom of Information Act (FOIA)—for Federal Agencies
FOIA allows for the full or partial disclosure
of previously unreleased information and documents controlled by the US
government. The act, which relies on the NARA regulations, defines
federal agency records subject to disclosure and outlines mandatory
disclosure procedures, and under certain circumstances, time frames for
response.
The Patriot Act
The Patriot Act requires the Secretary of the
Treasury to prescribe regulations "setting forth the minimum standards
for financial institutions and their customers regarding the identity
of the customer that shall apply in connection with the opening of an
account at a financial institution." Broker-dealers must have a fully
implemented customer identification program (CIP) that includes
procedures for making and maintaining a record of all information
obtained.
Federal Employment–Related Regulations
Largely unknown to many Exchange administrators,
many federal employment regulations exist that require some sort of
records retention, and they apply to all companies with employees. Some
of the better known are as follows:
Title VII of the Civil Rights Act of 1964
Age Discrimination in Employment Act
Americans with Disabilities Act
Family and Medical Leave Act
Equal Pay Act of 1963
Vocational Rehabilitation Act
Employee Retirement Income Security Act of 1974
National Labor Relations Act
Fair Labor Standards Act
These employment regulations are good examples of
employer requirements, so any company that employs people should at
least consider email archiving as a way to meet these regulations.
The regulatory requirements listed are the
well-known US federal government drivers for record retention and cover
quite a bit, including email data. However, this is not a complete
list. There are more than 10,000 records retention regulations
effective in the United States alone, and many of these are
state-mandated, so a review of the regulations of the states your company
operates in would be a great idea.
A city in the Midwest was using Microsoft Exchange
for the city's email communication infrastructure. However, due to
ever-increasing messaging volume, the network was slowly starting to
become unmanageable. One of the reasons was that employees were
retaining all of their historical email dating back to the early 1990s
outside of their mailbox in PST files. This resulted in backups and
storage capacity being strained to the limit. Because many state and
local governments do business electronically, and with the paperless
initiatives taking off, the problem was only getting worse. Any efforts
to bring the PST sprawl back under control manually by asking employees
to clean up were futile, and because end users continued to save all
their email in local PST files, the problems reached a boiling point
when the PST files started to experience corruption and monopolized
costly storage space on file shares, desktops, and laptops.
To ensure that data was preserved, retained, and
protected properly, the city government decided to move ahead and
implement archiving. A project was initiated to locate all the PST
files in the environment and bring them back under centralized control.
This strategy ensured that Legal, General Counsel and city officials
could perform retention management and search all the email content
easily for discovery when the city got a request for public records.
This allowed the city to comply with the US Department of State Freedom
of Information Act (FOIA) requirements.
2.6. Disaster Recovery
You are probably wondering what disaster
recovery has to do with archiving products. Well, the whole idea is
related to storage management. Probably 90 percent of the data stored
in Exchange databases is never accessed again by end users; however,
this data is backed up daily to either tape or disk and in case of a
disaster this data will also have to be restored. Archiving can help us
remove this 90 percent of data and therefore reduce not only the backup
time but also the amount of time it would take to recover a database.