One major reason for organisations looking to archive email is the increasing need to comply with regulations concerning its retention and recovery upon demand. Compliance is driven by various governmental and industry regulatory demands. Legislation commonly calls for retention periods and may demand deletion after a certain term.
The common requirement of many regulations is to record all emails relating to requisite subjects, departments or individuals; to maintain a secure and auditable copy of communications; and to ensure this copy is inaccessible to the user but available for fast retrieval should it be required.
While regulatory compliance means different things to organisations in different industries, countries and sectors, there is a common theme: that of copying emails to a secure archive.
We asked Dave Hunt, CEO of C2C Systems, whether there are off-the-shelf e-mail compliance products.
"It’s a myth that there are “compliant” solutions you can just buy off-the-shelf. It’s up to your organization to translate the applicable regulatory requirements into processes and find out which IT solutions can help you reach your goals; only then can they be combined in a way to help you comply."
How do you know which regulations affect you?
"So, what regulations apply to your organisation? There may be hundreds of different and often conflicting requirements to be met already, and an expectation of more to come - for Europe at least. For example, employment regulations might require you to copy all e-mails from the HR department regarding employees onto a secure archive and keep them for three years - then delete them. Legislation at company level might require all of the Board’s e-mail to be saved for longer."
"Your internal policies might dictate an alternative approach for, say, your sales team - keep all their e-mails with 'quote' in the title or text for 90 days in a common team archive. If this is held on a fast retrieval storage medium for three months, then it may be appropriate to transfer the archive onto cheaper and slower longer-term storage before deleting after a year."
It is not just external regulations then. The message here is that an e-mail archiving system necessarily has a bespoke or customised element to it?
"The key is to find an archiving solution that is flexible to your needs, yet is built from the core to maintain e-mail integrity: it may prove insufficient to copy the e-mail into another ‘compliance’ system as the messaging integrity could be broken. Regulations almost certainly require that any record (including e-mail), when retrieved, can be reproduced, viewed, and manipulated in the same manner as the original. When time comes for regulatory audits, you won’t want e-mails challenged for lack of authenticity."
"It’s also important to understand why back-up of e-mail isn’t enough to meet regulatory requirements. The fast indexing and search for retrieval of e-mail is inherent to true archiving solutions. When you need to track down e-mail, you’ll no doubt need to search millions of messages and their contents in a restricted time-frame. Back-up just doesn’t allow for this to happen; true archiving solutions are built for the writing away and retrieval of high volumes of e-mail, maintaining full indexes and audit trails which would stand up in a court of law."
The archive's two main attributes are, first, that e-mails put into it are held securely and with their message sequence structure intact and, secondly, that e-mails can be retrieved easily and quickly.
"Searching and retrieving messages within a prescribed time-frame is virtually impossible to do manually; when the requirement is to retrieve an e-mail out of millions within (say) 48 hours, this does not mean “give the request to the IT department and they must present the data within 48 hours”. This almost certainly means “your company has 48 hours in which to present the data”, so you need to get the data to the lawyer who probably needs to set it out in the context of the case and to present that within 48 hours. Realistically, the IT dept probably needs to find the data within an hour! This implies the need for a fully flexible, well-managed system."
Lawyers have a pretty demanding relationship with business. It seems to imply here that processes have to change and, obviously, storage needs go up.
"Compliance indisputably means storing more e-mail. The key for the storage manager is to do this within available resources: to work out how the need to save and manage more and more e-mail can be fitted in with the storage infrastructure and strategy already undertaken - and do so without blowing the budget on these often unforeseen storage expenses."
"The obvious approach is to make the most of the storage infrastructure you have by ensuring the appropriate e-mail can be archived to the most appropriate media for optimal cost and accessibility. It’s important to integrate the archival process with the storage management software or direct storage media that you have in place - archiving is a process, it's no good setting up the archiving solution then discovering it doesn't work with the storage software you already have. It is also essential not to waste space: compress an e-mail so you make the most of the storage capacity that you have, not only in the archive but on the e-mail servers too."
Hunt says that if we follow these guidelines when looking for a compliance and archiving system, we'll find we don't have to abandon good common sense, and that the worlds of storage and e-mail archiving for compliance really don't have to be a million miles apart.
A last thought: any information lifecycle management system you put in place should, logically, include e-mail storage (for compliance). That means, if Hunt is right, that the ILM product needs a customisable e-mail archiving component.