Email: Compliance and Information Management

By | August 21, 2006

Clearly, allowing individual users to determine when to delete or how to archive their own email records could place a company in breach of all of these requirements. Equally, such companies will struggle to respond to requests for information which legislation such as the Freedom of Information Act requires them to answer within a specific period of time.

In addition to data protection legislation, which applies to all organisations, most companies are also subject to sector-specific legislation. For example, the financial services industry already has to demonstrate due diligence in respect of anti-money laundering regulations and ‘know your customer’ audit trails, and MiFID legislation will increase record keeping requirements even further.

Litigation Risk

While a demonstrated failure to meet compliance requirements may be embarrassing and commercially damaging for any organisation, the potential impact of an inability to access relevant emails in respect of a law case can be catastrophic.

Law courts increasingly recognise the evidential importance of email and are likely, where litigants fail to produce relevant email evidence within usually very short time scales, to authorise opposition lawyers to investigate the email archive themselves. Not only could this expose confidential information to unfriendly parties, it could also give them new and unexpected perspectives on the issues they are pursuing.

Conclusion: Best-practice Guidance

The importance of email management is not in doubt, but organisations face a complex challenge in determining how best to approach it. The requirements are clear – they need to minimise data storage requirements and costs, and to eliminate multiple, user-defined data retention policies.

End-to-end email management, retention, maintenance and archiving solutions enable organisations to achieve this, but the market is full of competing products which appear to do this and companies are left without clear guidance on how to choose between them.

None of these solutions can deliver automatic regulatory compliance, but they can help organisations to position themselves to do so. As a code of practice, ISO 17799 recommends that organisations select controls on the basis of risk assessment and that investment in technology should contribute directly to achieving those controls.

From the perspective of multiple, sometimes conflicting regulatory compliance requirements, any organisation that implements international best-practice recommendations such as those laid out under ISO 17799, ISO 1549, BIP 0008 and MoReq, can be confident that it has taken the most appropriate action to meet its legal obligations.

Zantaz is exhibiting at Storage Expo 2006 UK
