Some organizations believe that minimizing the retention time of historical email reduces their business risk. They make it a routine practice, and in certain instances attempt to set company-wide policies, to delete old electronic communications, assuming that the messages will not be needed nor recoverable in other places.
With a Sarbanes-Oxley Act compliance deadline recently passed and others looming in the years to come, the question about what the statute mandates with regard to email retention is called into question. Seemingly routine business practices to minimize business risk may indeed be leaving organizations at greater risk, exposing these organizations to severe long-term legal repercusions.
The Sarbanes-Oxley Act imposes some strict penalties for the destruction, alteration and falsification of business records. Email and Instant Messages, given their transactional nature, are considered to be viable business records that are subject to legislation prohibiting their intentional destruction. The Act states that companies and their accounting firms must maintain records of their company audits (audit documents) for at least seven years. This requirement is stipulated by the Public Accounting Oversight Board. To comply, many firms keep their records in paper format, but the massive amounts of electronic data generated make it impossible to store this data for the required 7-year retention timeframe.
But, the Act is clear in that destruction of electronic records, including deletion, carries with it some stiff penalties. Section 802 of Sarbanes Oxley imposes fines of up to $1,000,000 and prison terms of up to 20 years for knowingly deleting an email with the intent to impede, obstruct or influence a current or future federal investigation. Section 103 mandates that audit work papers must be retained for more than five years and a failure to do so is punishable by up to 5 years in prison and/or a fine.
Although SOX fines and penalties have not been levied, the Securities and Exchange Commission is showing that it is serious regarding enforcement of other related email acts. For example, the SEC has hit a number of companies with fines for improper message retention. Further sections of the Act outline more penalties for deleting email business records under the charges of obstruction of justice. Specifically, the alteration, destruction or concealment of any records with the intent of obstructing a federal investigation carries an unspecified fine amount and/or jail time of up to 10 years.
Federal penalties for publicly-traded companies under the Sarbanes Oxley Act are stiff, and it is only a matter of time before the first penalties are introduced. To avoid being a victim of the long arm of the law, companies can implement one of several models for message retention.
First, companies can choose to not save any email. The 'delete everything' policy is cheaper in short run but the approach requires the loss of information valuable to the business. The expense of this approach is most evident during an audit or legal proceeding where email has to be produced upon request. In addition, employees will subvert any attempt to "delete everything" in the short term, as they want their own personal records of their activities, contacts, and transactions.
Second, what most companies implement is a 'selective deletion' policy, requiring the retention of selected documents and the deletion of others. This risky process puts the onus of deciding what to retain, squarely on the public company, exposing the company to significant risk. If the wrong email is deleted, companies can be prosecuted under Sarbanes Oxley's penalties for work record destruction. In addition, controlling who has copies of an email that was supposedly deleted is impossible. Email, unlike other forms of records, are saved in multiple locations, from personal workspaces, CDs, removable storage etc. Deletion policies do not remove the risks associated with email. They add to the risks.
Third, the flip side of 'selective deletion' is 'selective retention,' requiring companies to designate what needs to be retained and not govern by policy what needs to be deleted. The policy appears feasible in theory, as the process helps organize what's important, but it still exposes companies to risks associated with employees saving documents in locations outside of a centralized retention environment. During an audit, selective retention becomes expensive as auditors will invariably ask for the production of emails that are not part of the central archive as part of the stated retention policy.
The best defense is being proactive. Companies are advised, as part of best practices, to apply a policy to save nearly all email and documents in an intelligent and easy-to-retrieve archive. The smartest, conservative companies believe that retaining all email as a business record is the safest, most cost-effective approach to managing email as it protects against both Federal audits and lawsuits. The approach of retaining all email removes the difficulty of pinpointing exactly what constitutes a work record and what needs to be archived.
Public companies need to preserve information. Any destruction of potential evidence, including deleting emails, could be seen as obstruction of justice. Companies have tried to work around mandatory retention with stated corporate policies, only to find these policies null and void because an employee has copied or moved their email to a location where it can be retrieved after it has been supposedly deleted. If an organization is asked to produce email in discovery for a lawsuit or as part of a federal audit, it must assess all locations where messages might exist; often, leaving a firm to sift through backup tapes, personal storage folders, file cabinets, desktop and laptop computers and other forms of offline media such as CD-ROM and USB key fobs. The task can be enormously expensive and time consuming. Many companies have chosen to settle lawsuits because they could not provide adequate defense information in a reasonable time frame, even though the information resided somewhere within their organization.
A further danger can be realized if a disgruntled employee or an embittered partner uses their creative talents to alter or fabricate a message to read favorably in a lawsuit or dispute against an organization. Without a verified and complete copy of the original message in its possession, as well as the context and surrounding messages, the organization is unable to dispute the authenticity of a message.
The Sarbanes-Oxley Act outlines some distinct guidelines to help companies preserve investor confidence and protect themselves from civil litigation. It is a business best practice to implement a company-wide message retention policy based on the use of a third-party electronic archiving service to store and retrieve all communications on-demand. A third-party service removes the burden of building and maintaining an on-site message archiving system, and also provides a better arms-length relationship for non-tamperability than an in-house system.
The regulatory drivers warrant that a message archiving solution includes:
Retention Policies – The service should allow organizations to enforce retention rules for all electronic communications.
Accessible Archive in Redundant Systems -- The service should allow organizations to keep archived messages online and in fully redundant systems.
Complete and Tamper-Proof Archive – The solution should commit and preserve all electronic messages to verifiably tamper-proof media.
Supervisory System – The solution should enable organizations to establish and maintain a supervisory system that includes regular review of incoming and outgoing electronic correspondence based on statistical sampling, as well as predictive and ad hoc surveillance capabilities.
Streamlined Search and Retrieval – The solution requires more than simply having all electronic messages preserved online; flexible and efficient ad hoc search and retrieval tools must be available to dramatically reduce the amount of human effort needed to meet a discovery or audit request.
Electronic communications are a de facto business register. As such, in the eyes of Federal auditors, email and instant messages are subject to the same retention policies as printed records. Regulated organizations should consider electronic message archiving services as part of an overall company strategy for retaining and protecting valuable electronic records.
Managed electronic message archiving services simplify the process of demonstrating compliance for most companies, and these services require no additional hardware and software expenses for the organization. Additionally, a service transfers the burden of application support to the vendor expert, rather than placing this burden on an already overworked, undermanned IT staff. The result is lower costs to the organization and better use of IT resources for strategic initiatives.
As more regulation deadlines loom, it is wise to evaluate your entire electronic message retention policy and consider what kind of electronic message archiving service is the best option for achieving compliance for your organization.
The author is national manager of regulatory compliance services FrontBridge Technologies.