Compliance: the hazards of e-mail
Why is the e-mail part of compliance such a headache? Each message is usually a short and simple document, with predictable metadata: To, From, Date, Subject. Yet management of those files lags far behind that of most other electronic documents. In a study conducted by AIIM, only 11 percent of users reported that their compliance with respect to e-mail was completely under control. Nearly 25 percent described their e-mail management as "complete chaos."
According to AIIM President John Mancini, "The key thing that has changed is that in many organizations, e-mail has become the central way in which business and decisions are discussed, made and documented. Yet most organizations continue to treat e-mail as informal or ad hoc 'conversation.'" Differentiating between e-mails that have sustaining business value and those that do not is a central information management challenge facing most organizations, Mancini believes. From a compliance viewpoint, managing e-mail proactively has become critical.
The volume and pervasiveness of e-mail have both become major problems. The Radicati Group (radicati.com) estimates that the average e-mail user sends and receives a total of 16.4 MB of data per day. And e-mail is part of nearly every business process.
"E-mail serves as the de facto system of record," says Aaref Hilaly, CEO of Clearwell Systems (clearwellsystems.com), which provides e-mail intelligence solutions. Because it is used throughout the enterprise in so many functional areas, e-mail is the central focus for many legal and compliance investigations.
"When questions are asked regarding who knew what and when, the answer is often documented by e-mails," adds Hilaly. A significant number of recent cases, including Enron and Vioxx, hinged on the timing and content of e-mails. Compliance includes responding to those questions within a specified amount of time, as well as managing the e-mail records properly in the first place.
Rapid response
Pooley & Oliver uses the Clearwell Email Intelligence Platform to assist its clients in e-mail review and analysis in litigation related to patents. Using Clearwell, legal professionals can quickly and easily classify e-mails into those that are responsive vs. non-responsive, privileged and "hot," meaning those that are critical to the case and almost certain to show up in court. Placing the e-mails in those four categories expedites the review process considerably, according to Scott Oliver, partner at Pooley & Oliver.
"We can easily generate a privilege log because the appropriate e-mails can simply be checked off, and a file of them is then automatically created," Oliver says.
One of the features that Oliver values most is Clearwell's ability to connect messages that are part of threads that provide information about the timing and participants in a discussion.
"Jurors like timelines because they can see the sequence of events laid out clearly," says Oliver, "and the threading feature helps generate this." In addition, by eliminating duplicate messages, Clearwell can reduce the number of e-mails to be analyzed by 25 percent to 40 percent.
Clients of Pooley & Oliver have responded very favorably to the new approach. "Not so long ago, this review process was done manually," recalls Oliver, who estimates that the e-mail portion of responding to a discovery request typically accounted for 20 percent to 30 percent of costs. Using Clearwell's platform, the time to complete the review is reduced, which not only saves money for clients, but also helps ensure that they will comply with deadlines for producing the information, thereby avoiding penalties.
Anticipating and preventing e-mail violations is an approach that is proving attractive to a growing number of companies. Orchestria offers a family of products oriented toward ensuring corporate governance of electronic communications. Orchestria's solutions include software that categorizes messages for archiving, provides review and audit capabilities, and provides real-time monitoring. The Real-Time Prevention product can be configured to use an active policy management (APM) approach that prevents users from sending e-mails that fall outside of corporate guidelines.
In many cases, non-compliance is not intentional but occurs because users are not familiar with corporate policies or do not know how to comply.
"According to one study," says Paul Johns, VP of global marketing for Orchestria, "87 percent of non-compliant activity is inadvertent. People are sometimes not up to speed on changes in regulations, for example, or on their company's policies. The 'post and hope' strategy for educating users about policies is often ineffective."
Orchestria maintains a library of 250 policies to cover key rules and regulations put out by the SEC, NYSE and NASD. "We have built up a lot of domain knowledge," says Johns. "We can tell our clients what the latest changes are in regulations."
A key component of Orchestria's solution is automated categorization of e-mail messages, which helps identify those that may be in violation of regulations. Messages containing information that should not be released publicly (for example, during the quiet period of an IPO) can also be targeted. Response options include blocking the message, giving a warning to the sender or redirecting it for review. Categorization simplifies the review process in cases where human intervention is required.
Orchestria also integrates its governance products with leading content management products from Oracle and IBM. It will support Oracle's Oracle Content Database (Oracle Content DB) and Oracle Records Database (Oracle Records DB) by automating categorization of content. Orchestria's software also is interoperable with IBM Content Manager and CommonStore for Messaging.
Resistance is futile
Some firms have dodged the e-mail issue because they believe the potential liability is greater in keeping messages than in deleting them.
"There has been a fair amount of resistance to capturing and controlling e-mails," says Thomas Bookwalter, an expert in compliance for AXS-One, "because organizations thought they were safer not having them." But for every message that is sent, there are one or more recipients, so eliminating them at the source does not eradicate them. Moreover, the fines for deleting messages that should have been retained are now as intimidating as those for incriminating content.