Compliance: the hazards of e-mail

"For a long time, the penalty for not retaining e-mails was less than those that resulted from disclosing the information they contained," Bookwalter adds, "but that is changing now."

AXS-One has a long history in digital records management that focuses on large volume and rapid search of information, and now offers the AXS-One Compliance Platform as its archival solution.

"There are several drivers for managing e-mail," says Marie-Charlotte Patterson, VP of market strategy for AXS-One. "Regulated industries need to demonstrate compliance with the law, and all industries are contending with excessive volume and the threat of litigation." In the long run, organizations will need to account for all of their corporate communications, whether they are in one of the highly regulated industries or not.

One diversified financial services company began using AXS-One's solution for archiving e-mails in order to reduce storage costs, which were predicted to double within the next two years. The company has 40,000 employees in 1,000 locations, and uses IBM Lotus Domino. The company's security trading desk had stopped deleting any messages in order to comply with SEC and NASD retention requirements. Demands were being placed on the system for internal audits and discovery. A legal case that was settled prior to going to court made the company aware that it needed better management of its e-mails.

The company brought in a range of stakeholders, including compliance, legal counsel and HR, and then began developing policies for retention. Considerable effort was required to bring together groups with varying perspectives on the optimal retention strategy, but the company was successful in doing so. After the AXS-One solution was implemented, its client projected that cost savings over the following two years would reach $1 million as a result of improved operations. But the potential savings from being able to respond to requests for information in a timely fashion were even greater, and the system substantially reduced corporate risk.

Room for IMprovement

It is not surprising that so many of AIIM's respondents reported complete chaos in managing their e-mail, because a significant number of companies have not established policies. In a Webinar hosted by Sendmail and Osterman Research, 36 percent of participants reported that they had no e-mail or instant messaging (IM) policies in place. The companies were mostly large enterprises with IT budgets of more than $1 million--organizations that might be expected to have a plan.

IMs are particularly vulnerable to misuse because they seem so transient to the user. According to a study by the American Management Association and the ePolicy Institute, half of the IM users in the workplace send or receive content that is risky. Only a small fraction of companies archive IM content, which has reached record levels. The Radicati Group states that the number of instant messages being sent each day on enterprise IM networks is 1.9 billion.

For the highly regulated industries, such as broker/dealers, IMs are managed just as e-mails are. SEC Rule 17a-4 mandates the retention of all communications, including IMs. In other industries, IM usage is often unmonitored and outside the context of enterprise applications. Organizations are likely to move toward improved management because of the potential risks, but as in the case of e-mail, will have to cope with a tremendous volume of messages.

Managing the flow

The Sendmail Mail Transfer Agent (MTA) is the most widely used technology for routing Internet e-mail. Up to 70 percent of the world's Internet e-mail messages are estimated to go through a Sendmail open source or commercial server. The company has a broad line of enterprise products and services for e-mail security, e-mail processing and policy management.

"Our compliance solutions deal with the entire spectrum of processing an e-mail, from discovery to capture, control and reporting," says Glen Vondrick, senior VP of worldwide field operations for Sendmail. Compliance policies and lexicons that tag key words and content associated with a problem e-mail can be deployed out-of-the-box or customized based on the customer requirement.

A number of Sendmail's products are designed to eliminate unwanted messages, including spam and improperly addressed e-mails. The Radicati Group estimates that by the end of the year, 71 percent of e-mail messages sent worldwide each day will be spam, increasing to 79 percent by 2010, so eliminating them is essential.

Fiserv provides information management systems and services to financial and health benefits industries. The company is using Sendmail's Flow Control to manage e-mails that come through disparate systems that resulted from multiple corporate acquisitions.

"We are using Flow Control to protect against activities such as directory harvest attacks, which compromise privacy by extracting addresses from e-mail servers," says Michael Kastern, lead systems engineer at Fiserv. "We have about 70 companies within our parent company, and handle large numbers of e-mail transactions."

E-mail is a headache because it mixes together a lot of problems. It is being used for a broad range of purposes--most of which it were not anticipated, there is a lot of it, and messages are often composed without careful thought, producing content that might be incriminating. But solutions are available that will result not only in improved compliance, but also in better business practices.