E-mail archiving and management: From niche to core component

Mimosa Systems
Mimosa Systems began shipping in May 2005 and has more than 40 customers to date. Some of its major customers are AAA Insurance, Virtua Health, Fosters Beverage and Washington State University. Mimosa concentrates only on the Microsoft Exchange marketplace, and Mimosa NearPoint uniquely captures 100 percent of Microsoft Exchange e-mail data via a technique called Application Shadowing, without impact on the Exchange Server (unlike other solutions that use MAPI and Microsoft Exchange Journaling). NearPoint captures the data in a bulk method and transforms the raw data "off-host" for the purposes of recovery (database, mailbox, message), archival (retention, search/discovery) and for storage management.

Open Text
Major Open Text customers include UBS, Merck, Hitachi Data Systems and the U.S. Treasury. In the past year, Open Text has worked to tighten integration between its records management and archiving products. For example, as soon as an e-mail is classified as SEC 17a-4 relevant, it automates the process of storing that e-mail on the required WORM device in an organization's mixed storage environment. The next release of a new suite of e-mail and archiving solutions in May will build on those capabilities.

To meet the increased need for rigorous classification of records, Open Text has partnered with Trusted Edge to extend its RM Edge product suite in its offerings. Open Text has also developed a sampling and supervision extension to its e-mail archiving and management offerings, which allows customers to select a random sampling of e-mail from a user's mailbox, and route it to the appropriate review staff. Open Text has partnered with litigation support specialist TCDI to provide seamless access to all content stored within the Open Text records management system, meaning that duplicate copies of content do not need to be created and exported into the litigation support system.

Postini
Postini is a hosted solution that processes 1 billion messages daily through its data centers for 9.1 million users. Some larger customers include Merrill Lynch, BASF, Circuit City, Lloyds of London, KPMG, Perrier, United Technologies and Corning. Postini filters and manages mail in real time, delivering only legitimate e-mail, while blocking or quarantining spam and viruses. The company archives or encrypts messages based on customers' policies

Postini introduced its Integrated Message Management (IMM) solution suite in September 2005. IMM builds on its success since 1999 in providing e-mail security, giving customers security and protection for both their e-mail and IM. It provides anti-spam, anti-virus, content management, inbound and outbound filtering, archiving, encryption and continuity services.

What's the rush? The law is coming!

What's driving the rush to implement e-mail archiving/management software? One big reason is that an estimated 60 percent to 70 percent of business-critical data resides in e-mail, but there is also a bigger stick: compliance. The law has become a strong motivator for businesses, especially in this era of increased government scrutiny resulting in lengthy court cases, fines or even jail time.

Some of the regulations apply to a broad swath of firms, such as Sarbanes-Oxley (commonly referred to as SOX), which applies to all public firms and regulates financial auditing, quality control and independence standards, requiring executives to certify the veracity of their financial reporting. SOX mandates that public companies save all business records, including electronic records and messages, for no less than five years, and relevant audit-related documentation (including e-mail records) must be retained for seven years.

Other regulations are specific to vertical markets, most especially the financial services, investment brokerage and banking segments. Many financial services and related firms are upgrading existing systems to improve their ability to quickly search and find relevant e-mail records when discovery requests are made. Here are some key laws impacting the retention, preservation, searchability and production of e-mail records for financial services entities:

Financial services firms
Gramm-Leach Bliley Act
Financial institutions must ensure the security of non-public personal information; as such, they are required to maintain and store those communications in compliance with the SEC's Rule 240.17a-4 and NASD's rules 3010 and 3110 (all e-mails must be preserved for a period of not less than six years, with the first two years in an easily accessible place).

Investment broker dealers
Securities & Exchange Commission (SEC) 17a(3,4) Records of Certain Exchange Members, Brokers & Dealers
A broker or dealer must preserve records and documents for three to six years, the first two years of which they must be in an accessible place. All documents and records must be time-stamped, stored in a non-rewritable/non-erasable format, organized and indexed, with a duplicate copy stored separately from the original. The indexes should be duplicated and stored separately from the original, and they should be available for examination and preserved as long as the documents and records.
NASD 2210--Communications with the Public
All sales literature and correspondence made available to customers or the public (including e-mail) must be maintained for three years from the date of each use including the name of the person who prepared the literature and/or approved its use. Any communications (including e-mail) that deal with the performance of past recommendations or actual transactions should be stored at a place easily accessible for the accounts or customers involved.
NASD 2711
All research reports--including any written or electronic communication that includes an analysis of equity securities of individual companies or industries and that provides information reasonably sufficient upon which to base an investment decision--must be retained for three years following its publication.
NASD 3010
A system should be established and maintained to supervise activities of all registered representatives, including the use of e-mail and Web sites. Written procedures must be developed for the review of any written and electronic correspondence with the public relating to investment banking or securities business. If an electronic or manual pre-use review is not done, appropriate supervisory procedures should be developed, as well as monitoring and testing the procedures, educating employees on the procedures and documenting the education of the employees. All correspondence relating to investment banking or securities business should be retained along with the names of the people who prepared and reviewed the correspondence, and the retained records should be readily available to NASD.
NASD 3110
All books, accounts, records, memoranda and correspondence should be retained in the same format as stated in SEC Rule 17a-4 (i.e. non-rewritable, non-erasable, and time-stamped). All e-mails and Internet communications that relate to the broker/dealer's business must be retained for at least three years, the first two years in an easily accessible place.
IDA 29.7 (The Investment Dealers Association of Canada)
All client correspondence and related documents, including e-mails, must be retained for five years from the date of creation.

Banks
Office of the Comptroller of Currency (OCC) Advisory: Electronic Record-Keeping
Banks should implement an electronic record retention system to allow litigation, audits, bank supervision and compliance with laws and regulations. Systems should also prevent external access by third parties, and provide backup, internal controls, record destruction and record retention.
Federal Deposit Insurance Association (FDIC) Advisory: Information Technology Risk Management Program
It requires encryption of electronic customer information while in transit or in storage.
Basel II
Banks must create internal processes to control, supervise and enforce risk management practices, including those involving internal communications (e-mail).

In the second part of the article, we'll review some other leaders in this explosive and critical marketplace.