Tens of thousands of e-mails pass through the offices of Friedman, Billings, Ramsey Group Inc. every month.
The Arlington, Va.-based financial services holding firm had stored e-mails on tape, but CIO Jerry Carlsen recently was given the task of upgrading that storage system to one that has the ability to index and archive e-mails.
So Carlsen dedicated 60 hours of his IT staff’s time each week for four months to work with SJ Technologies LLC, a global systems integrator in Phoenix, to develop the new e-mail storage system. The system required six new servers and uses EmailXtender software from Legato Systems Inc. Carlsen is still assessing what the best storage media will be.
With new hardware and software in place, Friedman, Billings, Ramsey has a system that’s capable of storing and indexing e-mails from 450 employees at 16 locations worldwide. Now if employees or regulators want to retrieve an e-mail, they can use the date, user, topic or other identifiers to find it.
Such attention to e-mail might seem excessive, but executives in industries across the board are realizing that properly storing messages has become serious business as courts, government officials and industry regulators increasingly order expensive searches and issue stiff fines for lost or poorly stored e-mails.
Consider this: Securities regulators recently fined five Wall Street firms – Goldman Sachs & Co., Salomon Smith Barney Inc., Morgan Stanley, Deutsche Bank Securities Inc. and Piper Jaffray Inc. – a total of $8.25 million for not keeping certain e-mails for the required period of time. Regulators said the five firms violated securities rules by failing “to preserve for three years, and/or to preserve in an accessible place for two years” such office memoranda as e-mails related to their exchange, brokerage or dealer businesses.
Companies must follow legal and regulatory requirements that dictate what records to keep and for how long. These rules generally don’t speak to the media on which those records originated; instead, they usually apply to all records, whether they’re papers, e-mails or electronic attachments.
Brokerages often have the tightest regulations when it comes to archiving records, experts say. For example, the U.S. Securities and Exchange Commission requires that they keep securities transactions for seven years. But brokerages aren’t the only ones working under record-keeping requirements. Lenders must keep Home Mortgage Disclosure Applications – whether on paper or in e-mail – for three years. Human resources departments must keep personnel records, including e-mailed applications and responses to job ads, for one year from the date of personnel action.
“It’s a technology nightmare, and it’s going to get worse as the years go on and the e-mails build up,” said Mark E. Schreiber, a partner in the labour and employment department at Boston law firm Palmer & Dodge LLP.
Companies that don’t keep required documents, including e-mails, could face more than fines, said Mickey C. Andrie, a sales manager at SJ Technologies. Under the SEC regulation known as 17a-4, financial services firms could be hit with censure or with license suspension or revocation as well.
Firms that fail to archive e-mails so they’re easily and quickly retrievable also face the high cost of trying to recover one or two messages demanded by a regulator or a judge, for example.
Winston Krone, managing director in the San Francisco office of SafirRosetti, a security consulting, investigation and intelligence firm, has worked on cases where he had to sort through 150GB of information to find required e-mails. A midsize company with a couple of venues could spend up to US$500,000 combing through corporate e-mails to find one or two messages, he said.
Certainly, companies had to cope with records retention for decades prior to e-mail, and many employed compliance officers or lawyers to oversee records management. But executives have had less experience in dealing with archiving e-mail, experts say, and that has led to some of the confusion on the issue today.
“E-mail exploded on the scene with no traditional solutions,” said Deborah Baron, director of product marketing at Zantaz Inc. in Pleasanton, Calif. Zantaz provides digital archiving and records management tools as well as electronic discovery to meet the regulatory, audit and legal compliance needs of financial services firms, energy companies and government agencies.
And with the SEC getting tough on e-mail archiving after finding incriminating e-mails during recent scandals like the one that took down Enron Corp., companies are now paying closer attention to the topic.
In light of that, experts agree that technology personnel shouldn’t be the only ones devising e-mail storage policy. Companies should have legal counsel, regulatory managers, human resource executives and IT personnel formulate a strategic plan for storing, archiving and managing the data.
They should start by defining their goals, said Laura Harrison, project manager for SJ Technologies’ messaging business division. SJ has partnered with Mountain View, Calif.-based Legato, a provider of online data storage management and data access products, and with Oracle Corp., to design and implement enterprise-wide content management systems as well as customized storage applications.
Companies must decide whether to keep all e-mails or only specific ones. Most companies, after doing a risk analysis, decide to keep them all, even those that just say “Let’s meet for lunch,” rather than risk deleting a crucial e-mail that might later be required, Harrison said.
Next, IT staffs should examine the number of employees and the volume and size of the average e-mail, experts say. They should also consider what needs to be kept near-line or online, how often stored messages will be accessed, and who will access them. In general, simply adding more disk capacity to existing backup storage systems won’t be sufficient to meet legal and regulatory requirements, said Baron.
The Security Angle
Baron advises companies to also consider security when devising e-mail storage systems. “E-mails stored on backup tape leave room for tampering. That’s why real-time archiving is critical to meet legal and regulatory requirements,” she said.
Consider U.S. Food and Drug Administration regulation 21 CFR Part 11, which establishes the criteria under which electronic records and signatures are considered equivalent to paper records and hand-written signatures. It requires in part that access to electronic records be restricted to only authorized personnel and that companies must be able to retrieve stored data for the same length of time as equivalent paper records, which can mean up to 10 years or longer.
“When companies are not fully compliant with 21 CFR Part 11, the FDA makes a case-by-case evaluation as to whether or not to pursue regulatory actions. Non-compliance might lead to regulatory exposure, costly rework and downtime, compromised product quality, and even fines, prison sentences and sanctions,” according to the Web site of Princeton Softech Inc., a Princeton, N.J., company focused on data management products and services.
Experts say e-mail storage usually involves investing in new hardware, such as network-attached storage or storage-area networks; software to manage it; networking equipment such as routers, switches and firewalls; and a database administrator.
A company would pay approximately $100,000 for hardware and another $100,000 for software for a 5TB protected configuration, according to estimates provided by EMC Corp. in Hopkinton, Mass.
Companies can expect a total e-mail storage system to cost six to eight times as much as the base storage hardware (for example, a RAID storage system or optical disks) on an ongoing basis, Baron adds. So if a company spends $1,000 per month for storage hardware, it should budget $6,000 to $8,000 per month to manage the system.
But Christopher Laping, vice-president and CIO at Denver-based GMAC Commercial Holding Capital Corp., said costs are often secondary to meeting the evolving regulatory and legal requirements for e-mail storage.
As SJ Technologies president and CEO Ian Singer said, “It’s more an issue of compliance.”