Monday, 07 January 2008

Regulatory Requirements

Finance, pharmaceutical, healthcare, telecommunications and government-related firms must observe strict electronic document retention requirements. Regulations aren't strict for nothing: Email retrieval was key to the government's case in the Enron scandal (Andersen's shredding party notwithstanding). For instance, the SEC insists that American securities firms retain their electronic documents for five years--and be sure they can search and restore specific messages and threads in a short turnaround. Elizabeth Schnitzer of Iron Mountain noted that nearly 10,000 brokerage firms must keep all correspondence regarding a stock trade for six years, while email related to general business issues must be kept three years. And in companies whose analyst and investment banking divisions may have grown too cozy, the government closely analyzed email communications to build its cases.

Last year the SEC, NY Stock Exchange and NASD forced five major Wall Street firms to cough up over $8 million in non-compliance fees. What did they do--or not do--that cost them $1.65 million a firm?

The firms backed up email as part of their regular backup routines. However, they discarded, recycled and overwrote the backup tapes and other media, often a year or less after backup occurred.

Each firm had spotty procedures and systems around retaining and restoring email data. Some firms simply assumed users would retain all their email on their own hard drives. Many users did, but the firms could not efficiently search these emails in time to satisfy the investigators.

There were no formal policies in place for users to retain their emails. When a user left the company, IT erased his hard drive, deleting the email along with it.

The irony of the huge fines is that unlike bad guys Enron or WorldCom, the securities firms didn't do anything differently than most firms do with their email. That is why Boulder's President Lesley Taufer commented, "It's unclear if their processes were haphazard. That's why the fines were so significant." The firms may have been acting within traditional acceptable boundaries for email management. But what used to be acceptable will no longer do.
