Mike Hill explains why it is now more critical than ever for organisations to store, and be able to retrieve, electronic data
Compliance is the buzzword of the moment. For many companies in highly regulated industries such as healthcare and pharmaceuticals it has been on the priority list for a while. But since the high-profile corporate scandals at Enron, WorldCom, Parmalat and others it has moved onto the agenda of every organisation.
Gartner Group estimates that some large and mid-sized enterprises will spend as much as $2m each during the current year to become compliant with legislation such as Sarbanes-Oxley. Will they spend this money wisely, and how can they best benefit from the investment?
Up to now, many compliance requirements have been partially addressed by separate IT products, each solving one problem in one area, including backup and archiving. As a result, organisations have tools that, to a greater or lesser extent, allow them to store and archive data and comply with data retention requirements, but the data is usually held in multiple locations and in diverse formats. Frequently the organisation has little idea of what data is actually being retained, or what it contains.
Banks and other financial institutions are becoming increasingly regulated and are now required to store all electronic communications related to their business and retain them for several years. This requirement may also apply to any organisation that accepts orders, changes to orders, invoices, credit notes or similar accounting documentation electronically. Archive systems are all well and good, but some of them require the whole archive to be restored before a single specific item can be retrieved.
The rub often comes when an organisation is asked to retrieve a particular detail, an e-mail message for example. In a recently reported case in the USA, Perot Systems claimed that it was going to cost $4.7m to retrieve some specific e-mails requested for a court case.
To make matters more complex, some legal requirements also impose a time constraint: the Data Protection Act 1998 requires that you produce the information requested in a subject access request within 40 days. The Freedom of Information Act 2000 also applies a time limit for compliance with a request; this is normally 20 working days, extended to as many as 60 working days for some types of organisation and in some circumstances.
It is of no real benefit having the world's most comprehensive archiving and storage system if you cannot retrieve selected items from it quickly and easily without disrupting your normal business. Your data retention policy should specify what kinds of data are stored, for how long, and what kinds are discarded. Wouldn't it make sense for your archiving and storage system to implement this automatically? That way you could ensure that you are storing only the information that is both relevant to your business and necessary to achieve legal and regulatory compliance.
There is a need for 'intelligent' storage of data. The archiving and storage system needs to understand both the type and the content of the information being stored. Then you could avoid storing unnecessary information: storage is cheap, but there is no point in paying for it if you don't have to. Furthermore you could identify business data and communications that do not need to be retained to achieve compliance, and decline to store them. What you have not stored you cannot later be required to retrieve; you can only retrieve information you have kept, after all.
However if you talk to your backup specialist, or your IT department, they will undoubtedly confirm that backing-up and archiving material is difficult: users tend to keep things on their local machines and it's hard to back up laptops and hand-held devices because they're never in one place long enough. And then there are those home-based telecommuters who rarely visit the office.
Perhaps the best place to monitor and record both business information and electronic communications is the network itself. Eventually almost every document, memo, spreadsheet, invoice, work order and press release your organisation generates or receives will pass, in electronic form, over your network. There are suitable systems available on the market today that simply plug into your network. Bear in mind, though, that such a system sees only what crosses the segment it is attached to: traffic that is encrypted end-to-end, or that never leaves a laptop while it is off-site, will not be captured, so network recording complements rather than replaces the endpoint backups described above.
If you are going to implement one of these systems you could also use the same capability to monitor the entire organisation's electronic communications: e-mail, instant messenger (IM), web-mail, Internet downloads and so on.
IM is a terrifically useful tool. It enables both one-to-one and group communications within your business, and unlike e-mail you know immediately that the other party has received your message. In stockbroking, some clients have found it useful for issuing instructions to their broker in real time. But sadly many organisations, particularly in financial services, believe that it is impossible to record and retain this form of communication. Because failing to retain it would likely be interpreted as a breach of statutory duty, they have blocked the use of IM on their systems entirely.
Head in the sand
This may be one way of achieving compliance, but in my view it is a head-in-the-sand attitude to a technology that has the capability of truly changing the way many of us communicate. Better to enable it, but to record and store it in a form that both achieves compliance and allows IM conversations to be retrieved quickly and easily. Not only are there systems available that do this, but some allow all forms of electronic communication to be monitored, recorded and searched in the same place irrespective of protocol, application or file type. This means that if the organisation needs to retrieve some specific records it does not need to search multiple archives in multiple applications and try to string them together chronologically: it can search one system for all relevant communications, whatever the protocol or application used.
If the system understands the content of all this data as it is being stored, then it could also highlight, and alert upon, items as they are stored. It is only one small step further to configure such a system to alert if the traffic appears to breach internal policies such as your Internet acceptable use policy. Why might you want to do that? There are a number of things, loosely categorised as risks, that may be discovered and acted upon within the content of archives or backups. These include legal liabilities such as employee harassment by e-mail; defamation by someone within your organisation, for which your organisation may be held responsible; transmission of viruses or worms, which may be construed as negligence; and copyright infringement. Perhaps someone in your organisation is using your network to download copyright music or pornographic material. In some jurisdictions the organisation may be liable for failing to take action to prevent the individual committing the act.
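To make the three capabilities above concrete (content-aware retention at the point of storage, one chronological search across protocols, and alerting on policy breaches as records are stored), here is an added illustration. It is not Chronicle Solutions' code or product, and the corporate domain, retention periods, rule patterns and sample traffic are all constructed assumptions chosen to show the mechanics rather than any real regulatory schedule.

```python
# Added example (not the product or code described in the article): a minimal
# content-aware archive. Messages captured off the network from several
# protocols are normalised into one record type; retention rules decide at
# ingest time whether and for how long each record is kept; one query searches
# every protocol in chronological order; and policy alerts fire as records are
# stored. Domain, rules, periods and sample messages are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

OUR_DOMAIN = "example.com"   # assumed corporate domain for internal/external checks


@dataclass(frozen=True)
class Record:
    timestamp: datetime
    protocol: str      # "smtp", "im" or "webmail", as captured off the wire
    sender: str
    recipient: str
    body: str


# Retention rules, evaluated in order; first match wins. Each gives the class
# of record and the number of days it must be kept. A record matching no rule
# is treated as business-irrelevant and is not archived at all.
RETENTION_RULES = [
    ("dealing-instruction", re.compile(r"\b(buy|sell)\b.+?\b\d[\d,]*\b", re.I), 7 * 365),
    ("accounting-document", re.compile(r"\b(invoice|credit note|purchase order)\b", re.I), 6 * 365),
    ("business-correspondence", re.compile(r"\b(contract|meeting|project|client)\b", re.I), 2 * 365),
]

# Content patterns that should raise an alert as a record is stored.
POLICY_ALERTS = [
    ("confidential-outbound", re.compile(r"\bconfidential\b", re.I)),
    ("harassment", re.compile(r"\b(threat|threaten|harass)\b", re.I)),
]


def is_internal(address):
    return address.lower().endswith("@" + OUR_DOMAIN)


def classify(rec):
    """Return (rule_name, retention_days) for a record, or None if it need not be kept."""
    for name, pattern, days in RETENTION_RULES:
        if pattern.search(rec.body):
            return name, days
    return None


def policy_alerts(rec):
    """Return the names of policy alerts triggered by this record."""
    hits = []
    for name, pattern in POLICY_ALERTS:
        if not pattern.search(rec.body):
            continue
        # Confidential material only matters when it leaves the organisation.
        if name == "confidential-outbound" and (is_internal(rec.recipient) or not is_internal(rec.sender)):
            continue
        hits.append(name)
    return hits


class Archive:
    def __init__(self):
        self.entries = []    # (record, rule_name, expires_at)
        self.discarded = 0   # records that matched no retention rule
        self.alerts = []     # (alert_name, record)

    def ingest(self, rec):
        """Apply the retention policy at storage time; returns the rule applied or None."""
        decision = classify(rec)
        if decision is None:
            self.discarded += 1
            return None
        name, days = decision
        self.entries.append((rec, name, rec.timestamp + timedelta(days=days)))
        for alert in policy_alerts(rec):
            self.alerts.append((alert, rec))
        return name

    def search(self, participant=None, term=None):
        """One query across every protocol, results in chronological order."""
        out = []
        for rec, _, _ in self.entries:
            if participant and participant not in (rec.sender, rec.recipient):
                continue
            if term and term.lower() not in rec.body.lower():
                continue
            out.append(rec)
        return sorted(out, key=lambda r: r.timestamp)

    def purge(self, now):
        """Drop entries whose retention period has ended; returns how many were removed."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[2] > now]
        return before - len(self.entries)


T0 = datetime(2004, 3, 1, 9, 0)
SAMPLE = [  # constructed traffic, deliberately out of time order
    Record(T0 + timedelta(minutes=30), "smtp", "alice@example.com", "ap@supplier.example", "Invoice 1042 attached, net 30 days."),
    Record(T0 + timedelta(minutes=5), "im", "client@broker.example", "bob@example.com", "sell 2,000 ACME at market"),
    Record(T0 + timedelta(minutes=10), "webmail", "bob@example.com", "friend@mail.example", "lunch later? let's try the new place"),
    Record(T0 + timedelta(minutes=45), "smtp", "bob@example.com", "press@outside.example", "Attached is the CONFIDENTIAL client list for the project"),
    Record(T0 + timedelta(minutes=50), "im", "bob@example.com", "carol@example.com", "project meeting moved to 3pm"),
]


def build_archive(records=SAMPLE):
    archive = Archive()
    for rec in records:
        archive.ingest(rec)
    return archive


if __name__ == "__main__":
    a = build_archive()
    for rec in a.search(participant="bob@example.com"):
        print(rec.timestamp.time(), rec.protocol, rec.sender, "->", rec.recipient, ":", rec.body)
    print("discarded:", a.discarded, "alerts:", [(n, r.protocol) for n, r in a.alerts])
```

The private webmail message matches no rule and is never stored, so it can never be demanded in discovery; the IM dealing instruction and the e-mailed invoice sit in the same timeline with different retention periods; and the outbound "CONFIDENTIAL" e-mail to an external address raises an alert at the moment it is archived. A real deployment would replace the regular expressions with proper document classification and would write entries to tamper-evident storage so that retrieved items carry evidential weight.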
Other things you might also be able to identify include security breaches such as the transmission of confidential material from inside your organisation, and illicit or illegal activities such as money laundering by a client or by a member of staff. It is not unknown for criminals to conduct their activities at their place of work and to use their employer's computer systems to do it. There were several cases last year of employees downloading paedophilic material onto their work computer systems. In one widely reported instance the employer was unaware of it until the employee's girlfriend told them.
And finally you could detect inappropriate use of your computer systems. Are your employees always working for you, or do they book their holidays or gamble at online casinos during working hours? Would you know if they were?
Because all activity is recorded you would have documentary evidence should you need to take any matter further, provided the archive can show that its records are complete, accurately timestamped and unaltered. This might include reporting suspicious transactions to the money laundering authorities, or taking disciplinary action against an employee.
But are you permitted to do this? In most instances you are allowed, and even required, to do this for business purposes, but what if your employees also send private e-mail? Legislation such as the Regulation of Investigatory Powers Act 2000, the Human Rights Act 1998 and the Data Protection Act 1998 limits, or restricts, the right of an organisation to monitor the electronic communications of its staff. Under the Regulation of Investigatory Powers Act 2000, interception is lawful where both sender and recipient have consented; the Lawful Business Practice Regulations 2000 made under it also permit monitoring and recording without consent for defined business purposes, such as keeping records of transactions or checking regulatory compliance, but only if you have made all reasonable efforts to inform users that their communications may be intercepted. Monitoring and storing employees' private e-mails (if you allow them reasonable private use of business systems, as most organisations do) without meeting one of these conditions is therefore a breach of statutory duty.
The answer is to monitor and record, but also to inform your employees that you are doing so: include this in your communications policy and state that their first use of business systems for private purposes will be deemed consent to the monitoring. This allows them to make an informed decision about whether or not they want to send and receive private e-mails at work. The procedure is relatively easy for your employees, staff or students, but how do you get the consent of external correspondents? Look at what the international and City firms of solicitors are doing. They put a statement at the end of all their e-mails warning that they monitor and record e-mail and that continued e-mail correspondence with their employees in any capacity will be deemed consent to the monitoring by both parties.
The same general principle holds good in cases of your employees visiting unacceptable Internet sites.
Updating your communications policy, your Internet acceptable use policy and your employees' terms and conditions of employment may be necessary to ensure that you comply with the legislation that protects your employees' rights while you implement systems to ensure that you comply with the legislation affecting your business, and that you accrue the greatest business benefit from doing so.
Mike Hill, Vice President, Marketing, Chronicle Solutions (UK), can be contacted via tel: +44 7775 923 910 or +44 1494 672 999; e-mail: email@example.com