IT Compliance Institute, December 7, 2004:
Best Practices
Coping with SEC E-mail Retention Guidelines
Meeting electronic discovery or regulatory requests for information with rapid e-mail retrieval
By Mathew Schwartz
How can organizations rapidly produce information requested by auditors, regulators, or a court? While most organizations have a well-honed backup regimen employing such low-cost media as tape, that approach alone won’t fly these days. Restoring multiple, serial backup sessions from tape, then searching for requested information, can take days or weeks—longer than the “reasonable” response period dictated by regulations.
To comply with today’s regulations, organizations need to create a special team to determine what to archive specifically for compliance purposes, then use dedicated technology to keep it at the ready. To discuss archiving best practices for regulatory compliance, ITCi spoke with Laura DuBois, director of product management for Cambridge, Mass.-based archiving software vendor Permabit Inc.
How are organizations getting their feet wet with regulatory-related archiving?
Financial services firms are typically starting with their e-mail. The SEC 17a-4 rule [for brokers and dealers] stipulates they must store their specific records, that [is], account transactions, for a specific period of time. In terms of retention, the regulation stipulates three years, but [we] see a best practice being seven years … and [that's] generally what customers are driving for.
[Also] the rules stipulate the data has to be stored on a medium where it can’t be changed, or modified, or deleted, for the set period.
Why does e-mail archiving get so much attention?
The interest in e-mail is because it’s an easy way for folks to get a hold of their records. More and more business transactions are happening via e-mail … from contract approvals to pricing information. More and more of the core business uses e-mail, which is increasingly replacing other types of communications. Also, given the nature of e-mail, you have multiple copies, so putting policies in place to manage those multiple copies just makes good business sense. You want to control where those copies are going …
Then there’s electronic-record discovery … E-mail is really one of the number-one targets for litigators looking to find a smoking gun or evidence.
So those are some strong reasons customers are starting with e-mail, but customers we talk to want a solution that can span not just e-mail but other systems as well … So for example, financial institutions might have electronic paper-scanning processes for images of checks … or even just general books and records output from larger output systems, that they need to retain.
Is it essential to retain that data in a specialized system with fast search and retrieval?
You need to tuck away the things you might want to produce in 24 hours … [So] you have to have a system that can index all your records and categorize your records from a variety of search criteria. [For example] the SEC might come in and say I want to see all e-mail for list brokers, for 25 different stock tickers. You need a system that can … search based on all those parameters … So you’re really going to want to have a specific e-mail archiving application that’s designed for that kind of retrieval, then the kind of media [best suited to work with it].
How does your software accomplish that?
The software we have runs on a processing system and we create a specific write-once, read-many volume [on magnetic disk] so we’re able to lock down that volume … We [also] enforce the retention period, but we don’t let any users delete or modify the record.
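The retention model described in the two answers above (records indexed at ingest so they can be pulled by stock ticker, a write-once volume, no modification ever, deletion only after the retention period has elapsed) as an added Python sketch; this is illustration code, not Permabit's software, and the `$IBM` ticker convention, the `ManualClock`, and the 2004-12-07 start date are constructed for the example.

```python
# Toy WORM (write-once, read-many) archive with an enforced retention period and
# a ticker index. Added illustration, not Permabit's software; "$IBM"-style
# tickers and ManualClock are constructed for the example.
import re
from datetime import datetime, timedelta

TICKER_RE = re.compile(r"\$([A-Z]{1,5})\b")

class RetentionError(Exception):
    """An operation would violate the retention policy."""

class ManualClock:
    def __init__(self, start: datetime = datetime(2004, 12, 7)):
        self.now = start
    def advance_days(self, days: int) -> None:
        self.now += timedelta(days=days)

class WormArchive:
    def __init__(self, retention_days: int, clock: ManualClock):
        self._retention = timedelta(days=retention_days)
        self._clock = clock
        self._records: dict[str, tuple[str, datetime]] = {}  # id -> (body, retain_until)
        self._by_ticker: dict[str, set[str]] = {}            # ticker -> record IDs

    def store(self, record_id: str, body: str) -> datetime:
        if record_id in self._records:  # write-once: an ID is never overwritten
            raise RetentionError(f"{record_id}: records are write-once")
        retain_until = self._clock.now + self._retention
        self._records[record_id] = (body, retain_until)
        for ticker in TICKER_RE.findall(body):  # index at ingest, not at audit time
            self._by_ticker.setdefault(ticker, set()).add(record_id)
        return retain_until  # date before which the record cannot be deleted

    def modify(self, record_id: str, body: str) -> None:
        raise RetentionError(f"{record_id}: archived records are immutable")

    def delete(self, record_id: str) -> None:
        _, retain_until = self._records[record_id]
        if self._clock.now < retain_until:  # still inside the retention period
            raise RetentionError(f"{record_id}: retained until {retain_until:%Y-%m-%d}")
        del self._records[record_id]
        for ids in self._by_ticker.values():
            ids.discard(record_id)

    def search_tickers(self, tickers) -> list[str]:
        """IDs of every retained record mentioning any of the given tickers."""
        hits: set[str] = set()
        for t in tickers:
            hits |= self._by_ticker.get(t, set())
        return sorted(hits)
```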
What storage media do you work with?
Magnetic disk, the same kind of disk that would be in your PC, for example. So the benefit of that is a customer is able to respond quickly to audits—whether external audits or internal audits. What customers had done before this type of technology was available was to use tape, which is serial in fashion, and typically very slow in storage and recovery time … or optical disc, which is also slow.
How does your technology scale, especially since keeping hands off the information is so crucial to staying compliant?
In terms of scalability, one of the key benefits is it’s self-managing and self-healing … [and] as [customers] need more capacity, they just add another [server]. As it’s added, [the servers] just talk to each other and communicate, and the disk space just becomes available …
Now in many cases these regulations might stipulate records need to be stored for 20 or 50 years, and saving that data for maybe longer than the [storage] technology curve. So the critical thing is … our system was designed to support future architectures.
How quickly do organizations need to turn around requests for data?
The rule states that it needs to be within a “reasonable” time period … But it’s generally understood that it needs to be in a day or less … Anywhere from 24-72 hours is what we see people trying to aim for.
How can magnetic disk decrease the time it takes to do that?
One of our customers, at Essex Investment, before implementing the technology that we have … conducted an internal audit, and it took him well into three weeks to respond to [an information request] and pull up over 10,000 records. Then he implemented our technology and he was able to do that same retrieval for a particular stock ticker in 24 hours. Then he put that data retrieval set on a CD and gave it to his compliance officer. Going from weeks to hours [like that sends] a really strong message about good corporate responsibility, and it’s a good response to auditors.
Is magnetic disk affordable enough to employ for this?
Cost is always a factor when people are exploring technologies, but … the price for ATA [disk] technology is getting to the point where there’s relatively little difference between disk pricing and other technologies, such as tape. But the benefit of disk is the relative ease of management.
How do organizations know what data to back up?
Just to clarify, we’re seeing customers [view] compliance records, and the need to archive those compliance records, as a distinct function from data backup. So while they still want to do data protection, and will do that in a variety of ways … they’re creating separate archive repositories for their electronic records that need to be stored for a specific period of time to respond to compliance regulations.
So these regulations aren’t new. But what is new is the fact that regulators are now monitoring and enforcing these regulations … We’ve also seen an increase in the number of firms undergoing electronic data discovery … and that obviously is for firms that are under litigation or pending litigation.
Beyond technology, what are best practices for regulatory information retention?
This whole notion of electronic records getting stored for legal or litigation purposes, it really is not something that’s just done in a vacuum, or just by IT. We’re seeing customers form compliance teams. That compliance team would include a records manager, a compliance manager, someone from legal, IT, and someone from the business units—someone who’s responsible for, and owns, the data.
That team is formed and they put together a project plan for where they’re going, what the requirements are for the [retention] product, and what the requirements are for the regulation. And those teams are critical, because records-retention technology has to serve a variety of people in an organization.
So the first step [for organizations] is to understand the industry and related regulations, then understand their record types, then map … [appropriate] record retention. Obviously, it also helps to have support from the top, and support from executive leadership is another best practice we’re seeing.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.