What are legal issues surrounding email archiving and compliance?
Email archiving is bound up with a host of compliance obligations. A number of corporate governance and data protection laws govern how companies that archive email must retain, secure and produce it. Let us take a look at some of the most important legal issues related to archiving:

The Sarbanes-Oxley Act
is one of the most important laws related to archiving, although it is a US law and applies only to companies listed on US exchanges and to their auditors. Section 802 of the Act requires auditors to retain audit records for 7 years. This covers all records that may be relevant to an audit or review; failing to keep them is a criminal offence carrying a jail sentence of up to 10 years.

Certain other sections of this Act are also worth a mention in this context:
  1. Section 302 requires the CEO and CFO of a public company to personally certify the accuracy of the financial statements contained in its periodic reports.
  2. Section 404 requires management to assess, and the external auditor to attest to, the effectiveness of the internal controls the company used to arrive at its financial results.
Both sections carry specific requirements. Companies must put procedures in place to ensure that information is always recorded and managed in a trustworthy way, and this includes email. The financial information of a company must be reliable, and records held electronically must be managed with the same care and attention as paper records.

When companies become embroiled in investigations, audits, litigation or other formal proceedings, protecting business records from tampering assumes immense importance. Companies must ensure that management, accounting staff and directors know their obligation to preserve business records, and that data is archived as soon as possible.

The Sarbanes-Oxley Act therefore obliges companies to retain copies of email communications that constitute business records (above all those of the departments handling auditing, accounting and orders), internal and external alike, for 7 years.
The UK has its own laws bearing on email archiving, and it too is moving towards Sarbanes-Oxley style corporate governance. Organizations in the UK need to abide by two main Acts:
  • The Data Protection Act 1998 - applicable to both public and private sector entities
  • The Freedom of Information Act 2000 - fully in force from January 2005, applicable to public sector entities only
Neither Act prescribes a particular technology, but the practical effect of both is the same: an organization cannot meet its disclosure duties unless it can find and retrieve electronic communications quickly, so an archive and retrieval system becomes essential.
 
The Data Protection Act (DPA) 1998
 
This Act was passed in 1998 and came fully into force in March 2000. It deals mostly with the duty of organizations that hold and process personal data to keep that data secure and to restrict who can access or use it. It also grants individuals the right to know what information is held about them. The DPA gives these rights to the people the data is about (data subjects). Personal information covers both facts and opinions about the individual. Those who hold or process it (data controllers) are bound to follow the DPA.
 
For the security of electronic data (the Act's seventh data protection principle), the Act itself does not name a standard, but guidance issued under it points to BS 7799, the British Standard code of practice for information security management, which was later adopted internationally as ISO/IEC 17799.
 
The DPA also obliges organizations to disclose the personal data they hold about an individual on request. This request, the “Subject Access Request” (SAR), is one of the key components of the Act: a data controller must supply all the personal data requested within 40 days. Without a searchable archive, it is almost impossible for a company to produce all the information held within its email system about a particular person. Failure to respond to a SAR leaves a company liable to legal action.
 
The UK Freedom of Information (FOI) Act
 
Under the FOI Act, all public bodies are bound to make information available to anyone who requests it, whether an individual, an agency, a group or a company. The requester need not give a reason, and the information need not concern the requester personally.
 
Information requested can concern any matter, such as:
  • The process for awarding a particular contract and its commercial terms
  • The area affected by a toxic spillage
  • The results of testing of the local water supply
  • An enquiry into the suitability of a particular site as a waste dump
  • Personal records
Passed on 30th November 2000 and fully in force from January 2005, the FOI Act is also retrospective: it encompasses all information a public body holds, including historical data. Certain sensitive information (for example, that pertaining to national security) is exempt from the Act.
 
In addition to the above, European companies with US-based parents or subsidiaries may also have to comply with US rules such as Sarbanes-Oxley and, for broker-dealers, SEC Rule 17a-4 and NASD Conduct Rule 3110.
 
For legal compliance, data held in email should be stored in a secure, tamper-evident archive, encrypted, indexed for quick retrieval, and with every event surrounding a message (ingestion, access, retrieval, deletion) fully audited. In the UK, the Information Commissioner enforces both Acts and can penalise organizations that breach them.
