Risk & Compliance

Beware the “Trash” Folder

Companies are grappling with the questions of which E-mail messages to save, how to save them, how long to save them, and what it will all cost.
John McPartlin | June 22, 2004

As more and more business becomes documented in E-mail rather than memos and reports, document retention becomes a challenge on several levels. Whether it’s compliance with the Sarbanes-Oxley Act of 2002, Securities and Exchange Commission regulations, or laws governing the handling of patient data in the health-care industry, most companies are grappling with the questions of which E-mail messages to save, how to save them, how long to save them, and what it will all cost.

Ignorance of regulations — whether at the federal, state, or industry level — is not bliss: the risks of noncompliance can be severe. In March the SEC fined Banc of America Securities $10 million for stalling on providing evidence in an investigation: the company had claimed it would take too much effort to produce the required archived E-mails. In December 2002, the commission fined Wall Street brokerage firms Deutsche Bank Securities, Goldman Sachs, Morgan Stanley, Salomon Smith Barney, and U.S. Bancorp Piper Jaffray more than $8 million for failing to retain E-mails for the proper SEC-mandated retention period.

While some of these regulations are new, companies can’t claim to be blindsided by the need to hang on to E-mail; as far back as 1998, Procter & Gamble was fined $10,000 for not properly storing E-mail messages relevant to an ongoing court case.

According to a study last year by Osterman Research Inc., fewer than 50 percent of companies keep critical E-mail-based data long enough. Most firms fall into one of three categories: those that delete all E-mail regularly (usually after 90 days), those that hang on to everything, and those that keep only E-mail that may be of legal import.

RW Smith & Associates, a brokerage firm based in Kirkland, Washington, has taken the “catch everything in the net” approach to E-mail retention. “We don’t really need to keep everything, but we chose to save everything by default,” says Richard G. Smith, director of IT. “Stuff that we deem disposable at a later date can be easily filtered out.” Smith has also tweaked his company’s E-mail-retention application so it can flag any message that violates the company’s internal E-mail policies, including messages that could potentially violate sexual-harassment policies. “A copy of the [offending] mail is flagged automatically, and is moved to a folder that is searched and viewed by our compliance officer,” he says. “Anything deemed inappropriate is dealt with accordingly.”

While brokerage firms may understandably want to err on the side of caution, some analysts (and even some vendors) think many companies are overreacting to E-mail compliance issues by trying to save every message that runs across their servers. “People don’t know what to do with E-mail, so they just say, ‘Archive everything and we’ll figure it out later,’ ” says Alan Weintraub, senior director of solutions marketing for Hummingbird Ltd., an enterprise software company focusing on content and E-mail management. “Keeping everything is not a good thing. As you enter into discovery, [having everything archived] can really open up a can of worms.” (Read more in CFO IT’s article “Priority: Mail.”)