Sarbanes-Oxley and Email Retention

  • 8/3/2019 Sarbanes-Oxley and Email Retention

    Sarbanes-Oxley and Email Archiving

    An ArcMail Technology Research Paper

    ArcMail Technology, Inc. 401 Edwards Street, Suite 1100 Shreveport, Louisiana 71101

    www.arcmail.com

    Organizations are faced with an increasing number of industry and government regulations that have made compliance a full-time position at many companies. While much of the compliance falls on the shoulders of publicly traded organizations, the standards established by legislation such as HIPAA, the Gramm-Leach-Bliley Act and Sarbanes-Oxley are having far-reaching impacts across both private and public organizations. A common requirement for many companies today in order to meet certain guidelines and to ultimately protect themselves is the concept of archiving. The truth is most industries from retail to health care to higher education are overwhelmed with the growing amount of data they have to manage. While the data is coming from a variety of sources, email is one of the main reasons why organizations have to add more storage capacity to their networks or look for archiving solutions specifically to manage email.

    E-mail archiving shows up as the tip of the iceberg when it comes to managing, securing, and exploiting the unstructured data within an organization.[i]

    According to a report by International Data Corporation, "The introduction of legislation such as the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act [HIPAA] has significantly increased the importance of managing, securing and storing all information within the enterprise. More specifically, because of regulations such as SEC Rule 17a-4 that are very prescriptive for the retention of email, and the numerous and very costly public lawsuits in which an email has been the deciding factor, email has emerged as one of the most important content types that need to be retained."[ii]

    The Sarbanes-Oxley Act of 2002 was passed in response to several extremely high-profile corporate financial scandals, such as those involving Enron and WorldCom. The Act, which is administered by the Securities and Exchange Commission, was designed to help protect shareholders from fraudulent activities and accounting blunders by making corporate executives ultimately responsible for their filed financial reports. In reality, SOX is having far-reaching effects on the entire organization. While the accounting department and C-level executives are responsible for the financial compliance of the act, all employees are being required to change their email and document storage habits, while the IT department is responsible for making sure the company complies with the electronic records storage requirements outlined in the legislation.

    The remainder of this paper will focus on the three rules of data storage described in SOX Section 802(a) and how email archiving solutions can help organizations meet compliance standards.

    Rule 1

    The first rule regarding document storage found in section 802(a) outlines the punishment for destroying, falsifying or altering records:

    "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

    Email has become one of the most important methods of communicating internally and externally because of its speed, flexibility and informal nature. Email is being used to negotiate contracts, collaborate with team members, document communications and store files that are used for all aspects of business.

    A recent article in KM World magazine reported, "Twenty years ago, no permanent records existed that weren't physically printed on paper, due to legal precedents. Now 60 to 70 percent of business critical data is, at some point, contained in email, so the need to manage, store, search and retrieve those electronic records is paramount. Email Management is now mission-critical."[iii] As a result of its growing importance and how it is being used, in terms of SOX and the SEC, email is treated like any other electronic record. In the event of litigation or compliance audits, companies are being required to produce email correspondence, often more so than other documentation, either in support of their case or in response to a plaintiff's request.

    In the Enron case, company auditors from Arthur Andersen were found guilty of sending emails requesting that employees shred documents related to Enron's financial and accounting irregularities. It was the evidence found in the emails that ultimately led to the demise of the 82-year-old accounting firm. In September 2007, Morgan Stanley was forced to pay a $12.5 million fine because it did not provide emails requested by the plaintiffs, instead falsely claiming the emails were destroyed in the 9/11 attack on the World Trade Center. Morgan Stanley was also fined $15 million in 2005 by the SEC for failing to produce emails related to a research probe.

    The list of companies being fined for deleting emails or not being able to produce documentation is growing, while retention practices of data, including email archives, are being continually scrutinized. Email archiving solutions such as the ArcMail Defender automatically capture all original inbound and outbound emails and their attachments. Once the emails are stored on the device, they cannot be altered, destroyed or deleted.

    Rule 2

    Section 802(a)(1) outlines the amount of time companies are required to store files:

    "Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded."

    According to a survey conducted by the Enterprise Content Management Association of the Association for Information and Image Management (AIIM), storage consumers are basically ignorant when it comes to archiving. The ECMA surveyed 1,000 organizations, and the corresponding report said that most organizations consider archiving as a collection of massive .pst backup files. In addition, 46 percent of those surveyed considered archiving the responsibility of individual employees while only 26 percent considered it part of an overall information management strategy.[iv]

    One of the main differences between traditional back-up practices and archiving is time. When companies back up information, they are confident that the information is being replicated. Archiving, on the other hand, is putting something in storage with the anticipation that it will be used again. Most email programs have a built-in capability of backing up .pst files at a specific point in time. These programs simply take a snapshot of the inbox and other folders. When emails are deleted from the inbox, they are also deleted from the next back-up. An email archiving solution takes data protection to another level by automatically capturing and indexing all emails, including subject line, body contents and attachments, as they are sent or received. Archived data is being stored for the long term, so it is captured in such a way that it can be searched, retrieved and restored quickly.

    Section 802(a)(1) indicates that information should be stored for a period of five years. A back-up file is for the short term and can be overwritten, while archiving is about preservation. In solutions such as the ArcMail Defender, archiving policies can be established and enforced to meet the specific guidelines of SOX and other regulations.

    Rule 3

    Section 802(a)(2) outlines the types of information that need to be stored.

    "The Securities and Exchange Commission shall promulgate, within 180 days, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review."

    About 40% of companies cite the Sarbanes-Oxley Act as the biggest factor in archiving more of their email, with the Health Insurance Portability and Accountability Act and other healthcare regulations also triggering adoption.[v]

    The SEC is treating email like any other document. With the growing dependence upon electronic communications, email has become a prime candidate to look for a smoking gun during the litigation discovery and auditing processes. As a result, email retention and archiving policies and procedures should be constantly reviewed to ensure that they are meeting the needs of the various areas of the organization, from legal to accounting to IT. Unfortunately, according to a study conducted by the American Management Association and The ePolicy Institute, more than 66 percent of organizations do not have policies for saving, purging and managing e-mail. This despite the fact that among the companies surveyed, 24 percent had electronic messages subpoenaed by lawyers or regulators in 2006, compared to 14 percent in 2003.[vi]

    Driven by the growing number of legal concerns and compliance issues, the email archiving market continues to experience tremendous growth. IDC reported that the market grew by 45 percent in 2006 and expects the archiving applications market to reach $1.4 billion by 2011.[vii] The Radicati Group expects the total email archiving market, including on-premise archiving systems and hosted services, to reach $6 billion by 2010.[viii]

    According to IDC, customers are increasingly demanding integrated workflows to support discovery and auditing. This coupled with aggressive reductions in the cost of connectivity and storage combined and rising awareness of new legal obligations is leading growth in the SMB and mid-market segments.[ix]

    Finding emails on traditional tape drives and back-up applications can be difficult and expensive. With the limited amount of time allowed under SOX guidelines to respond to document requests, it is important that organizations have an email management solution that will help to retrieve all the necessary and correct emails quickly and easily. The ArcMail Defender makes it easy for administrators or end users to find and retrieve the information organizations need to comply with requests and defend their positions. The appliance automatically indexes all emails and the solution's Web-based interface offers access to archived email from anywhere there is a Web connection while providing advanced search features, including full-text and wild-card searches.

    Conclusion

    SOX has made it clear that email correspondence must be securely archived for up to five years.

    Experts suggest that the best policy for email archiving is to capture anything and everything so that in the event of litigation or a compliance audit, organizations can have confidence in their storage strategies and make it easier for internal and external auditors to review the virtual paper trail.

    The first step in solidifying an email archiving strategy is to establish an archiving policy and then find a solution that will help to enforce the policy. ArcMail Defender combines on-board storage, comprehensive archiving, data compression, disk management software, and easy to use web-based search and retrieve functions in one network appliance. Through Defender, organizations can enforce their archiving policies by eliminating one of the biggest challenges in the email retention process, people. Defender manages the entire archiving process and eliminates the need for manual back-ups. Defender also automatically captures all email messages and stores them in such a way that they can be quickly tracked, reviewed, searched and restored by end-users, IT administrators or an attorney.

    According to a recent survey by Osterman Research, IT departments receive an average of 36 business requests, 24 regulatory or audit-related requests, and 108 end-user requests annually.[x] The average request for retrieving raw email data for a single legal discovery request takes almost a month.[xi] Companies can reduce the amount of time and costs associated with email storage and discovery by integrating an email archiving solution. The reliance upon email correspondence is only going to continue to increase, which makes email archiving a business critical process for all sized organizations, particularly in an era with more litigation and strong regulatory compliance standards.

    ___________________________

    [i] http://www.infostor.com/display_article/305936/23/ARTCL/none/none/1/Focus-On:-E-mail-management-and-archiving/

    [ii] http://accounting.smartpros.com/x46588.xml

    [iii] http://www.kmworld.com/articles/PrintArticle.aspx?ArticleID=15409

    [iv] http://computerworld.co.nz/news.nsf/news/DDA38125EE52836FCC25723E00071A25

    [v] http://searchcio.techtarget.com/tip/0,289483,sid19_gci1188687,00.html

    [vi] http://www.baselinemag.com/article2/0,1540,1998112,00.aspv

    [vii] http://www.idm.net.au/story.asp?id=8496

    [viii] http://aiimknowledgecenter.typepad.com/weblog/2007/05/the_email_archi.html

    [ix] http://www.idm.net.au/story.asp?id=8496

    [x] http://www.darkreading.com/document.asp?doc_id=133079

    [xi] ibid