MICROSOFT EXCHANGE ONLINE ARCHIVING, DATA RETENTION AND RULE 17A-4 COMPLIANCE DATE: SEPTEMBER 22, 2015



Similar documents
HP StorageWorks Reference Information Storage System Designed to Assist Financial Services Organizations Comply with Retention Requirements

Abstract. SEC 17a-4(f) Compliance Assessment. Technical Report. Prepared by Cohasset Associates, Inc.

White Paper: Financial Services Compliance

orldox GX3 Cloud for Financial Services Worldox GX3 Cloud Compliance Outline The Best of both Worlds. / Whenever. Wherever.

How To Preserve Records In A Financial Institution

iternity icas Solution

Assessment of Hitachi Data Systems (HDS) Hitachi Content Platform (HCP) For Dodd-Frank Compliance

The ComplianceVault Archiving & Retrieval Appliance and the SEC a-4 Requirements

WHITEPAPER. The Companion Guide to FINRA/SEC Social Networking Compliance

ELECTRONIC RECORD AND SIGNATURE COMPLIANCE. NASD Rules 3010(d) and 3110(c)(1)(C) SEC Rule 17a-4 15 USC 7001 et. seq. (E-SIGN)

Actiance Alcatraz: Archivable compliance and ediscovery for Social Media

Solution Brief. Archiving from Office 365 for Compliance and ediscovery. 1) Capture Everything

Record Keeping and Call Recording for Dodd-Frank. A guide to regulatory compliance

Symantec Enterprise Vault.cloud Overview

Compliance Solutions FOR BROKER-DEALERS. Archiving the financial services world. message archive search message archive search message archive search

Countdown to Compliance

EMC White Paper EMC Xtender Provides Records Management for Microsoft Exchange Server 2003

archiving, compliance, and ediscovery solution designed specifically for U.S. financial services companies.

Mimecast Enterprise Information Archiving

Veritas AdvisorMail. archiving, compliance, and ediscovery solution designed specifically for U.S. financial services companies

LiveOffice AdvisorMail The Industry s Most Trusted Archiving and Compliance Solution

Spambrella Archiving Service Guide Service Guide

MICROSOFT EXCHANGE, OFFERED BY INTERCALL

Veritas Enterprise Vault.cloud for Microsoft Office 365

C. All responses should reflect an inquiry into actual employee practices, and not just the organization s policies.

White Paper. Mimosa NearPoint for Microsoft Exchange Server. Next Generation Archiving for Exchange Server By Bob Spurzem and Martin Tuip

68% Meet compliance needs with Microsoft Exchange. of companies send sensitive data via .

Symantec Enterprise Vault.cloud Overview

Planning for IM Compliance

Guidelines for the review, supervision and retention of advertisements, sales literature and correspondence

NFORMATION ONTROL OUR BLOOMBERG VAULT. An Enterprise Solutions Offering

Mimecast Archive

RECORDS TO BE PRESERVED BY CERTAIN EXCHANGE MEMBERS, BROKERS AND DEALERS SEA Rule 17a-4

Office 365 Compliance and Data Loss Prevention

MS 20342B: Advanced Solutions of Microsoft Exchange Server 2013

MANAGEMENT SOLUTIONS SAFEGUARD BUSINESS CONTINUITY AND PRODUCTIVITY WITH MIMECAST

Archiving Whitepaper. Why Archiving is Essential (and Not the Same as Backup)

Addressing Legal Discovery & Compliance Requirements

Rackspace Archiving Compliance Overview

Protezione dei dati. Luca Bin. EMEA Sales Engineer Version 6.1 July 2015

Approximately 260 PST files totaling 180GB will be included in the pilot. 2. Are the Windows XP clients running XP 64 bit or 32 bit OS?

Archiving. Mimecast Training. Student Workbook V 2.3

management solutions

EMC DATA DOMAIN RETENTION LOCK SOFTWARE

Administration GUIDE. Exchange Database idataagent. Published On: 11/19/2013 V10 Service Pack 4A Page 1 of 233

Top Technology Challenges Thursday, May 28 3:00 p.m. 4:00 p.m.

Achieve more with less

Course 20341A MCSA: Core Solutions of Microsoft Exchange Server Days

Recovering Microsoft Exchange Server Data

The Financial Advisor s Guide to Social Media Regulations

20342 Advanced Solutions of Microsoft Exchange Server

Enterprise Vault Whitepaper

Symantec Enterprise Vault and Symantec Enterprise Vault.cloud

Archiving Compliance Storage Management Electronic Discovery

Office 365 for the Information Governance and ediscovery Practitioner Part I: Office 365 Fundamentals

What are the compliance challenges of Microsoft Office 365?

Capstone Compliance Using Symantec Archiving and ediscovery Solutions

Archiving and the Cloud: Perfect Together

Why You Should Consider Cloud- Based Archiving. A whitepaper by The Radicati Group, Inc.

Addressing Archiving and Discovery with Microsoft Exchange Server 2010

Union County. Electronic Records and Document Imaging Policy

ENTERPRISE CONTENT MANAGEMENT. Which one is best for your organisation?

Cloud Relay Solution. Whitepaper

Microsoft Exchange Online Archiving and Symantec Enterprise Vault.cloud

FIVE TIPS TO ENSURE SALESFORCE CHATTER MEETS COMPLIANCE REQUIREMENTS

CA Message Manager. Benefits. Overview. CA Advantage

How To Answer A Question About Your Organization'S History Of Esi

Data Sheet: Archiving Symantec Enterprise Vault Store, Manage, and Discover Critical Business Information

SIR, IT S QUITE POSSIBLE THIS ASTEROID IS NOT ENTIRELY STABLE

THIS SERVICE LEVEL AGREEMENT DEFINES THE SERVICE LEVELS PROVIDED TO YOU BY THE COMPANY.

C2C ArchiveOne & Microsoft Exchange Server 2013

Advanced Solutions of Microsoft Exchange Server 2013

Secure Cross Border File Protection & Sharing for Enterprise Product Brief CRYPTOMILL INC

ZL UNIFIED ARCHIVE A Project Manager s Guide to E-Discovery. ZL TECHNOLOGIES White Paper

Exchange Server 2010 & C2C ArchiveOne A Feature Comparison for Archiving

Making Sense of Archiving for Microsoft Environments

SERVICE LEVEL AGREEMENT - Shared Exchange Hosting

How To Deploy Cisco Jabber For Windows On A Server Or A Network (For A Non-Profit) For A Corporate Network (A.Net) For Free (For Non Profit) For An Enterprise) Or

Kent Cheong Regional Sales Manager GFI Software

SERVICE LEVEL AGREEMENT: Shared Exchange Hosting

Veritas Enterprise Vault Overview

Transcription:

MICROSOFT EXCHANGE ONLINE ARCHIVING, DATA RETENTION AND RULE 17A-4 COMPLIANCE DATE: SEPTEMBER 22, 2015 Executive Summary The Securities and Exchange Commission (the SEC ) requires broker-dealers and other regulated companies to retain business-related communications. This requirement applies to various types of communications such as e-mails, instant messages, faxes, and voice mails. Microsoft s Exchange Online Archiving ( EOA ), a cloud-based archiving solution, provides organizations with multipurpose electronic storage that allows the electronic retention and discovery of a wide range of data. EOA includes features that allow customers, including broker-dealers, to store data in a manner that helps them comply with the necessary requirements of various regulations. A feature that was recently added to EOA, Preservation Lock, was introduced for the purpose of allowing broker-dealers to use EOA to comply with the requirements of Rule 17a-4 under the Securities and Exchange Act of 1934 ( Rule 17a-4 ). Because of EOA s unified structure, an organization may implement a single uniform retention policy that covers e-mail, voice mail, fax messages and instant messages. Conversely, an organization can create separate retention policies for different types of messages, different folders, or even specific messages. EOA provides the flexibility that allows broker-dealers to customize document retention policies. This white paper reviews EOA from the perspective of its compliance with the data retention requirements of Rule 17a-4. In conjunction with EOA s other features, including Preservation Lock, EOA should enable broker-dealers to meet their regulatory requirements under Rule 17a-4. I. Electronic Storage Requirements of Rule 17a-4 Under Rule 17a-4, a broker, dealer or member of a national securities exchange (collectively, a broker-dealer ) must retain, for three to six years, depending on the documents at issue, originals and copies of all communications related to its business. Rule 17a-4 applies to a variety of communications, including physically-delivered written communications, e-mails, instant messages, fax messages and similar communications. Rule 17a-4(f) allows broker-dealers to satisfy their data retention requirements through the use of electronic data storage. Rule 17a-4(f) outlines specific criteria that a broker-dealer must meet in order to be able to take advantage of electronic data storage. Namely, the electronic storage media used by a broker-dealer must: (A) Preserve the records exclusively in a non-rewriteable, non-erasable format; (B) Verify automatically the quality and accuracy of the storage media recording process;

2 (C) Serialize the original and, if applicable, duplicate units of storage media, and timedate for the required period of retention the information placed on such electronic storage media; and (D) Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the SEC or the self-regulatory organizations of which the member, broker, or dealer is a member. 1 Rule 17a-4(f) also requires that a broker-dealer (1) store separate, (2) duplicate copies of all data retained, (3) organize and index all data retained, (4) make all data available for examination by the SEC at all times, and have an audit system in place for providing for accountability regarding inputting of records required to be maintained and preserved. 2 In 2001 and 2003, the SEC issued two interpretive releases regarding Rule 17a-4 (the 2001 Release and the 2003 Release, respectively). 3 In particular, the 2003 Release provided specific guidance focusing on the requirement in Rule 17a-4 that data preserved by an electronic storage system be non-rewriteable and non-erasable. The 2003 Release also noted that the storage system must have the capability to store data beyond the retention period required by the rule, in the case of a subpoena or other legal order. II. Analysis of EOA The following is a high-level summary of the application of Rule 17a-4 to EOA. a. Preservation of data - Rule 17a-4(a), (b)(4) Rule 17a-4 requires that a broker-dealer retain and preserve all communications relating to its business for a period of three to six years (depending on the documents at issue). Though communications has not been explicitly defined by the SEC, it includes communications such as e-mail, instant messaging and likely voicemails. Through configuration of the retention, In-Place Archiving and In-Place Hold features of EOA, and in conjunction with other services in the Microsoft Office 365 suite, such as Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business, EOA has the ability to preserve and retain many classes of incoming, internal and outgoing data through various Exchange mailbox items, including: 1 Rule 17a-4(f)(1)(ii)(A)-(D) under the Securities Exchange Act of 1934. 2 Rule 17a-4(f)(3)(v). 3 See SEC Interpretive Release No. 33-44238, Guidance to Broker-Dealers on the Use of Electronic Storage Media under the Electronic Signatures in Global and National Commerce Act of 2000 with Respect to Rule 17a-4, 66 FR 22916 (May 1, 2001), available at https://www.sec.gov/rules/interp/34-44238.htm; and SEC Interpretive Release No. 34-47806, Electronic Storage of Broker-Dealer Records, 68 FR 25281 (May 12, 2003), available at http://www.sec.gov/rules/interp/34-47806.htm#p20_1490.

3 inbound and outbound e-mail communications; books and records contained in e-mail form or in shared online documents; meeting requests; faxes; instant messages; documents shared during online meetings; and voicemails. Additionally, Microsoft is developing add-on features to allow data ingestion from other sources through integration with third party data capturing and management solutions. Feature availability information is available in the Office 365 Roadmap (http://success.office.com/en-us/roadmap/). Once these features are enabled, through integration with third party data capturing and management solutions, EOA will be able to extend its archiving and compliance capabilities to cover additional data sources, including: Social: Twitter, Facebook, Yammer, LinkedIn, YouTube. Instant Messaging: Yahoo Messenger, GoogleTalk, Cisco Jabber. Document Collaboration: Box, DropBox. Industry-specific applications: SalesForce Chatter, Thomas Reuters Eikon Messenger, Bloomberg Chat. SMS/Text Messaging: BlackBerry, MobileGuard. EOA s retention, In-Place Archiving and In-Place Hold features allow administrators to set messaging retention policies to archive data and set defined hold periods so that data may be retained for the required length of time. EOA also allows users to store data beyond the required retention period, in the case of a subpoena or legal order, through the creation of In-Place Hold policies. Once this additional retention requirement is no longer required, those additional In-Place Hold policies can then be removed. b. Non-rewriteable, non-erasable format - Rule 17a-4(f)(2)(ii)(A) As the focus of the SEC s most recent interpretation on the topic, this is one of the most important aspects of Rule 17a-4. As noted above, the 2003 Release provided specific guidance to broker-dealers regarding Rule 17a-4(f) that focused on the requirement that the electronic storage system preserve data in a non-rewriteable and non-erasable format. Specifically, the 2003 Release noted that [a] broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(a) of the rule if it used an electronic storage system that prevents the overwriting, erasing or

4 otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. 4 Of key note in the above additional text is the phrase integrated hardware and software control codes. This indicates that the mechanism employed by the underlying storage system to achieve a non-rewriteable and non-erasable format can be an integrated solution where hardware is coupled with software to achieve the same end result. In the 2003 Release, the SEC also clarified, however, that electronic storage systems that merely mitigate the risk that a record will be overwritten or erased, for example by relying on access control, would not meet the requirements of the rule: The ability to overwrite or erase records stored on these systems makes them non-compliant with Rule 17a-4(f). 5 Users of a Rule 17a-4-compliant electronic storage system must not be able to delete or alter data that is preserved in accordance with the rule once it has been retained. EOA preserves permanent files of all data collected in a non-rewriteable, non-erasable format through the use of retention policies, In-Place Archiving and In-Place Hold, including Preservation Lock. Specifically: All records that are stored using the retention policies noted above are retained in a dedicated storage area out of the purview of the ordinary user. Furthermore, only authorized users can access and search these records, but cannot alter or erase them. Metadata for each item includes a timestamp that is used in the calculation of retention duration. Timestamps are applied when a new item is received or created, and cannot be subsequently modified or removed from the metadata. EOA allows users to combine different retention policies and hold actions in order to create granular retention policies to define the mailbox/folder/type of items to be immutably preserved, and the duration of such preservation. The Preservation Lock feature allows users to choose whether they want to make the policy a restrictive policy. A restrictive policy prohibits anyone from having the ability to remove, disable or make any changes to the retention policy. This means that once Preservation Lock is enabled, it cannot be disabled, and no mechanism will exist under which any data that has been collected by the retention policies in place may be overwritten, modified, erased or deleted during the preservation period. Further, the hold period set by Preservation Lock may not be shortened or decreased. It may, however, be lengthened, in the case of a legal requirement to continue retention of the stored data, as noted above. Preservation Lock ensures that no one, not even administrators or those with certain control access, may change the settings or overwrite or erase data that has been stored, bringing EOA in line with the guidance set forth in the 2003 Release. 4 Electronic Storage of Broker-Dealer Records, Interpretation, 68 FR 25281 (May 12, 2003), available at http://www.sec.gov/rules/interp/34-47806.htm#p20_1490. 5 Id.

5 c. Quality/accuracy verification - Rule 17a-4(f)(2)(ii)(B) The electronic storage media used by a broker-dealer to comply with Rule 17a-4 must automatically verify the quality and accuracy of the storage media recording process. This means that the electronic storage media must not only record and retain data; it also must perform checks to verify that the data is recorded and retained properly and accurately in the electronic storage system. EOA has a number of features that automatically verify the quality and accuracy of the storage media recording process. For example, EOA relies on a robust copy-on-write mechanism to ensure failsafe recording. For items that need to be recorded, EOA validates each recording operation, and logs accordingly. All recording operations are designed to be highly efficient from a resource consumption point of view to minimize potential resource conflicts and to ensure near-instantaneous recording. The operation of recording does not impact the item itself. Instead, metadata updates are made inline via a universally unique identifier lookup model. This universal unique identifier, MessageID, is used to identify each recorded item; this not only serves to preserve the integrity of the recorded item, but also avoid potential errors during recording caused by duplicates. d. Serialization/indexing of data - Rule 17a-4(f)(2)(ii)(C) Both original and duplicate units of stored data must be serialized and time-dated for the required retention period to be Rule 17a-4 compliant. The 2003 Release noted that this requirement was intended to ensure both the accuracy and accessibility of the records by indicating the order in which records are stored, thereby making specific records easier to locate and authenticating the storage process. As mentioned above, EOA relies on a universally unique identifier (i.e. MessageID) to identify each recorded item. This attribute is intrinsically captured as part of the metadata for every recorded item. EOA indexes recorded items based on MessageIDs primarily; this single attribute can be used to retrieve a specific item without ambiguity. Additionally, EOA also indexes recorded items based on several other attributes in the metadata (e.g. timestamps) to improve speed of retrieval by client/user applications. e. Separate storage for duplicate copies - Rule 17a-4(f)(3(iii) Duplicate copies of the records retained pursuant to Rule 17a-4, as well as duplicate copies of the indexes, must be stored in a location separate from the original record. EOA leverages the high ability principles built into the Office 365 cloud service infrastructure, a key attribute of which is redundancy. Physical redundancy is built at the disk/card level within servers, the server level within a datacenter and the service level across geographically separate data centers to protect against failures. Each data center has facilities and power redundancy, with multiple datacenters serving every region. To build redundancy at the data level, recorded data is constantly replicated across geographically separate datacenters. A core design goal is to maintain multiple copies of data whether in transit or at rest and failover capabilities to enable rapid recovery. f. Downloadable/accessible format - Rule 17a-4(f)(2)(ii)(D) Data must be downloadable onto an acceptable medium as required by the SEC or any selfregulatory organization of which the broker-dealer is a member, and data must also be available upon request for examination by the SEC or any such self-regulatory organization. Rule 17a-4 also requires that a third-party who has access to the data provide the broker-dealer s designated examining

6 authority with certain undertakings. EOA meets each of these criteria by making the data downloadable and accessible via In-Place ediscovery in industry standard formats such as EDRML and PST. EOA acts as the third-party provider and will provide the undertakings required by the SEC. g. Audit requirements - Rule 17a-4(f)(3)(v) In addition to the record retention requirements, Rule 17a-4 requires broker-dealers to have an audit system that provides accountability for the record retention system used to comply with the requirements. The results of any audits must also be preserved for the same length of time as the record retention period and they must be made available to the SEC and relevant self-regulatory organizations. EOA includes audit logging, which is designed to log every administrative command that is made to modify objects, including commands that would be used to configure retention policies (such as In- Place Hold settings), run ediscovery searches and make role-based permission changes. Such audit entries include the following information: who performed the operation (regardless of whether the operator is the customer s IT administrator or a Microsoft datacenter personnel working on behalf of the customer); when the operation was performed; details of the operation such as scope of changes (users, mailboxes, etc.) or impacted settings; actual commands that were issued for the operation; and success/error information, if applicable. Audit logging can be customized to store audit log entries for the length of the retention period and are readily available for offline analysis and examination. Through audit logging, EOA allows users to maintain a comprehensive audit trail of commands that are run directly in the Exchange Management Shell as well as operations performed using the Exchange admin center. III. Conclusion In summary, EOA provides a solid solution for regulated customers to preserve and manage a wide range of data, including email, voicemail, shared documents and instant messages, with specific abilities to address the technology compliance requirements under SEC Rule 17a-4. In particular, EOA allows customers to set global or granular messaging retention policies to store data for a defined period and beyond, in a non-rewriteable, non-erasable format. EOA verifies quality and accuracy of the recording process by identifying all recorded items by their unique ID s (i.e. the MessageID) and validating each recording operation. EOA indexes recorded items based on MessageID and other attributes of the metadata (e.g. timestamps) to ensure accuracy and speedy retrieval. In addition, through the design of Office 365, multiple copies of the recorded data are stored and replicated across geographically separate datacenters and customers can retrieve or make any recorded data accessible via e-discovery search. After analysis of EOA s services in conjunction with Rule 17a-4, we conclude that EOA includes features that enable customers, including broker-dealers, to store data in a manner that complies with Rule 17a-4.

7 DISCLAIMER: IN THIS WHITE PAPER, COVINGTON & BURLING IS NOT PROVIDING LEGAL ADVICE AND THE VIEWS EXPRESSED HEREIN ARE FOR INFORMATIONAL PURPOSES ONLY. READERS ARE ADVISED TO CONSULT WITH BOTH TECHNICAL AND LEGAL ADVISERS IN ASSESSING COMPLIANCE WITH RULE 17A-4.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information