File Archiving: The Next Big Thing or Just Big? An Osterman Research White Paper. Published December 2012.


WHITE PAPER

File Archiving: The Next Big Thing or Just Big?

An Osterman Research White Paper
Published December 2012

Osterman Research, Inc.
P.O. Box 1058, Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839
Fax: +1 253 458 0934
info@ostermanresearch.com
www.ostermanresearch.com
twitter.com/mosterman

EXECUTIVE SUMMARY

Although many organizations still do not archive email, email archiving has become an accepted best practice at the majority of mid-sized and large organizations. Because email contains the primary record of communications and collaboration for most organizations, archiving this rich source of content is essential for compliance with regulatory obligations, legal requirements, data mining and other purposes.

Interestingly, however, email is not the primary source of electronic content in most organizations. Instead, files (word processing documents, spreadsheets, presentations and a wide variety of user-generated content) are the most pervasive type of content retained in the typical organization.

[Figure: Volume of Electronic Content in the Typical Organization by Location. Source: Osterman Research survey, October 2012]

KEY TAKEAWAYS

• Organizations are at serious risk if they do not archive electronic content in compliance with regulatory, legal and industry best practices.

• In some respects, file content is more difficult to archive than email because it can be created and stored in a large number of venues, both within and outside of IT's control.

• The Bring Your Own Device (BYOD) phenomenon, coupled with rapid growth in the amount of file content being stored, is exacerbating the problem.

• Files, as the largest single source of archivable electronic content within most organizations, should be a top priority for retention in conjunction with email.

ABOUT THIS WHITE PAPER

This white paper discusses best practices for archiving file-based content and offers some recommendations about how organizations should manage the increasing growth of files. This document also provides a brief overview of the sponsors of this paper and their relevant solutions: Autonomy, EMC, OpenText, Proofpoint and Smarsh.

2012 Osterman Research, Inc.

DRIVERS FOR ARCHIVING ELECTRONIC CONTENT

While the reasons for and benefits from archiving will be different for IT than they will be for legal, compliance or other functions within an organization, archiving and related issues should be top of mind for every function that creates and/or manages electronic content. For example, IT may not be concerned about the specific legal obligations that an organization has to preserve content, but they must preserve it. Legal may not care about the specific archiving technologies in place, but their focus must be on the legal reasons behind content preservation. Similarly, users may not care about the legal obligations or technologies, but they must be involved in preserving relevant content.

LEGAL CONSIDERATIONS

Virtually every business will eventually become involved in a lawsuit, either as a plaintiff, a defendant or as an involved third party. According to a survey on litigation trends by the law firm Fulbright & Jaworski [i], more than four out of five US companies surveyed are involved in litigation, while about one-half as many companies surveyed initiated at least one lawsuit. Consequently, the likelihood of facing an eDiscovery request is quite high.

When litigation is reasonably anticipated, an organization has an affirmative duty under the Federal Rules of Civil Procedure (FRCP) to preserve relevant evidence, such as emails, files, databases and other content that may be necessary to produce during the litigation process. This duty to preserve generally commences when a party knows, or reasonably should have known, that litigation may be forthcoming. When a legal hold is necessary, it is imperative that an organization retain all relevant data, such as all email sent from senior managers to specific individuals or clients, word processing documents that may contain corporate policy statements, and so forth.

Significant consequences can result from a failure to preserve possibly relevant evidence. Courts have discretion to impose a variety of sanctions, including fines, additional costs for third parties to review or search for data, or even criminal charges. For example, a court found that Samsung, in its recent litigation with Apple, had a duty to impose a legal hold on relevant email beginning in August 2010. However, Samsung did not disable its email system's auto-delete capability and so was not able to produce relevant email that Apple had requested, which could have resulted in an adverse inference instruction to the jury in the case. However, the Court determined that Apple had also acted badly, and so did not provide this instruction for either party.

As another example, in the case of Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 685 F. Supp. 2d 456, 470 (S.D.N.Y. 2010), the court awarded an adverse inference sanction because a party acted with gross negligence (as opposed to willfulness) in failing to preserve electronic documents. The court reasoned that contemporary standards of discovery rendered the failure to preserve and collect electronic files grossly negligent and therefore worthy of the severe sanction of an adverse inference, even without proof of intentional misconduct. At a minimum, an organization that cannot produce data when required will suffer a damaged corporate reputation.

Another consideration for archiving electronic content from a legal or regulatory perspective involves senior management's and/or legal counsel's ability to conduct more formal early case assessments in response to concerns about employee behavior, allegations of wrongdoing, and the like. Having all relevant electronic content (files, emails, instant messages, etc.) enables reviewers to investigate issues of concern quickly and easily before the litigation process begins and may save time and money en route to the situation's most logical business conclusion: defend or settle.

Similarly, an archiving capability for all relevant electronic content enables the development of early insight into a case on an informal basis. For example, if an organization suspects that it might be involved in litigation at some point in the future, senior managers, legal counsel or even departmental managers can conduct a preliminary form of early case assessment to determine if there are issues about which to be concerned. In the absence of a robust archiving capability, conducting this sort of analysis would be difficult, if not impossible. While many organizations have an archiving capability that enables this sort of activity for email, fewer have the capability to do so for files.

REGULATORY COMPLIANCE

Electronic records that pertain to an organization's business activity are subject to regulatory compliance obligations, which vary widely by industry and jurisdiction. These regulations require the retention of content like financial documents, email, instant messaging and social correspondence and employee and client records. In fact, the Supreme Courts of both Arizona and Washington State have ruled that even metadata must be retained as part of the record of information archived.

Among the most heavily regulated industries worldwide is the financial services industry, particularly broker-dealers and investment advisers. In the United States, regulations issued by the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) require members of national securities exchanges, brokers and dealers to preserve securities transaction records for a minimum of six years, the first two years in an easily accessible place. The new Dodd-Frank regulations related to commodities/swaps and hedge funds will create similar content management requirements.

As but one example of the need to archive files, NASD Rule 2210(1)(b) requires that advertisements and sales literature be filed with FINRA's Advertising Regulation Department; best practice dictates that this content also be archived internally as well. Underscoring the importance of retaining this content, the firm Hedge Fund Capital Partners, LLC and one of its registered principals were sanctioned for, among other things, failing to retain institutional sales materials [ii].

In Canada, records of purchase and sell orders of securities must be retained for seven years, the first two years in an easily accessible location. In the United Kingdom, investment service and transaction records must be retained for a minimum of five years.

Consequences to financial services firms for failing to comply with retention obligations can be severe and typically involve the imposition of significant financial penalties. For example, FINRA imposed a $700,000 fine on brokerage firm Piper Jaffray in May 2010 when the firm failed to produce 4.3 million emails sent and received between 2002 and 2008.

Brian L. Rubin, a member of the law firm Sutherland Asbill & Brennan LLP and former FINRA deputy chief counsel for enforcement, expects FINRA to maintain its attention on brokerage firms' content retention processes and strengthen its examination process of brokerage firms that fail to follow up on glitches in their retention systems. It is important to note that while much of the attention from regulators focuses on email and other forms of communication, files that contain business records such as advertising literature are also subject to retention by regulators.

Also heavily regulated is the healthcare industry. For example, under the privacy rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), health care providers are required to protect patients' electronic health information from unauthorized users and to retain such information for six years. Noncompliance with these HIPAA requirements could result in fines of up to $50,000 per violation, or criminal penalties of $250,000 and up to 10 years in prison for violations based on intent or malice. Here again, files are just as important a consideration for retention and privacy as emails and other forms of communication.

IMPROVED IT MANAGEMENT

An organization need not have billions of files to experience significant electronic content storage growth. Because content growth is increasing at roughly 25% per year [iii], a terabyte of content today will swell to more than three terabytes within five years at this growth rate. This creates enormous problems for IT administrators who must manage the growth and make the content accessible across the organization, often for long periods of time. Problems in managing such enormous growth of content include more time devoted to storage management, longer backup windows, longer restores after a server crash, and a greater proportion of the IT budget devoted to storage and storage management.

The rapid growth in storing and managing files has also rendered the simple tape backup an outmoded method for meeting legal discovery and regulatory retention requirements and gaining access to electronic content stored in a typical organization's file system. Moreover, backups are more difficult to manage because they require greater IT staff involvement and create long periods of server downtime in the event of a server crash or other technical problem. The costs of sifting through content stored on backup tapes can average $500 to $1,000 per gigabyte [iv], which could amount to a six- or seven-figure cost for even small organizations that could generate several terabytes of such data.

Reviewing information on backup tapes is no easy task. For example, a compressed LTO-3 tape can hold 750 gigabytes of email, or approximately 56 million printed pages of text. Given these inherent limitations of backup tapes, organizations today require a more suitable solution for satisfying electronic content retention obligations.

END USER SELF SERVICE

The vast majority of IT staff members would agree that end-user requests for recovering missing or deleted electronic content are among the least pleasant aspects of their work. Other than the difficulty associated with recovering such content, the time it takes for IT staff to complete those tasks takes away from other tasks that they could be performing to enhance the organization's productivity. In some cases, the job of IT staff is made even more difficult when content is not stored in a centralized repository. During difficult economic times, IT departments are even more overworked and have even fewer people to handle these types of requests. A content archiving system that is accessible to end users can help them to recover their own missing content, alleviating IT from this burden and making IT staff more productive.

THE PAINS OF eDISCOVERY FOR IT

Searching and restoring electronic files from various sources (PCs, servers, and backup tapes) can be a difficult and cumbersome process. Every time an organization faces a lawsuit or regulatory request for information, its IT staff must go through multiple steps to preserve and extract electronic content. These steps include initiating a litigation hold, then finding, restoring, cleansing and de-duplicating electronic content residing within every content source. These steps must be repeated for every file, backup tape, .pst file, etc. for each discovery request. This is especially burdensome since even a relatively small organization can face one or more e-discovery requests each month.

FILES ARE A GROWING PROPORTION OF MOST ORGANIZATIONS' CONTENT

NEARLY ONE-HALF OF CONTENT IS ON FILE SERVERS

An Osterman Research survey of small, mid-sized and large organizations conducted during October and early November 2012 found that nearly one-half of the typical organization's electronic content is stored on file servers (used to store electronic files, such as documents, videos, images, databases, etc.), while another 35% of content is stored in email systems, as shown in the following figure.

[Figure: Distribution of Electronic Content in the Typical Organization]

FILES ARE STORED IN A VARIETY OF LOCATIONS

While the majority of files in most companies are stored on IT-managed file servers, many files are created and stored in the wild, i.e., on devices and in applications that are not always under the direct control of IT. These file-generating sources include company-supplied mobile devices like smartphones and tablets, personally owned smartphones and tablets, social media sites and the like. Moreover, a significant percentage of many organizations' files reside in repositories that are deployed and managed by individual users, such as Dropbox, Box.net, Skydrive, Google Drive, Google Docs and other cloud-based repositories.

For example, an Osterman Research study of the BYOD phenomenon found that a large proportion of users employ personally owned mobile devices for work-related purposes, and that many employees use cloud-based repositories without IT's blessing, as shown in the following table and figure.

Penetration of Cloud-Based Applications by Organization Size (As a % of Organizations)

Tool          Status of Use             Up to 99 Employees   100-999 Employees   1,000+ Employees
Dropbox       Used w/ IT's blessing     40%                  21%                 14%
Dropbox       Used w/o IT's blessing    32%                  49%                 44%
Dropbox       Not used                  28%                  30%                 42%
Google Docs   Used w/ IT's blessing     24%                  12%                 10%
Google Docs   Used w/o IT's blessing    19%                  39%                 42%
Google Docs   Not used                  57%                  48%                 48%
YouSendIt     Used w/ IT's blessing     18%                  8%                  4%
YouSendIt     Used w/o IT's blessing    14%                  17%                 22%
YouSendIt     Not used                  67%                  75%                 73%

[Figure: Use of Personally Owned Mobile Devices for Work-Related Purposes by Organization Size (As a % of Organizations)]

MOST FILES ARE ONLY PARTIALLY MANAGED

Another serious problem facing virtually every organization is that many files are only partially managed. For example, an Osterman Research survey conducted in November 2012 found that 62% of organizations permit their users to store content (primarily files) locally, such as on their desktop or laptop computer hard disk. However, only 33% of these local content sources are backed up to a central location where they are accessible to the entire organization on a long-term basis.

Other problems in managing files include:

• In most organizations, there is no practical means to classify files or the content within them, meaning that there are few clues available about the relevance or importance of content without searching through each document.

• Most organizations have not implemented a cost-effective means to sift important files from junk content.

• Most organizations have no or little insight into the number of duplicate items in their file repositories.

• Once important files are identified, there is typically no efficient means of tracking and controlling files moving forward.

While file servers are normally backed up for purposes of restoring their content in the event of an application or hardware failure, only about one-third of organizations actually archive their file content. In short, most organizations do not manage files properly in three critical respects:

• Files are not archived so that their content is discoverable for legal, regulatory or other purposes.

• Files are not classified so that decision makers can determine their relevance.

• Files are not de-duplicated so that storage management can be optimized.

THE RISKS OF NOT MANAGING FILES PROPERLY TANGIBLE CONSEQUENCES ediscovery requests pose a significant challenge to an organization because the FRCP requires the production of all relevant electronic records, regardless of how backdated this content might be. The completeness and availability of requested records and the time required to extract them depends to a large extent on the organization s archival capabilities and how they manage storage. Required electronic content can be located in many different places within an organization, including file servers, desktop machines, laptops and, increasingly, on smartphones and tablets. The longer it takes an organization s IT staff to extract the required content, the longer it takes its legal counsel to access and review the content. With less time to get full command of the facts in a particular case, an organization runs the risk of the court imposing sanctions on the organization for missed deadlines or production of only a portion of the information requested. Any files produced may also have limited evidentiary weight if legal counsel cannot establish its authenticity. In fact, the litigation costs associated with ediscovery can be so great that as many as one in five businesses have settled a case simply to avoid searching through and retrieving email. WITHHOLDING EVIDENCE Among the more tangible and quantifiable consequences of not managing files properly is inadvertently withholding evidence because of the inability to find all relevant files and other information necessary to satisfy an ediscovery order or a request during a regulatory audit. This can lead to a number of consequences, including fines, sanctions, reversal of jury verdicts, higher legal costs and other serious problems. Four important cases to consider in the context of consequences that can occur if all relevant electronic content is not available: In the aforementioned case of Pension Committee of University of Montreal Pension Plan v. 
Banc of America Securities, LLC v, the Court issued sanctions against the parties that were not able to preserve their electronic content in a manner that met the court s requirements. In another important case underscoring the importance of managing electronic content properly, Green v. Blitz U.S.A. vi, the Court sanctioned the defendant for a variety of failures, including their representative who did not place a legal hold on relevant data, did not coordinate his work with the defendant s IT department, and did not perform keyword searches. These actions resulted in relevant documents not being produced. After key documents were not discovered in this case, but were discovered in another case one year later, the judge a) issued a $250,000 civil contempt sanction against Blitz, b) ordered the company to inform plaintiffs from the past two years about the sanction, and c) to include a copy of the sanction memorandum in every case in which it will be involved during the next five years. Among the more tangible and quantifiable consequences of not managing files properly is inadvertently withholding evidence because of the inability to find all relevant files and other information. In the case of Scentsy v. Chase et al vii, Scentsy followed a policy to delete emails after 60 days, but permitted files on desktops, laptops and shared storage systems to be retained until employees deleted them. Moreover, the company did not have a rigorous litigation hold policy in place, merely requesting that employees not delete potentially relevant content. In the case of Orrell v. Motorcarparts of America, Inc. viii, the court ordered the forensic examination of a plaintiff s home computer because it contained information that allegedly had been wiped from the plaintiff s company-supplied 2012 Osterman Research, Inc. 7

laptop computer. As shown in the figure above, while only 2% of corporate content is stored on employees home computers, storing files outside of IT s control can lead to serious consequences. LESS TANGIBLE CONSEQUENCES In addition to sanctions, fines and other tangible consequences arising from the inability to produce files and other electronic content are a number of less tangible and more difficult to quantify problems. These include loss of corporate reputation when word of sanctions or fines hits the press or the investor community, damage to an organization s brand, loss of future revenue opportunities, and a general loss of goodwill among customers, business partners and others. A SENSIBLE APPROACH TO FILE ARCHIVING Osterman Research recommends a four-step approach to implementing an appropriate file-archiving capability. As we recommend for email archiving, the initial steps need to focus on the non-technical aspects of solving the problem: understanding the legal and regulatory landscape, getting advice from legal counsel, and establishing appropriate retention policies. After these steps have been completed, we recommend implementing a robust file-archiving capability as discussed below. 1. UNDERSTAND FILE RETENTION OBLIGATIONS All of the key stakeholders in an organization IT decision makers, recommending influencers, legal counsel, and others need to stay current on legal decisions focused on the organization s electronic data retention obligations, including the types of electronic records that should be retained, how long such records should be retained and so forth. While many organizations focus on email archiving, the focus really needs to be on content archiving email, files, audio files, video files and any other relevant content that might need to be produced. 
Organizations that face a large number of statutory obligations or that are closely monitored by regulators, such as broker-dealers, need to understand their regulatory retention obligations thoroughly. Financial services organizations operating in the United States, for example, must fully comply with SEC and FINRA requirements for electronic data retention, supervision of content and other requirements. Energy-related companies must comply with Federal Energy Regulatory Commission (FERC) requirements. Healthcare organizations must comply with HIPAA, Medicare and other requirements.

Those with well-coordinated electronic content retention policies will be better positioned to weather the storms of litigation with minimal legal risk and harm. An organization without a coherent and thorough retention policy could find itself paying significant penalties during the eDiscovery process if it produces electronic content later found to have been altered, or if it destroys information it should have retained.

2. MITIGATE RISK THROUGH SOUND LEGAL ADVICE

The next phase in the process of developing an organization's electronic content retention policies is for a cross-functional team that includes IT, legal, records management, and compliance staff to establish electronic data retention policies and functions like indexing, searching, litigation holds and data immutability. IT staff, in particular, need to establish a dialogue with legal counsel and business functional user representatives to determine the latter's needs.

3. IMPLEMENT RETENTION POLICIES

Every organization, regardless of its size or industry, should have as its goal the establishment of robust and thorough electronic content retention policies.
One relatively easy way for decision-makers to do this is to establish content retention and deletion periods for major categories of content that will need to be retained and managed over several years. Different types of files will be subject to different data retention periods. For example, when records need only be retained for very short time periods, the need to implement and strictly enforce policies to delete those records can be as important as implementing policies to retain them. Therefore, retention periods should be sufficiently granular to accommodate all possible retention requirements.

An organization should set minimum and maximum retention periods for files and other content to avoid over-retention, since preserving data too long can also be risky. To determine these periods, cross-functional teams can define specific maximum retention periods for each category, or establish a general policy permitting the deletion of retained data when the minimum retention period expires.

After archival retention periods have been established, an organization should clearly communicate them to all users of electronic data, and retention periods should be executed automatically. No matter how well informed users are about retention periods, organizations still run the risk of user error in compliance with retention period guidelines and policies. Fortunately, file archiving solutions today are capable of automatically managing content retention periods, with little to no user involvement.

As a final step, IT and legal counsel should periodically revisit retention and deletion policies so they reflect changing regulatory requirements, organizational rules, and user needs for archival information.

4. DEPLOY A ROBUST FILE-ARCHIVING CAPABILITY

Osterman Research recommends that any file-archiving solution should have several key capabilities, or at the very least, organizations should be on track to implement these capabilities as their needs warrant:

Classification: All files, emails and other content have varying degrees of sensitivity.
Some content is highly sensitive and should never be sent outside of an organization or stored on internal systems without being encrypted or access-controlled, while other information contains no sensitive or confidential information of any sort. All files have a level of sensitivity that should be managed in accordance with corporate policies. A well-designed classification system that enables users to tag content based on its sensitivity, confidentiality or other parameters, or that automatically does so based on corporate policies, can provide any organization with a number of useful benefits in addition to just improving archival capabilities:

- Accidental leaks of sensitive data can be reduced dramatically.
- Users become more aware of corporate policies and their obligations to protect data for purposes of legal or regulatory compliance.
- Systems designed to prevent loss of data can operate more efficiently and effectively simply because they have more information to use in classifying files.

However, because of the large volume of content that most organizations manage, it is important to use a tagging system that can auto-categorize content in conjunction with users/record handlers tagging content manually.

Tracking: It is also essential to be able to track files across their entire lifecycle in terms of who has access to them, where they are sent, where they are stored, how they are modified and the like. Tracking content is important on a number of levels, not least of which is the ability to demonstrate how files were changed when presented for purposes of eDiscovery or regulatory compliance.

Control: The ability to control file content is also an essential element of any file archiving solution. Both workflow processes and technologies should enable files to be held in place for purposes of legal holds, and/or should enable these files to be moved to a centralized archive for further processing or review.

Disposition: Finally, a proper file archiving strategy should include the ability to dispose of superfluous content in order to preserve only what is needed for long-term retention. Miscellaneous files, such as temporary drafts, memos that do not contain business records, business records that have reached their retention period and the like, should be disposed of in a pre-determined manner. Although the immediate benefit of having the ability to dispose of unneeded content is reduced storage, eliminating older content can also mitigate risk by deleting content that may prove harmful to the organization, and it reduces costs by eliminating content that needs to be searched during future eDiscovery activities or regulatory audits.

Minimize user involvement: File creators and users are constantly under pressure to respond to the business demands placed on them. Regardless of how well educated users are about content retention policies, they are prone to error when manually deciding to keep or delete every file with which they interact. That is why an organization should invest in a file archiving solution that automatically manages its content retention policies. The primary benefit of such a capability is that it requires little or no user involvement, thereby increasing end-user productivity and minimizing the opportunity for mistakes and violations of corporate policy.
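The minimum and maximum retention periods, legal holds and automatic disposition described above can be combined into one decision function. This is an added example, not code from Osterman Research or from any sponsor's product; the category names, retention periods and file records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Action(Enum):
    HOLD = "hold"          # legal hold overrides every retention rule
    RETAIN = "retain"      # younger than the minimum retention period
    ELIGIBLE = "eligible"  # past the minimum: deletion permitted, not forced
    DISPOSE = "dispose"    # reached the maximum: deletion required
    REVIEW = "review"      # unclassified: keep and route to a records handler


@dataclass(frozen=True)
class RetentionRule:
    min_days: int
    max_days: int

    def __post_init__(self):
        # Reject rules that would force deletion before the minimum expires.
        if not 0 <= self.min_days <= self.max_days:
            raise ValueError("need 0 <= min_days <= max_days")


@dataclass(frozen=True)
class FileRecord:
    path: str
    category: Optional[str]  # None means the file was never classified
    created: date
    legal_hold: bool = False


# Constructed policy: categories and periods are illustrative assumptions.
POLICY = {
    "temporary_draft": RetentionRule(min_days=0, max_days=90),
    "contract": RetentionRule(min_days=7 * 365, max_days=10 * 365),
}

# Constructed sample records.
SAMPLE = [
    FileRecord("/share/drafts/memo-v1.doc", "temporary_draft", date(2012, 6, 1)),
    FileRecord("/share/drafts/memo-v2.doc", "temporary_draft", date(2012, 6, 1),
               legal_hold=True),
    FileRecord("/share/legal/supply-2010.pdf", "contract", date(2010, 1, 1)),
    FileRecord("/share/legal/lease-2004.pdf", "contract", date(2004, 1, 1)),
    FileRecord("/home/alice/notes.txt", None, date(2011, 3, 15)),
]


def decide(record, policy, today):
    """Return the Action for one file, with no user judgement involved."""
    if record.legal_hold:
        return Action.HOLD
    rule = policy.get(record.category)
    if rule is None:
        return Action.REVIEW  # fail safe: never delete what was not classified
    age_days = (today - record.created).days
    if age_days < rule.min_days:
        return Action.RETAIN
    if age_days >= rule.max_days:
        return Action.DISPOSE
    return Action.ELIGIBLE


def disposition_run(records, policy, today):
    """Evaluate every record and return (path, action) pairs for the audit trail."""
    return [(r.path, decide(r, policy, today)) for r in records]
```

The legal-hold check comes first so that a held file is never deleted, however old it is, and an unclassified file is routed to review rather than disposed of.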
Tamper-proofing files: A file archiving solution must secure stored electronic data with safeguards, such as Write-Once Read Many (WORM) storage and, where required by law or dictated by best practice, encrypting content. It must also be tamper-proof and capable of protecting electronic records from loss, damage or misuse. As noted above, if content from the archive is accessed, the system will ideally provide an audit trail that tracks who accessed the content and when it was accessed.

SPONSORS OF THIS WHITE PAPER

Autonomy, an HP Company, is a global leader in software that processes human information, or unstructured data, including social media, email, video, audio, text, web pages, and more. Autonomy's powerful management and analytic tools for structured information, together with its ability to extract meaning in real time from all forms of information, regardless of format, offer a unique capability for organizations seeking to derive the most value from their data.

The Autonomy Consolidated Archive (ACA) is a modular, secure, and integrated solution that enables customers to leverage the same market-leading archiving technology via an on-premise, cloud-based, hybrid, or appliance-based approach. ACA provides the industry's only intelligent governance layer from which businesses can drive their compliance, eDiscovery, and records management initiatives directly from archived data. The solution leverages innovative split-cell architecture that keeps two secure copies of every piece of data, single instance storage design for managing distributed sources and attachments, and hybrid architecture that couples on-site architecture with outsourced services for long-term data management.

Powered by Autonomy's Intelligent Data Operating Layer (IDOL), the ACA automatically recognizes concepts and context within all forms of information, and injects this understanding into the company's comprehensive set of information governance modules, which include Autonomy Early Case Assessment, Legal Hold, eDiscovery Review, Records Manager, Supervisor, and iManage WorkSite. The ability to understand the meaning of content in the archive transforms its value from merely protecting and storing data, to identifying patterns and leveraging its value for business purposes.

protect.autonomy.com
twitter.com/AutonomyCorp
autonomy@autonomy.com
+1 44 1223 4480000
+1 415 243 9955

EMC is the market leader in backup, recovery, and archive transformation, helping our customers address their most pressing challenges: relentless data growth, constrained budgets, compliance, and discovery. We do this through backup and archiving solutions that help organizations ensure recoverability and accessibility of data, improve resource efficiency, and increase the agility of their backup and archive infrastructure. Unlike any other vendor, EMC offers application solutions to address the unique requirements of backup and archiving while enabling our customers to leverage a consolidated IT infrastructure for their backup and archive workloads.

EMC SourceOne is a highly scalable archiving software platform enabling organizations to manage the lifecycle of corporate information, inclusive of all content types, according to consistent policies based on the content's business value. EMC SourceOne solutions are designed to scale to meet large enterprise needs, yet offer a simple footprint for mid-sized customers. Our holistic but modular approach also provides organizations of all sizes a 'start anywhere - go anywhere' solution to address their most pressing archiving and discovery challenges, delivering immediate business benefit and then expanding over time. EMC makes archiving and discovery actionable by enabling proactive, consistent and repeatable management of retention and disposition policies, and as appropriate, long-term preservation based on the value of the content.
Additional information about EMC can be found at www.emc.com\archiving

www.emc.com
twitter.com/emccorp
+1 866 438 3622

OpenText Enterprise Information Management (EIM) technologies and business solutions allow organizations to take full advantage of enterprise information to gain better business insight, capitalize on opportunities to positively impact the business, improve process velocity, reduce risks related to information governance, and protect sensitive information and intellectual property from internal leaks and external threats.

With growing volumes and a host of formats to manage and leverage, organizations need to bring structure to the unstructured. By doing so, they will be unleashing the power of information to drive faster decision making, improved agility, strong security policies, and an increased ability to both exploit the opportunities and control the risks of enterprise information. OpenText provides solutions across the entire range of core EIM capabilities (sophisticated, secure, high-value, and cost-effective) onsite, via mobile devices, private cloud, or in the cloud.

As the archiving backbone to many of these EIM capabilities, OpenText Enterprise Information Archiving (EIA) addresses a critical situation: skyrocketing volumes of data, global requirements for regulatory compliance, a growing need for litigation preparedness, and the reality of budget constraints. OpenText EIA enables multi-faceted enterprise archiving in a single, scalable repository, which makes the solution easier to manage and less costly to operate. Tight integration with Records Management allows for optimized archiving capabilities like smart disposal of transitory items, auto-classification of records, and robust search for content. The result is a strong Information Governance framework that operates as a seamless extension of applications like email, ERP (Enterprise Resource Planning) and CRM (Customer Relationship Management).

www.opentext.com
twitter.com/opentext
sales@opentext.com
+1 800 499 6544 (North America)
+800 4996 5440 (International)

Proofpoint, Inc. (NASDAQ: PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving and governance and secure communications. Organizations around the world depend on Proofpoint's expertise, patented technologies and on-demand delivery system to protect against phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information. Proofpoint's cloud-based data protection solutions incorporate a variety of encryption technologies that help enterprises meet increasingly stringent regulatory requirements around protecting confidential information at rest and in transit.

Policy-Based Email Encryption

The Proofpoint Enterprise Privacy suite provides defense-in-depth data loss prevention for private information of all types. It protects private information in email, defends against leaks of confidential information and ensures compliance with common international, industry and US data protection regulations such as HIPAA, GLBA and PCI-DSS. This suite includes Proofpoint Encryption, a SaaS-powered, policy-based email encryption solution that can also be deployed separately. Proofpoint Encryption automatically encrypts individual messages based on an organization's policies, without requiring end-users to take any special actions. Proofpoint's flexible rules, managed dictionaries and smart identifiers accurately detect non-public information, including protected health information and personal financial information, and reject or encrypt messages as appropriate.
http://www.proofpoint.com/encryption

TLS Email Encryption

The Proofpoint Enterprise Protection email security solution (available for SaaS, appliance, virtual appliance or hybrid deployments) also supports digital certificates and enables gateway-to-gateway secure transfer and receipt of email using Transport Layer Security (TLS).

http://www.proofpoint.com/protection

DoubleBlind Key Architecture for Email Archiving

Proofpoint Enterprise Archive, a cloud-based email, IM and file archiving solution, incorporates Proofpoint's patented DoubleBlind Key Architecture technology, which encrypts messages before transmission to Proofpoint's storage cloud, where they are stored in encrypted form. At the same time, DoubleBlind Key Architecture ensures that data remains fully searchable through the Proofpoint Enterprise Archive interface.

http://www.proofpoint.com/archive

www.proofpoint.com
twitter.com/proofpoint_inc
info@proofpoint.com
+1 408 517 4710

Smarsh provides hosted solutions for archiving electronic content and communications, including email, instant messaging and social media. The company helps organizations enforce flexible, secure and cost-effective compliance and records retention strategies. The Smarsh platform offers robust supervision, compliance and e-discovery functionality designed to meet the sophisticated needs of highly regulated or litigious industries. The SaaS (Software-as-a-Service) delivery model enables clients to eliminate IT infrastructure costs and minimize operating burden, while benefiting from Smarsh expertise in hosting large volumes of mission-critical client data. Customizable solutions fit the needs, budgets and technological infrastructure of any business and are matched with unrivaled customer support and service.

www.smarsh.com
twitter.com/smarshinc
sales@smarsh.com
+1 866 762 7741
+1 503 946 5980

© 2012 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

CITATIONS

[i] http://www.fulbright.com/litigationtrends
[ii] Source: Disciplinary and Other FINRA Actions, Reported for July 2012
[iii] Source: Osterman Research surveys
[iv] http://www.informationweek.com/software/information-management/e-discovery-howto-avoid-death-by-backup/224400402
[v] 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010)
[vi] http://civilprocedure.dbllaw.com/2011/08/past-ediscovery-errors-result-in-sanctions/
[vii] 2012 WL 4523112 (10/12/12 D. Idaho)
[viii] 2007 WL 4287750 (W.D.N.C. Dec. 5, 2007)