Legal Considerations for E-mail Archiving Why implementing an effective e-mail archiving solution can help reduce legal risk




Executive Summary

Written by: Quest Software, Inc.

Copyright Quest Software, Inc. 2007. All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY

The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS

All trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: info@quest.com
U.S. and Canada: 949.754.8000

Please refer to our Web site for regional and international office information.

Updated May, 2007

ABSTRACT

This document helps explain why implementing an effective e-mail archiving solution can help reduce legal risk even if an organization has yet to decide what sort of e-mail retention and disposal policies are appropriate for them.

DISCLAIMER

This document is not intended to provide legal advice. Quest recommends professional legal advice is sought before considering or implementing any of the information in this document. Quest is not responsible for any loss or damage which may be caused as a result of using information provided in this document.

CONTENTS

ABSTRACT
DISCLAIMER
CONTENTS
INTRODUCTION
LEGAL CONSIDERATIONS FOR MANAGING E-MAIL
  WHAT E-MAIL SHOULD BE KEPT?
  ARE DELETED MESSAGES REALLY DELETED?
  HOW BAD CAN IT BE?
  YOU'RE PROBABLY KEEPING ALL YOUR E-MAIL ANYWAY
  PSTS ARE LANDMINES
UNDERSTANDING HOW E-MAIL ARCHIVING CAN HELP
  TAKE CONTROL OF E-MAIL
  MANAGING RETENTION
SUMMARY
ABOUT QUEST SOFTWARE, INC.
  CONTACTING QUEST SOFTWARE
  CONTACTING QUEST SUPPORT

INTRODUCTION

Recent litigation and legislation have combined to raise the profile of the importance of e-mail, and impose burdens on organizations of most sizes, in most industries. Illustrated in Table 1 below, high profile cases involving institutions such as Morgan Stanley, Bank of America, Philip Morris and JP Morgan have resulted in multi-million dollar fines, setting the stage for enforced e-mail management.

| Offending Company | Case | Penalty | Judgment |
|---|---|---|---|
| Morgan Stanley | Coleman Holdings v. Morgan Stanley (2005) | $1.45B | Failure to produce e-mail evidence |
| Bank of America | SEC Settlement (2004) | $10M | Failure to produce e-mail evidence |
| Philip Morris | United States v. Philip Morris USA Inc. (2004) | $2.75M | Spoliation (deletion of 60-day old e-mail for 2 years) |
| J.P. Morgan | SEC, NASD, NYSE Settlement (2005) | $2.1M | Spoliation of e-mail |

Table 1. Examples of violations in e-mail retention.

But despite the potential penalties, organizations affected by the myriad of legislation are struggling to determine how to address their compliance requirements: everything from not doing anything with e-mail to not dealing with it properly.

Implementing an e-mail archiving system helps organizations address compliance requirements by ensuring there are mechanisms in place to capture and locate e-mail information. Often, in addition to helping with compliance requirements, these systems have operational benefits, such as reducing overall e-mail storage requirements and centralizing the control of the e-mail system to improve performance and realize better use of limited resources. But once implemented, organizations also need to ensure that the policies controlling the e-mail archiving solution meet the requirements of the business.

In many cases, though, organizations have been so daunted by the many options available to them that they have either done nothing and delayed deployment of a solution, or not purchased a solution at all.

This technical brief helps explain why implementing an effective e-mail archiving solution can help reduce legal risk even if an organization has yet to decide what sort of e-mail retention and disposal policies are appropriate for them.

LEGAL CONSIDERATIONS FOR MANAGING E-MAIL

From a legal perspective, e-mail is fraught with risk and many legal departments would prefer e-mail was not used at all. However, the reality is that e-mail is now the predominant form of business communication and while e-mail is simple to use, its ramifications for business are significant. Additionally, the hesitancy of the legal department to agree to, or implement, an e-mail archiving system can have a detrimental effect on other parts of the business that want to take advantage of the operational benefits these systems provide.

A number of companies have delayed deploying an e-mail archiving solution because they believe that until they have formulated appropriate policies, keeping e-mail in an archive will expose them to increased risk. In an ideal situation, a business would retain all e-mails that are beneficial and dispose of those that are harmful within the bounds of the law. There are a number of reasons why this seemingly simple requirement is virtually impossible to achieve.

What e-mail should be kept?

E-mails are context poor, in that it is often very difficult to decide the importance of an e-mail based purely on its content. Furthermore, many e-mails contain both office banter and important information. Events often determine the importance of an e-mail, and so an e-mail that may have been deemed to have no value can take on a whole new meaning in the context of an event such as a sexual harassment case.

Individuals can't be expected to classify e-mails as to their importance, not just because of the above but also because the typical volume of e-mail makes this impractical. No one would keep an e-mail that was damaging to them even if it was important to their organization.

Are deleted messages really deleted?

Like a fax machine transaction, there is always more than one e-mail: the sender's copy, and the copy held by anyone who receives the message.
E-mail exists in people's Sent Items folders and in multiple inboxes both internally and externally. Completely deleting an e-mail is often impossible. Even if you manage to delete it within your organization, it could exist outside of your corporate boundaries. This is further complicated by the use of offline stores or personal stores, where an e-mail is no longer contained in the corporate mail system but exists on a local computer drive that is effectively beyond the control of an organization's IT department. All of these repositories could be searched as part of a legal discovery exercise even though it is a complex and expensive process.

How bad can it be?

In the event of litigation where e-mail is involved (which is most litigation) it is vital to know what the potential exposure is to the organization. If you can't search and discover across your own e-mail repository, how can you formulate a strategy to deal with the situation? Modern e-mail platforms are optimized to send and receive e-mail. However, they lack the ability to effectively search and manage the data they contain and, as previously mentioned, e-mail data is often stored outside of the e-mail system.

The defense of not having the systems in place to search e-mail is no longer an acceptable reason to not produce e-mail in a timely manner. For example, in early 2007 Intel said it may have lost e-mail correspondence relevant to an antitrust lawsuit brought by rival Advanced Micro Devices (AMD). The company's document-retention program, which was used around the time of the AMD suit, possibly did not preserve potentially relevant messages. AMD accused Intel of apparently allowing the destruction of evidence.

You're probably keeping all your e-mail anyway

Most organizations will find that regardless of any formal retention and disposal policies, end users retain almost all of their e-mail messages. Usually these messages are kept in the personal stores mentioned earlier. End users retain most of their e-mails because they believe they have to in order to perform their jobs, or in some cases they do so for personal protection. Remember: e-mail is now the most widely used form of business communication. As a result, organizations will unwittingly be keeping significantly more e-mail than they know about or control, increasing the likelihood of non-compliance.
Most organizations force people to keep their e-mail outside of the corporate mail system

E-mail systems are not designed to store e-mail long-term and so most organizations have e-mail quotas whereby users are limited to a certain size of store in the e-mail system. When a quota is reached or exceeded, a user is forced to delete e-mails to reduce storage before they can send or receive new messages. To avoid being interrupted by these messages, users either move e-mail to a personal store and/or randomly delete e-mail (usually starting with the largest ones) to get below their quota limit.

This has two serious implications:

- Once e-mails are outside of the corporate e-mail system, they are no longer in corporate control, and this presents a serious risk as they exist but cannot easily be searched and accessed by the organization.
- If users are randomly deleting e-mail to stay under their quota, the risk to the organization increases. Not only are the deleted e-mails of potential business value, they may also be important from a compliance perspective.

Organizations need a way of ensuring the right information is retained, and that the organization, not end users, manages this.

PSTs Are Landmines

Some organizations work to limit e-mail-based liability by aggressively deleting e-mail out of the mail server, believing that if it does not exist it cannot be discovered. These same organizations often do not have an effective means of controlling, deleting, or retaining e-mail messages that reside in personal stores. Because e-mail that exists in personal stores is certainly discoverable and open to subpoena, yet is mostly invisible to the organization as it is neither centrally stored nor managed, PSTs are essentially legal landmines that undermine an organization's effort to decrease liability.

Only through the collection and proactive management of all these personal stores and all other e-mail data can an organization be prepared to deal with the e-mail-related legal issues that are bound to arise.

UNDERSTANDING HOW E-MAIL ARCHIVING CAN HELP

In this situation, the risk is not keeping all of your e-mail messages; it's not knowing what you have, nor being able to manage it. E-mail archiving solutions have been designed to help organizations control and manage their e-mail, not only helping them to address their compliance requirements, but also reducing overall e-mail storage utilization, assisting with mailbox management and increasing the performance of the mission critical e-mail server.

Often, the needs of the wider organization are considered less significant than those of the legal team, who understandably need to understand the pros and cons of implementing such systems, and make recommendations accordingly. Regardless of the size of the company, or the industry in which it operates, understanding these issues can be a challenge. As a result, the implementation of such a system often stalls.

The question the lawyers want answered is: Why should we implement an e-mail archiving solution if we haven't formulated retention and disposal policies? There are several rational reasons why implementation is important, and the factors identified in the previous section can be addressed.

Take Control of E-mail

One of the primary objectives of any e-mail archiving project must be to gain some level of control over the e-mail in your organization. In this case, control doesn't only mean being able to manage the new messages being sent and received, but also includes all of the other e-mail which is stored across the organization in file shares, on local hard disks, in Microsoft Outlook personal store (PST) files, etc.

Retention and disposal policies are worthless if they cannot be effectively applied and managed, and if e-mail is stored in disparate locations it is impossible to apply such policies. An effective archiving solution can import all the e-mail from personal stores and the corporate e-mail system, regardless of where this data is located.

E-mail also needs to be managed on an ongoing basis. Even once it's been collected, it is important that users are either no longer able to, or no longer need to, keep e-mail in personal stores. Given that users need access to old e-mails in order to perform their jobs, their e-mail quota needs to be effectively removed. Quest Archive Manager provides two powerful features to address this issue: the ability for end users to search their e-mail, and the ability to manage the size of the originating message store.

End users can have direct and secure access to their archived e-mail, and can use the powerful search tools to quickly locate the information they need. Below, Figure 1 depicts the standard web-based search screen that Archive Manager provides, including the results of a sample search. Messages can be opened directly from this results grid.

Figure 1: Archive Manager Search Screen

Archive Manager can also help manage the corporate e-mail store so users can effectively have an unlimited e-mail quota without putting the corporate e-mail system at risk, and in doing so maintains access to the e-mail for end users, including those who access e-mail using Microsoft Outlook. Reducing the size of the store also improves the performance of the store, and reduces the amount of data that needs to be backed up.

Once all e-mails are centrally captured and managed, retention and disposal policies (once formulated) can be applied retrospectively. It is expected that an organization will evolve their policies over time to keep pace with changing business and legislative requirements.

Managing Retention

Retention will allow organizations to determine how long to keep e-mail messages for, both at a global and a partial level. Once the retention period has passed, the e-mail messages are removed from the archive. Laws and regulations specify that, for some industries, e-mail messages must be kept for a specific period of time, in some cases ranging from one year to 10+ years. The retention policies and the rules which are implemented supporting those policies must be sufficiently precise in order to increase the likelihood of compliance.

As this is an emerging area, there are few examples of organizations being fined for mismanaging their retention rules; the e-mail-related cases that have occurred have been related to not keeping e-mail in the first place. By ensuring the e-mail messages are kept, and that appropriate classifications are used, organizations can use Archive Manager's flexible retention policies to control the retention and disposal of e-mail. Figure 2 below shows how organizations can create flexible retention policies to suit their specific needs.

Figure 2: Archive Manager Retention Policy Editor

SUMMARY

Most organizations now have to comply with laws and regulations relating to e-mail and how it is managed. The penalties for non-compliance are significant, and for that reason e-mail archiving solutions are being adopted to help organizations address their compliance requirements. By relying on the status quo and not implementing a solution, organizations are exposing themselves to unnecessary risk and effort, as their e-mail data will not be controlled, managed or able to be located in a timely way.

Implementing an e-mail archiving system ensures organizations gain control of their e-mail data, and in conjunction with appropriate people, processes and technologies, can significantly increase the likelihood of compliance being achieved. Organizations will also gain the operational benefits such systems deliver.

Quest Archive Manager enables e-mail to become a true asset for the organization by capturing, indexing, and storing messaging data for mailbox management, compliance, and knowledge sharing.

ABOUT QUEST SOFTWARE, INC.

Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and Windows infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 50,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows Management solutions simplify, automate and secure Active Directory, Exchange and Windows, as well as integrate Unix and Linux into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)
E-mail: info@quest.com
Mail: Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com

From SupportLink, you can do the following:

- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/global Support Guide.pdf