Corporate E-Mail Security: Compliance Swamps IT Staff

IT managers look to better tools, including self-service retrieval for employees

E-mail is more than just a communications tool. Thanks to its pervasiveness, e-mail has become a crucial repository for corporate information. While that makes storing, retrieving, and searching through e-mails essential for one’s job, it also makes a company’s e-mail archive attractive to others, especially during regulatory investigations and lawsuits.

Managing corporate e-mail servers, however, isn’t easy, owing to immature tools and the nature of stored e-mail—the amount never stops growing. Yet companies face both regulatory and legal risks if they don’t have quick, thorough access to all stored e-mails, leading Osterman Research founder Michael Osterman to note in a recent report how “increasing e-mail volumes create challenges for total storage, legal discovery, and protection for compliance.”

On the regulatory front, for example, the Securities and Exchange Commission requires financial institutions to retain e-mails and instant messages for certain periods—up to seven years—and very quickly produce them upon request. As of July 2006, new Sarbanes-Oxley (SOX) reforms will impose similar requirements on public companies, at least for communications involved in SOX controls.

On the lawsuit front, courts may require companies to quickly retrieve and share e-mails relevant to a case. Doing anything less can have negative repercussions. For example, take a recently resolved case involving Morgan Stanley and its auditing client, Sunbeam Corp., over Sunbeam’s 1998 acquisition of Coleman Inc. for $1.5 billion. Much of that sale price was paid in Sunbeam stock, and after Sunbeam declared bankruptcy in 2001, the stock was worthless. When Coleman’s largest investor, Ronald Perelman, sued Morgan Stanley for fraud, a judge ordered Morgan Stanley to produce all of its e-mails relating to accounting practices at Sunbeam. Morgan Stanley ultimately failed to do so, leading the judge to rule against the firm for $1.45 billion.

The Morgan Stanley case highlights how courts can equate a company’s inability to produce e-mails with destroying evidence. To prevent this, companies need a way to archive all corporate e-mail and instant messages, then quickly search through them and share relevant results. To do that, IT managers must deploy tools for managing e-mail, and also factor e-mail archiving into their disaster recovery plans.

E-Mail Management Woes

Given the regulatory and legal landscape, “enterprises need to manage e-mail as a business record,” notes Osterman. Yet a recent Osterman Research survey of e-mail management practices at 116 companies (averaging 9,400 mailboxes each) found that many companies still face legal and compliance risks, since IT managers continue to battle a variety of e-mail-management problems.

When administering Microsoft Exchange e-mail environments, for example, IT managers say their top challenges are ensuring disaster recovery, followed by managing the volume of e-mail, safeguarding and searching Exchange (.PST) files for legal-discovery requests, restoring e-mail and e-mail boxes for users, and automatically capturing e-mail for compliance.

So it’s no surprise, says Osterman, that “the overwhelming majority of respondents indicated that they would welcome the addition of new self-service tools to empower users to manage their own needs for message recovery and search and discovery.”

In other words, IT managers want to let users help themselves—at least sometimes. “Administrators are in favor of having users perform routine recovery, and search and discovery, tasks themselves, allowing administrators more time to allocate to other important projects—such as managing Exchange for disaster recovery and storage optimization,” he says.

In addition, IT managers indicated they don’t want separate archiving tools for different types of information—the current norm, if companies even have dedicated e-mail archiving software—but rather just one product to manage archiving, search, and retrieval for e-mail, as well as such things as calendars, contacts, and Outlook notes.

Finally, IT managers report current e-mail-management tools just aren’t good enough yet. “Those with existing tools in place highlight the need for improvements in search interfaces, speed of response to respond to discovery requests, and performance and scalability as among the biggest issues they face,” says Osterman.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.