E-mail records have played an important role in many of the corporate governance scandals of recent years, from the collapse of Enron to the earlier government investigations surrounding Microsoft. In the wake of such corporate governance issues, the U.S. has a host of new and existing regulations — Sarbanes-Oxley Act, SEC Rule 17a-4 and NASD Conduct Rule 3010 — that demand more corporate transparency and better document retention. In Canada, legislation such as PIPEDA and industry specific rules have put companies on notice that e-mail is to be treated as important and sensitive corporate documents.
“Depending on the contents, (e-mail) may constitute a legal business document or record,” said Alan Gahtan, an attorney with Gahtan Law Office in Toronto.Businesses need to treat e-mail in the same manner they treat other forms of business communications or business documents.Alan Gahtan>Text He is also the author of Electronic Evidence (1989). “Businesses need to treat e-mail in the same manner they treat other forms of business communications or business documents.”
This means e-mail can be considered a business document if that e-mail contains business information, is part of a business transaction or can be used to defend a business from a claim, Gahtan added.
Because e-mail is a business document, companies need to manage e-mail so important e-mails can be found quickly and easily if ever a time comes when such e-mails need to be discovered for legal or regulatory reasons.
Daniel Shap, a partner with Gardiner Roberts LLP in Toronto said the first step in managing e-mail is for a company to sit down and carefully examine what e-mails it must retain. The decision as to what is an important e-mail will often be set by what industry the business is in, what regulatory and legislative measures affect the business and what internal compliance measures a company has in place.
For example, a securities firm will likely have to keep all e-mail correspondence between its brokers and customers, while another firm may only have to keep correspondence involving transactions or actual business.
In some cases, a company may decide the best option is to save everything so that there can be no questions as to what has to be retained.
“One large investment bank customer we have archives even all of its spam,” said Mike Speiser, vice-president of product marketing and product management for Veritas Software Corp. in Mountain View, Calif. “The rational for that is that if the spam filter gets one thing wrong, or the company finds any problem with its spam filtering, they are worried that the business could get in trouble for losing an important e-mail.”
Whatever policy rules are finally decided upon, effective policies can greatly cut down on the number of e-mails and make managing those e-mails much easier, suggested Shap.
An effective policy also helps in better deploying and using e-mail and document management solutions.
Knowing what kinds of e-mails need to be retained, a company can set its management solutions to only retain those needed e-mails and possibly add additional meta-information to the e-mails so that different kinds of searches can be done later. Veritas’ Enterprise Vault 6.0 has in place flexible search methodologies allowing for searches on such meta-data and it can even do searches along compliance and regulatory lines.
Joe Kvidera, president of Procedo Inc. in Minneapolis, Minn. recently helped a Canadian financial institution set up Enterprise Vault so it could do searches on archived e-mail along legal issues.
“(This organization) had some two million e-mail messages a day and had some legal discoveries in the past where they had to go back and find specific e-mails,” Kvidera said.
But knowing what to keep is just one step in e-mail management. Just as important to know is what e-mails to delete and when to deleted them. By having a policy that clearly states how long e-mails are to be kept and when those e-mails are to be deleted not only cuts down on the volume of e-mails needed to be stored, but can protect a company from possible legal questions around e-mails that have been deleted.
Shap said companies run into problems when they don’t set clear policies or deviate from those policies for how e-mails are to be deleted after a set period of time.