Like diamonds, e-mails are forever. Or at least, it would seem like forever for companies required to implement e-mail archiving – for three to five years – to comply with regulatory and legal requirements.
First Associates Investments Inc., a Toronto broker and investment dealer, recently turned to Toronto’s Fortiva Inc. for an e-mail archiving system to comply with a bylaw implemented by the Investment Dealers Association of Canada (IDA). The regulation requires financial services companies to store their full range of electronic communications, from e-mails to instant messages.
Similar regulations have emerged on both sides of the border as part of the fallout of the Enron collapse, forcing companies like First Associates to turn from traditional storage methods like tape backups to more robust and user-friendly technologies.
Brian Erdelyi, First Associates’ information security officer, said retrieving e-mails from the tape backup – which seldom happened – was a time-consuming and tedious process. But with IDA now requiring periodic reviews of electronic communications by internal compliance officers, the company decided it was time for a change.
“We were actually very open-minded about what solution we were going to wind up with,” said Erdelyi.
The company started with an overview of the e-mail archiving market from research company Gartner Group, then considered commercial, off-the-shelf products and managed offerings from companies like Veritas Software, KVS, EMC Legato and E-Vault.
Erdelyi said a number of companies were invited to demonstrate their products for a team that included First Associates’ vice president of human resources, legal counsel, IT staff and, most importantly, the compliance officers who would be the primary users.
“It was the encryption that sold me on Fortiva,” said Erdelyi. “But we also put the decision primarily in the hands of the business users.”
Fortiva’s user interface – similar to the Outlook environment the users were familiar with – as well as the search capabilities it offered were the convincing factors, according to Erdelyi.
To fulfill the audit requirements, the Fortiva software can randomly select a sample percentage of messages for the compliance officers to review, and can also highlight specific messages based on selected keywords. Erdelyi said the browser-based interface is similar in feel to Outlook Web Access.
From an IT perspective, the migration and implementation went smoothly thanks to a previously planned upgrade to Microsoft Active Directory, said Erdelyi. The process involves a Fortiva-supplied appliance that connects to the mail server, grabs messages through Active Directory’s journaling function, encrypts them, and sends the data to Fortiva’s data centre for indexing and storage.
“It was fairly large, in the sense. We were fairly cautious and spent a lot of time designing the infrastructure. But once it was in place, the actual roll-out was very quick,” said Erdelyi. “Not too much tuning or customization, it was pretty much out of the box.”
Fortiva’s CEO Paul Chen said his company’s encryption system sets its offering apart. Under the scheme, dubbed Double Blind encryption, the encryption key resides on the appliance in the customer’s server room.
“That allows us to indemnify our customers that we can never see their e-mails, even though we’re storing all their data for them, and at the same time make all their data searchable for them,” said Chen.
Between its Canadian data centre, co-hosted with Q9 in Toronto, and its US data centre in Houston, Fortiva archives 20 million customer e-mails a month, and counting, said Chen.
He said while regulatory compliance is a major consideration, he sees the risk of litigation as an even bigger driver.
“A lot of companies find it’s much easier to settle a lawsuit than try to find the e-mail as part of the legal discovery process,” said Chen. “So, either [the companies] pay the settlement each time or decide to put a proper e-mail archiving system in so they can properly defend themselves.”