What are the EU rules for email retention?

The necessity and challenges associated with email archiving are not exclusive to companies operating in the United States.

Like their American counterparts, organizations all around the world rely heavily on email for business communications. As such, correspondence sent through the medium contains pertinent information regarding the company and its inner workings.

European Union officials have recognized the importance of the information contained in email and handed down the Data Retention Directive on March 15, 2006. While the law contains similarities to its American counterparts, most notably the Federal Rules of Civil Procedure, it is also a decidedly different piece of legislation.

Below we’ll examine the need for EU email retention standards, the law’s actual requirements and the heavy criticisms it has faced from several member nations.

The Need

As in most parts of the globe, employees in the European Union can’t do without email. It is the primary form of communication within European businesses, used for sharing information between branches, partners, customers and clients.

Furthermore, a whitepaper from Frost & Sullivan on the subject of email archiving revealed that 80 percent of the business-critical content for a company is contained in email messages. That means nearly all of their trade secrets, confidential company data and insider information are floating through cyberspace in email.

For this reason, it is clear that making a legal case either for or against a company is dependent on the information contained in email. However, that same information could also be used to fight crime and thwart terrorism plots, both of which appear to be driving forces behind the EU’s Data Retention Directive.

That differs from the U.S. requirements, which are targeted at civil lawsuits and legal proceedings.

The Requirements

Under the directive, companies, mostly Internet service providers and others in the telecommunications industry, must retain records of all customer transactions for a period ranging between six months and two years. The transactions covered include email, telephone calls and website traffic, among others.

“The bottom line for many EU organizations is that proper email life cycle management decreases outside liability potential and falls in line with modern corporate email governance procedures,” according to Frost & Sullivan’s whitepaper.

However, the directive applies to certain information about these communications, but not necessarily to their content. Companies must identify the source, destination, date, time and duration of such communications.

Also, industry regulators in specific EU member nations have taken the requirements a step further. For example, the U.K.’s Financial Services Authority requires companies to retain email for six years. Such measures could cause other countries to follow suit with strict mandates of their own, according to Frost & Sullivan.

The Criticism

The EU Data Retention Directive has not been received without its detractors. In fact, the German Parliament has even gone so far as to call the directive illegal.

According to the IDG News Service, the German Bundestag’s Working Group on data retention said the law is “disproportionate in the measures it requires to fight crime, as data retention increases the crime clearance rate only slightly.” Essentially, the ends don’t justify the means. And the group said it would be impossible to reword the law to bring it in line with the EU’s Charter of Fundamental Rights.

In response, the European Commission, the executive body of the EU, said the directive does walk a fine line in terms of the right to privacy, and it will consider tighter regulations for the access and use of the retained data.

In addition to EU rules, EU companies also face industry email archiving requirements as well as the need to retain and if necessary produce electronic records for tax audits.

Why .PST files are not a good archiving strategy

There are a number of ways for companies to practice email retention, including email archiving solutions and preservation policies. One method used by Exchange Server users, but not recommended by experts, is personal storage table files, or .PST files.

A .PST file is a file-access-driven method of message storage, according to Microsoft. That means the system uses special file access commands that the operating system provides to read and write data to the file.

These files are popular with Exchange Server users as a way to stay under the platform’s mailbox quotas. Users move messages they wish to keep into .PST files from Microsoft Outlook and hold onto them for however long they are needed.

At first glance, it sounds like a reliable enough archiving strategy – files don’t clog users’ inboxes and are stored on the company’s local or network drives. But this may cause several major problems that will adversely affect the company, including failing to comply with email retention requirements and failing to be prepared for eDiscovery requests.

The following problems arise when users store emails in .PST files for long-term retention:

1. PST Files are not reliable

In fact, the method is so unreliable that Microsoft doesn’t recommend it for email archiving. The company’s TechNet Performance Team posted an entry on its blog entitled “Network Stored PST Files … don’t do it.”

2. PST Files are vulnerable to data loss

A major issue is unintended data loss. Such files stored on a computer’s hard drive are usually without a backup. If a user’s computer is lost, stolen or hacked, or the hard drive fails, the file will be lost forever.

3. PST Files can become corrupted

.PST files stored on a network drive are also vulnerable to data loss. Because the files are stored on the network, a user needs a network connection to access them, whether for eDiscovery or other purposes. According to Microsoft, “Microsoft Outlook tries to use the file commands to read from the file or write to the file, but the operating system then has to send those commands over the network because the file is not on the local computer.”

That process can’t happen should a network connection degrade or fail, which in turn will corrupt the .PST file and make it unreadable.

4. PST Files slow down the Network

Ironically, .PST files can be a common culprit behind the network slowdowns and stoppages that corrupt them. The size of a .PST file, compounded by the number of users that retain emails in such a way, places a lot of strain on a network, according to Microsoft.

In its Performance Team blog post, Microsoft gives the example of a couple hundred users who each had two or three .PST files (a low estimate) open in Outlook. The users never delete the files, and the files continue to grow in size the longer they are kept.

Each time a user launches Outlook, the program requests those two or three .PST files, which Microsoft estimates to be about 1 gigabyte each. When the 200 or so users launch Outlook, that’s 600 gigabytes’ worth of files (200 users, times three files each, at 1 gigabyte each) being requested at once.

“That’s an awful lot of Disk & Network I/O to process simultaneously. This is a very common scenario – the file server ‘freezing’ for a few minutes at a time while it tries to service these requests,” according to Microsoft’s blog post.

5. No centralized storage of PST Files

Since PST files are stored on local drives, they can be lost and impossible to produce when the company faces litigation and an eDiscovery request. If so, a judge can levy sanctions and monetary fines for improper email archiving. On the flipside, PST files can also suddenly show up when the company thought it had legitimately purged records according to its email retention policy rules. With PST files residing on many different hard drives, it is hard to keep track of all the files and to know which data you have and which data you don’t have. It goes without saying that this uncertainty is less than desirable when dealing with an eDiscovery request.

In short, storing emails in PST files is simply not a good archiving strategy and a centralized email archiving system is advised instead.
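As an added example (not code from the original post or from Red Earth Software), here is a small Python inventory script that walks the directories you point it at and identifies .PST files by their file header rather than their extension, so renamed or misnamed files are found too. It assumes the documented MS-PST header layout (magic bytes "!BDN", a format version word at offset 10) and builds a constructed sample tree to scan.

```python
import os
import struct
import tempfile
from pathlib import Path

# MS-PST header layout (assumption stated in the lead-in): the file opens with
# dwMagic "!BDN"; wVer at offset 10 is 14 or 15 for ANSI files, 23 for Unicode.
PST_MAGIC = b"!BDN"
PST_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode"}

def inspect_pst(path):
    """Return (format, size_bytes) if the file carries a PST header, else None."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(12)
    except OSError:  # unreadable or vanished: skip it, do not abort the scan
        return None
    if len(header) < 12 or header[:4] != PST_MAGIC:
        return None
    (ver,) = struct.unpack_from("<H", header, 10)
    return PST_VERSIONS.get(ver, "unknown(%d)" % ver), os.path.getsize(path)

def inventory_pst(roots):
    """Walk the roots and record every PST found, judged by header, not extension."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                info = inspect_pst(full)
                if info is not None:
                    found.append({"name": name, "path": full, "format": info[0],
                                  "size": info[1],
                                  "ext_ok": name.lower().endswith(".pst")})
    return found

def make_sample_pst(path, version=23, size=4096):
    """Write a constructed file with a PST-shaped header (test data only)."""
    body = bytearray(size)
    body[:4] = PST_MAGIC
    struct.pack_into("<H", body, 10, version)
    Path(path).write_bytes(bytes(body))

def demo_inventory():
    """Build a constructed sample tree in a temp dir and inventory it."""
    tmp = tempfile.mkdtemp()
    make_sample_pst(os.path.join(tmp, "archive 2009.pst"))
    make_sample_pst(os.path.join(tmp, "old.bak"), version=14, size=8192)
    Path(os.path.join(tmp, "notes.pst")).write_bytes(b"not a pst")  # extension lies
    return inventory_pst([tmp])
```

Pointed at user profile folders and home shares, the records give a records manager the list of files (and their total size) that would otherwise only surface during an eDiscovery request.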

What are the potential penalties for not archiving emails?

There are plenty of reasons for deploying an email archiving solution, such as freeing up employee inboxes, keeping pertinent information on hand and improving the security of corporate information, just to name a few. But perhaps no better reason comes in the form of green paper and can number in the millions, possibly even billions.

That’s right, money is the best way to get a company’s attention when it comes to expounding the importance of email archiving. And the best way to avoid suffering such setbacks, or even facing them, may be to understand where the penalties come from and what they could potentially be.

First, we’ll highlight two of the most well known sources of penalties when it comes to email archiving – the Federal Rules of Civil Procedure and the Financial Industry Regulatory Authority. Then, we’ll highlight some real-life examples of what happens when email archiving goes awry.

Sources of penalties

Federal Rules of Civil Procedure

The Federal Rules of Civil Procedure are a set of regulations and requirements that govern how litigation is carried out in U.S. federal courts. They are also a good benchmark for companies to follow when looking to deploy compliant email archiving solutions.

The Federal Rules of Civil Procedure were revised in 2006 to place a greater focus on electronically stored information, such as email. With the changes, eDiscovery requirements recognize all electronic communication, especially email and instant messages, as discoverable and subject to request by the court.

And the regulations are pretty clear concerning penalties. Should a company fail to produce requested Electronically Stored Information (ESI), or be found to have failed to archive relevant data, a judge has several options. Penalties may include one or more of the following: paying the opposing party’s expenses, contempt of court, sanctions in the case, heavy fines or even an automatic adverse verdict.

Financial Industry Regulatory Authority (FINRA)

Obviously this is a name you hear a lot about when it comes to financial organizations failing to practice proper email archiving.

Because the Financial Industry Regulatory Authority is a private corporation that acts as a self-regulatory organization, it has no standing to impose legal measures for email archiving impropriety. However, it still wields the authority to levy fines, and it isn’t shy about doing so.

In 2009, the organization handed down $50 million in fines for email archiving noncompliance.

Examples of penalties

MetLife

In November 2009, the company was fined $1.2 million by FINRA for failing to properly supervise “the review of brokers’ email correspondence with the public.”

According to the ruling, MetLife had an auditing system in place for its email archiving efforts, but failed to adequately ensure emails were forwarded properly. That allowed for the tampering of messages subject to regulation.

Piper Jaffray

Early last year, FINRA fined the investment bank $700,000 for an issue that spanned six years. As it turns out, Piper Jaffray had failed to archive more than 4 million pertinent emails during that time period.

EchoStar Satellite

The designer, developer and distributor of television set-top boxes was fined for the second time in November of last year.

New York state judge Richard Lowe concluded EchoStar “systematically destroyed evidence in direct violation of the law and in the face of a ruling.” That’s after it was previously sanctioned for deleting messages after just 21 days, against the Federal Rules of Civil Procedure mandates.

The second penalty was levied during a lawsuit in which a company was already seeking $2.5 billion in damages from EchoStar.

Holiday Phishing Scams—Avoid Being a Victim

image by pitklad

‘Tis the season, all right. Law enforcement all around the world report an increase in cybercriminal activity during the holiday seasons. Everything from scams to phishing attacks can land in your inbox and it can be very difficult to discern the legitimate from the nefarious.

One of the biggest trends surfacing this year is the proliferation of fake Twitter and Facebook promotions luring consumers into phishing traps and in some cases full-on scams. Many promotions will promise a popular product at a price that seems too good to be true—and it is. Unfortunately, the consumer won’t know that they’ve been taken by a cybercriminal until long after they’ve submitted their credit card or payment information.

There are also several reports of phishing emails coming from what seems to be retailers following up on recent purchases and banks questioning purchase histories. These emails request login information or other sensitive personal data. Unfortunately, more often than not these emails can be surprisingly deceptive and many people can fall for them.

In most cases, it’s best to call a reliable customer service number if you have any questions at all about an email. Also, recognize that most amazing deals found online aren’t worth the risk.

As a side note, many companies will find themselves at risk of security breaches as employees often use company computers for personal use during the holiday season to get shopping done or visit other non-secure sites. The best way to protect your company from this employee use is to have a reliable email filter that will prevent spam, protect inboxes and check for suspicious content.

This holiday season, the best gift you can give yourself and your company is peace of mind from inbox attacks.


Are The Right Elements Motivating Your Records Management?

A recent article by Johannes Scholtes, an expert at AIIM, highlights the factors that dictate proper records management, and that really got us thinking over here at Red Earth Software. How many IT directors are truly considering all the elements and issues that go into proper records management?

Scholtes’ article illustrates issues related to minimizing legal risks and compliance. Legal obligations are major factors. Understanding eDiscovery obligations and regulations is critical for anyone deciding how records management will be handled. Additionally, continuing education and professional development are essential to keep any team responsible for records management abreast of changes to compliance issues, laws or regulations.

While it is very important to archive and manage records with the possibility of litigation in mind, as Scholtes points out, there needs to be a level of flexibility built into your management system and policy to make room for technological advances and changes in policy.

Scholtes talks about finding “the right mix” of components for your policy and management system. He notes that it is just as important to focus on your storage components, as it is to spotlight the process of your records management.

For us, the takeaway here is that each company, no matter what size or industry, needs to consider not only how they store records, but why. In the end, our recommendation is that companies utilize the resources available from experts like Scholtes and AIIM to reach their records management goals.
