Email archiving

What are the EU rules for email retention?

The necessity and challenges associated with email archiving are not exclusive to companies operating in the United States.

Like their American counterparts, organizations all around the world rely heavily on email for business communications. As such, correspondence sent through the medium contains pertinent information regarding the company and its inner workings.

European Union officials have recognized the importance of the information contained in email and handed down the Data Retention Directive on March 15, 2006. While the law contains similarities to its American counterparts, most notably the Federal Rules of Civil Procedure, it is also a decidedly different piece of legislation.

Below we’ll examine the need for EU email retention standards, the law’s actual requirements and the heavy criticisms it has faced from several member nations.

The Need

As in most parts of the globe, employees in the European Union can’t do without email. It is the primary form of communication within European businesses, used for sharing information between branches, partners, customers and clients.

Furthermore, a whitepaper from Frost & Sullivan on the subject of email archiving revealed that 80 percent of the business-critical content for a company is contained in email messages. That means nearly all their trade secrets, confidential company data and insider information are floating through cyberspace in email.

For this reason, it is clear that making a legal case either for or against a company is dependent on the information contained in email. However, that same information could also be used to fight crime and thwart terrorism plots, both of which appear to be driving forces behind the EU’s Data Retention Directive.

That differs from the U.S. requirements, which are targeted at civil lawsuits and legal proceedings.

The Requirements

Under the directive, companies, mostly Internet service providers and others in the telecommunications sector, must retain all customer transactions for a period ranging between six months and two years. The transactions covered include email, telephone calls and website traffic, among others.

“The bottom line for many EU organizations is that proper email life cycle management decreases outside liability potential and falls in line with modern corporate email governance procedures,” according to Frost & Sullivan’s whitepaper.

However, the directive applies to certain information concerning these channels, not necessarily to their contents. Companies must identify the source, destination, date, time and duration of such communications.

Also, industry regulators in specific EU member nations have taken requirements a step further. For example, the U.K.’s Financial Services Authority requires companies to retain email for six years. Such measures could cause other countries to follow suit with strict mandates of their own, according to Frost & Sullivan.

The Criticism

The EU Data Retention Directive has not been without its detractors. In fact, the German Parliament has even gone so far as to call the directive illegal.

According to the IDG News Service, the German Bundestag’s Working Group on data retention said the law is “disproportionate in the measures it requires to fight crime, as data retention increases the crime clearance rate only slightly.” Essentially, the ends don’t justify the means. And the group said it would be impossible to reword the law to bring it in line with the EU’s Charter of Fundamental Rights.

In response, the European Commission, the executive body of the EU, said the directive does walk a fine line in terms of the right to privacy, and it will consider tighter regulations for the access and use of the retained data.

In addition to EU rules, EU companies also face industry email archiving requirements, as well as the need to retain and, if necessary, produce electronic records for tax audits.

What are the potential penalties for not archiving emails?

There are plenty of reasons for deploying an email archiving solution, such as freeing up employee inboxes, keeping pertinent information on hand and improving the security of corporate information, just to name a few. But perhaps no better reason comes in the form of green paper and can number in the millions, possibly even billions.

That’s right, money is the best way to get a company’s attention when it comes to expounding the importance of email archiving. And the best way to avoid suffering such setbacks, or even facing them, may be to understand where the penalties come from and what they could potentially be.

First, we’ll highlight two of the best-known sources of penalties when it comes to email archiving – the Federal Rules of Civil Procedure and the Financial Industry Regulatory Authority. Then, we’ll highlight some real-life examples of what happens when email archiving goes awry.

Sources of penalties

Federal Rules of Civil Procedure

The Federal Rules of Civil Procedure are a set of regulations and requirements that govern how litigation is carried out in U.S. federal courts. They are also a good benchmark for companies to follow when looking to deploy compliant email archiving solutions.

The Federal Rules of Civil Procedure were revised in 2006 to place a greater focus on electronically stored information, such as email. With the changes, eDiscovery requirements recognize that all electronic communication, especially email and IMs, may now legally be requested at the court’s convenience.

And the regulations are pretty clear concerning penalties. Should a company fail to produce requested Electronically Stored Information (ESI), or be found to have failed in archiving relevant data, a judge has several options. Penalties may include one or more of the following: paying for the expenses of the opposing party, contempt of court, sanctions against a case, heavy fines or even an automatic guilty verdict.

Financial Industry Regulatory Authority (FINRA)

Obviously this is a name you hear a lot about when it comes to financial organizations failing to practice proper email archiving.

Because the Financial Industry Regulatory Authority is a private corporation that acts as a self-regulatory organization, it has no standing to impose legal measures for email archiving impropriety. However, it still wields the authority to levy fines, and it isn’t shy about doing so.

In 2009, the organization handed down $50 million in fines for email archiving noncompliance.

Examples of penalties

MetLife

In November 2009, the company was fined $1.2 million by FINRA for failing to properly supervise “the review of brokers’ email correspondence with the public.”

According to the ruling, MetLife had an auditing system in place for its email archiving efforts, but failed to adequately ensure emails were forwarded properly. That allowed for the tampering of messages subject to regulation.

Piper Jaffray

Early last year, FINRA fined the investment bank $700,000 for an issue that spanned six years. As it turns out, Piper Jaffray had failed to archive more than 4 million pertinent emails during that time period.

EchoStar Satellite

The designer, developer and distributor of television set-top boxes was fined for the second time in November of last year.

New York state judge Richard Lowe concluded EchoStar “systematically destroyed evidence in direct violation of the law and in the face of a ruling.” That’s after it was previously sanctioned for deleting messages after just 21 days, in violation of the Federal Rules of Civil Procedure mandates.

The second penalty was levied during a lawsuit in which a company was already seeking $2.5 billion in damages from EchoStar.

Are The Right Elements Motivating Your Records Management?

A recent article by Johannes Scholtes, an expert over at AIIM, highlights the factors that dictate proper records management, and that really got us thinking over here at Red Earth Software. How many IT directors are truly considering all the elements and issues that go into proper records management?

Scholtes’ article illustrates issues related to minimizing legal risks and compliance. Legal obligations are major factors. Understanding eDiscovery obligations and regulations is critical for anyone deciding how records management will be handled. Additionally, continuing education and professional development are essential to keep any team responsible for records management abreast of any changes to compliance issues, laws or regulations.

While it is very important to archive and manage records with the possibility of litigation in mind, as Scholtes points out, there needs to be a level of flexibility built into your management system and policy to make room for technological advances and changes in policy.

Scholtes talks about finding “the right mix” of components for your policy and management system. He notes that it is just as important to focus on your storage components as it is to spotlight the process of your records management.

For us, the takeaway here is that each company, no matter what size or industry, needs to consider not only how it stores records, but why. In the end, our recommendation is that companies utilize the resources available from experts like Scholtes and AIIM to reach their records management goals.

Email Retention Checklist: Eight Questions You Need to Ask for Your Retention Policy

As regulatory email compliance becomes more commonplace throughout all industries, many organizations are examining their email archiving policies. There are many reasons for this, not the least of which is that in the event of a lawsuit, archived emails can become a vital part of the eDiscovery process. Whether you are addressing this for the first time or already have a policy in place, below is a useful checklist to determine your organization’s email retention needs:

1. Is your company required to preserve emails to comply with industry regulations? If so, for how long?

2. Is there a possibility that an auditor might visit your premises and request the relevant information to be presented on site, and/or will you need to produce data on external media?

3. Should you retain all corporate emails in one central place for easy access and discovery for company objectives? What are the pluses and minuses in doing this?

4. Which employees will need access to other employees’ emails?

5. Are there certain emails that must be kept longer for company use, or will the company retain all emails for the same length of time?

6. Are you looking to reduce the load on your mail server (for instance the Exchange Server Information Store) by archiving emails onto another system?

7. Does your company need to be prepared for any eDiscovery requests in view of the Federal Rules of Civil Procedure?

8. What is your current email archiving policy, if any?

By discussing the answers to these questions with a cross-functional team, with all relevant departments submitting input, your organization will have a better idea of its email archiving needs. Based on this, you can draft an email archiving policy and select the appropriate email archiving solution for your company’s needs.
