What Banks Don’t Know About E-mail Archiving Can Hurt Them
Overflowing e-mail in-boxes are more than just annoyances -- now, they're also liabilities. Financial institutions increasingly are being judged on the way they manage their e-mail, and they're getting hit hard if they're found to be doing it the wrong way.
For example, in September, Wachovia Capital Markets, the parent group of Charlotte, N.C.-based Wachovia Bank ($504 billion in assets), was fined $2.25 million by the New York Stock Exchange for failing to comply with rules relating to electronic communications in violation of Section 17(a) of the Securities Exchange Act of 1934. According to the NYSE, "From January 1999 through April 2006, and in certain subsequent periods, the firm ... failed to retain certain e-mail by carrying out appropriate backups of files on the computer servers on which their communications systems ran, to appropriately monitor or supervise the backup process and/or to take due care to ensure that certain records could be retrieved. With regard to certain e-mail and instant messaging systems, the firm failed to review such electronic communications."
While Wachovia ultimately will be required to pay just $600,000 of the fine as part of a settlement, the reputational damage already has been done, as the decision made headlines across the country. While the institution remains mum on how it is amending the situation, a spokesman for the company says the organization "is addressing and has been addressing the issue."
The Wachovia ruling follows a number of other high-profile cases that have brought increased attention to the issue of e-mail management at financial institutions. Earlier this year, Morgan Stanley agreed to pay a $15 million fine to settle a Securities and Exchange Commission investigation over the firm's failure to save e-mail properly -- added on to the $1 billion it was required to pay for failing to produce e-mail evidence in a timely manner as part of the discovery phase of a highly publicized civil trial. In addition, Merrill Lynch was fined $2.5 million by the SEC in March for failing to properly archive its e-mail.
Adding to companies' e-mail management concerns are amendments to the Federal Rules of Civil Procedure (FRCP) that go into effect on Dec. 1. These rules govern legal discovery and mandate how e-mail and other electronic data must be produced for litigation. The new FRCP amendments will require companies to prove that they are taking action to protect data, to know where it is located and to produce a plan for retrieving it.
The new rules draw further attention to the challenges banks face as a result of the growing use of e-mail and other types of messaging, including instant messaging (see related sidebar, page 26). As e-mail grows in volume, the urgency for devising new and better ways of dealing with it also becomes more intense.
The amount of e-mail that an average business user receives is growing by 30 percent annually, leading up to a current average of 75 e-mails per day, according to Debra Logan, vice president of research for Stamford, Conn.-based Gartner, who spoke recently at an executive briefing on e-discovery in New York. "We've let unstructured content grow completely out of control," she told attendees.
Each employee at Woodsville Guaranty Savings Bank ($289 million in assets) in Woodsville, N.H., receives between 50 and 100 e-mails each day, and each sends out between 25 and 30, relates Bob Miller, vice president and information systems officer for the bank. And, consistent with the overall average, 80 percent of the e-mail the bank receives is spam, he says.
The most difficult aspect of managing messaging for Woodsville Guaranty Savings Bank to control is storage, according to Miller. "E-mail archiving is the buzz topic right now," he says. "Regulators want it. Legal wants it. It's a case of the pen is mightier than the sword."
Archiving e-mail involves automatically placing e-mail-based records into secure archival storage where they can be easily retrieved. Although e-mail archiving is a top-of-mind concern for many banks, there are financial institutions that still are indifferent to the requirement, says Richard Purdy, global financial services marketing and solutions development leader for EMC Corp., a Hopkinton, Mass.-based provider of products, services and solutions for information management and storage.
Organizations mistakenly think that if they back up e-mail, then they're accountable for it, and if they don't, then that information can't incriminate them, explains Purdy. But that is just not the case, he stresses, pointing to recent litigation as prime examples of companies that already have been hurt by what they don't have.
If effective message archiving isn't on the mind of bank executives, it should be, adds Woodsville's Miller. "We are probably one of the few banks in our area that are [using archiving] right now," he says. Other banks in the area -- apart from the largest national and regional financial institutions -- still are using tapes, he contends. In fact, according to a September white paper from Black Diamond, Wash.-based Osterman Research, most organizations don't archive their e-mail, instead relying on backup tapes to preserve data.
With such outdated methods, trying to retrieve just one e-mail could take a couple of hours compared to less than one minute with Woodsville's archiving system, which is hosted by Norwalk, Conn.-based managed e-mail-archiving provider Fortiva, Miller says. That's not something that will fly when litigation calls for information to be discovered in a timely manner.
"Judges are increasingly disinclined to be lenient for bad information management," Gartner's Logan asserts, adding that at least three-fourths of all companies will be involved in legal action that will require a systematic approach to legal discovery. "You will need to be proactive about getting this stuff together for the judge," she says. In fact, 24 percent of organizations have had employee e-mail subpoenaed, and 15 percent of companies have gone to court to battle lawsuits triggered by employee e-mail, according to a July survey from the American Management Association (New York).
However, according to Logan, "There isn't a corporation in the U.S. -- or in the world for that matter -- that has an effective records-retention policy across the board."
"This is a hot item because everyone is getting burned. You're only saving e-mails to protect you," says Maureen Caplan Grey, founder and principal analyst for Grey Consulting (Kent Lakes, N.Y.), an electronic messaging research and advisory firm. "The fact is that any type of document that is deemed to be a record -- media independent -- is a record," she adds.
"This means the industry cares about how those records in total are going to be managed," continues Grey, who is the author of the report, "E-Mail Management: An Oxymoron?" In the report, Grey predicts that over the next few years, e-mail archiving will become just another part of an organization's overall enterprise content management strategy. She recommends that organizations develop a governance body that has oversight for all records -- paper and electronic -- including e-mail messaging.
Experts say the first step to creating a successful message archiving system is to integrate all the departments involved, including business, IT and legal, as well as the end users. Organizations need to take a cross-functional approach to better understand the policies that need to be put in place, according to EMC's Purdy. "It's a whole new set of conversations," he says. It's the legal group's charge, but IT has to execute it, Purdy explains.
Forrester Research (Cambridge, Mass.) also recommends a cross-functional team in light of the fact that message archiving is part of enterprise content management and storage. The IT group should get together with legal representatives, risk managers, records managers and e-mail administrators, even though they each may have different agendas, says Erica Driver, principal analyst for Forrester. Legal usually wants to keep everything forever, records managers want to get rid of everything and e-mail administrators would like to move everything out of their systems because of the expense, she notes.
So if keeping all e-mail is a bad idea, and throwing it all away is an even worse idea, how does a bank know what to keep and for how long? Financial institutions constantly are dealing with these questions, says Dave Hunt, CEO of Berkshire, England-based e-mail lifecycle management provider C2C. Some say save everything; others are more selective, he offers. Some companies even are selective when it comes to which departments' e-mails they decide to archive, Hunt adds. But because of SEC regulations, all e-mails from investment departments are archived, he states.
"We archive everything," Woodsville's Miller says. "It's the easiest approach." Because the bank finds it hard to pick and choose what to archive, it archives everything -- besides spam, which is dropped after 30 days -- for four years. The bank will soon extend its archive to seven years, Miller relates.
Bowie, Md.-based The Washington Savings Bank ($451 million in assets) also archives every e-mail that its employees receive, although two filters separate spam and attachments from the archive systems, relates Bruce Smith, the bank's VP of information systems. The bank's current archive system is set to keep e-mails for 10 years, he says.
And while legal discovery remains a major impetus behind e-mail archiving -- and the most costly -- it's not the only driver of the e-mail storage market. According to Forrester's Driver, regulatory compliance, mailbox management, information management strategies and IT cost savings are the other main drivers. The SEC and the National Association of Securities Dealers (NASD), for example, require message archiving for at least three or seven years, depending on the type of organization/message, she points out. Driver recommends archiving any e-mail having to do with audits for seven years.
According to C2C's Hunt, two-thirds of the vendor's sales are a result of companies that are dealing with the sheer capacity of their systems, those that want to take e-mail out of their primary systems. The remaining one-third of C2C's sales are from those companies that need to meet compliance requirements, he says.
"This is a type of regulation that auditors are taking very seriously," observes Paul Chen, CEO of Fortiva. The key challenge is that for a company of about 10,000 people, the firm needs to be able to store about 1 billion e-mails over three years, he says. "That's a lot of information, and this is a large infrastructure to manage."
Managing that information and ensuring that it can be retrieved when you need it is not an easy task. On-demand servers hosted by third parties make sense for this type of customer and this type of information, Chen asserts. And he has some research-backed figures to back up his claims about hosted solutions.
The Osterman Research white paper provides a breakdown of cost per user of an internal archiving system compared to Fortiva's hosted system. Total cost of ownership (TCO) -- factoring in up-front costs, maintenance fees and labor costs over three years -- for internal archiving is $4.53 per user per month, according to Osterman. Based on Fortiva's pricing, the cost of a hosted archiving solution for a mid-size organization is $3.58 per user per month. Osterman's research found that the top three most time-consuming activities for IT staff are providing support to end users, backing up the archive and administering archive users.
"Traditionally, outsourcing e-mail archiving has been seen as more cost-effective for small and midsize companies," said Michael Osterman, president, Osterman Research, in a release. "What this research proves is that even for enterprises for 10,000 users or more, there may not be a strong TCO argument for in-house solutions."
What's going to happen next is companies will have these big archives and they are going to have to figure out what to do with them, Forrester's Driver says. "Rather than look at it as just a cost, they will figure out how to get value out of it -- mining that repository for customer service. Mine it for ideas for new products."
Just a few years ago, e-mail security centered around viruses and spam. Now that those threats have been somewhat contained, banks are more concerned about keeping the "good stuff" in and keeping the "bad stuff" out, says Rick Caccia, senior director of product management and messaging and Web security solutions for information-security provider Symantec (Cupertino, Calif). One of the main ways financial institutions can ensure that they don't leak any information out is through encryption, he offers.
The Stillwater National Bank & Trust Company ($2.1 billion in assets) in Stillwater, Okla., uses Palo Alto, Calif.-based PGP's Universal Gateway e-mail encryption to protect all of the confidential information that is shared among employees, customers and partners via e-mail, says Jacob Mays, the bank's assistant vice president. Prior to implementing the universal solution from PGP, the bank relied on the vendor's desktop encryption solution, but discovered through an audit that very few employees actually were using it to send out sensitive information.
"It wasn't a good solution for an everyday user," Mays says. When data breaches at financial institutions began to be a regular feature in the news, Mays adds, he knew he needed to find a more efficient way to ensure that sensitive information was being sent in a secure manner. The bank was looking for a centralized solution with rules that it could set, he explains.
Stillwater's encryption system is triggered by a tag that appears in the subject line. By typing the word "secure" in an e-mail's subject line, the e-mail is automatically encrypted, according to Mays.
According to Andrew Krcik, VP of marketing for encryption provider PGP, the driving forces behind e-mail encryption are regulatory requirements, including the Sarbanes-Oxley Act and customer notification laws, which exist in 30 states. Those laws mandate that if a company loses or mishandles confidential information, it must inform the people who are affected, Krcik says.
The PGP encryption platform consists of a server that sits in Stillwater's e-mail gateway. The server applies policies that say what can or can't leave the building, and what should and should not be secured, Krcik describes.
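A subject-tag rule like the one described above only works if the gateway reads the subject as the sender typed it; mail clients base64-encode subjects that contain non-ASCII characters and fold long ones across lines. The following is an added example, not PGP's or Stillwater's code: a hypothetical policy check in Python (function names, addresses and sample messages are constructed) that decodes and unfolds the header before matching, beside a naive raw-line match that would let tagged mail leave unencrypted.

```python
import base64
from email import message_from_bytes, policy

TAG = "secure"  # the subject-line word the article describes

def gateway_action(raw: bytes) -> str:
    """Hypothetical gateway rule: 'encrypt' if any Subject header carries the tag."""
    # policy.default decodes RFC 2047 encoded-words and unfolds continuation
    # lines, so the rule sees the text the sender typed, not its wire form.
    msg = message_from_bytes(raw, policy=policy.default)
    for subject in msg.get_all("Subject", []):
        # Substring match on the case-folded text errs toward encrypting.
        if TAG in str(subject).casefold():
            return "encrypt"
    return "pass"

def naive_action(raw: bytes) -> str:
    """Weak rule for comparison: match the raw bytes of the first Subject line."""
    for line in raw.split(b"\r\n"):
        if line.lower().startswith(b"subject:"):
            return "encrypt" if TAG.encode() in line.lower() else "pass"
    return "pass"

def sample(subject_header: str) -> bytes:
    """Build a constructed outbound message with the given raw Subject value."""
    return ("From: teller@bank.example\r\nTo: customer@mail.example\r\n"
            f"Subject: {subject_header}\r\n\r\nbody\r\n").encode("ascii")

# Constructed samples: a subject the client base64-encoded because of "ü",
# a long subject folded so the tag sits on a continuation line, and an
# untagged message.
ENCODED = sample("=?utf-8?b?"
                 + base64.b64encode("Secure: Zürich wire".encode()).decode()
                 + "?=")
FOLDED = sample("Wire instructions for the closing on Friday\r\n Secure")
PLAIN = sample("Branch hours")

if __name__ == "__main__":
    for name, raw in [("encoded", ENCODED), ("folded", FOLDED), ("plain", PLAIN)]:
        print(f"{name:8} gateway={gateway_action(raw):8} naive={naive_action(raw)}")
```
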
"We want to be able to service the customer in any communication means that is best for them," Stillwater's Mays says, adding that the bank has numerous customers, including students, who don't keep normal hours, so they use e-mail to conduct their banking business. And, "Our employees love it," he continues. "In a recent audit, we saw a huge increase in usage with a very minimal exception rate." --N.F.