What Are Your Obligations to Retain Email and Other ... Are Your Obligations to Retain Email and...

What Are Your Obligations to Retain Email and Other Electronic Content?

sponsored by

An Osterman Research White Paper Published October 2010

SPONSORED BY

!!

!!

!!!!!

!"#$!#%&'()*(!

!"#$!#%&'()*(Osterman Research, Inc. • P.O. Box 1058 • Black Diamond, Washington 98010-1058

Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • [email protected] www.ostermanresearch.com • Twitter: @mosterman

!

(

!

(

!

(

!

(

!


©2010 Osterman Research, Inc. 1

Executive Summary In recent years, email has emerged as the primary channel of business communication for organizations in every industry. Email contains enormous amounts of important and useful content, including contracts, proposals, presentations, policy decisions and other business records. However, a growing number of repositories – including Microsoft SharePoint®, Quickr® file servers, collaboration tools and various other application databases – also contain important electronic content. The explosive growth in business records being stored electronically means that “data retention” or “content retention” has increasingly come to mean “electronic data retention” or “electronic content retention.” IT decision makers, recommending influencers and other business decision-makers need to understand that retaining email and other electronic content is necessary to satisfy litigation and regulatory compliance requirements, not to mention the growing demand for valuable business knowledge constantly being mined by an organization’s employees. THE BIG IDEA The process of retaining, storing and managing larger and larger volumes of electronic content is not without its risks. If an organization does not manage its electronic content properly, it can waste valuable time, money and IT resources reactively responding to litigation and regulatory requests, resulting in severe consequences of noncompliance. IT, legal and business decision-makers must work together to develop formal electronic content retention policies to reduce litigation and regulatory risks, while enhancing end-user productivity. The bottom line for the vast majority of organizations is not if – but when – they will need to produce records for legal or regulatory purposes. Legal and Regulatory Activities in Mid-Sized and Large Organizations

Activity % We have been ordered, as part of a legal action, to produce employee email 69% We have referred back to our archive or backup tapes to support our innocence in a legal case 57% We have been ordered as part of a regulatory audit or similar event to produce employee email 54%

We have used archived content for pre-discovery purposes (i.e. to determine in advance whether or not to settle or fight a lawsuit) 49%

We have been ordered, as part of a legal action, to produce employee instant messages 14% We have been ordered, as part of a regulatory audit or similar event, to produce employee instant messages 14%

We have been ordered, as part of a regulatory audit or similar event, to produce employee social networking content (e.g., employee Twitter or Facebook posts) 6%

We have been ordered, as part of a legal action, to produce employee social networking content (e.g., employee Twitter or Facebook posts) 3%

Source: Content Archiving Market Trends, 2010-2013, An Osterman Research Industry Analysis Report, Published July 2010.



ABOUT THIS WHITE PAPER This white paper discusses what drives organizations in heavily regulated and less regulated industries to retain email and other electronic content. It explores the content retention challenges faced by those organizations in the midst of stringent litigation and regulatory compliance demands. And it recommends that organizations take a proactive approach to address those challenges. Finally, it offers an overview of four vendors that can help organizations retain email and other electronic content: Astaro, C2C, The Linux Box and Proofpoint.

Why Should Organizations Retain Email and Other Electronic Content? In most jurisdictions, organizations in heavily regulated industries, such as financial services, healthcare and government, must comply with stringent electronic content retention regulations. Consequently, they are faced with significant financial and legal risks of noncompliance. These risks may include the imposition of significant monetary fines – and, in certain cases, even imprisonment. Unlike their regulated counterparts, organizations in so-called “non-regulated” industries tend to believe that their electronic content retention obligations are minimal at best. They believe electronic content should be deleted regularly to reduce the risk of liability in the event of a lawsuit or regulatory audit. They fear such content may contain “smoking guns” that might reveal poor judgment by organizational decision makers or rogue employees. They also favor purging electronic records on a regular basis to avoid the perceived high costs of retaining those records. For them, doing nothing is perceived to be their best defense. Contrary to what such decision-makers may think, no organization operating in the United States, regardless of size or industry, is immune from the obligation to retain electronic content in accordance with the Federal Rules of Civil Procedure (FRCP). The FRCP are a body of rules and procedures that govern civil lawsuits in United States district courts. The FRCP create obligations on the part of all organizations to locate, preserve, and produce, in a timely manner, electronic information relevant to the subject matter of a lawsuit.

DEFINING TERMS A litigation hold is a process used by organizations to advise their employees of anticipated litigation and ensure that relevant records are not destroyed. Legal discovery is part of the pre-trial phase in a lawsuit. During legal discovery, the parties can request documents and other evidence from the opposing side. They can also compel the production of evidence by using discovery devices such as requests for production and depositions of witnesses. Spoliation is the accidental or intentional destruction or significant alteration of evidence or the failure to preserve property for use as evidence in pending or foreseeable litigation. If a party cannot present relevant evidence at trial because the opposing party failed to preserve it or destroyed it, an adverse inference instruction from the court permits a jury to infer that such evidence would have been harmful to the opposing party.



KEY DEMAND DRIVERS FOR ELECTRONIC CONTENT RETENTION As previously mentioned, some of the factors driving the demand for electronic content retention include legal discovery and regulatory obligations. Additional drivers include organizational data mining and knowledge management, as discussed below. LEGAL DISCOVERY Nearly all business organizations eventually become implicated in lawsuits, either as a plaintiff, a defendant or as an involved third party. According to a survey on litigation trends conducted in 2009 by the law firm Fulbright & Jaworski, 83% of US companies surveyed had at least one lawsuit commenced against them, while 43% of US companies surveyed initiated at least one lawsuit. Consequently, the likelihood of facing an e-discovery request is very high. When a lawsuit occurs, an organization has an affirmative duty under the FRCP to preserve relevant evidence. This duty to preserve generally attaches when a party knows, or reasonably should have known, that material in its possession may be relevant to potential litigation. When a litigation hold on data is required, it is imperative that an organization preserve all relevant data, such as all email sent from senior managers to specific individuals or clients, word processing documents that may contain corporate policy statements, and so forth. Severe consequences can result from failure to preserve potentially relevant evidence. Courts have discretion to impose a variety of sanctions, including fines, additional costs for third parties to review or search for data, or even criminal charges. At a minimum, an organization that cannot produce data when required will suffer a damaged corporate reputation. In its 2010 mid-year Report on Electronic Discovery and Information Law, the law firm Gibson Dunn found that of the 21 cases in which courts imposed some kind of sanction, costs and fees were awarded in 14 of them. It also found that the most notable and widely reported cases involving sanctions concerned the imposition by courts of “adverse inference” jury instructions.

CASE ON POINT Victor Stanley, Inc. vs. Creative Pipe, Inc., Civil No. MJG-06-2662 (D. Md. 2010). In a recent federal district court case out of Maryland, the defendant, Creative Pipe, Inc., a private California company with annual estimated sales of only $500,000 to $1,000,000 (according to manta.com), was found liable for willfully failing to preserve and deleting electronically stored information, failing to implement a litigation hold and repeatedly misrepresenting to opposing counsel and the Court the completeness of its discovery production. In his opinion, Paul W. Grimm Chief United States Magistrate Judge stated that the defendant’s violations "...constitute the single most egregious example of spoliation that I have encountered in any case that I have handled or in any case described in the legion of spoliation cases I have read in nearly fourteen years on the bench." The court was so outraged by the defendant’s conduct that it imposed a harsh sanction of two years in prison for spoliation unless and until the defendant paid the plaintiff’s award of substantial attorney fees.



A recent federal court case confirms Gibson Dunn’s finding on adverse inference. In Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 685 F. Supp. 2d 456, 470 (S.D.N.Y. 2010), the court awarded an adverse inference sanction because a party acted with gross negligence (as opposed to willfulness) in failing to preserve electronic documents. The court reasoned that ‘‘contemporary standards’’ of discovery rendered the failure to preserve and collect electronic files ‘‘grossly negligent’’ and therefore worthy of the severe sanction of an adverse inference, even without proof of intentional misconduct. Id. at 471. REGULATORY COMPLIANCE All electronic records that pertain to an organization’s business activity are subject to regulatory compliance obligations, which vary by industry and jurisdiction. These regulations require the retention of content such as financial documents, email correspondence between organizations and employee and client records. In fact, even metadata must be preserved – the Supreme Courts of both Arizona and Washington state have ruled that metadata must be preserved. One of the most heavily regulated industries worldwide is the financial services industry. In the United States, rules of the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) require members of national securities exchanges, brokers and dealers to preserve securities transaction records for a minimum of six years, the first two years in an easily accessible place. In Canada, records of purchase and sell orders of securities must be retained for seven years, the first two years in an easily accessible location. And in the United Kingdom, investment service and transaction records must be retained for at least five years. The consequences to financial services firms of not complying with these retention regulations can be severe and typically involve the imposition of severe financial penalties. For example, FINRA imposed a $700,000 fine on brokerage firm Piper Jaffray in May 2010 when the firm failed to produce 4.3 million emails sent and received between 2002 and 2008. Brian L. Rubin, a member of the law firm Sutherland Asbill & Brennan LLP and former FINRA deputy chief counsel for enforcement, expects FINRA to maintain its attention on brokerage firms’ email retention processes and strengthen its examination process of brokerage firms that fail to follow up on glitches in their retention systems. Another heavily regulated industry is healthcare. For example, under the “privacy rule” of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), health care providers are required to protect patients’ electronic health information from unauthorized users and to retain such information for six years. Noncompliance with these HIPAA requirements could result in fines of up to $50,000 per violation, or criminal penalties of $250,000 and up to 10 years in prison for violations based on intent or malice. A sampling of these and other electronic content retention requirements and consequences of noncompliance, which vary by industry type and jurisdiction, can be found in the Appendix to this white paper.



DATA MINING / KNOWLEDGE MANAGEMENT An organization’s email and other electronic content constitute its business knowledge repository. This content contains vast quantities of useful employee-generated information vital to an organization’s profitability, competitive advantage, innovativeness and continuous improvement. To feed this constant demand for business information, employees rely heavily on email, collaboration tools and other electronic content repositories as the primary tools they use to do their work. For example, an employee may need to locate stored emails quickly so he or she can review their own email correspondence or other content, such as attachments in email. Alternatively, a new employee may have to trace back email and other electronic content between his or her predecessor and a customer. Employees are constantly extracting the business and corporate “intelligence" from electronic content. This makes the preservation of that content extremely important. An organization that does not preserve its email content adequately risks the loss of information that it has paid employees to produce.

What Challenges Do Organizations Face When Retaining Electronic Content? Organizations that are obligated to retain email and other electronic content face numerous challenges. These include high costs in time and money of responding to legal discovery and regulatory requests for information, high costs of storing and managing the growth of electronic content and overburdened and overextended IT staff resources. RESPONDING TO DISCOVERY REQUESTS IS TIME-CONSUMING AND PRONE TO ERROR Legal discovery requests pose a major challenge to an organization because the FRCP require the production of all relevant electronic records, regardless of how backdated such content might be. The completeness and availability of requested records and the time required to extract them depends heavily on the organization’s email storage management. Electronic documentation can be located in many different places within an organization, including email servers, .PST files, desktop files, laptops, smartphones, backup tapes and removable media. The longer it takes an organization’s IT staff to extract the required content, the longer it takes its legal counsel to access and review the content. With less time to get full command of the facts in the litigation, an organization runs the risk of the court imposing sanctions on the organization for missed deadlines or production of only a portion of the information requested. The electronic content produced may also have limited evidentiary weight because legal counsel would have no way to prove that content was not deleted or tampered with. In fact, the litigation costs associated with discovery can be so great, that as many as one



in five businesses have settled a case simply to avoid searching through and retrieving email. Distribution of Electronic Content by Platform/Location

Source: Content Archiving Market Trends, 2010-2013, An Osterman Research Industry Analysis Report, Published July 2010

THE HIGH COST OF STORING ELECTRONIC CONTENT AND MANAGING ITS EXPLOSIVE GROWTH An organization does not have to have billions of emails and other documents to experience significant electronic content storage growth. According to an Osterman Research report on content archiving published in 2010, email storage is growing at just over 25% annually. This growth is driven by increasing use of email and larger attachments sent through email, creating enormous problems for IT administrators. Such problems include more time devoted to storage management, longer backup windows, longer restores after a server crash, and a greater proportion of the IT budget devoted to storage. The explosion in storing and managing electronic content has also rendered the simple tape backup as an outmoded method for meeting legal discovery and regulatory retention requirements and gaining access to electronic content stored in a typical organization’s messaging system. Furthermore, backups are more difficult to manage because they require more IT staff involvement and create long periods of email downtime in the event of a server crash or other technical problem.



According to published reports, the costs of sifting through content stored on backup tapes can average $500 to $1,000 per gigabyte, which could amount to a six- or seven-figure cost for even small organizations that could generate several terabytes of such data. Reviewing information on backup tapes is no easy task. For example, a compressed LTO-3 tape can hold 750 gigabytes of email, or approximately 56 million printed pages of text. Given these inherent limitations of backup tapes, organizations today require a more suitable solution for satisfying electronic content retention obligations. OVERUTILIZED AND OVERBURDENED IT STAFF RESOURCES Most IT staff in an organization would wholeheartedly agree that end-user requests for recovering missing or deleted emails and other electronic content is among the less pleasant aspects of their jobs. Aside from the difficulty associated with recovering such content, the time it takes for IT staff to complete those tasks takes away from other tasks that they could be performing to enhance the organization’s productivity. In some cases, the job of IT staff is made even more difficult when email is not stored in a centralized repository. Further complicating the issue is the fact that during difficult economic times, IT staffs are even more stressed and have even fewer resources to do their work. Searching and restoring electronic content from various sources (PCs, servers, and backup tapes) can be a difficult and cumbersome process. Every time an organization faces a lawsuit or regulatory request for information, its IT staff must go through multiple steps to preserve and extract electronic content. These steps include initiating a litigation hold, then finding, restoring, cleansing and de-duplicating electronic content residing within every content source. These steps must be repeated for every backup tape, .PST file and email server – for each discovery request. This is especially burdensome since even a relatively small firm can face one or more e-discovery requests each month.

A Proactive Approach to Electronic Content Retention Organizations will not succeed in overcoming the challenges they face with retaining electronic data if they continue to use outmoded email storage approaches and act reactively to legal and regulatory information requests. To overcome these challenges, organizations must proactively develop formal content retention policies and deploy electronic content archiving solutions to implement and enforce those policies. DEVELOP ELECTRONIC CONTENT RETENTION POLICIES Step 1: Understand the Organization’s Litigation Discovery and Regulatory Compliance Obligations IT decision makers, recommending influencers and other business decision-makers need to stay current on legal decisions focused on the organization’s electronic data retention obligations, including the types of electronic records that should be retained, how long such records should be retained and so forth.



Heavily regulated organizations need to understand their regulatory retention obligations. Financial services organizations operating in the United States, for example, must fully comply with SEC and FINRA requirements for electronic data retention, supervision of content and other requirements. Energy-related companies must comply with Federal Energy Regulatory Commission (FERC) requirements. Healthcare organizations must comply with HIPAA, Medicare and other requirements. Organizations with well-coordinated electronic data retention policies will be positioned to weather the storms of litigation with minimal legal risk and harm. An organization without coherent retention policies could find itself paying major penalties during the discovery process if it produces electronic content later found to have been altered or destroyed. Step 2: Advice of Internal and External Legal Counsel The next step in the process of developing an organization’s electronic content retention policies is for a cross-functional team that includes IT, legal, records management, and compliance staff to define electronic data retention policies and functions such as indexing, searching, litigation holds and data immutability. IT staff in particular need a dialogue with legal counsel and business functional user representatives to determine the latter’s needs. Step 3: Start With Basic Retention Policies All organizations, regardless of their size or industry, should have as their goal the establishment of sound electronic content retention policies. One relatively easy way for decision-makers to do this is to establish content retention and deletion periods for major categories of content that will need to be retained and managed over several years. Different types of business records will be subject to different data retention periods. For instance, when records need only be retained for very short time periods, the need to implement and strictly enforce policies to delete those records can be as important as implementing policies to retain them. Therefore, periods should be sufficiently granular to accommodate all possible retention requirements. An organization should set minimum and maximum retention periods to avoid over-retention, since preserving data too long can also be risky. To determine these periods, cross-functional teams can define specific maximum retention periods for each category, or establish a general policy permitting the deletion of retained data when the minimum retention period expires. Once archival retention periods are established, an organization should clearly communicate them to all users of electronic data. Retention periods should also be executed automatically. No matter how well informed users are about retention periods,

“The vast majority of mid-sized and large organizations in North America have established email retention policies. However, despite the fact that virtually every organization has an obligation to retain business records and that a large proportion of these records are stored in email, more than one quarter of the organizations surveyed has not yet established policies focused on retaining email.” Content Archiving Market Trends, 2010-2013, An Osterman Research Industry Analysis Report, Published July 2010



organizations still run the risk of user error in retention period compliance. Fortunately, data archiving solutions today are capable of automatically managing content retention periods, with little to no user involvement. Finally, IT and legal counsel should periodically revisit retention and deletion policies so they reflect changing regulatory requirements, organizational rules, and user needs for historical information. Step 4: Calculate Scalability Requirements How scalable does an organization’s electronic content retention solution need to be? That depends in large part on the amount of electronic content generated, received and stored by users in an organization and how long the content must be stored. For example, assume that each individual in an organization of 5,000 users sends and receives 25,000 emails annually, 40% of those emails must be retained for seven years, and each user generates two gigabytes of non-email archivable electronic content each year that also must be retained for seven years. Based on these assumptions, an organization will need to archive 350 million emails and 68.4 terabytes of content over those seven years. That represents an enormous amount of content that will require a very robust and scalable archiving system to manage. DEPLOY A PROACTIVE ELECTRONIC CONTENT ARCHIVING SOLUTION Depending solely on organizational policies to retain electronic content often results in less-than-complete compliance. Individual users will interpret policies differently. Email and other electronic records could be lost, or simply be made more difficult to locate in user-created .PST files. Inadvertent disposal can result in serious adverse consequences for an organization involved in a legal action. Reactively searching, collecting, and processing each item of content adds expenses upfront and creates even greater legal review costs downstream. A proactive approach to electronic content retention means that an organization deploys the right email archiving solution to enforce its document retention policies. Otherwise, the organization runs the serious risk of not being able to produce electronic data that a court might rule it had an obligation to preserve. The right email archiving solution allows IT managers, compliance officers and legal counsel to develop and enforce policies on an ongoing, evolutionary basis in an effort to stay ahead of specific legal obligations. Instead of being forced into a defensive posture each time a lawsuit occurs, legal counsel can employ a proactive content retention strategy, armed with better and more complete information. In short, email archiving permits organizations to automatically preserve and delete electronic data, while eliminating the need to search for personal archives on each and every local machine whenever litigation support is requested. Archiving is also a useful tool in reducing the volume of storage on email servers and in other electronic repositories, such as SharePoint® or Quickr®. One way to use archiving as a storage management tool is through the use of “stubbing,” in which email messages are replaced with “stubs” – roughly 10Kb links that point to content that has been migrated from users’ mailboxes to the archive. When a user clicks on a stub, the



email message and attachment are retrieved from the archive and presented to the user as though the message was still in their mailbox. Another option is to stub only attachments, leaving the message itself intact and replacing the attachment with a link. Then, when a user clicks on the link, the attachment is retrieved from the archive. BENEFITS OF DEPLOYING AN ELECTRONIC CONTENT ARCHIVING SOLUTION As more companies are hit with the high costs of legal discovery requests and regulatory audits, the benefits and advantages to an organization of a proactive email archiving approach become clear. These benefits include: • Lower costs

An archive with advanced search functionality can reduce the overall cost of discovery by tens- or even hundreds-of-thousands of dollars.

• Reduced litigation risk exposure

By automatically capturing all email, an archiving solution can act as an easily searchable, central repository that meets evidentiary standards, complies with FRCP and eliminates the risk of spoliation.

• Consistent electronic content retention policy enforcement

A policy-driven archive solution ensures that electronic data retention policies are being followed on an ongoing and near real-time basis. This allows an organization to monitor employee behavior for potentially actionable statements or activities and adjust data retention policies on the fly to minimize the potential for legal action.

• Improved response times

As a centralized repository with search functionality, an archiving solution can eliminate the need to mine multiple sources of electronic data in order to meet a legal discovery request. Advanced search tools can also dramatically reduce the time it takes to complete a request – in some cases from weeks or months to just minutes or hours.

• Early case assessment

Easy search access allows legal counsel to evaluate the merits of a case before investing substantial time, money and effort in electronic records retrieval. This makes it easier for legal counsel to make better decisions about whether to fight or settle a lawsuit.

• Email storage management benefits

Many archiving solutions provide the added benefit of allowing IT to greatly reduce data storage burdens on email servers, enabling improved email server performance and delivering significant email storage management benefits.

• Enhanced end-user productivity

An effective archiving solution allows IT staff to put end-users in charge of recovering their own missing or deleted content, freeing IT from the burden of doing



this for them. This can result in significant cost savings, as well as recovery of IT time that otherwise would be spent on this important, but unproductive, task.

What to Look for in an Electronic Content Archiving Solution When searching for a vendor capable of deploying a proactive email archiving solution that will implement your organization’s electronic content retention policies, be sure to consider the following requirements: • Reduced dependence on user involvement

Users of electronic data are constantly under pressure to respond to the business demands placed on their organizations. Regardless of how well educated they are about content retention policies, users are prone to error when manually deciding to keep or delete every incoming and outgoing email. That is why an organization should invest in an email archiving solution that automatically manages its content retention policies. The primary benefit of such a capability is that it requires little or no user involvement, thereby increasing end-user productivity.

• Indexing of all content and robust search capability

To respond quickly to a legal discovery request or regulatory audit, or to simply allow managers or legal counsel to conduct preliminary searches, search performance must be robust and needs to demonstrate the ability to scale to perform as the volume of archived data grows. Watch out for archiving solutions that do not employ sufficiently robust search technology, since they will not be able to perform complex searches or meet timeframes in which results are needed.

• End-user access to the archive

Because IT staff members cannot always satisfy all requests to recover old content from backup tapes, allowing end-users to access this information can significantly reduce the workload for IT staff and make archived information more easily available.

• Protection of archived data from tampering

An archiving solution must secure stored electronic data with safeguards, such as encryption capabilities. It must also be tamper-proof and capable of protecting electronic records from loss, damage or misuse. If content from the archive is accessed, the system will ideally provide an audit trail tracking who accessed the content and when it was accessed.

• Flexible storage media options

Because different regulations may require the use of different types of storage media, it is important for any archiving solution to provide flexibility in the type of media in which the archive is stored, including

The Bottom Line The benefits of a comprehensive email archiving solution can provide cost savings greater than the cost of the system itself. Savings in IT staff time, reduced expenditures for external legal counsel, lower Tier 1 storage costs, reduced backup costs, and faster migrations to new platforms can result in rapid payback for the email archiving system and a net gain for the organization.



magnetic, tape and optical. Cloud-based storage approaches should also be considered as an option to provide scale with reasonable total cost of ownership (TCO).

• Enforcement of corporate electronic data retention policies

A key provision of many retention requirements is that content be retained for a minimum period, but not for longer than a maximum period proscribed by statute. An archiving system will ideally permit all electronic data to be kept as long as necessary, allowing data to be removed from the archive easily and in accordance with applicable content retention policies. It must also be flexible enough to address any changes in retention policies.

Summary In today’s highly regulated business environment, all organizations, regardless of size or industry, have electronic content retention obligations. All organizations are at risk of court-imposed sanctions if they do not preserve and produce electronic data in compliance with applicable court rules, case law and regulations. Many organizations continue to struggle with the challenges of having to retain large volumes of email and other electronic content. All too often, IT staff is stretched to the limit and expend valuable time reactively responding to legal discovery and regulatory requests. Furthermore, the high cost of storing and managing the growth of electronic content using traditional methods such as backup tapes has become highly inefficient and outmoded. Fortunately, the deployment of an electronic content archiving system provides an organization with many important benefits, including litigation support, regulatory compliance and sufficient storage capacity. Although there are many issues to consider when deploying an archiving system, an organization’s failure to do so can lead to serious legal consequences. By taking a proactive approach and implementing email archiving solutions provided by vendors like C2C, Astaro, The Linux Box and Proofpoint, organizations can reduce their business and legal risks while complying with electronic discovery requests and regulatory requirements on time, within budget, and without internal disruption.



Sponsors of This White Paper Astaro offers the most complete and easy to use Internet security appliances available, combining best breed applications and enterprise level performance. Astaro's award-winning products provide the latest protection with the best total cost of ownership. Software, hardware and virtual appliance offerings provide users the flexibility to meet a wide variety of deployment scenarios. Distributed by a growing worldwide network of more than 2,500 partners, Astaro products protect over 100,000 networks across 60

countries. Astaro is headquartered in Wilmington, Massachusetts, USA and Karlsruhe, Germany. The Astaro Mail Archiving Service is a cloud-based e-mail archiving service exclusively available as a Software as a Service (SaaS) solution. It can be setup in less than 15 minutes, accessible from everywhere and its infinite scalability offers an on-demand infrastructure that fits email archiving demands for businesses of all sizes. Astaro Mail Archiving allows users to find e-mails instantly, preserve emails indefinitely and in accordance with organizational retention policies and avoids scalability issues by providing unlimited storage in the archive.

C2C has pioneered Email and Electronic Content Archiving solutions since its founding in 1992. Noted for its “No User Training Required” approach to its solution, its ArchiveOne™ product suite serves organizations from small businesses to Global 100 corporations. Unlike traditional archiving products, ArchiveOne does not require you to preserve and index all emails prior to a discovery requirement. If the data is still in the live mailbox, public folder, PST file or a windows file store the same granular

search criteria can be used to easily find and secure these items into a temporary or permanent archive. This enables an organization to act quickly in response to an investigation request and not be dependent upon IT to preserve all data in the system.

Astaro Corporation 260 Fordham Rd Wilmington, MA1887 +1 978 974 2600 www.astaro.com

C2C Systems 134 Flanders Road Westborough, MA 01581 +1 508 870 2205 www.c2c.com



The Linux Box Corporation was established in 1999 with the goal of providing regional, national and international customers with professional, commercial services for open-source technology, helping organizations to:

• Reduce IT costs

• Gain competitive advantage

• Increase control over IT where many software packages are bought, but few are used effectively

Enkive is an open source email archiving, retrieval and reporting software solution that captures e-mail messages as they arrive or are sent to ensure they are retained before a worker can delete them in an e-mail client. This feature helps organizations address the issues of

compliance with laws and regulations governing communications, as well as litigation support. It permits recovery of e-mail in full support of an organization’s retention policies.

In addition, storage costs are reduced by eliminating the capture of redundant messages and attachments. Enkive permits searching in all email and inside attachments while reducing storage costs through de-duplication of messages and attachments.

For eight years, Proofpoint has focused exclusively on solving the unique challenges posed by enterprise email. Our best-of-breed solutions combine multiple innovative security features into a single platform with a three-part mission: Improve security and compliance. Minimize ongoing costs. Simplify the management of it all.

Proofpoint Enterprise Archive is an on-demand email archiving Software-as-a-Service

(SaaS) solution that can be up and running in days, with minimal upfront capital costs and planning. Proofpoint Enterprise Archive’s policy engine allows an organization to create, maintain and consistently enforce a clear corporate email retention policy. Proofpoint Enterprise Archive

offers users the following advantages:

!

The Linux Box 206 South Fifth Ave. Suite 150 Ann Arbor, MI 48104-2280 +1 734 761 4689 www.linuxbox.com

!

Proofpoint, Inc. 892 Ross Drive Sunnyvale, CA 94089 +1 408 517 4710 www.proofpoint.com!



• Mitigates discovery risk by preserving a copy of every message and improves efficiency in managing the discovery hold process.

• Permits users to systematically review selected email, to help simplify the compliance audit process, and foster compliance with SEC and FINRA regulations for email.

• Securely archives a copy of every internal and external email in Proofpoint’s

state-of-the-art data centers and provides customers with easy access to their messages at all times.

Because every enterprise is unique, flexibility defines Proofpoint solutions, deployments and support. We lead the way with SaaS-based email solutions, but also specialize in appliance, virtual appliance and unique hybrid deployments. And we back it all up with a commitment to customer service where exceptional is the rule. Headquartered in Sunnyvale, California, Proofpoint has offices around the globe including Canada, Japan, the United Kingdom, Asia Pacific, Europe and Mexico.



Appendix Selected Content Retention Obligations

Industry Statute/Regulation Retention

Requirements/ Periods Consequences of Non-Compliance

Financial services -- securities broker-dealers, investment advisors

Securities and Exchange Commission (SEC) Rules 17a-3, 17a-4, 204-2, and FINRA/NASD Rule 3110.

Certain securities transaction records must be retained for three to six years. For the first two years such records must be kept in an easily accessible place.

Monetary penalties in the millions of dollars and sanctions, such as censure or cease and desist orders.

Energy – electric and natural gas utilities

Federal Energy Regulatory Commission Order 717

Certain non-public electronic transmission function information exchanged between transportation and marketing function employees must be retained for a five-year period.

Monetary penalties of up to $1 million a day per violation.

Healthcare The “Privacy Rule” under the Health Insurance Portability and Accountability Act of 1996

Health plans (i.e. HMOs), health plan clearinghouses and healthcare providers (i.e. doctors, clinics, nursing homes) must retain electronic health records for six years from the date of its creation or the date when it last was in effect, whichever is later.

Monetary penalties of $100 to $50,000 or more per violation; criminal penalties of up to $50,000 and up to one-year imprisonment, or up to $100,000 and five years imprisonment if violation involves false pretenses, or up to $250,000 and 10 years imprisonment if violation involves intent to sell information for personal gain or malicious harm.

Medicare Program 42 CFR Subparts B, F and H: Conditions of Participation: Comprehensive Outpatient Facilities, Critical Access Hospitals, Clinics, Rehabilitation Agencies and Outpatient Public Health Agencies.

In most cases, clinical records must be retained for five to six years from date of discharge or last entry.

Penalties may include sanctions and fines from state and federal agencies, as well as negligence lawsuits from patients and their legal representatives.

Food and drug, pharmaceuticals

Food & Drug Administration 21 CFR Parts 11, 58, 107, 123, 312.

Records related to food receipt, release and processing must be retained from six months up to two years; records related to nonclinical lab studies must be retained from two to five years; records related to drug receipt, shipment and disposition must be retained for two years after a marketing application is approved for the drug, or if an application is not approved, until two years after shipment and delivery of the drug for investigational use is discontinued.

Monetary fine of $1,000 or up to one year in prison; monetary fine of up to $10,000 or up to three years in prison, or both, if the violation is committed after a prior conviction has become final, or the violation is committed with intent to defraud or mislead.



Selected Content Retention Obligations (cont’d.)



Publicly-held corporations in all industries and their accounting firms

Sarbanes-Oxley Act of 2002; Rule 2-06(a) of SEC Regulation S-X.

Accountants of publicly-held corporations must retain certain records and workpapers relevant to the audit or review of such corporations’ financial statements for seven years.

Substantial monetary penalties or up to 10 years in prison, or both.

All industries 42 USC 12112(d) - Americans with Disabilities Act of 1990 (ADA); Title VII of the Civil Rights Act of 1964 (CRA); 29 CFR 1602.14

Employers must retain documents related to hiring, promotion, demotion, transfer, layoff or termination for one year from the date of record making or the personnel action involved, whichever occurs later. If a charge of discrimination has been filed, or a civil action brought against an employer, the employer must retain all personnel records relevant to the charge or action until final disposition.

Monetary penalties, unfavorable evidentiary rulings or legal inferences by courts in civil actions where an employer did not retain records because they were adverse to the employer's position.

All industries California Government Code Section 12946 (California Fair Employment and Housing Act)

Employers must retain documents related to applications, personnel, membership, or employment referral records for two years from the date of record creation or the personnel action involved, whichever occurs later. If a complaint has been filed against an employer, the employer must retain all records relevant to the complaint until final disposition.

Any person who willfully violates Section 12946 concerning recordkeeping is guilty of a misdemeanor, punishable by imprisonment in a county jail, not exceeding six months, or by a fine of up to $1,000, or both.

All industries Federal Rules of Civil Procedure

No mandated length to which records must be retained. Responding party must respond within 30 days of a request for data is issued. Parties must present data as they are kept in the ordinary course of business. Rule 34(a)(d)(1)(B).

Court-ordered sanctions are available for failing to preserve e-mails relevant to anticipated or ongoing litigation.

Financial services -- securities broker-dealers, investment advisors

Investment Industry Regulatory Organization of Canada (IIROC) Universal Market Integrity Rule 10.12-1

A record of each order to purchase or sell securities must be retained for a period of seven years from the date the order record was created, and for the first two years, such record must be kept in an easily accessible location.

Penalties may include any of the following: a reprimand, a fine not to exceed the greater of $1,000,000 and an amount equal to triple the financial benefit which accrued to the person as a result of committing the contravention, or the restriction, suspension or revocation of access to a recognized Canadian stock exchange or quotation and trade reporting system.



Selected Content Retention Obligations (cont’d.)



Food and drug, pharmaceuticals

Part C, Division 5 of the Food and Drug Act and Regulations [C.05.012]

An individual, company, institution, or organization that sponsors a clinical trial of a drug for human use must retain records related to such trial for 25 years.

Penalties may include any of the following: injunction, prosecution, forfeiture, public warning or advisory, letters to trade and regulated parties, regulatory stop-sale, search and seizure, seizure and detention, suspension or cancellation of marketing or product licenses.

Financial – banks, and certain investment firms and credit institutions

United Kingdom (UK) Financial Services Authority SYSC 9.11 and 9.12

Orderly business, internal organization, investment service and transaction records must be retained for at least five years.

Imposition of substantial financial penalties and public censure.

Investment services and activities

European Union (EU) Markets in Financial Instruments Directive (MiFID) Article 25(2)

Investment firms must keep the relevant data relating to all transactions in financial instruments which they have carried out, whether on their own account or on behalf of a client, for at least five years.

Imposition of administrative sanctions, as determined by MiFID member states (i.e. UK, France, Germany).

All corporations in all industries

UK Companies Act 2006 Records of corporate resolutions, meetings and decisions must be kept at least 10 years from the date of the resolution, meeting or decision (as appropriate). Accounting records must be preserved by a private company for three years from the date on which they are made and by a public company for six years from the date on which they are made.

Substantial monetary fines for violation of corporate records retention requirement. For violations of accounting records retention requirement, penalties can be (a) imprisonment for up to two years or a fine (or both) if convicted on indictment, (b) in England and Wales on summary conviction, imprisonment for up to one year or a monetary fine up to the statutory maximum, or both, and (c) in Scotland or Northern Ireland on summary conviction, imprisonment for up to six months or a monetary fine up to the statutory maximum, or both.

Any users that control the collection, holding, processing or use of personal data, including government entities

Hong Kong Personal Data (Privacy) Ordinance

Data users are required to ensure that personal data is accurate, up-to-date and kept no longer than necessary. Data users must also keep a log book that tracks their refusals to access or correct personal data, and each such record of refusal must be kept for four years after they were entered.

Civil or criminal penalties, including monetary fines of up to HK$50,000 and a two-year jail term.



Selected Content Retention Obligations (concluded)



Consumer credit card Hong Kong Code of Practice on Consumer Credit Card Data Clauses 3.2 - 3.4

A credit reference agency may retain consumer account data for which there is no material default for five years from the date of creation. If such data reveals a material default, a credit reference agency may retain such data for up to five years from date of final settlement or discharge in bankruptcy, whichever is earlier.

Same as above.

All private sector business operators of personal data

Japan Personal Information Protection Act Article 19

A business operator handling personal information shall endeavor to maintain personal data accurate and up to date within the scope necessary for the achievement of the purpose of utilization of personal information.

Penalties for noncompliance are at the discretion of the government minister responsible for enforcing the Act upon the violator.

Summary of Government-Mandated Information Retention Requirements for Employers

Type of Information Retention Period Applicable Statute(s) Job orders submitted by employers to employment agencies, or labor organizations for recruitment of employees.

One year from date of personnel action.

29 USC §626;29 CFR §1627.3 (Age Discrimination in Employment Act)

Job advertisements and notices to the public or to employees regarding job openings, training programs, promotions, and opportunities for overtime.



Written training agreements, summaries of applicants’ qualifications, job criteria, interview records and identification of minority and female applicants.

Duration of training program plus three years.

29 USC §206(d)(1); 29 USC §211; 29 CFR §516.5 (Fair Labor Standards Act and National Labor Relations Act

Test appears and results from employment test.



Results from physical examinations. One year from date of personnel action.

29 USC §626; 29 CFR §1627.3 (Age Discrimination in Employment Act)

Promotion, demotion, transfer, selection for training, layoff, recall or discharge.



Hiring documents, including job applications, resumes, job inquiries, and records of refusals to hire.



Application forms and other pre-employment records of applicants for temporary positions.

One year after personnel action.

29 USC §626;29 CFR §1627.3 9 Age Discrimination in Employment Act)



Summary of Government-Mandated Information Retention Requirements for Employers (cont’d.)

Type of Information Retention Period Applicable Statute(s) All personnel or employment records including application forms, resumes, other hiring records; records regarding promotion, demotion, transfer, layoff, discharge, pay rates, or other compensation terms.

One year from date records made or personnel action taken, whichever is later.

42 USC §2000e8c; 29 CFR §1602.14 (Title VII of the Civil Rights Act of 1964)

INS form I-9 Employment Eligibility Verification Form.

Three years after date of hire or one year after date of termination, whichever is later.

8 USC §1324a (Immigration and Nationality Act).

EEO-I Form (for employers having 100 or more employees).

Copy of most recent report for each reporting unit must always be retained.

42 USC §2000e8c; 29 CFR §1602 (Title VII of the Civil Rights Act of 1964)

Payroll records, collective bargaining agreements, including any changes, individual contracts, written agreements under the FLSA, sales and purchase records, and certificates and notices of the Wage and Hour Administrator.

Three years 29 USC §206(d)(1); 29 USC §211; 29 CFR §516.5 (Fair Labor Standards Act and National Labor Relations Act)

Supplementary basic records including basic employment and earnings records; wage and rate tables utilized to calculate straight time and overtime work schedules; work-time schedules; order, shipping and billing records; records of additions to, or deductions from wages paid; records used for determining costs; and records explaining basis for payment of any wage differential to employees of the opposite sex.

Two years 29 USC §206(d)(1); 29 USC §211;29 CFR §§516.6 and 1620.32 (Fair Labor Standards Act and National Labor Relations Act)

Certificates of Age Until termination of Employment.

29 USC §206(d)(1); 29 USC §211; 29 CFR §570.6 (Fair Labor Standards Act and National Labor Relations Act)

Payroll or other records containing name, address, birthdate, occupation, pay rate and weekly compensation.

Three years 29 USC §626; 29 CFR §1627.3 (Age Discrimination in Employment Act)

Payroll records including name, address, job category, pay rate, weekly number of hours worked, deductions made, and wages paid.

Three years from completion of contract.

40 USC §276a; 29 CFR §5.5 (Davis-Bacon Act)

Employee benefit plans (such as pension or insurance plans); seniority and merit systems which are in writing.

Duration of plan and for at least one year after plans’ termination.


Basic information supporting plan descriptions including vouchers, worksheets, receipts, applicable resolutions and participants’ elections and deferrals.

Six years after filing date of documents.

Employee Retirement Income Security Act of 1974 §107



Summary of Government-Mandated Information Retention Requirements for Employers (cont’d.)

Type of Information Retention Period Applicable Statute(s) Retain a signed and dated notation in each employee file (a) documenting the dates on which the employee was given each required reporting and disclosure document relating to an employer-sponsored benefit plan; and (b) the manner of delivery. Keep in a master file (instead of in each employee file).

Indefinitely Employee Retirement Income Security Act of 1974 §209

Beneficiary designation and distribution election forms for retirement plans

For distribution to participants, three years following distribution. For distribution to a beneficiary, indefinitely.

Employee Retirement Income Security Act of 1974

Any correspondence, inquiries or notes relating to individual eligibility determinations

Indefinitely Employee Retirement Income Security Act of 1974 §209

Wage and hour records for the purpose of determining retirement benefits

Indefinitely; alternatively six years following date of lump sum distribution.

Employee Retirement Income Security Act of 1974 and the Fair Labor Standards Act

Copies of each document for referral purposes. Examples of reporting and disclosure documents are COBRA notices, summary plan descriptions and summary annual reports.

Indefinitely Employee Retirement Income Security Act of 1974

Log and summary of occupational injuries and illnesses (OSHA form No. 200).

Five years following end of year to which records relate.

29 USC §657; 29 CFR §1904.2 (Occupational Safety and Health Act)

Supplemental record for each occupational injury or illness (OSHA form No. 101).

Five years 29 USC §657; 29 CFR §1904.4 (Occupational Safety and Health Act)

Annual summary of occupational injuries and illnesses.

Five years 29 USC §657; 29 CFR §1904.5 (Occupational Safety and Health Act)

Records of medical examinations required by law.

Duration of employment plus thirty years, unless OSHA requirements provide otherwise.

29 USC §657; 29 CFR §1910.1020 (Occupational Safety and Health Act)

Records of monitoring exposure to hazardous materials.

Thirty years 29 USC §657; 29 CFR §1910.1020 (Occupational Safety and Health Act)

Manufacturers, processors, or distributors of any chemical substance must retain records of employees’ “significant adverse reactions” to health or the environment.

Thirty years from date such adverse reaction first reported to or known by person maintaining record.

15 USC §2607 (Toxic Substances Control Act)

Any other records of such adverse reactions.

Five years from date first reported to or known by person maintaining the record.


Consumer allegations of personal injury or harm to health, reports of occupational disease or injury and reports or complaints of injury to the environment submitted to the manufacturer, processor, or distributor from any source.

Thirty years for employee claims of occupational disease or occupational health problems.




Summary of Government-Mandated Information Retention Requirements for Employers (concluded)

Type of Information Retention Period Applicable Statute(s) Personnel records concerning any discrimination charge brought by any agency or individual (e.g., records about charging party and all other employees holding similar positions, application forms, or test papers completed by all applicants for same position).

Until final disposition. 42 USC §2000e8c; 29 CFR §1602 (Title VII of the Civil Rights Act of 1964)

An action brought against employer, any personnel records concerning employee or applicant

Until final disposition. 29 USC §626; 29 CFR §1627.3 (Age Discrimination in Employment Act)

Records concerning complaints of handicap discrimination, (in programs and activities receiving or benefiting from federal financial assistance) and relevant employment records of charging party and employees in similar positions.

Three years 29 USC §793 41 CFR §60-741.81 (Rehabilitation Act of 1973)

Any personnel or employment record made or kept by an employer concerning an individual with a disability (e.g., request for reasonable accommodation, application forms, and other records having to do with hiring, promotion, demotion, transfer, layoff or termination, rates of pay or compensation, and selection for training or apprenticeship).

One year from the date the record is made or the personnel action involved is taken, whichever occurs later.

29 CFR §1602.14 (Americans with Disabilities Act)

Personnel records of an individual whose employment has been involuntarily terminated.

One year from the date of the termination.


Personnel records concerning a charge of discrimination filed or an action brought against an employer under Title VII or the ADA.

Until final disposition of the charge or the action (the date of expiration of the statutory period within which the aggrieved person may bring an action in U.S. District Court or the date such litigation is terminated).


All records pertaining to compliance with FMLA’s leave requirements, including dates and hours (if less than a full day) of FMLA leave; copies of employer notices, documents describing premium payments and employee benefits and records of disputes with employees over FMLA benefits.

Three years 29 USC §2616; 29 CFR §825.500. (Family and Medical Leave Act of 1993)

Documents describing FMLA notices and copies of employer’s FMLA policy.

Three years 29 USC §2616; 29 CFR §825.500. (Family and Medical Leave Act of 1993)

Source: Jennifer L. Suich, Lindquist & Vennum, P.L.L.P. (Used with permission)



Selected Miscellaneous Content Retention Requirements

Regulation Rules

California Education Code The code mandates a minimum of four-year retention policy for records but one year for emails.

California amendment to FRCP

California has a different view to the judge in the Zubulake case who ruled that electronic information could be deemed inaccessible if the cost of recovery is too high and if the resulting information may not be useful. California's e-discovery amendments appear to presume that all ESI is accessible, leading lawyers to note: "California's deviation from the federal rules […] indicates California's recognition that Zubulake is outdated due to technological advancements."

California Fair Employment and Housing Act (FEHA)

Code 12946 of this act requires employers and employment agencies to maintain and preserve any and all applications, personnel, membership or employment referral records and files for a minimum of two years. Also, companies involved in employment-based legal complaints are not permitted to destroy records until all appeals or related proceedings are terminated.

Florida 119.01(1)(e)

“Providing access to public records by remote electronic means is an additional method of access that agencies should strive to provide to the extent feasible. If an agency provides access to public records by remote electronic means, such access should be provided in the most cost-effective and efficient manner available to the agency providing the information.”

Louisiana Public Records Act Public records include “information contained in electronic data processing equipment”.

Massachusetts SPR Bulletin No. 1-99, last revised May 21, 2003

The commonwealth requires all its government officials to retain all business-related email messages and metadata and that such messages are considered public records. Massachusetts also requires retention of the message's metadata. Messages must be retained and printed and filed in accordance with the agency’s paper filing procedures. Large messages should be stored electronically.

Missouri Sunshine Law A request can be made of any email record if the email requested was focused on public business and was sent to two or more recipients.

Ohio Publics Records Act

Requesters can ask to see public records kept by government agencies. Such records can be stored in a variety of media including email, voice mail and video. The requester has the right to choose the medium -- paper, film, electronic file, etc -- they would like the record to be duplicated. This means the agency has to organize and maintain its records so the request can be fulfilled promptly and at no cost during regular business hours, or to provide copies at cost within a reasonable period of time. The Ohio Supreme Court determined that a public office has a duty to recover contents of deleted emails and provide access to them.

Oregon ORS 192.410(6) Includes email as a public record for purposes of the states open records statutes, but voicemail is specifically excluded as a public record.



© 2010 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

What Are Your Obligations to Retain Email and Other ... Are Your Obligations to Retain Email and...

Documents

Transcript of What Are Your Obligations to Retain Email and Other ... Are Your Obligations to Retain Email and...