The boundaries of email archiving: Bush draws the line?
March 3, 2008 at 9:22 pm (5095152, Email Archiving, George Bush, Missouri Sunshine law, archive email, business, data retention, electronic communication, electronic privacy, email backup, email management, email retention, esi, legal, message archiving, news, personal stuff, politics, president, privacy, thoughts, white house)
Mitch Ratcliffe of Zdnet Rational Rants reports that President Bush was quite insightful in providing information about his administration’s email retention policy. “I don’t want you reading my personal stuff,” President Bush told the press when asked about why his administration has failed to comply with records-retention laws during his time in office. Ratcliffe then adds: “Unfortunately, Mr. President, nothing you can do at your desk, or in the airplanes, cars and buildings we give you to use as president, is ‘your personal stuff.’ It is the property of the people. As voters, we must demand greater accountability of the next president.”
I think Ratcliffe is right on. There is a fine difference between the use of personal records and public records. Electronically stored information (ESI) which relates directly to the President and his job as head of the United States, is PUBLIC information. I am sure there are limited exceptions and so on and so forth, but his “personal stuff,” the way he phrased it, is not at all accurate. Email archiving solutions, especially in the case of political activity, are truly important measures to have in place to make sure that there is nothing going on that shouldn’t be. Governot Matt Blunt of Missouri has made the news recently in EXACTLY the same way. I agree with Ratcliffe that we cannot let this kind of activity slide. It is time that email archiving be taken seriously.
White House still under scrutiny for email retention policy [part 2]
March 3, 2008 at 5:55 pm (Email Archiving, George Bush, archive email, bill clinton, business, data retention, electronic communication, email backup, email compliance, email management, email retention, email storage, governance, legal, national archives, news, politics, thoughts, white house)
Richard Koman of Zdnet reports that a “primitive” email archiving system could be largely responsible for the missing white house emails. When president Bush first took control of the white house, Koman writes, he disposed of an Automatic Records Management System which was used by the Clinton administration under court order. What did the president replace the system with, you might ask? Well, not a whole lot. According to Zdnet, the email retention policy implemented by Bush was teeming with security issues. “In mid-2005, a critical security issue was identified and corrected. During this period it was discovered that the file servers and the file directories used to store the retained email were accessible by everyone on the EOP network.” In the years after this, Koman adds, “the national archives tried repeatedly and failed to get the white house to comply with archival regulations.” Now in 2008, Congressional staffers recently submitted a memo to the House Oversight Committee (PDF) detailing a “mind-boggling scenario that smacks of willful violation of laws requiring presidential email archiving, IT incompetence and a strong whiff of intentional destruction of evidence.”
What goes on behind the scenes really is amazing sometimes, even though this situation has been in the making for many years. How did it not go public that the file directories used to store the retained email were accessible by everyone on the EOP network in 2005? Roles based permission access is a serious facet of any quality email archiving solution, especially in our nations highest political facility. How could the white house just refuse so many warnings and requests to update their system? How could the president just disregard laws that COMPEL him to archive email? Perhaps the best quote is right here: Stephen McDevitt, an official in the presidential CIO office, “told the committee that a new e-mail archiving system that would have addressed the problems was ready to go live on Aug. 21, 2006. But CIO Theresa Payton canceled the new system in 2006, because it would have required modifications and additional spending.” What? It was canceled for modifications and additional spending? Email archiving is a critical item for the president that is necessitated by law. It is nothing short of wild that Payton gave modifications and additional spending as a reason against its implementation.
Hospitals get ready for HIPAA security compliance [part 3]
February 29, 2008 at 6:29 pm (Email Archiving, HIPAA, archive email, business, cms, corporate, data retention, electronic communication, electronic document retention, electronic privacy, email backup, email compliance, email management, email retention, email security, email storage, health care, health information, health records, healthcare, hipaa compliance, hipaa privacy, hipaa security, medical records, message archiving, news, privacy, thoughts, tony trenkle)
Ellen Messmer of Network World reports that lately hospitals have had more to worry about than just preparing for upcoming HIPAA security audits. “Health care organizations feel under increasing attack from the Internet,” Messmer writes, “while security incidents involving insiders and disappearing laptops with sensitive data are piling up.” Dr. John Halamka, CIO at both Beth Israel Deaconess Medical Center and Harvard Medical School in the Boston area, was quote as saying: “there is definitely an uptick in attacks. Privacy is the foundation of everything we do. We don’t want to be the TJX of health care.” She then turns to Don Jackson, researcher at Atlanta-based security services firm SecureWorks, who says: “health care organizations store a lot of valuable personal, identifiable information such as Social Security numbers, names, addresses, age, in addition to banking and credit-card information.” Jackson explains how cyber attacks are potentially beneficial to the pockets of criminals who obtain health insurance credentials to use in the “counterfeit document racket, especially in Central and South America.”
At least in terms of electronic communication, it might be time for some hospitals to turn to outsourced email archiving. Encryption, security, and access are all issues for health care providers right now, and these are three issues that email archiving services are well equipped to handle. It is time for hospitals to address the quality and success of their electronic patient data backup and protection. With HIPAA security audits right around the corner, the time to wait before integrating an email compliance solution is really over.
White House still under scrutiny for email retention policy
February 22, 2008 at 5:25 pm (Colleen Kollar-Kotelly, Email Archiving, Kollar-Kotelly, archive email, business, citizens for responsibility and ethics, company email policy, corporate, data retention, electronic communication, electronic document retention, email backup, email compliance, email management, email retention, email security, freedom of information act, legal, message archiving, news, politics, white house)
Brian Fonseca of Computerworld reports that “District Court Judge Colleen Kollar-Kotelly this week issued an order enabling the Washington-based Citizens for Responsibility and Ethics watchdog group to perform limited questioning of White House officials.” The group had filed suit against the White House Office of Administration last May “seeking access to White House e-mail under the federal Freedom of Information Act.” The discovery ordered by Kollar-Kotelly was issued to “determine whether the Office of Administration is subject to the Freedom of Information Act.” This will be a situation to keep an eye on as the office contends “it is not subject to FOI requests.” Additionally, Fonseca provided insight from Mike Osterman, president of Black Diamond, Wash.-based Osterman Research Inc., who said: “many businesses operate under the false assumption that e-mail is not a business record. A lot of people are not implementing e-mail archiving [processes]; they’re saving e-mail, but not in a cohesive or consistent way. Companies can say ‘Yes, we need to archive,’ but [the process] must be policy driven and taken out of users’ hands.”
Even though I probably shouldn’t, I still find it fairly remarkable that the White House simply cannot respond about the whereabouts of many missing emails. With the advent of internet technology there seems to be this general attitude that electronic communication does not have to be held up to the same standard as traditional paper documents. Many corporate executives and government officials seem to think they can pretend conversations never happened by simply deleting email backup tapes. In theory paper copies could just be burned up, but it seems that the ease of conveniently “losing” emails is what makes it so much more noticeable. It does not require a lot to act as if nothing ever happened. However, with industry regulations and legal expectations tightening the grip on corporate behavior, abusing the age of email messaging is only going to get harder to do. It is high time for all organizations to integrate an email archiving solution, especially when the center of the American universe is being thrown into the grand spotlight for this exact reason.
Cayman Islands to host seminar on email archiving and disaster recovery
February 21, 2008 at 5:04 pm (Email Archiving, archive email, business, cayman islands, corporate, data retention, disaster recovery, e-discovery, eDiscovery, edd, electronic communication, electronic data discovery, electronic discovery, electronic document retention, email backup, email compliance, legal, message archiving, news, politics, seminar, thoughts, white paper)
Caymanian Compass, the Cayman Islands’ leading newspaper, reports that a seminar on email archival and disaster recovery will take place on February 21st at the UCCI (University College Cayman Islands) Executive Training Center. According to Rob Eyers, responsible for enterprise business development at Kirk iSS, “Public and private sector organizations in the Cayman Islands are facing similar challenges to their counterparts in other offshore jurisdictions.” He then adds: “the increased use of technologies such as email, sms, instant messaging, Microsoft Office and a range of other types of electronic communications have resulted in substantial growth in data within the enterprise and in turn created a significant data management problem for the IT Department. With 83% of business communication now being electronic, organizations need a solution to reduce the cost of storing, managing, and discovering this electronic tidal wave of business information.”
There are a couple of points I would like to make here. Firstly, there has been a recent surge in the amount of educational resources regarding eDiscovery and email archiving. Within the past month alone I have written about professional research papers, legal guidelines, reports, conferences, and even a judicially acclaimed reference on the topic. What is the significance here? I believe that both industry leaders and experts are finally recognizing the sheer volume of companies that are simply unprepared to deal with the pressures of satisfying an ever strengthening corporate & legal governance. Education and integration of email archiving solutions will continue to be a process, but there is little doubt that progress is being made. Secondly, the geography of email archiving and the locations that might be subject to email compliance regulations in the near future will be interesting to keep an eye on. That this seminar is taking place on the Cayman Islands, a British overseas territory, is a sign of society and corporate governance moving in a specific direction.
Email Archiving: in-house solution or outsourced service? [part 1]
February 15, 2008 at 10:10 pm (Email Archiving, archive email, business, data retention, electronic communication, electronic data discovery, electronic document retention, email audit, email backup, email compliance, email management, email retention, email security, message archiving, news, politics, thoughts)
In this entry I would like to focus on the cost of an in-house email archiving solution versus that of an outsourced service. Firstly, which one is more cost efficient? This question is an important one for most small to mid-sized businesses as they need to keep email archiving within a tight IT budget. Organizations will be pleased to know that the answer is an outsourced service, and it is usually by a significant amount. But why? Why are in-house solutions so much more expensive? It all comes down to the sheer amount of work that is required to keep the in-house solution up and running. The IT team is responsible for monitoring all incoming and outgoing electronic communications, maintaining email archiving appliances, and ensuring proper systems integration. There is also the issue of storage space, which could add up in a hurry if your business has thousands of emails entering and leaving the archive daily. Outsourced services retain all of your email messages for you and present you with advanced search options to quickly retrieve specific emails that have been captured in the archive. However, the big question that I am posing here is: are there any distinct advantages to an in-house email archiving solution that would justify the high cost to maintain and integrate? Why do some organizations PREFER the higher cost?
In one word, the answer is trust. Companies simply do not feel comfortable trusting an outsourced email archiving service to sift through their email and have access to private information. But is that really what happens? Do email archiving services take such advantage of their clients? No, they don’t. Why not, you might ask? Roles based permission access, industry regulation authorities, and business reputation are three critical factors that ensure outsourced email archiving safety. Are there any distinct advantages to an in-house email archiving solution that would justify the high cost to maintain and integrate? There are some loose arguments to be made in favor of an in-house solution, but stay tuned for part II for more information.
NY LegalTech panel takes a look at in-house and outsourced electronic data discovery
February 11, 2008 at 9:46 pm (Email Archiving, archive email, business, data retention, e-discovery, eDiscovery, edd, electronic communication, electronic data discovery, electronic discovery, electronic document retention, email backup, email compliance, email management, email retention, email security, frcp, legal, message archiving, news, politics, thoughts)
Legal Blog Watch reports that on February 5th Claire Duffet of Law Technology News attended a morning session of the NY LegalTech panel entitled: “Actionable E-discovery: Finding the Right Balance of In-house and Outsourced Resources.” According to Duffet there were 300 attendees in the room who had to answer the poll question: which step in the eDiscovery process is most concerning? 43% said that this step is in the processing review and analysis, 33% said that its in preservation and collection, and 13% said information management with identification, production, and presentation rounding out the rest of the responses.
Duffet mentioned the presence of several significant eDiscovery figures including: attorney Marie Lona, partner and chair of the e-discovery and electronic information practice group at Winston and Strawn, Tom Hall, managing attorney for discovery and litigation technology at Cleary Gottlieb Steen & Hamilton, Mikki Tomlinson, litigation support manager for Chesapeake Energy Corp, and moderator Kelli Brooks, principal of forensic technology services at KPMG. Tom Hall discussed the serious sanction handed down in the Qualcomm Inc v. Broadcom Corp by saying “My risk aversion advice: Don’t do that.”
EDD (electronic data discovery), as evident by the 46,000 missing electronic documents in Qualcomm, is an extremely important business continuity measure in the year 2008. Panel discussions such as the one above are instrumental in the education process for U.S. Businesses to learn about the dangers of avoiding email compliance and email archiving solutions. Perhaps the question is: is it better to retain electronic correspondences using in-house or outsourced solutions? This depends largely on the finances of a company, but there is a strong argument to be made for an outsourced service. They are generally more cost efficient, provide IT relief, and automatically provide you with regulatory and legal compliance.
New white paper by Osterman Research sheds light on email archiving
February 11, 2008 at 6:30 pm (Email Archiving, FINRA, Financial institution, HIPAA, Osterman Research, archive email, business, data retention, e-discovery, eDiscovery, electronic communication, electronic discovery, electronic document retention, email backup, email compliance, email management, email retention, email security, frcp, gramm-leach-bliley, health care, healthcare, hipaa compliance, message archiving, news, politics, sarbanes-oxley, thoughts, white paper)
The Portland Daily Business News reports that Osterman Research has published a new white paper entitled: “A Guide to Messaging Archiving.” According to the press release, Osterman Research “indicates that support for regulatory and legal compliance obligations and growing storage requirements are among the reasons for companies to deploy a messaging-archiving solution, and that any one of those rationale can often justify the entire cost of the archiving capability.” Michael Osterman, president of Osterman Research, said that “having a messaging-archiving system in place is becoming increasingly critical in today’s business environment. We’re seeing an increasing number of examples of companies paying a massive price for a failure to produce electronic documents and e-mails.
The study includes the following factors as significant reasons to implement an email archiving solution:
Regulatory compliance. Industries that are heavily regulated, such as financial services or health care companies, must meet a variety of statutory requirements with regard to records retention.
Legal compliance. Dec 2006 revisions to the Federal Rules of Civil Procedure (FRCP) require organizations to manage their data in such away that it can be produced in a timely and complete manner when necessary, such as during legal discovery proceedings.
Reducing the impact of storage. Roughly 60% of decision-makers cite growth in messaging storage as a serious or very serious problem. Messaging storage, driven by increasing use of e-mail, larger attachments and the like, is growing at an average of 35% annually. By migrating data from storage on messaging servers to archival storage, companies overall storage costs can be reduced, while improving their messaging server performance and expediting recovery from downtime incidents.
My thoughts: at this point there is certainly no shortage of reasons to archive email. This white paper only highlights the list of issues facing both enterprises and businesses in relation to integrating an email compliance solution. With HIPAA, SOX, GLB, NYSE, NASD, AND SEC laws firmly in place, the monitoring and enforcement of corporate email retention is a top priority for U.S. industry regulators. FRCP eDiscovery proceedings have only placed the necessity to archive email on a grander scale, as harsh sanctions and criminal prosecution are legitimate possibilities facing those companies who cannot produce email evidence in a timely fashion. Additionally, the strain placed on an in-house server to retain the thousands upon thousands of in-coming and out-going emails that are accumulated daily has also enhanced the attraction of outsourcing an email archiving service.
HOWEVER, is this really what will get the corporate world to archive their email? I think that Osterman Research has done a great job, but I think that the benefits to email archiving are out there and have been out there. With so many laws, requirements, and IT concerns already established will a new white paper citing what is already known really make a difference? For some it might, but for many it wont. In a recent series of posts about Email Insurance I said that cost, complexity, satisfaction with email backups, apprehension about an unfamiliar corporate practice, and professional disinterest were big reasons why email archiving has not risen to the top of the business agenda. What the U.S. business world needs is the following three factors to help push email archiving into the corporate spotlight: Education. Momentum. Trust. I want to elaborate much more on these three factors in subsequent blog entries but for now I am going to focus on education.
“A Guide to Messaging Archiving” sounds like a nice tool for a CEO or CIO willing to invest the time to learn about email archiving, but will they? Who reads white papers? White papers are academic endeavors designed to provide a degree of expertise in a given topic. Most business professionals are simply too busy to be bothered with reading a white paper no matter how beneficial it might be for their business operation. This seems a strange scenario. People are taking the time to draft comprehensive analyses of important topics and nobody is reading them? I wouldn’t say nobody here, but unless someone is seriously considering a purchase it is not a common phenomenon. How can education about corporate email archiving become more appealing? How do you make people WANT to get what they SHOULD get in the first place? I believe this is where attorneys come in. I believe this is where the news comes in. I believe this is where word of mouth comes in. Sometimes it depends on WHO is doing the educating. Might a white paper be more informative then listening to an attorney speak? Sure. Might it not? Sure. That is up to the individual person doing the listening. But what I do know is that hearing what you need to do from someone that you perceive to be in the right position to make a judgment call will win over reading a white paper almost every time. Our society is governed by law. People trust the law. U.S. Businesses trust the legal practitioners that represent the law. If email archiving is to be taken seriously it must come at least partially come from attorneys.
Is there something wrong with a new white paper on email archiving by Osterman Research? There is nothing WRONG in the traditional sense, but I feel that corporate America is just waiting a different form of education, one that they feel more comfortable with. When is this change coming? Is this change coming? I would like to do some more writing on these issues soon. Stay tuned.
Did a Texas Sheriff violate email compliance laws? [part 2]
February 4, 2008 at 7:13 pm (Email Archiving, archive email, business, data retention, email backup, email compliance, email management, email retention, email security, legal, message archiving, news, politics, texas, thoughts)
UPDATE: I have some more news to add to my January 21st post regarding Texas sheriff Tommy Thomas violating the states email compliance laws. Charles Kuffner reports that Willie Mata of the sheriff’s email admin wrote a letter to the editor of the Houston Chronicle disputing some of the assertions made in a story about the sheriff’s new email retention policy.
Mata wrote: “I must take issue with the comment that the sheriff overnight erases thousands of e-mails all on his departments computers without warning. In actuality, I moved 5 1/2 months worth of e-mail from nearly 4,000 mailboxes onto archive tape. At no time were e-mails erased from computers as Casey asserts, and all of these e-mail messages, attachments included, are recoverable. It must also be noted that no investigative information has been lost, as suggested by some deputies, and the deputies who have made such suggestions are not assigned to investigative functions.
Casey was correct in his statement that the users were given no warning. Let me explain why. As our public information officer, Capt. John Martin, has stated to the media on numerous occasions, we have a critical storage problem on our servers. If I had taken the time towarn our users, they would have off-loaded their email from the mail servers to our file servers. As both mail and file operations are served by the same storage system, there was insufficient storage to allow this. The storage system, placed into operation in March 2006, was sized to serve us for approximately two years before needing an expansion.”
My thoughts: Why couldn’t the sheriff respond himself? This is the first problem I have with Mata’s letter to Rick Casey of the Houston Chronicle. This might have been taken more seriously if it appeared legitimate. Secondly, if there really is an email archiving system in place, why has there been no mention of it before? Lastly, was it really necessary for the sheriff to keep all of his users in the dark about what was going on? Was it worth all of the bad press? There might indeed be a critical storage problem in the sheriff’s department, but this was handled terribly. I think Charles Kuffner summed this situation up best on his website, and I am going to post what he wrote here:
“If Sgt. Newby is typical, then the users didn’t understand what was happening. And I suspect he was typical, because as Mark Bennet shows, the memo and accompanying information (both PDF’s) that Sgt. Newby and his coworkers would have received makes no mention of moving emails to archive tape, where presumably it can be retrieved as needed. It baldly says: ‘Please consider this memorandum as authorization for the immediate deletion of all departmental email that is, as of the date of this menorandum, older than 14 days.’ There may have been some confusion here about what the sheriff’s office was doing, but I don’t think it was Rick Casey who was the cause of it.”
Message Archiving needed by the White House?
January 22, 2008 at 10:08 pm (Email Archiving, email backup, message archiving)
Did you hear the latest news regarding missing emails? No, it wasn’t some large corporation being sued for antitrust by another large corporation. No, it was not a revelation made during a discrimination or harassment trial. The missing emails seem to be some of the White House’s. Questions were initially raised when the White House, under court order to disclose, had to admit that it had recycled some of its email backup tapes. This revelation has heightened speculation that some email may be lost or destroyed. How could this happen, you may ask?
Backing up data is an important business continuity measure against something like a failed hard disk. If such an event were to occur, email backup can be used to restore the most current condition of a hard drive. This can be done in a relatively short amount of time and afford a business the opportunity to get back to normal quickly. But using email backup to preserve data is another matter entirely. The more critical the role that email plays in everyday business, the more stringent the protective measures that need to be in place to ensure preservation. Email backup technology that is widely in use today cannot guarantee that email will remain in its authentic form. This means that a message can be removed from an email backup tape, altered, and restored to the same location from where it was received with little or no notice. And how do you prove it is the original message that is in question, especially when that is in dispute? Even forensics have trouble answering that one. Moreover, the data on an email backup tape is not permanent. It can be overwritten, which sometimes happens when trying to control cost and manage tape rotations. Once the tape is overwritten you effectively remove previously recorded data.
The best way to protect against lost, altered, and unauthorized access to email is by using a message archiving system. One whose sole responsibility is to serialize each incoming and outgoing message, protect against deletion, alteration, and limit access to only authorized individuals. An effective message archiving system uses a medium that is similar in efficiency to disk technology, but with a combination of email security measures that ensures the integrity of the data stored will never be compromised.
