White House still under scrutiny for email retention policy [part 2]

March 3, 2008 at 5:55 pm

Richard Koman of ZDNet reports that a “primitive” email archiving system could be largely responsible for the missing White House emails. When President Bush first took control of the White House, Koman writes, he disposed of an Automatic Records Management System which was used by the Clinton administration under court order. What did the president replace the system with, you might ask? Well, not a whole lot. According to ZDNet, the email retention policy implemented by Bush was teeming with security issues. “In mid-2005, a critical security issue was identified and corrected. During this period it was discovered that the file servers and the file directories used to store the retained email were accessible by everyone on the EOP network.” In the years after this, Koman adds, “the National Archives tried repeatedly and failed to get the White House to comply with archival regulations.” Now, in 2008, Congressional staffers have submitted a memo to the House Oversight Committee (PDF) detailing a “mind-boggling scenario that smacks of willful violation of laws requiring presidential email archiving, IT incompetence and a strong whiff of intentional destruction of evidence.”

What goes on behind the scenes really is amazing sometimes, even though this situation has been in the making for many years. How did it not go public in 2005 that the file directories used to store the retained email were accessible by everyone on the EOP network? Role-based permission access is a serious facet of any quality email archiving solution, especially in our nation's highest political facility. How could the White House just refuse so many warnings and requests to update their system? How could the president just disregard laws that COMPEL him to archive email? Perhaps the best quote is right here: Stephen McDevitt, an official in the presidential CIO office, “told the committee that a new e-mail archiving system that would have addressed the problems was ready to go live on Aug. 21, 2006. But CIO Theresa Payton canceled the new system in 2006, because it would have required modifications and additional spending.” What? It was canceled for modifications and additional spending? Email archiving is a critical item for the president that is necessitated by law. It is nothing short of wild that Payton gave modifications and additional spending as a reason against its implementation.


Hospitals get ready for HIPAA security compliance [part 3]

February 29, 2008 at 6:29 pm

Ellen Messmer of Network World reports that lately hospitals have had more to worry about than just preparing for upcoming HIPAA security audits. “Health care organizations feel under increasing attack from the Internet,” Messmer writes, “while security incidents involving insiders and disappearing laptops with sensitive data are piling up.” Dr. John Halamka, CIO at both Beth Israel Deaconess Medical Center and Harvard Medical School in the Boston area, was quoted as saying: “there is definitely an uptick in attacks. Privacy is the foundation of everything we do. We don’t want to be the TJX of health care.” She then turns to Don Jackson, researcher at Atlanta-based security services firm SecureWorks, who says: “health care organizations store a lot of valuable personal, identifiable information such as Social Security numbers, names, addresses, age, in addition to banking and credit-card information.” Jackson explains how cyber attacks can be profitable for criminals, who obtain health insurance credentials to use in the “counterfeit document racket, especially in Central and South America.”

At least in terms of electronic communication, it might be time for some hospitals to turn to outsourced email archiving.  Encryption, security, and access are all issues for health care providers right now, and these are three issues that email archiving services are well equipped to handle. It is time for hospitals to address the quality and success of their electronic patient data backup and protection.  With HIPAA security audits right around the corner, the time to wait before integrating an email compliance solution is really over.


Companies begin reflection on FRCP eDiscovery and email archiving experiences

February 28, 2008 at 10:21 pm

Paul Korzeniowski of Byte and Switch reports that at least a few small to mid-sized businesses are ready to reflect on eDiscovery and the steps they have taken to successfully comply. Writing about the current state of eDiscovery preparation in American industries, Korzeniowski says: “while many firms, particularly SMBs, continue to struggle with the FRCP mandate, the ones who’ve managed to institute policies and procedures for the speedy and accurate retrieval of electronic information have a lot to say about what works — and what doesn’t.” Korzeniowski included a section about how medical device supplier Foxhollow Technologies Inc. was forced to integrate an email archiving solution when they became involved in a federal lawsuit. I am posting an excerpt of this section below because I think it is an important learning opportunity for all U.S. businesses that are on the fringe of turning to email archiving.

When IT pros at Foxhollow Technologies Inc., a startup medical device supplier, looked to install email archiving three years ago, management forced the project to the back burner, despite a general lack of email control. “There were users who saved everything and had gigabytes – or more – of email messages,” noted Chuck Arconi, system administrator at the company. At the time, Foxhollow had about 600 employees, but its email system chewed up 400 Gbytes of storage.

Then the other shoe dropped when the company became involved in a lawsuit. Suddenly, funding for the email archiving project was no longer a contentious issue. “The legal department had no problem finding the capital needed to pay for the entire project. In fact, they gave us more than twice as much money as we needed. Before, a paralegal would have to spend two to four hours trying to find the right messages in each mail box. Now the work is done with a click of a button.”

Last month I wrote a blog entry on email insurance and I mentioned the concept of “professional disinterest.” I provided the quote of “when it happens to me, I’ll deal with it.” Foxhollow Technologies illustrates this point loud and clear, as many U.S. companies are perfectly content waiting for something bad to happen to them before making something important a top priority. Why do they do this? I think it just really takes a wake-up call to force people to make decisions most of the time. I think individual case studies are one of the best ways to get people to pay attention and I will try to provide many more of them. Stay tuned.


Next generation email archiving? [part 1]

February 26, 2008 at 4:12 pm

I came across an interesting article earlier today on Computer Technology Review regarding the current and future expectations of an email archiving solution in light of modern FRCP eDiscovery requirements. William Tolson has compiled an expert list of capabilities to be considered when choosing an email archiving solution that I feel all U.S. businesses should review. I am posting an excerpt of his writing below along with the capabilities he feels are pertinent in meeting the demands of regulatory and legal compliance:

“Email archiving solutions should address critical customer requirements around email information archiving, eDiscovery, regulatory compliance, business continuity, and storage optimization. Enterprise-class solutions provide legal search work flow, immediate mailbox and message recovery, disaster recovery, email archiving, and self-service search and access in one solution. By leveraging cost-effective storage, these solutions also optimize email storage and reduce overall infrastructure costs. Next generation email archiving solutions deliver rapid, comprehensive search across millions of emails for litigation ready production and provide the following capabilities:

Rapid eDiscovery: Auditors and legal staff must be able to quickly perform sophisticated search and discovery across centrally managed mailboxes to meet compliance requirements.

Automated, Exchange Disaster Recovery: Reliably protect Exchange information through non-invasive, continuous application shadowing. This process preserves the consistency and integrity of Exchange data and enables “one-click” full email data and service recovery when needed.

Mailbox Storage Management: Reduce storage requirements on the Exchange Server by migrating or “extending” attachments based on policies of age, document size, or mailbox size.

Self-service search of archived data: Seamless self-service access to end-user archived data, enabling them to find potentially lost or deleted messages without IT assistance.

Enhanced support for Exchange 2007: Live Communication Server (IM) and 64 bit Servers – extends content management to include instant messaging and takes advantage of new Exchange 2007 features for disaster recovery, folder level retention, and mailbox level journaling.

Automated PST File Archiving: New “crawler” automatically searches and retrieves PST files from servers, desktops, and laptops based on administrator-defined policies.

Active Directory Integration: Leverages roles defined in Active Directory and provides a version history of Active Directory, including distribution lists. Contents of distribution lists are viewed as they appeared when an email was originally sent or received.

Public Folder Archiving: Performs archiving and continuous data protection for Public Folders and allows auditors to search all Public Folder content and re-create chain-of-custody for compliance and legal discovery.

Scalable Storage & Reduced Archive Storage Requirements: Designed to deliver improved scalability and performance for the archive server with support for multiple databases and extensible storage volumes.”

Each of the above criteria is highly relevant in ensuring a smooth email litigation process should such a situation arise. However, does relevancy equal necessity? Which of these factors are truly “business critical”? How essential is having support for Exchange 2007? Does a company need public folder archiving? When does storage really become a problem? Are the above capabilities best used in an in-house or an outsourced email archiving solution? I believe it is important for a business to understand what they need to comply with corporate regulations and legal requirements without spending money and time on things that are simply not necessary. What are the intricate parts of an email archiver that you truly NEED to satisfy compliance? I would like to address this topic in full soon. Stay tuned.
