Category Archives: Regulatory Compliance

Email Archiving: Am I required to do it?

As of December 1, 2006… email archiving IS required. This is the date amendments to the Federal Rules of Civil Procedure (FRCP) went into effect. These amendments require any organization subject to civil suit in a federal district court to be able to produce email and electronically stored information (ESI) as evidence within 30 days of the court’s request for it.

Crucially, when providing ESI to a court, the organization must be able to demonstrate the ESI hasn’t been tampered with. Relying on a backup system is extremely risky because a backup provides a snapshot in time but CANNOT guarantee the presence or integrity of all ESI. For example, if an organization’s system is backed up nightly, a user could easily delete or alter ESI prior to the next scheduled backup. An archiving system captures information in the process of its creation and closes this loophole, protecting the organization from costly fines.

On top of this, organizations in regulated industries – e.g. education, energy, finance, government, healthcare, legal – and publicly traded companies are further governed by regulations specific to their industry that require email archiving. Some examples follow…

  • Education & Government: Freedom of Information Act (FOIA) / State “Sunshine” Laws
  • Healthcare: Health Insurance Portability and Accountability Act (HIPAA)
  • Finance: Gramm-Leach-Bliley Act (GLBA)
  • Public Company: Sarbanes-Oxley (SOX)

You might be asking “What’s the risk if I don’t archive my email?” That’s a GREAT question that we’ll answer in a future post!

To learn more, give us a call or register to attend one of our upcoming webinars.

3 Steps to Prepare Your Organization to Respond to FOIA Requests

If you are the person responsible for Freedom of Information Act (FOIA) or eDiscovery requests at your organization, you’re probably following the events at the EPA closely. If you’re not, you’re missing an excellent example of the potential hazards of working in a public organization and having to respond to information requests.

In short, Lisa Jackson, the EPA Chief for the past four years, has announced she will step down next month. This announcement comes shortly after her admission in December 2012 to having used “Richard Windsor” as a nom de plume to conduct “internal discussions” via email.

The subsequent scandal, dubbed “Windsorgate,” has highlighted the issue of employees proactively taking steps to prevent information generated by their institutions from being publicly discoverable, something they would have to break the law to do.

The issue is not one of accessing the information, but rather of finding the right information to comply with FOIA requests. By using an alias account, Lisa Jackson, and anyone else doing so, is effectively hiding emails from legitimate FOIA requests.

Fortunately for the EPA, they do use an email archiving solution and are responding to a Federal lawsuit that requires them to deliver approximately 12,000 emails related to this request in four tranches containing about 3,000 emails each. It will be an interesting case to follow, as the EPA’s initial tranche delivered 2,100 emails, all of which were nebulous and none of which were To or From “Richard Windsor.”

For those of us on the outside looking in, this should serve as a wakeup call for how to manage not only our own information repositories, but also how we communicate the necessity of doing so with our employees. Below are 3 steps to prepare your organization to respond to FOIA requests and handle these types of situations if they should ever arise in your organization.

  1. Have clear policies that communicate the acceptable use of electronic communication such as email when conducting official business for your institution
  2. Make sure your employees understand these policies and that you document their acknowledgement of these policies
  3. Have the appropriate technology solutions in place to collect, archive and retrieve your electronic communications to enable the accurate, efficient and timely response to legitimate requests for information

At the end of the day, your organization’s ability to comply with information requests will depend on the lawful actions of your employees and your ability to deliver the information requested. Implementing the three recommendations outlined above, however, should establish a solid foundation for doing this and put you and your institution above reproach.

Email Archiving: What is it?

Expanding on the definition from our friends at Wikipedia…

Email archiving is the automated process of preserving, protecting and making searchable all inbound, outbound and internal email messages (as well as attachments and metadata) in their original and unmodified form so they can be accessed at a later date should the need arise.

Why might you do this? Top four reasons follow…

  1. Comply with regulatory requirements (e.g. FOIA, HIPAA, SOX, etc.)
  2. Recover emails that have been lost or accidentally deleted
  3. Accelerate response to audit, or in the case of litigation / internal investigations, “eDiscovery” requests
  4. Preserve the intellectual property contained in business email (i.e. Data Mining)
