Email Archiving: Why Backups Alone Don’t Cut It

Backup and archiving are processes that solve different problems. It’s important to have a backup system in place; however, assuming your backup provides you with archiving capabilities can be a costly mistake! Backup is an application-driven technology that is not optimized for search. An archiving system is an information-driven technology that is indexed and searchable.

If your system crashes, backup can enable you to restore your entire system, including the most recently backed-up versions of files. It does this by restoring data in blocks, often huge blocks, in a process that restores not only individual pieces of data like a Word document but also application and OS files. An archive, by contrast, can be used to quickly locate specific data objects–say, 10 or 11 emails you exchanged with a client. Even if the emails are no longer on your mail server, your archive enables you to find and restore them quickly by searching for key terms, like the client’s name. Using backup to accomplish this same task would be almost unheard of because it would require a complex restoration and search process, greatly diminishing employee productivity and likely outweighing the benefits of delving into past records. An archive ensures business continuity by keeping records accessible.

Ediscovery requests often play out very differently if you rely on backup alone rather than choosing to archive. Every company that comes under litigation may be mandated to produce ESI (electronically stored information) under the Federal Rules of Civil Procedure. If you’re ordered to produce ESI that is spread across several non-indexed backup tapes, the process can become extremely expensive and disruptive for the IT Department. By contrast, an indexed archive enables you to easily place Legal Holds on documents within date ranges or with specific keywords. When you produce ESI from an archive you also know it is in its original, unaltered form. That’s because each email, attachment and document is archived the moment you click “send” — there’s no hang time between the time you send it and the time your company files are next backed up. Thus, you’re able to produce mandated information with confidence.

While business continuity and risk management are major reasons why an archive is invaluable, they are far from the only reasons. Other services backup cannot guarantee but an archive easily provides: reducing the load on your mail server by cataloging old emails in a separate location, providing a low-cost long-term storage solution for ESI, and enabling you to comply with federal, state and local data retention policies.

Email Archiving: What’s my risk if I don’t?

Archiving your company’s email, messages and texts — all forms of electronically stored information (ESI) — frees you from several risks. If, however, you decide to pass up on or postpone archiving, you leave yourself open to:

  • severe financial repercussions
  • appearing unreliable
  • appearing deliberately secretive

First, the financial risks. Just last year, LPL Financial, a brokerage firm out of Boston, was fined by the Financial Industry Regulatory Authority (FINRA) for “systemic email failures” to the tune of $7.5 million. FINRA also required LPL to create a $1.5 million compensation fund for their clients, bringing LPL’s price tag up to $9 million. LPL’s problem? Failing to retain and review emails sent out by their brokers and violating dozens of securities rules in the process (“LPL Fined $9 Million for Email ‘Failures‘,” WSJ).

Even if you aren’t regulated by an industry-specific set of rules, the financial risks of neglecting email archiving are significant. You can’t predict when or how often your company may come under litigation and the Federal Rules of Civil Procedure dictate that any company under litigation is responsible for producing all ESI ordered by the court. If you don’t have an email archiving solution in place you’ll likely be stuck using backups, which can be a costly process and one that does not allow you to produce the required information with confidence. More on backups vs. archiving in a future post.

In addition to the financial risks, not being able to produce email and other ESI in a timely manner can cause you to appear unreliable in court and in the press. Look no further than the recent case surrounding former IRS official Lois Lerner. The IRS claims to be unable to produce records of Lerner’s emails between 2009 and 2011. In the mix are Lerner’s crashed hard drive and a lack of reliable backups. Independent of the politics, these proceedings make the IRS look foolish at best, deliberately secretive and deceitful at worst. No matter the organization, if you neglect email archiving and end up in litigation, you put yourself in an indefensible position.

Email Archiving: Am I required to do it?

As of December 1, 2006… email archiving IS required. This is the date amendments to the Federal Rules of Civil Procedure (FRCP) went into effect. Amendments that require any organization subject to civil suit in a federal district court be able to produce email and electronically stored information (ESI) as evidence within 30 days of the court’s request for it.

Crucially, when providing ESI to a court, the organization must be able to demonstrate the ESI hasn’t been tampered with. Relying on a backup system is extremely risky because a backup provides a snapshot in time but CANNOT guarantee the presence or integrity of all ESI. For example, if an organization’s system is backed up nightly, a user could easily delete or alter ESI prior to the next scheduled backup. An archiving system captures information in the process of its creation and closes this loophole, protecting the organization from costly fines.

On top of this, organizations in regulated industries – e.g. education, energy, finance, government, healthcare, legal – and publicly traded companies are further governed by regulations specific to their industry that require email archiving. Some examples follow…

  • Education & Government : Freedom of Information Act (FOIA) / State “Sunshine” Laws
  • Healthcare : Health Insurance Portability and Administration Act (HIPAA)
  • Finance : Graham-Leach-Bailey Act (GLBA)
  • Public Company : Sarbanes-Oxley (SOX)

You might be asking “What’s the risk if I don’t archive my email?” That’s a GREAT question that we’ll answer in a future post!

To learn more, give us a call or register to attend one of our upcoming webinars.

3 Steps to Prepare Your Organization to Respond to FOIA Requests

If you are the person responsible for Freedom of Information Act (FOIA) or eDiscovery requests at your organization, you’re probably following the events at the EPA closely. If you’re not, you’re missing an excellent example of the potential hazards of working in a public organization and having to respond to information requests.

In short, Lisa Jackson, the EPA Chief for the past four years has announced she will step down next month. This announcement comes shortly after her admission in December 2012 to having used “Richard Windsor” as a non de plume to conduct “internal discussions” via email.

The subsequent scandal being dubbed “Windsorgate,” has highlighted the issue of employees proactively taking steps to prevent information generated by their institutions from being publicly discoverable; a process that would require them to break the law to do so.

The issue is not of accessing the information, but rather of finding the right information to comply with FOIA requests. By using an alias account, Lisa Jackson and anyone doing so, are effectively hiding emails from legitimate FOIA requests.

Fortunately for the EPA, they do use an email archiving solution and are responding to a Federal lawsuit that requires them to deliver approximately 12,000 emails related to this request in four tranches containing about 3,000 emails each.  It will be an interesting case to follow as the EPA’s initial tranche delivered 2,100 emails all of which were nebulous and none of which were To or From “Richard Windsor.”

For those of us on the outside looking in, this should serve as a wakeup call for how to manage not only our own information repositories, but also how we communicate the necessity of doing so with our employees. Below are 3 steps to prepare your organization to respond to FOIA requests and handle these types of situations if they should ever arise in your organization.

  1. Have clear policies that communicate the acceptable use of electronic communication such as email when conducting official business for your institution
  2. Make sure your employees understand these policies and that you document their acknowledgement of these policies
  3. Have the appropriate technology solutions in place to collect, archive and retrieve your electronic communications to enable the accurate, efficient and timely response to legitimate requests for information

At the end of the day, your organization’s ability to comply with information requests will depend on the lawful actions of your employees and your ability to deliver the information requested. Implementing the three recommendations outlined above however should establish a solid foundation for doing this and put you and your institution above reproach.

Understanding the Freedom of Information Act

We talk a lot about the need for email archiving with clients, but for those just looking into these tools, we often get questions about the regulations behind the technology; the Freedom of Information Act.  Understanding the Freedom of Information Act (FOIA) and how it affects businesses at all levels is not easy. Public and private organizations are impacted differently but below are the basic principles of the law.

Understanding the FOIA starts with realizing that the Act was originally signed into law by Lyndon B. Johnson on July 4, 1966. This Act gives a person the right to request access to Federal records so long as those records are not protected from release by one of nine the FOIA exemptions. The institution to whom the request has been made must then provide the information requested within 20 working days.

At the time, email wasn’t even a consideration, but because the law covers most forms of communications and hasn’t been significantly changed over the past half century, email falls under its purview. At the State level, laws of a similar nature have been adopted which are often referred to as “Sunshine” laws.

Ultimately, the goal of these laws is to make the government more transparent to the people being governed.  With the proliferation of digital communications compounding the volume of communications, this has become increasingly more complex. Email in particular presents a huge challenge because people are quick to write and send messages without thinking; and entire conversations can span dozens if not hundreds of separate emails over long periods of time.

When first enacted, our representatives never imagined the volume of data necessary. Our job now is being able to find and deliver all of this information within the 20 day window; and that’s where email archiving solutions play an important role in complying with the Freedom of Information Act (FOIA).