Challenges Faced by Organizations with Exponential Growth of Email Data
Each day, organizations face numerous and increasing challenges in areas of compliance audits, responding to pending lawsuits and court inquiries, dealing with continuity in business knowledge, wrestling with operations for employee turnover and downsizing, as well as adhering to email data retention policies.
Regulatory compliance and responding to electronic discovery requests are mandatory, yet often imprecise, and the question remains of how best to satisfy these requirements and minimize risk.
Meanwhile, IT organizations are being asked to contain, reduce, slice, and dice costs, while maintaining IT service levels for core applications such as email messaging.
All of these painful challenges bring significant costs and risks to the organization, placing even more demand on email administrators’ limited time and their ability to service end users’ needs.
1. Regulatory Compliance
To become compliant, organizations need not only to implement long-term data-retention and aging policies, but also to demonstrate secure information storage and easy, online access to the information.
If you’re concerned with The Sarbanes-Oxley Act (SOX), The California Security Breach Notification Act, Gramm-Leach-Bliley Act (GLBA), Basel II, NASD Regulations, The Federal Information Security Act, and the Health Insurance Portability and Accountability Act (HIPAA), you should be even more concerned about your enterprise’s vulnerability regarding email archiving, compliance, and security.
To comply with SOX, an organization’s email system must authenticate senders, encrypt confidential information, track and log message traffic, and support the indexing, archiving, and retention of messages. Ideally, one could implement email policies to filter communications between the executive team and accountants and archive those communications for a future review of accounting practices.
Meanwhile, NASD Regulations consider email to 25 or more prospective retail customers as sales literature. Therefore, it must be approved prior to use by a registered principal of the company, then archived as part of the company’s records for three years from the date of last use.
The Federal Information Security Act of 2002 (FISMA), developed by the National Institute of Standards and Technology (NIST) in 2002, requires all federal agencies and their partners to establish consistent, risk-based security processes. Because every agency relies on email to support operations and assets, agencies must address email security in order to comply with FISMA.
HIPAA, The Health Insurance Portability and Accountability Act of 1996, has evolved into a far-reaching bill that calls for the protection and management of all patient health information. The HIPAA Privacy Standard, Section 142.308 of Subpart C, Security and Electronic Signature Standards, sets forth requirements for “technical security services that guard integrity, confidentiality, and availability.”
Most regulations have requirements in areas such as:
- Retaining data for a certain number of years
- Aging or purging policy around the data
- Encrypting data for privacy
- Tamper-proofing or proof of data integrity
- Ability to selectively identify information to never be deleted
- Having data that is easily searchable and accessible, and
- Gaining restricted access to the data through email archiving.
In the past, users attempted to use existing backup/restore solutions to fulfill data retention and purging policies, but the increasing requirements listed above underscore how backup/restore falls far short in meeting today’s challenges.
2. Electronic Discovery, Lawsuits, and Records Requests
Your organization doesn’t need to be in the middle of a lawsuit in order to feel the pain and pay the costs of producing all “relevant information.”
Records requests are served daily upon local, state, and federal agencies. Higher educational institutions and K-12 districts not only have records disclosure policies, but also sensitive areas regarding children and young adult communications, including harassment and discrimination.
Corporations must manage ex-employees smoothly during resource transitions. When in doubt, requesting parties will request “everything” available and legally permissible in order to fish for useful information.
Unfortunately, too often, this causes very expensive efforts by the responding party.
When any of these events occurs, organizations must be able to produce relevant records such as email in a timely fashion and typically while under legal pressure. However, according to Baseline.com, approximately two-thirds of companies live on the edge with no policies in place for proactively saving, purging, managing or archiving their email files.
3. Data Preservation, Retention Policies and Audits
Responding to audits is costly, and demonstrating “due care and diligence” is often subjective.
In today’s economy, whether you are IT staff in an enterprise trying to demonstrate that email retention policies are implemented effectively or a service professional such as a physician in a medical practice concerned about showing compliance with HIPAA requirements to store three years of email, your goal is to decrease the time and money spent on internal or external audits while increasing confidence in the results.
Today’s pain stems from the significant time spent by expensive resources (IT administrators or physicians) responding to audits with very laborious manual procedures, e.g. restoring email servers from backup tapes, or browsing and reading through emails in an email client like Microsoft Outlook.
With external regulatory audits, this also does not include any legal or staff costs associated with court appearances to obtain/access public records, and the accompanying exposure to local, state or federal authorities.
4. Email Server and Storage Growth
Email server management is expensive. Data is growing relentlessly.
Disks, including SANs, fill up ever more quickly. Email quotas on the server can help, but at the cost of end-user productivity. Expanding SAN storage and its cascading costs, such as longer backups and maintenance, can quickly put today’s limited IT budgets into the red.
Beyond storage costs, email servers are faced with ever-greater processing loads that come from higher email volumes, increasing quantities of junk mail, and default email searches that bog down both the email client and server (imagine searching for last year’s email across all your folders in Outlook and Exchange).
5. Intellectual Property and Data Preservation
With the ongoing explosion of email, companies often have crucial business information that is financially or legally binding stored in email.
This may include supplier quotes and promotions for retailers, customer service inquiries and responses for airlines, reservations for restaurants, trading confirmations for financial institutions, or the latest version of a legal agreement or business contract.
It is vital to be able to store this business information efficiently, then quickly search and retrieve it in order to manage the top and bottom lines of the business. However, yesterday’s approaches are no longer acceptable because they may:
- Ignore or miss crucial business information because it gets lost in the email inbox, or
- Spend significant time and money in buying/implementing/building/using software applications with support staff to translate or enter business information from email to an application, database, or alternate system.
6. Changing Landscape of Technology and Business
IT organizations must be nimble to support today’s business needs as well as tomorrow’s changes in business direction.
The email infrastructure used today will be different tomorrow. You may need to migrate among Lotus Domino, Microsoft Exchange, Google Gmail, and other hosted email (Software-as-a-Service) options, or change the underlying infrastructure such as operating systems (from Windows to Linux). How can this be managed at low cost, with high reliability, and at a quick pace to support the current business goals?
To address constantly changing technologies, support business agility, and prevent proprietary vendor lock-in, one needs open standards and protocols and the ability to import/export all data from a solution. One also needs to avoid reliance on a particular vendor’s design/implementation, and to avoid multiple point solutions that require integration work to ultimately solve related problems (e.g. compliance, e-discovery, email server management, business information mining).