NETWORK DATA SECURITY: Swearing upon E-storage

VoicenData Bureau
Updated On
New Update

“Regulators fined five of the nation’s (the US) largest brokerage firms yesterday for failing to preserve and produce in regulatory investigations internal e-mail communications as required under securities laws.”


Wall Street Journal, Dec 3, 2002

“Federal securities regulators have demanded copies of e-mail messages and other documents from 12 large Wall Street firms and dozens of their managers, including current and former chief executives, as they open a new phase of investigation into stock research. The regulators are seeking e-mail messages about analysts and their ratings on companies, as well as any evaluations of the analysts written by their superiors.”

New York Times, June 3, 2003


Beware! If your business lacks a strict policy governing e-mail behavior, you could be putting yourself at risk of facing legal action in most places in the world. That’s because e-mail in the workplace now qualifies as a business record, a new survey points out.

Even after 33 years of the Internet, e-mail remains to be the most used application (about 80 percent). No one application justifies the importance of data volume and value better than corporate e-mail. Today e-mail has become a major means of business communication. Ferris Research says that the number of corporate e-mails increased by 50 percent over the past year and an increase of 35—50 percent is on the cards next year. Overall, the volume of e-mail is growing from 4 PB in 2000 to 230 PB in 2003 at a CAGR of 300 percent. IDC has forecast that the number of e-mails sent daily will grow from 9.7 billion in 2000 to over 35 billion in 2005.

Record Keeping

We all keep records, whether bills, receipts, letters, statements or pay slips. Why? Because they are proofs of our actions and tracks of our daily lives to be presented as evidence in events of disputes. In businesses, it is even more important to keep records as they form a part of normal business practice, and are used to document the way businesses are run. Customer records, in particular, are important because they contain valuable information about their buying habits, responses to advertising campaigns, and the demographic makeup of the customer base.


Year 2003 has been a year of startling revelations into bad record keeping. Cases like Enron, Arthur Anderson, Xerox and The New York Times forced businesses to re-examine their record-keeping habits. Good record-keeping practice demands that records be carefully managed to ensure that they remain authentic, complete and secure, yet accessible. With paper records, organizations have implemented careful procedures to control business records. Electronic record keeping requires better controls, as well as an understanding of the source of various types of electronic information. Since electronic information can be, by its very nature, easily transmitted and modified, hence electronic records need to meet a high standard of control to ensure authenticity and integrity.

In the past, most businesses were conducted on paper. Now e-mail has become the vehicle of choice to communicate about all types of business events, and regularly contain word documents, presentations, reports, spreadsheets, contracts and other confidential business documentation. Given its ease of use and lower costs, more and more external business communications that previously would have been conducted via paper letters or faxes are being conducted using e-mail.

Surveys show that people in large corporations receive an average of 175 messages per day. Topping the list is e-mail, surpassing voice mail, faxes and telephone messages as the most frequent type of message received.


E-messaging Risks

No doubt, e-messaging is a very critical business tool, but few companies have considered setting rules, policies and systems necessary to safeguard their interests. All important information including transaction details, business secrets, and confidential documents contained within messages are business assets with serious legal and financial implications. Anything that comes in and goes out of a company network is the company’s responsibility and needs to be handled very carefully with well-defined rules.

Whether you are a company of one part-time worker or 100,000 full-time professionals, any time employees access the e-mail system, the organization’s assets, future, and reputation are at risk. As the US data suggests, 78 percent of employers report employees abusing e-mail and the Internet. If you think you’re immune to security breaches, accidental or intentional, think twice. Ninety percent of large corporations and government agencies suffered computer security breaches in 2002, with 80 percent reporting financial losses as a consequence.

The message: manage your electronic liabilities today or risk an e-disaster tomorrow.


Organizations need to set up a strategic approach to electronic risk management. They should use written e-mail policy to notify employees that e-mail messages, electronic documents, and computer passwords belong to the organization, not the individual. Theft of proprietary information has increased as just about any document can be attached to e-mail and sent outside the organization. In a recent survey, a whopping 79 percent of employees admit to using e-mail to share confidential information with others–innocently or otherwise. In fact, insiders, greedy or disgruntled employees and ex-employees, are actively involved in data theft. E-mail is legal evidence in most of the countries now.

The IT Act 2000 in India makes e-mail legal proof, and so designing and implementing effective e-mail policies is very important for any organization. Every e-mail message sent by an employee reflects on the organization’s credibility and the writer’s professionalism. Mobility has raised another big concern for data security.

Related Retention Laws

Companies have not implemented e-mail policies in the last two years, even as the importance of various regulations has become clear. Businesses have been slow to learn the lessons of effective e-mail management as a preparation for possible litigation.


E-mail has quickly conquered the previously paper-centric world of business. Industry analysts report that at least 80 percent of all corporate information is contained in e-mails. However, much of this information is hidden from the organization as a whole, in individual user mailboxes, desktop archives or backup tapes. Nearly 75 percent of end users are unable to recover an archived e-mail without assistance from the e-mail administrator. In some cases, aged e-mail is simply not recoverable.

Results of a recent survey showed that 29 percent of organizations would not be able to locate an e-mail message that was six months old. Organizations need to recognize the fact that with the increasing flurry of electronic correspondence also comes the need to regulate it.

Numerous regulatory agencies around the world have instituted requirements for e-mail retention for the various types of enterprises they monitor. And they’re levying significant fines against organizations that fail to comply. For example, in December 2002, the Securities and Exchange Commission (SEC), the New York Stock Exchange, and National Association of Securities Dealers (NASD) took joint action against five brokers/dealers for violations of record-keeping requirements concerning e-mail communications. The firms received fines totaling $8.25 million, and were required to amend their procedures to ensure future compliance with record-keeping statutes and rules.


In May 2003, the US securities regulators have also put the onus on financial firms to keep records of their

business and supervise them, this time focusing on the increasingly popular form of communication known as

instant messaging. The National Association of Securities Dealers informed its roughly 5,300 brokerage-firm

members that they must retain their IM records for at least three years.

In Australia too, e-mail records of companies can be legally summoned and used as evidence in litigation

issues. If these e-mails are considered part of a financial transaction, it is likely that by losing and destroying

e-mails, Australian businesses are contravening archiving and corporation laws. While there is no general provision dealing with the retention of e-mails in Australia, the

Corporations Law there requires financial documents to be retained for five years and Government departments, under the Archive Act, need to retain e-mails for seven years.

ISPs in India have been asked to keep all e-mail logs for three months (they have started keeping it for 3+3 months) and all telecom operators have been asked to keep SMS message records for three months by the government.

PK Gupta, director, strategic development (intercontinental operations),

Legato Systems


A company must maintain solid storage management, especially with respect to electronic records. The number of copies of e-mail that a business must manage to ensure compliance and provide adequate disaster-recovery protection is only one facet of the need for solid storage management. In addition, other rules governing the need for record and index availability mean that any application management software must provide functionality to access data and interact with storage management applications to ensure data availability. As more and more electronic records and attachments fall into categories governed by the laws, companies will find themselves not only managing storage, but also becoming more familiar with specific business and compliance needs.

Effective e-mail archiving makes data administration more efficient, brings significant return on investment, and lowers the total cost of ownership for existing e-mail application environments such as Microsoft Exchange. In addition to delivering such benefits, the right e-mail archive strategy could potentially save your company millions in fines and legal fees.

In order to manage the burgeoning e-mail storage requirements, as well as to maintain access to the corporate knowledge within its e-mail repository, companies in a wide range of industries are turning to innovative products to instantly captures messages, organize, protect, retain, manage and provide expeditious and effective search and retrieval capabilities. Archived messages in the enterprise message center remain fully accessible to end-users via full-text search capabilities.