Thousands of U.S. businesses fail to meet government regulations regarding the secure archiving of electronic data, despite possible penalties that include imprisonment and heavy fines.
Sometimes businesses put themselves at risk because they're cavalier about the consequences of noncompliance, experts say -- but they also do so, in many cases, because they don't understand the regulations or because they're unable to make compliance a priority within their organizations.
According to a report from Cohasset Associates Inc., a Chicago-based management consulting firm that specializes in document-based information management, 53% of organizations do not include electronic records, such as e-mail, as part of their records management program. Further, 39% still have no e-mail retention policy.
"Businesses operate under a cover-your-behind motivator and a cost motivator," said Matt Suffoletto, CEO of Ixos Software AG, a document and workflow management firm with U.S. headquarters in San Mateo, Calif. Suffoletto said that, within most organizations, it's the projects that generate money that are given priority. As a result, putting processes in place to meet SEC requirements has rarely been at the top of a CIO's tick list -- until now.
In December, the SEC lowered the boom on five brokerage houses for violating e-mail record-keeping requirements. These firms, Deutsche Bank Securities Inc., Goldman, Sachs & Co., Morgan Stanley & Co. Inc., Salomon Smith Barney Inc., and U.S. Bancorp Piper Jaffray Inc., were fined a combined $8.25 million.
Peter Gerr, a senior research analyst with Milford, Mass.-based Enterprise Storage Group, said that, because of these recent crackdowns and the introduction of newer compliance regulations, such as the Sarbanes-Oxley Act, he expects compliance with e-mail retention regulations to be one of the most important issues for businesses in 2003 and 2004.
But Gerr said he doesn't believe failure to comply is a result of businesses being laid back about the regulations. Instead, he said, it's a lack of understanding of the regulations that's throwing a wrench into the best of intentions to comply.
"It's the lack of awareness," he said. "Education and clarity are the top challenges for both IT people as well as the technology vendors that are trying to sell [solutions] to them."
At the center of the compliance regulations (and confusion) is SEC Rule 17a-4. In 1997, the SEC revised its thinking on the preservation of communications between exchange members, brokers and dealers, saying that businesses should also keep track of electronic communications like instant messages and e-mails.
Rules regulating the management of business documents are not new. The government has required businesses to maintain business records for some time. What's different now is that electronic records, such as e-mail and instant messaging, are part of those regulations; consequently, the sheer volume of data that needs to be archived is daunting.
Attorney Randolph Kahn said that, in many cases, businesses and executives are not tuned in to regulatory requirements. Others know the requirements, but don't follow them.
"That approach may have been fine in the past," he said. "Careers have been damaged and companies have fallen as a result of not being in compliance. Now it's on everyone's mind. The rules and requirements can no longer be misunderstood."
Kahn specializes in legal issues related to electronic records, and he consults with corporations to develop e-mail policies and retention rules. Kahn is co-author of E-Mail Rules: A Business Guide to Managing Policies, Security, and Legal Issues for E-Mail and Digital Communication, which will be available next month.
Dazed and confused
There's another element working against organizations: ambiguity within the regulations.
"There's a real challenge to understand what it actually means to be compliant," Gerr said. "The regulators have intentionally left them open-ended because they don't want to have too much of an impact on technology or innovation, but they have to somehow figure out how to keep businesses in check."
Of those who responded to a recent SearchStorage.com poll, 59% said they didn't know whether they were in compliance with the SEC regulations.
Follow-up conversations with some of these respondents suggest that many of those who are not in compliance, or who don't know whether they are, are in that position simply because they can't figure out what specifically they have to do.
It's no wonder they're confused. Even experts within the industry can't agree on what the regulations mean or how they should be carried out. In fact, while SearchStorage.com reported this story, at least two people offered expert opinions that any company trading publicly needs to meet the SEC regulations. Another expert, someone who specializes in SEC compliance, said that only exchange members, brokers and dealers must be in compliance.
According to one IT manager who did not want to be identified, it's difficult to find something in writing from the SEC that indicates that SEC rule 17a-4 (as well as the Sarbanes-Oxley Act of 2002) applies to all corporations, and not just brokers, dealers and auditors.
"I need to find something concrete to provide to my CFO that stipulates -- specifically -- not only that we fall within the rule and act," he said, "but also something that stipulates the required retention periods for specific documentation, both paper and electronic."
Suffoletto said that SEC regulations are fairly definitive but added, "the only real way to tell if you're in compliance is when you're being audited. That's the test of compliance. It leaves a lot open."
Whose job is it, anyway?
According to experts, there's still another problem. Who is responsible? Increasingly, the responsibility falls on the storage manager, because he's the person who is in charge of storing data. But new laws, such as the Sarbanes-Oxley Act, say that the CFO and CEO are also accountable.
"Certainly, the storage administrator is in the food chain," Suffoletto said.
However, the burden doesn't fall solely on the storage administrator or even IT.
"The policy-setting [part of compliance] is about corporate governance and the responsibility of the CEO and CFO," Suffoletto said. "However, implementation and understanding of being technically in compliance is the responsibility of the CIO and storage administrator.
"There's a very short string between the two because of the risk of being audited and liability."
Increasingly, technology is going to take a larger role in compliance, and high-tech vendors are introducing products that they say can help with record management and with meeting SEC regulations. Some companies opt to hire SEC specialists or consultants to advise them on being compliant. There are also dozens of Web sites that outline the regulations and provide advice on compliance.
But the starting point, experts say, is to develop policies and procedures "so employees know what to do and what not to do," Kahn said.
Additionally, he said, employees need to have high-level support. Failure to have it will substantially limit the buy-in. "If corporate executives fail to have proper directives, if they prohibit the destruction of records, we're talking prison time here," he said.
Still, everyone, from the CEO to the mailroom clerk, needs to be part of the compliance process. "You can delegate responsibilities regarding the management of data to the lowest-level employee," he said. "Businesses must communicate to all employees about what's acceptable and what isn't."
Businesses need to take SEC compliance very seriously. Failure to do that is no longer acceptable and tantamount to throwing away the company's legal and financial position, he said. "Take reasonable efforts to meet regulations, address the spirit of the law -- that's what companies should do. Simply understand the law," he said.