IM Rule # 25: Be strategic. Manage instant messaging with litigation and regulatory investigations in mind.
CFO.com and Newsday report that, as part of a 2004 investigation into software giant Computer Associates’ accounting practices, federal investigators have questioned the company’s long-standing policy of not backing up its own e-mail server—even though the manufacturer of automated e-mail backup systems routinely recommends this practice to clients. Computer Associates’ retention policy requires employees to permanently delete e-mail after thirty days.
Computer Associates has defended its backup policies, stating that it is in compliance with securities law requirements for retaining e-mail and preserving records that may be needed for the pending government investigation. [1]
The problem with retention policies that call for the wholesale destruction of e-mail and instant messages is that valuable business records—records that one day may be needed as evidence—will be destroyed right along with personal and nonbusiness-record messages. What seems on the surface to be a quick and easy solution could have long-term ramifications for an organization involved in a regulatory investigation or workplace lawsuit.
Some business executives (and even some IT managers) mistakenly believe that electronic record retention applies only to regulated companies in the healthcare and financial services industries.
Nothing could be further from the truth. The retention of instant messages, e-mail, and other electronic business records is an essential business function for every organization of every size and type— regulated or unregulated, public or private, international conglomerate or mom-and-pop shop.
In June 2003, the state of Massachusetts fined SG Cowen Securities $100,000 when the New York-based brokerage firm’s Boston office was unable to produce the e-mail records investigators requested. [2] As Massachusetts Secretary of State William Galvin told the Boston Globe, ‘‘E-mail messages are critical business records.’’ The fact that e-mail records are a bit more casual makes them ‘‘no less significant’’ than paper records. [3]
When it comes to instant messaging, e-mail, and other electronic records, retention periods vary—and some can be quite lengthy. For example, if a U.S.-based employee were to send an e-mail notifying her employer that she had been exposed to a toxic substance, the Toxic Substances Control Act would require the employer to retain that e-mail message for thirty years. [4]
In February 2004, the broker-dealer firm State Street Research Investment Services, Inc., paid a $1 million fine to the NASD to settle an investigation into inadequacies in its e-mail retention policies and supervision of mutual fund trades. [5] The firm didn’t admit or deny the allegations.
[1]Stephen Taub, ‘‘Computer Associates E-Mail Policies Probed,’’ CFO.com (February 13, 2004), www.cfo.com.
[2]Steve Ulfelder, ‘‘Better Save than Sorry,’’ NetworkWorld ( September 8, 2003), www.nwfusion.com/reviews/2003/0908csiside2.html .
[3]Steve Ulfelder, ‘‘CSI: Lost E-Mails,’’ Network World ( September 8, 2003), www.nwfusion.com/research/2003/0908csi.html.
[4]Michael Osterman, ‘‘Survey Reveals Shocking Lack of E-Mail Retention Policies,’’ Network World Messaging Newsletter (August 21, 2003), www.nwfusion.com/newsletters/gwm/2003/0818msg2.html .
[5]‘‘State Street Research Reaches Settlement with NASD Relating to Supervision of Excessive Trading,’’ State Street Research Press Release distributed via Business Wire (February 19, 2004).