Reduce Business Risk with Mail Manager

Do you know your obligations?

The Data Protection Act 1998

The revised UK Data Protection Act (DPA) became law in the UK 1998. Core to the DPA is the way in which it mandates all organisations to disclose information it might have.

This key instrument of disclosure is called a "Subject Access Request". Anyone can issue a SAR (employee, ex-employees, customers etc.) against any organisation - Public OR Private - by simply writing a letter in a format available from Data Protection Act web site, sending a cheque for £15, delivered via registered mail to the organisation.

The organisation receiving the SAR legally has to give up all data requested within 20 days. Failure to comply breaks the law , seriously affecting the organisations ability to defend its self against any legal actions.

The most common use of Subject Access Requests (currently) is by employees, or ex-employees making claims of unfair dismissal, sexual / racial discrimination, harassment and such like.

The difficulty in trying to find relevant emails and other communications (including those containing opinions as well as facts) between different parties from historic backups (if available) over a two-year period is immense.

Very few organisations would be able to meet a request to produce ALL information held within their email system on a particular subject within 20 working days.

Federal Rules of Civil Procedure

Rule 34(b)(2)(A) states that "The party to whom the request is directed must respond in writing within 30 days after being served. A shorter or longer time may be stipulated to under Rule 29 or be ordered by the court."

As stipulated by Rule 26(a)(1)(C) and Rule 26(a)(1)(D), parties must make the initial disclosure at or within 14 days after they meet to set a discovery plan, unless a different time is set by stipulation or court order.


The Act impacts non-US firms that have operations in the United States.

Because email is increasingly used to transmit and store records that are subject to retention under Sarbanes-Oxley, it is critical that any organisations that is, or will be, governed by the Act implement a data retention strategy that can adequately meet these requirements.

The ultimate Impact of the Act

Because email is commonly used to communicate internally and externally in the vast majority of organisations covered by Sarbanes-Oxley, and because these communications often contain information about business transactions and business decisions, email must be retained in order for a covered organisation to comply with the provisions of the Act. However the "grey area" is with regard to the full scope of messages that must be retained, since the Act clearly specifies the consequences for non-compliance, but it does not explicitly state what must be retained in order to comply with the Act.

Clearly, email is the communication medium of choice for a growing proportion of business records that are subject to retention under Sarbanes-Oxley. Any organisation that wishes to comply with the Act must, therefore, implement a data retention capability that will permit them to demonstrate compliance with the Act.

The Sarbanes-Oxley provision of mandatory document retention forces businesses to keep records readily for review for a period of up to five years. The penalty for knowingly and willfully violating this provision imposes fines and a maximum sentence of 10 years in prison, or both.

SOURCE: The impact of Sarbanes-Oxley on Data Retention, FrontBridge Technologies / Osterman Research Inc. 2005



How others have been caught out

  • Microsoft was ordered to pay damages of $25 million when certain e-mail evidence had not been produced during discovery.
  • In Williams v. Sprint, the court ruled that electronic documents had to be produced in native format. This meant that metadata had to be intact, including features such as file owner, date of creation, senders, recipients, routing data and subject lines.
  • In Best Buy v. Developers Diversified Realty, the responding parties argued that e-mails and other electronic information were not reasonably accessible because the information would have to be retrieved from a back-up system. They contended that the cost of recovering the information would be in the six figures. The judge wasn"t having any of it and ordered the information produced within a mere 28 days.

Source: The new e-discovery burden, by Eric J. Sinrod,, Published on ZDNet News: Oct 17, 2007



The cost of ignoring the problem

In analyzing one particular 1,000 user company with average email volumes today, we estimated that if the company were to employ journaling with a seven-year retention, a total of 23 terabytes will accumulate. The storage costs aren"t the problem. The real costs will come in lawyer bills to sift through such volumes of email although search, classification and analytics solutions can help. Not to mention the IT management costs that will explode.

Source: The Art of Email Management (IBM, August 2010)

FINRA fined Piper Jaffray $700,000 for email retention violations, related disclosure, supervisory and reporting violations. The firm failed to disclose that email retention deficiencies impacted its ability to respond fully in FINRA investigations.

SOURCE: Monday, May 24, 2010

Companies within industries unbound by electronic regulations tend to create retention policies and simply forget about them until a lawsuit arises and the retention policy is questioned. This then becomes an issue for the company's CIO, who is typically in charge of these responsibilities.

David Canfield, a managing consultant for IT consulting company Kroll Ontrack, told Forbes "without having a good understanding of the legal issues and the ramifications of the systems, a CIO may opt for the most efficient model. It's more efficient to have attachments stored separately and deduplicated. Those decisions are based on the most cost-effective, time-effective and space-effective way to store data. They don't realize what the impact is down the road when it comes to litigation."

SOURCE: Tuesday, July 20, 2010