The Sarbanes-Oxley Act of 2002
All public companies are required to save records relevant to the audit process, including e-mails, for seven years. The real-time disclosure rule will force companies to monitor the contents of e-mail for material events.
Securities and Exchange Commission Rule 17A-4
Stemming from the Securities Exchange Act of 1934, this rule requires brokerages to save e-mails in an easily accessible place for two years.
The Health Insurance Portability and Accountability Act of 1996
Privacy rules dictate what information health-care companies can and cannot include in e-mails.
Health-care companies are required to retain e-mails that are especially important during audits.
The Can-Spam Act of 2003 for marketers, the Tread Act of 2000 for the automotive industry, the Gramm-Leach-Bliley Act of 1999 and the USA Patriot Act of 2001 all force companies in many industries to change the way they manage e-mail.
The four aspects of good e-mail management (storage, archiving, indexing and policy enforcement) are where the current conversations of the CCO, CIO and General Counsel are converging. What remains is for the technologies to catch up and to assist, especially in indexing and policy enforcement. You can bet that some organizations are making a copy of every single e-mail sent and putting it into a vault. Others will retain e-mail for only 30 days before it is deleted forever. The policy differs depending on the type of organization and the number of times you are served with "Discovery" requests from legal counsel.
Jeffrey Schwarz, an Information Technology Partner from McDermott, Will & Emery, was quoted in the January 15 issue of CIO in an article addressing how federal regulations, from HIPAA to Sarbanes-Oxley, have moved e-mail management to a top priority for CIOs. "E-mail has become the primary medium for how we communicate," Mr. Schwarz commented. "Four years ago we used paper and FedEx. Now almost everything is done over e-mail." He continued, "We are trying to make a system do something that it wasn't designed to do. E-mail wasn't designed to be a document repository. It was meant to be send, read, delete. But now you can't delete. There are regulations that don't let you do that."
Regulatory compliance has not been a traditional IT training ground until now. It's critical that a fusion of information management policy and regulatory procedure take place at the board level to insure against the risks associated with e-mail retention or the lack thereof. But still, what is the Chief Compliance Officer going to do to mitigate these risks sooner rather than later?
E-Evidence and Digital Forensics are sought-after disciplines these days at large law firms and other specialized consultancies. E-mail litigation is fueling this fire. The "E-Mail Trail," as some call it, is the "Smoking Gun" that convinces juries and brings plaintiffs huge awards or convictions.
The demand is only likely to increase as the volume of cases with digital evidence increases, according to the Department of Justice.
"Cyber-crime is obviously something that is a national priority," said Steve Bunnell, chief of the criminal division at the U.S. attorney's office in Washington, D.C., which recently established a cyber-crime division.
"Computer crimes are something that crosses borders. ... There is really a premium on getting the right and left hand working together," Bunnell said.
Courtrooms and universities are welcoming more lawyers specializing in electronic crime. They are setting the stage for the evolution of "cyber-law" as the debate over digital evidence -- and what limits may be put on it -- is raging among legal scholars and law enforcement, Brenner said.