May 2006

eDocument Retention May 2006

Agenda: • What is Email Archive/Audit? • The Current Environment • The Ideal Compliant Email Archive • Proactive Approach - Live Capture • System Data Flow • Adaptable Compliance

What is an Email Archive • An offsite or onsite copy of company emails • Automatically collected • In an intelligent fashion • Stored securely • Fully Searchable and Auditable • Eliminating data collection/harvesting during eDiscovery • Admissible in court

Agenda: • What is Email Archive/Audit? • The Current Environment • Data Retention Implementation • The Ideal Compliant Email Archive • Proactive Approach - Live Capture • System Data Flow • Adaptable Compliance

The Situation Today • Business documents are being generated at such a rate that economic retrieval is extremely challenging. • During 2004, enough information was produced worldwide to fill 500,000 libraries of congress. • 64 billion emails were sent in 2005 with 108 billion expected in 2008. • Global email traffic has grown to some 171 billion messages per day, of which 71 percent is spam. • The average corporate user sends and receives 113 email messages a day. That translates into nearly 300MB per month.* • By the end of the decade, that number is expected to grow to 160 messages and 417 MB per month.* • As much as 85% of all email data is due to attachments.* • Gartner Group: We spend as much as 20% of our time searching through our email and files. A medium-sized company could exceed Google’s capacity within 2 years The Library of Congress *Radicati Group

The Elephant in the Living Room • Let’s not forget why we have to be compliant – • THE THREAT OF LITIGATION Only 30% of companies consider search and discovery to be a top priority when choosing an email archiving solution. Of these, 25% said that the main driver for search and discovery functionality was to expedite review and audit processes, and still more to reduce legal discovery costs. Companies should be ready to do eDiscovery at all times

War Stories • 90% of U.S. corporations are involved in litigation and 20% of all companies are sued every year. • Bank of America was fined $50,000 per each email they failed to produce in court. Total penalty: $10 Million. • Morgan Stanley lost $1.45 Billion in damages and was sanctioned for its failure to preserve and produce certain electronic records. • The SEC piled on an additional $15 M penalty, so far… • US corporate financial restatements soared 28% from 2003 to 2004, and 10 to 30% of financial data is erroneous. The cost of erroneous data is $600 Billion in the US. • Schering Plough fined $500 Million for noncompliance in 2002 • The typical large corporation paid $16 million in corporate governance costs. • The average company with over $1 Billion in revenues has 147 lawsuits and 48 different financial systems. • The average cost for companies with less than $1 billion in revenue increased by more than 230% since Sarbanes-Oxley went into effect.

War Stories However, by far the largest penalty for failing to comply is the devastating impact on a company’s market capitalization when shareholders find out that a company is not compliant.

Corporate Compliance Progress • From ARMA Survey 2005: • “Nearly one-half of the respondents (49%) are • either: • ‘not at all confident’, or only • ‘slightly confident’, • that their organizations • could demonstrate that their electronic records were • accurate, reliable and trustworthy.” (randomly selected logos)

An Implementation Roadmap • Establish Policies for: • Email • Unstructured Data • Financial Reports • Training Materials, etc. • Identify data value for all data under management • Relational by subject area • Content Managed as Related to Relational • Email, Backup and Offsite • Dispose of non-regulated, low-value, low-access data with an appropriate audit trail. • Develop processes to periodically dispose of expendable data with audit and reporting systems.

Establishing the Retention Policy • Establishing the Data and Information Retention Policy • Preservation and Retention • Retention Policy • Preservation and Retention Duty • Compliance • Litigation • Creating Your Policy – This is not an IT Problem • Document Destruction • Retention Policy and The Litigation Hold • Information Security

Preservation - Time: foreseeable dispute (shorter than retention) Bases: rules, tort, inherent power Breach: spoliation Penalties: default or dismissal, evidence, fines Retention - Time: statute or regulation Bases: statutes and regulations Breach: spoliation Penalties: default or dismissal, evidence, fines, statutory penalties Preservation vs. Retention Duty

Retention - Legal compliance Litigation preparedness Company’s reputation Destruction Reduce Operational Cost Asset protection Privacy Purpose of Retention/Destruction

20,000+ statutes and regs require retention Consider impact of foreign retention requirements Harm of retention spoliation similar to harm of preservation spoliation Compliance

Four Legs of Compliance Compliance is the result of integrated Policies and Processes The Policy - Information Records Management Policy is established by corporate Legal. Specific measure for compliance are tied to the policy. What’s the policy and how do you measure compliance? The Leadership – The Policy is reflected in the visibility, adoption, enforcement and compensation by and for senior management. Does Leadership walk the walk? The Technology – The Policy is reflected in all aspects of data management. IT is using and NOT establishing The Policy. Does the Procedure tie to the policy? The Training – The Policy reflected in all aspects of training, education, procedure and compensation. Does everyone understand their responsibility, liability and consequences?

The Compliance Team The Compliance Team is Composed of: • General Counsel • Compliance Officer • Information Architect • Application Architect • Content and Messaging Manager • Training Supervisor • The Compliance Team provides an enterprise understanding of data retention through: • Comprehensive understanding of corporate policy and procedures related to regulatory compliance. • Elimination a fragmented responses to regulatory inquiry • Optimizes response to Litigation Discovery

Statutes and Retention • SEC Rule 17a-4 Electronic Storage of Broker Dealer Records • Graham-Leach-Bliley Act - Financial Services Modernization Act -1999 • Sarbanes – Oxley Act of 2002 • FDA 21 CFR Part 11 • DOD 5015.2 Department of Defense • Health Insurance Portability and Accountability Act (HIPAA) • Fair Labor Standards Act • Occupations Safety and Health Administration (OSHA) Act • Internal Revenue Service Reform Act • Food and Drug Administration • Health and Human Services

Statutes and Retention SEC Rule 17a-4 Electronic Storage of Broker Dealer Records • Retention – Minimum of 3 Years • Related to the retention of correspondence between the securities company and its customers. • Purchase and sale documents, • Customer and associated persons’ records, • Customer complaint records • Written supervisory procedures • Additional rules have been established by both the NASD (sect 2210 and 3010) and NYSE(SECT 342 ) that require members to comply with SEC 17a-4 or risk fines by both the SEC and the members SRO.

Statutes and Retention • "preserve the records exclusively in a non-rewriteable, non-erasable format.“ This requirement does not mean that the records must be preserved indefinitely. Like paper and microfilm, electronic records need only be maintained for the relevant retention period specified in the rule. • The electronic storage media must verify automatically the quality and accuracy of the storage media recording process; serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.

Statutes and Retention Graham-Leach-Bliley Act or Financial Services Modernization Act of 1999 • Retention Period – 6 Years or “Best Practices” • Related to limited privacy protection against the sale of private financial information to third parties. • Personal financial information must be securely retained. • Customers must be advised of the policies in place for sharing personal financial data. • Customers must be able to easily opt out of the sharing of some financial data

Statutes and Retention Name - Health Insurance Portability and Accountability Act • Retention Periods • Complaints – 6 Years • Medical and Diagnostic Records – 6 Years • Medicare Records – 5 Years • Special Consideration for Minors • Records must be retained for 2 years after a patients death • Relates to documents on uses and disclosures, authorization forms, business partner contracts, notices of your information practice, responses to a patient who wants to amend or correct their information, the patient's statement of disagreement, and a complaint record.

Statutes and Retention The Sarbanes-Oxley Act of 2002 • Retention Period – 7 Years • Deals with the falsification, destruction, alteration of documents or data with the intent to impede, obstruct or mislead an investigation by any federal agency. Includes the destruction of materials used in the creation of audits or financial assessments • Applies directly to publicly held companies • US Companies valued at over 100 million dollars will spend a combined 2 Billion dollars on implementing SOX 4 • Privately held companies with US ties are adopting SOX as well.

New SOX “Data” Sources • Website Records - Section 403 - Posting stock ownership changes • Internal Control Reports – Section 404 - Audit notes on how the internal control reports are created • Corporate Officer Certification – Section 302 – Who certified which reports and audits and when. • Complaints – Section 301 – The collection, retention and treatment of complaints, external, internal, anonymous as they relate to financial audit and disclosure. Also, a description of how the complaint was addressed. • Penalties – Section 906 – False certification can result in $5,000,000 in penalties and/or 20 years in prison.

Memorable I-Wish-I’d-Deleted-That Emails “…How much do we need to pay you to screw Netscape?...” Warm Regards, Bill Gates Microsoft Corporation

Memorable I-Wish-I’d-Deleted-That Emails “…Let’s clean up those files…” Memorable Wish-I’d-Deleted-That Emails: “How much do we need to pay you to screw Netscape?” Fondly, Frank Quattrone Credit Suisse First Boston

Requirements • Speed – The system must provide sub-second respond time for most queries. • Cost efficiency - The system must be inexpensive. • Regulatory compliance – The system must be conformant. • Reliable – The system can never lose or corrupt data. • Litigation Readiness – Must be continually ready to produce documents with a verifiable Chain of Custody and no spoliation.

Litigation-Ready System – The Hardware • Utilize a cluster-computing architecture as the basis for a Web-based solution • Excellent Price / Performance • Excellent Scalability • Excellent Reliability • Extremely Fast Response Times

Litigation-Ready System – The Interface • Design an easy-to-use human interface • Minimize the learning curve • Keep employee morale high • Maximize productivity

Litigation Ready System • Support most file types with real-time capture • Export to major third-party litigation systems Live capture, Outlook, Lotus Notes, Financial Reports, Excel, Word, PDFs… TIFF/PDF Other… • Minimize operational problems • Optimize responsiveness to courts • Handle exceptions • Talk to other systems

A Litigation-Ready Archival Solution • Searchable / Compliant Email Archival • Real-time data collection, Intelligent filtering for compliance • Benefits: • Off-site email archiving • Adaptable compliance • Easy retrieval of emails for all users • Continuous litigation readiness Repository Live Capture Live capture of data

Litigation-Ready Solution Benefits: • Secure off-site email archive • Compliance conformance • Find any email quickly and easily • Elimination of the data collection/harvesting task • Litigation readiness with chain of custody and spoliation functions Repository Live Capture Live capture of data Support major email systems Powerful Search Email/File Management Full Access Control WORM Archive

System Data Flow Message Servers Live Capture Data Life Cycle

System Data Flow Deduplication Intelligent Filtering Message Servers Live Capture Data Life Cycle

System Data Flow Deduplication Intelligent Filtering Compliant Searchable Repository Message Servers Live Capture Data Life Cycle

System Data Flow Deduplication Intelligent Filtering Compliant Searchable Repository Message Servers Live Capture Delete Data Life Cycle

System Data Flow Deduplication Intelligent Filtering Compliant Searchable Repository Message Servers Live Capture Delete 3rd-Parties: KVS, Ziplip, MessageGate Data Life Cycle

System Data Flow NAS, SAN, other servers Deduplication Intelligent Filtering Compliant Searchable Repository Message Servers Live Capture Delete 3rd-Parties: KVS, Ziplip, MessageGate Data Life Cycle

System Data Flow WORM Option Fully Tailorable ASP or In-House Multi-Pass Wipe Delete NAS, SAN, other servers Deduplication Intelligent Filtering Compliant Searchable Repository Message Servers Live Capture Delete 3rd-Parties: KVS, Ziplip, MessageGate Data Life Cycle

System Data Flow WORM Option Fully Tailorable ASP or In-House Multi-Pass Wipe Delete NAS, SAN, other servers Deduplication Intelligent Filtering Compliant Searchable Repository Message Servers Live Capture Delete 3rd-Parties: KVS, Ziplip, MessageGate Data Life Cycle Cull Search Produce Audit/ Report Administer

Live Capture – LITIGATION HOLD WORM Option Fully Tailorable ASP or In-House Multi-Pass Wipe Delete NAS, SAN, other servers Deduplication Intelligent Filtering Compliant Searchable Repository Message Servers Live Capture Delete 3rd-Parties: KVS, Ziplip, MessageGate Data Life Cycle Cull Search Produce Audit/ Report Administer

Intelligent Filtering – Compliance and More IF Condition THEN Captured Emails, Files, etc. Action Any file stored in the Repository Multiple File Types Emails Office Documents Financial Reports Etc. Any Search Result File “Age” Content Boolean Concept Etc. Actions Send an Email Place into Folder Adjust Permission Level Change Attribute Delete Etc.

Thank You For Your Time E. Casey Roche – Discovery Mining Inc. 415-561-6780 X116 www.discoverymining.com Suzanne Riddell – DataForeSight Inc. sriddell@dataforesight.com 303-278-2150

Return On Investment Considerations Elements: • Value of risk mitigation • Avoid detrimental affect of failure to comply on company’s market capitalization • Avoid potential penalties • Missed deadlines, failure to produce • Cost of live capture versus simple tape back-up • Tape restoration is extremely expensive • Having live capture in place can save 50% to 80% in the event of litigation • 20% of all US companies are litigated against every year • Quantifiable Side Benefits • Having a secure off-site archive • Providing searchable email archive • Avoiding the cost of data collection/harvesting • Time and money

Backups vs. Archives • “But we have a backup!” …sorry, not enough. • Failings: • No security • No authenticity • No search capability • No easy restore • No audit • …backups are a legal time bomb “The defendants did not show any policy that defined what e-mail should be reduced to hard copy because of its importance.” Murphy Oil USA v. Fluor Daniel

May 2006

May 2006

Presentation Transcript

May 1, 2006

May 2006

May 2006

May 2006

Porto, May, 2006

May, 2006

May 3, 2006

May, 2006

London May , 2006

upd8 (May 2006)

Zagreb, May 2006

May 17, 2006

May 2006

May 2006

May 13, 2006

May 2006

May 2006

May 2, 2006

May 2006

May, 2006