Monday, January 16, 2012

Email Archiving... What is the rule?


Archiving of Emails: The Rule

Statements by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) staff suggest that the OCIE is taking the position that it is entitled to review all e-mails retained by the adviser, regardless of whether they are covered under Rule 204-2. This includes personal e-mails. If an adviser does not retain all e-mail, it should implement a policy to ensure that all required e-mails are retained and not deleted.

An SEC examination request list presented to an adviser recently requested:

“For individuals to be selected upon commencement of the examination, or shortly thereafter, please be prepared to provide all e-mails, including their corresponding attachments, sent and received during a period to be specified. This information should be provided in an electronically searchable format. In identifying e-mails that are responsive to our needs, please be mindful that e-mails may be stored both on servers and on individual hard drives of the persons selected.”

Electronic communication must be kept for the same length of time as if the record were a written/printed record. Generally, records should be kept in an easily accessible place for a period of not less than five full fiscal years after the last entry was made in that record, the first two years in an appropriate office of the investment adviser. Be mindful that if the email pertains to documentation demonstrating the calculation of performance, for example, it may be subject to retention for five full fiscal years after the adviser stops advertising the performance.

Advisers must:
  • Arrange and index the records in a way that permits easy location, access, and retrieval of any particular record;
  • Provide promptly any of the following:
§  A legible, true, and complete copy of the record in the medium and format in which it is stored;
§  A legible, true, and complete printout of the record; and
§  Means to access, view, and print the records;
  • Separately store, for the time required for preservation of the original record, a duplicate copy of the record;
  • Maintain and preserve the records so as to reasonably safeguard them from loss, alteration, or destruction;
  • Limit access to the records to properly authorized personnel; and
  • Reasonably ensure that any reproduction of a non-electronic original

Therefore, when selecting an Email Archiving product, the following areas should be considered. 
  • To be properly prepared for legal discovery and regulatory compliance, Hedge Funds and Private Equity Firms must maintain a well-controlled environment over emails and be able to search through and retrieve the data.
  • The Firm needs to ensure that it automatically preserves all electronic business records and the records should be stored securely on tamper-proof media for their designated retention period(s).
  • The system should have a search facility that easily locates and produces electronic communications and prepares them for SEC examinations or other requests.
  • The Firm should be able to customize supervision policies without technology limitations. The product the Firm chooses should:
o   Configure company-approved keyword lists
o   Automate policy enforcement and streamline compliance review procedures with systemized search criteria
The Firm will need to ensure that it has well-documented records of supervisory procedures and that the product can demonstrate, through detailed audit trails, that the policy was properly enforced.
Retention Capabilities:
  • The system that the Firm chooses should be able to capture and automate the unique retention policy of each Firm.
  • Determine how the product manages retention policies. For instance, the retention policy should be easy for the user to maintain and update. With that stated, the Firm needs to understand what happens to the old policy(s) and the associated legacy emails.
  • The product should be able to maintain multiple retention policies for each type of message across companies.
  • Every policy change should be properly tracked in an unalterable audit trail, ensuring an accurate record of the Firm’s policy changes.
  • Determine how the product disposes of messages from the archive. For instance, when a message reaches the end of its retention period, does the system delete it automatically, or does it alert an authorized user who can then extend the period or delete the message? Once disposed of, can the data be restored?
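To make the retention questions above concrete, here is an added example in Python (not code from the original post or from any archiving product): one policy per message type, automatic disposal or an alert to an authorized user at expiry, extension of the period by that user, and a hash-chained audit trail of every policy change and disposal decision. The class names, role names, message ids and dates are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class RetentionPolicy:
    message_type: str   # e.g. "email" or "voicemail" (voice mail delivered as e-mail)
    years: int          # keep for this many full years after capture
    auto_dispose: bool  # True: delete at expiry; False: alert an authorized user first

@dataclass
class ArchivedMessage:
    msg_id: str
    message_type: str
    captured: date
    extended_until: Optional[date] = None  # set when an authorized user extends the period
    disposed: bool = False

class RetentionEngine:
    AUTHORIZED = {"compliance", "counsel"}  # constructed role names

    def __init__(self) -> None:
        self.policies = {}  # message_type -> RetentionPolicy currently in force
        self.audit = []     # append-only; every entry hashes the one before it
        self.alerts = []    # message ids waiting for a disposal decision

    def _record(self, event: dict) -> None:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = json.dumps(event, sort_keys=True, default=str)
        self.audit.append({**event, "prev": prev,
                           "hash": hashlib.sha256((prev + body).encode()).hexdigest()})

    def verify_audit(self) -> bool:
        """Recompute the chain; an edited, reordered or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.audit:
            event = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            body = json.dumps(event, sort_keys=True, default=str)
            if entry["prev"] != prev or entry["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = entry["hash"]
        return True

    def set_policy(self, policy: RetentionPolicy, actor: str) -> None:
        # The superseded policy goes into the trail, so the fate of a legacy policy is recoverable.
        old = self.policies.get(policy.message_type)
        self.policies[policy.message_type] = policy
        self._record({"action": "set_policy", "actor": actor,
                      "old": asdict(old) if old else None, "new": asdict(policy)})

    def expiry(self, m: ArchivedMessage) -> date:
        # The policy in force applies to every message of its type, legacy messages
        # included; an extension can only lengthen the period, never shorten it.
        years = self.policies[m.message_type].years
        try:
            base = m.captured.replace(year=m.captured.year + years)
        except ValueError:  # captured on Feb 29; fall back to Feb 28
            base = m.captured.replace(year=m.captured.year + years, day=28)
        return max(base, m.extended_until) if m.extended_until else base

    def extend(self, m: ArchivedMessage, until: date, actor: str) -> None:
        if actor not in self.AUTHORIZED:
            raise PermissionError(f"{actor} is not authorized to extend retention")
        m.extended_until = until
        self.alerts = [i for i in self.alerts if i != m.msg_id]
        self._record({"action": "extend", "actor": actor, "msg_id": m.msg_id, "until": until})

    def run_disposal(self, messages, today: date, actor: str = "scheduler") -> list:
        """Scheduled pass over the archive; returns the ids disposed of in this run."""
        disposed = []
        for m in messages:
            if m.disposed or today < self.expiry(m):
                continue
            if self.policies[m.message_type].auto_dispose:
                m.disposed = True
                disposed.append(m.msg_id)
                self._record({"action": "dispose", "actor": actor, "msg_id": m.msg_id})
            elif m.msg_id not in self.alerts:  # alert once, then wait for a decision
                self.alerts.append(m.msg_id)
                self._record({"action": "alert", "actor": actor, "msg_id": m.msg_id})
        return disposed

def demo() -> dict:
    """Constructed scenario: two policies, four messages, one extension by counsel."""
    eng = RetentionEngine()
    eng.set_policy(RetentionPolicy("email", 5, auto_dispose=False), "compliance")
    eng.set_policy(RetentionPolicy("voicemail", 3, auto_dispose=True), "compliance")
    msgs = [ArchivedMessage("em-1", "email", date(2012, 1, 16)),     # not yet expired
            ArchivedMessage("em-2", "email", date(2006, 3, 1)),      # expired: alert, do not delete
            ArchivedMessage("em-3", "email", date(2008, 2, 29)),     # leap-day capture
            ArchivedMessage("vm-1", "voicemail", date(2008, 6, 1))]  # expired: auto-disposed
    first = eng.run_disposal(msgs, date(2012, 1, 16))   # ['vm-1']
    alerted = list(eng.alerts)                            # ['em-2']
    eng.extend(msgs[1], date(2013, 1, 1), "counsel")
    second = eng.run_disposal(msgs, date(2012, 1, 16))  # []
    return {"first": first, "alerted": alerted, "second": second, "messages": msgs,
            "engine": eng, "chain_ok": eng.verify_audit()}
```

The design point is the audit chain: each entry carries the digest of the entry before it, so an edited or dropped entry is caught by verify_audit(), which is what an "unalterable audit trail" has to mean in practice. The engine applies the policy currently in force to legacy messages and only lets an authorized role lengthen a period; a product that instead pins the policy version at capture answers the "what happens to the old policy" question differently, which is exactly why the list says to ask.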
Capturing Information
§  Determine whether messages and associated attachments are captured on a real-time basis or on a batch basis. In either case, how does the product ensure that all messages were indeed captured?
§  Determine what data the email archiving system actually captures. As an example, the product should capture:
o   Header data
o   Message date and time, IP addresses, types of servers, etc.
o   Attachments
o   To/From, CCs, BCCs, etc.
o   Type of message; as an example, you might have a different retention policy for voice mail that is emailed through an IP address than for regular emails
§  The product should allow the Firm to import legacy emails and combine them into one system. This facilitates creating a consolidated archive for rapid retrieval and review.
§  The product should be flexible enough to upload on a multi-company basis and manage each company uniquely or on a consolidated basis. 
§  The product should automatically encrypt all emails and other messages so only authorized individuals can view the information.
§  When capturing messages, the product should time stamp and index each message.
§  If the Email service is down for a period of time, what mechanism is in place to ensure that all emails are subsequently captured?
§  Does the ability to capture emails change based on the platform used (remote access, PC, Mac, Android, iPad, BlackBerry, etc.)?
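As an added illustration (not the page's own code or any vendor's), the following Python uses the standard library's email package to capture the fields listed above from one raw message, stamp it with the capture time and a content hash, build a small full-text index, and refuse to store the same Message-ID twice. The raw message, the capture time and the store's class and function names are constructed for the example.

```python
import email
import hashlib
import re
from datetime import datetime, timezone
from email import policy

# Constructed journal copy of a message; a real capture feed would supply this.
RAW_MESSAGE = b"""Received: from mail.example.test (mail.example.test [192.0.2.10])
\tby archive.example.test with ESMTP id ABC123; Mon, 16 Jan 2012 09:15:02 -0500
From: "Analyst" <analyst@example.test>
To: trader@example.test
Cc: compliance@example.test
Bcc: hidden@example.test
Date: Mon, 16 Jan 2012 09:14:55 -0500
Subject: Q4 performance calculation
Message-ID: <20120116091455.1234@example.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Attached is the performance calculation for the Q4 marketing deck.
--B1
Content-Type: application/vnd.ms-excel; name="perf_q4.xls"
Content-Disposition: attachment; filename="perf_q4.xls"
Content-Transfer-Encoding: base64

AAECAwQFBgcICQ==
--B1--
"""
CAPTURED_AT = datetime(2012, 1, 16, 14, 15, 10, tzinfo=timezone.utc)  # constructed capture time
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # addresses inside Received: headers


def _addresses(msg, header: str) -> list:
    return [a.addr_spec for h in msg.get_all(header, []) for a in h.addresses]


def capture_metadata(raw: bytes, captured_at: datetime) -> dict:
    """Parse one raw message into the fields the archive indexes and retains."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = [{"name": p.get_filename(), "type": p.get_content_type(),
                    "size": len(p.get_content())} for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    return {
        "message_id": str(msg.get("Message-ID", "")).strip("<>"),
        "from": _addresses(msg, "From"),
        "to": _addresses(msg, "To"),
        "cc": _addresses(msg, "Cc"),
        "bcc": _addresses(msg, "Bcc"),  # survives only on journaled/outbound copies
        "date": msg["Date"].datetime if msg["Date"] else None,
        "subject": str(msg.get("Subject", "")),
        "received_ips": [ip for h in msg.get_all("Received", []) for ip in _IP.findall(str(h))],
        "attachments": attachments,
        "body": body.get_content() if body else "",
        # voice mail delivered by e-mail may fall under its own retention policy
        "message_type": "voicemail" if any(a["type"].startswith("audio/") for a in attachments) else "email",
        "captured_at": captured_at,                   # archive time stamp
        "sha256": hashlib.sha256(raw).hexdigest(),    # taken at capture; later alteration is detectable
    }


def verify_integrity(record: dict, raw: bytes) -> bool:
    """True if the stored bytes still match the hash taken at capture."""
    return hashlib.sha256(raw).hexdigest() == record["sha256"]


def _tokens(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class CaptureStore:
    """Hypothetical store: one copy per Message-ID plus a full-text index."""

    def __init__(self) -> None:
        self.records = {}  # key -> metadata record
        self.index = {}    # token -> set of keys (subject, body, attachment names)

    def ingest(self, raw: bytes, captured_at: datetime):
        """Returns (record, is_duplicate); a duplicate is recognised, not stored again."""
        rec = capture_metadata(raw, captured_at)
        key = rec["message_id"] or rec["sha256"]  # content hash if there is no Message-ID
        if key in self.records:
            return self.records[key], True
        self.records[key] = rec
        names = [a["name"] or "" for a in rec["attachments"]]
        for tok in _tokens(" ".join([rec["subject"], rec["body"]] + names)):
            self.index.setdefault(tok, set()).add(key)
        return rec, False

    def search(self, word: str) -> list:
        """Keys of every stored message whose indexed text contains the word."""
        return sorted(self.index.get(word.lower(), ()))
```

Two choices matter for the questions in the list. The hash is taken over the raw bytes before anything else touches them, so "were all messages captured unaltered" becomes a check that can be re-run at any time with verify_integrity(). Duplicate detection keys on Message-ID with the content hash as a fallback, which is what keeps a journaled copy and a mailbox copy of the same message from appearing twice in search results.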
Technology
§  The service should have redundant data centers.
§  The Email service should use WORM (write once, read many) technology to satisfy the rule that records must not be altered in any manner.
§  The Firm should determine how each product encrypts email messages. All messaging information should be properly encrypted. As an example, one product has the feature of ensuring that messages are decrypted only when an authorized user on the Firm’s network conducts a search. A further protection is that the encryption keys are created and maintained by the Firm, separate from the encrypted data stored within the vendor’s control. Therefore, the Firm’s messaging data can never be viewed by the vendor without the Firm’s permission.
§  The product should have the flexibility to securely download emails to a PC and keep them properly encrypted.
§  Can the service be hosted?
Search Engine
§  Overall the Firm should determine the type of criteria and the method in which the Firm prefers to initiate these searches.  Each product will have varying ways to conduct a search.
§  The product should index each message and its attachments using a full-text index/catalog to permit searches in the application.
§  The product should allow administrators to be able to search across their email and electronic message archives based on virtually any criteria including:
o   text/HTML body, subject, sender, recipient (including CC, BCC & distribution lists), message date and time, headers (including IP address), attachment type(s), attachment name, attachment contents, keywords or phrases.
§  The system should allow the user to run robust ad-hoc discovery searches for one-time instances and be able to save these searches for future use.
§  Once the search is completed, does the way the search results are displayed or reported meet the expectations of the company? The search results should also be downloadable directly to a PC or Mac, or encrypted and copied to portable electronic media.
§  The system should also allow Personal archive access.  End-users should have access to their personal email archive securely from any web browser, mobile device or an integrated email client plug-in. 
§  End users should also have access to customizable saved searches and other tools to conveniently provide access to historical messages.
§  When a legal or regulatory event occurs, the product should allow the Firm to define a litigation hold period for each matter, which groups messages for the duration of the event. The product should also have the ability to set the date parameters of the event and capture new emails that are relevant to the ongoing event.
§  The product should ensure that a search does not return duplicate email messages.

Supervision and Security
The supervision procedures should have a flexible technology foundation. The software should be customizable to your particular firm's supervision policies and procedures, and the system should use that flexibility for optimal efficiency in message review and effectiveness in identifying and mitigating risk.
  • The system should allow a workflow hierarchy that can be configured to model the authorization structure of the organization.
  • The product should allow the granting of temporary permissions or access to consultants or outside legal counsel or other individuals.
  • The product should have the capability to track similarities of emails from multiple individuals.
  • The product should track the administrator session and any action taken throughout the entire lifecycle of a message should be documented.
  • Administrators should have the ability to annotate, flag, open/close or escalate messages.
  • To ensure data meets the highest evidentiary standards, the product should have safeguards that prevent any record from being deleted or altered once it has been archived and before its termination date.
  • The product should track and report on incoming and outgoing messages (from any platform) based on the Firm’s predefined filtering parameters (e.g. key words/phrases, email addresses, web sites, etc…).
  • Is the service a fully managed SAS 70 Type II-certified service?
  • The vendor’s operations should follow strict, clearly documented procedural controls and undergo annual audits to ensure that the documented procedures are properly followed.
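An added example (not from the original post or from any product) of the supervision features in this list, in Python: a role hierarchy, a time-limited grant for outside counsel, automatic keyword screening of incoming and outgoing messages, controlled flag/escalate/close transitions, and a per-message lifecycle record from which the reports in the next section can be produced. The keyword list, user names, roles and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed company-approved keyword list; the real one comes from the Firm's policy.
KEYWORDS = ("guarantee", "off the books", "delete this")

# Role -> actions it may take; this models the Firm's authorization hierarchy.
ROLE_ACTIONS = {
    "reviewer": {"annotate", "flag"},
    "supervisor": {"annotate", "flag", "escalate", "close", "open"},
    "counsel": {"annotate"},  # outside counsel: annotate only, and only while the grant lasts
}

# action -> (states it may be applied in, resulting state); None means any / unchanged
TRANSITIONS = {
    "flag": ({"archived"}, "flagged"),
    "escalate": ({"flagged"}, "escalated"),
    "close": ({"flagged", "escalated"}, "closed"),
    "open": ({"closed"}, "flagged"),
    "annotate": (None, None),
}

@dataclass
class Grant:
    user: str
    role: str
    expires: Optional[date] = None  # None: standing permission; a date: temporary access

class Supervision:
    """Hypothetical review workflow; a real product's model will differ."""

    def __init__(self, grants) -> None:
        self.grants = {g.user: g for g in grants}
        self.state = {}  # msg_id -> current review state
        self.trail = []  # every action, in order: the documented lifecycle of each message

    def _log(self, msg_id, actor, action, detail=None) -> None:
        self.trail.append({"seq": len(self.trail) + 1, "msg_id": msg_id,
                           "actor": actor, "action": action, "detail": detail})

    def screen(self, msg_id: str, direction: str, text: str) -> bool:
        """Automatic pass over each captured message, incoming or outgoing."""
        self.state.setdefault(msg_id, "archived")
        hits = [k for k in KEYWORDS if k in text.lower()]
        self._log(msg_id, "system", "screen", {"direction": direction, "hits": hits})
        if hits:
            self.state[msg_id] = "flagged"
            self._log(msg_id, "system", "auto_flag", hits)
        return bool(hits)

    def act(self, user: str, action: str, msg_id: str, today: date, note: str = None) -> str:
        """A human action, checked against the grant, its expiry and the message state."""
        grant = self.grants.get(user)
        if (grant is None or (grant.expires and today > grant.expires)
                or action not in ROLE_ACTIONS.get(grant.role, set())):
            self._log(msg_id, user, "denied", action)  # refusals are part of the record too
            raise PermissionError(f"{user} may not {action} {msg_id} on {today}")
        allowed_from, new_state = TRANSITIONS[action]
        current = self.state.get(msg_id, "archived")
        if allowed_from is not None and current not in allowed_from:
            raise ValueError(f"cannot {action} a message in state {current}")
        self.state[msg_id] = new_state or current
        self._log(msg_id, user, action, note)
        return self.state[msg_id]

    def lifecycle(self, msg_id: str) -> list:
        return [e for e in self.trail if e["msg_id"] == msg_id]

    def report(self) -> dict:
        """Counts by state and by actor: the raw material for the standard reports."""
        by_state, by_actor = {}, {}
        for s in self.state.values():
            by_state[s] = by_state.get(s, 0) + 1
        for e in self.trail:
            if e["actor"] != "system":
                by_actor[e["actor"]] = by_actor.get(e["actor"], 0) + 1
        return {"by_state": by_state, "by_actor": by_actor}

def demo() -> dict:
    """Constructed scenario: a standing reviewer and supervisor, temporary outside counsel."""
    sup = Supervision([Grant("alice", "reviewer"), Grant("bob", "supervisor"),
                       Grant("carol", "counsel", expires=date(2012, 1, 31))])
    hit = sup.screen("m1", "outgoing", "We can guarantee 12% returns on this one.")
    miss = sup.screen("m2", "incoming", "Lunch on Thursday?")

    def denied(user, action, when):
        try:
            sup.act(user, action, "m1", when)
        except PermissionError:
            return True
        return False

    steps = [denied("alice", "escalate", date(2012, 1, 20)),        # reviewer may not escalate
             sup.act("bob", "escalate", "m1", date(2012, 1, 20)),
             sup.act("carol", "annotate", "m1", date(2012, 1, 25), "reviewed"),
             denied("carol", "annotate", date(2012, 2, 5)),          # grant expired
             sup.act("bob", "close", "m1", date(2012, 2, 6), "false positive")]
    return {"hit": hit, "miss": miss, "steps": steps, "sup": sup}
```

Denied actions are logged as well as successful ones, so the lifecycle of a message shows who tried what and when, not only what went through; an expired consultant grant is refused by the same check as a role that lacks the action.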
Reporting
  • The product should be able to produce analytical reporting on corporate email usage, system audit history and message archive data.
  • Ad hoc reports and standard reports should be available.
  • The product should provide a report or audit trail demonstrating that the policy(s) the Firm employs are actually being followed.