Statements by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) staff suggest that OCIE takes the position that it is entitled to review all e-mails retained by the adviser, regardless of whether they are covered under Rule 204-2. This includes personal e-mails. An adviser that does not retain all e-mail should implement a policy to ensure that all required e-mails are retained and not deleted.
An SEC examination request list recently presented to an adviser requested:
“For individuals to be selected upon commencement of the examination, or shortly thereafter, please be prepared to provide all e-mails, including their corresponding attachments, sent and received during a period to be specified. This information should be provided in an electronically searchable format. In identifying e-mails that are responsive to our needs, please be mindful that e-mails may be stored both on servers and on individual hard drives of the persons selected.”
Electronic communications must be kept for the same length of time as if the record were a written or printed record. Generally, records should be kept in an easily accessible place for a period of not less than five full fiscal years after the last entry was made in that record, the first two years in an appropriate office of the investment adviser. Be mindful that if the e-mail pertains to documentation demonstrating the calculation of performance, for example, it may be subject to retention for five full fiscal years after the adviser stops advertising the performance. The event that starts the retention clock therefore differs by record type (last entry in the record, or last use in advertising), and the archive must be able to compute the retention period from the applicable event rather than simply from the date of capture.
Advisers must:
- Arrange and index the records in a way that permits easy location, access, and retrieval of any particular record;
- Provide promptly any of the following:
§ A legible, true, and complete copy of the record in the medium and format in which it is stored;
§ A legible, true and complete printout of the record; and
§ Means to access, view, and print the records;
- Separately store, for the time required for preservation of the original record, a duplicate copy of the record;
- Maintain and preserve the records so as to reasonably safeguard them from loss, alteration, or destruction;
- Limit access to the records to properly authorized personnel; and
- Reasonably ensure that any reproduction of a non-electronic original
Therefore, when selecting an e-mail archiving product, the following areas should be considered.
- To be properly prepared for legal discovery and regulatory compliance, hedge funds and private equity firms must maintain a well-controlled environment for e-mail and be able to search through and retrieve the data.
- The Firm needs to ensure that it automatically preserves all electronic business records, and that the records are stored securely on tamper-proof media for their designated retention period(s).
- The system should have a search facility that easily locates and produces electronic communications and prepares them for SEC examinations or other requests.
- The Firm should be able to customize supervision policies without technology limitations. The product the Firm chooses should:
o Configure company-approved keyword lists
o Automate policy enforcement and streamline compliance review procedures with systemized search criteria
The company will need to ensure that it has well-documented records of supervisory procedures and that the product is able, through detailed audit trails, to demonstrate that the policy was properly enforced.
Retention Capabilities:
- The system that the Firm chooses should be able to capture and automate each Firm’s unique retention policy.
- Determine how the product manages retention policies. For instance, the retention policy should be easily maintained and updated by the user. With that stated, the Firm needs to understand what happens to the old policy(s) and the associated legacy e-mails when a policy changes.
- The product should be able to maintain multiple retention policies for each type of message across companies.
- Every policy change should be properly tracked in an unalterable audit trail, ensuring an accurate record of the Firm’s policy changes.
- Determine how the product disposes of messages from the archive. For instance, when a message reaches the end of its retention period, does the system delete it automatically, or does it alert the authorized user, who can then extend the period or delete the messages? Once disposed of, can the data be restored?
Capturing Information
§ Determine whether messages and associated attachments are captured in real time or in batches. In either case, how does the product ensure that all messages were indeed captured? A practical check is to reconcile the mail server’s journaling or message log against the archive index by Message-ID and investigate any gaps.
§ Determine what data the e-mail archiving system actually captures. As an example, the product should capture:
o Header data
o Message date and time, IP addresses, types of servers, etc.
o Attachments
o To/From, CCs, BCCs, etc.
o Type of message; as an example, you might have a different retention policy for voice mail that is e-mailed through an IP address than for regular e-mails
§ The product should allow the Firm to import legacy e-mails and combine them into one system. This will facilitate creating a consolidated archive for rapid retrieval and review.
§ The product should be flexible enough to upload on a multi-company basis and manage each company uniquely or on a consolidated basis.
§ The product should automatically encrypt all e-mails and other messages so that only authorized individuals can view the information.
§ When capturing messages, the product should time stamp and index each message.
§ If the e-mail service is down for a period of time, what mechanism is in place to ensure that all e-mails are subsequently captured?
§ Does the ability to capture e-mails change based on the platform used (remote access, PC, Mac, Android, iPad, BlackBerry, etc.)?
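The capture points above (header data, date and time, relay IP addresses, To/From/CC/BCC, attachments, message type, time stamping and indexing, and the completeness check) can be made concrete with a small index builder. The following is an added example written for this page, not code from any archiving product, using only Python’s standard `email` module. The sample message is constructed, the voicemail detection rule (an `audio/*` attachment marks the message as voicemail) and the bracketed-IPv4 pattern used to pull relay addresses out of `Received` headers are assumptions, and `find_missing` assumes the mail server can export the Message-IDs it journaled.

```python
import email
import hashlib
import json
import re
from datetime import datetime, timezone
from email import policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample (not from the page): a voicemail delivered by e-mail, as the text
# describes, with a relay's Received header carrying the sending host's IP address.
SAMPLE_EML = b"""Received: from pbx.example.test (pbx.example.test [192.0.2.10])
\tby mail.example.test with ESMTP id 5QkT9x; Mon, 03 Mar 2014 09:15:02 -0500
Message-ID: <vm-0001@pbx.example.test>
Date: Mon, 03 Mar 2014 09:14:58 -0500
From: PBX <voicemail@example.test>
To: Alice Trader <alice@example.test>
Cc: compliance@example.test
Bcc: archive@example.test
Subject: Voice message from 212-555-0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

You have a new voice message.
--b1
Content-Type: audio/wav; name="msg.wav"
Content-Disposition: attachment; filename="msg.wav"
Content-Transfer-Encoding: base64

UklGRiQAAABXQVZFZm10IBAAAAABAAEARKwAAIhYAQACABAAZGF0YQAAAAA=
--b1--
"""

# Assumption: relays write the peer address as a bracketed IPv4 literal in Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def addresses(msg, name):
    """Bare, lower-cased addresses from a header that may appear more than once."""
    return [addr.lower() for _, addr in getaddresses([str(h) for h in msg.get_all(name, [])]) if addr]


def capture(raw, captured_at=None):
    """Parse one raw RFC 5322 message and return the index record the archive keeps
    alongside the unmodified bytes (which go to WORM storage as-is)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    captured_at = captured_at or datetime.now(timezone.utc)
    attachments = [
        {"filename": part.get_filename(), "content_type": part.get_content_type(),
         "size": len(part.get_payload(decode=True) or b"")}
        for part in msg.iter_attachments()
    ]
    # Message type selects the retention policy; an audio attachment marks voicemail (assumption).
    message_type = "voicemail" if any(a["content_type"].startswith("audio/") for a in attachments) else "email"
    relay_ips = []
    for received in msg.get_all("Received", []):
        relay_ips.extend(ip for ip in IP_RE.findall(str(received)) if ip not in relay_ips)
    message_id = str(msg["Message-ID"]).strip() if msg["Message-ID"] else None
    return {
        "message_id": message_id,
        # Dedup key: Message-ID when present, else a digest of the bytes, so the same
        # message journaled twice (e.g. once per recipient) is indexed once.
        "dedup_key": message_id or hashlib.sha256(raw).hexdigest(),
        "raw_sha256": hashlib.sha256(raw).hexdigest(),  # integrity check for the stored copy
        "sent_at": parsedate_to_datetime(str(msg["Date"])).isoformat() if msg["Date"] else None,
        "captured_at": captured_at.isoformat(),
        "from": addresses(msg, "From"),
        "to": addresses(msg, "To"),
        "cc": addresses(msg, "Cc"),
        "bcc": addresses(msg, "Bcc"),
        "subject": str(msg["Subject"]) if msg["Subject"] else "",
        "relay_ips": relay_ips,
        "attachments": attachments,
        "message_type": message_type,
        "headers": {k: str(v) for k, v in msg.items()},
    }


def find_missing(journal_ids, archived_ids):
    """Completeness check: Message-IDs the mail server journaled but the archive never indexed."""
    return sorted(set(journal_ids) - set(archived_ids))


if __name__ == "__main__":
    print(json.dumps(capture(SAMPLE_EML), indent=2))
    print(find_missing(["<a@x>", "<b@x>", "<c@x>"], ["<b@x>"]))
```

Run against a journaling feed, the `find_missing` output is the list to investigate after a mail-service outage; an empty list is the evidence that the capture mechanism recovered everything.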
Technology
§ The service should have redundant data centers.
§ The e-mail service should use WORM (write once, read many) storage to satisfy the requirement that records not be altered in any manner.
§ The Firm should determine how each product encrypts e-mail messages. All messaging information should be properly encrypted. As an example, one product ensures that messages are decrypted only when an authorized user on the Firm’s network conducts a search. A further protection is that the encryption keys are created and maintained by the Firm, separate from the encrypted data stored within the vendor’s control, so the Firm’s messaging data cannot be viewed by the vendor without the Firm’s permission. Ask specifically where the full-text search index is built and stored: a plaintext index the vendor can read undermines keys the vendor does not hold.
§ The product should have the flexibility to securely download e-mails to a PC and keep them properly encrypted.
§ Can the service be hosted?
Search Engine
§ Overall, the Firm should determine the type of criteria and the method by which it prefers to initiate searches. Each product will have varying ways to conduct a search.
§ The product should index each message and its attachments using a full-text index/catalog to permit searches in the application.
§ The product should allow administrators to search across their e-mail and electronic message archives based on virtually any criteria, including:
o text/HTML body, subject, sender, recipient (including CC, BCC and distribution lists), message date and time, headers (including IP address), attachment type(s), attachment name, attachment contents, keywords or phrases.
§ The system should allow the user to run robust ad-hoc discovery searches for one-time needs and be able to save these searches for future use.
§ Once a search is completed, does the way the search results are displayed or reported meet the expectations of the company? The search results should also be downloadable directly to a PC or Mac, or encrypted and copied to portable electronic media.
§ The system should also allow personal archive access. End users should have secure access to their personal e-mail archive from any web browser, mobile device or an integrated e-mail client plug-in.
§ End users should also have access to customizable saved searches and other tools that conveniently provide access to historical messages.
§ When a legal or regulatory event occurs, the product should allow the Firm to define a litigation hold for each matter which groups messages for the duration of the event. The product should also be able to set the date parameters of the event and capture new e-mails that are relevant to the ongoing event. Messages under hold must be exempt from any retention-based disposal until the hold is released.
§ The product should ensure that a search does not return duplicate e-mail messages (for example, the same message journaled once per recipient).
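The retention bullets earlier (policy per message type, an unalterable audit trail of policy changes, a review step before disposal) and the litigation-hold bullet above interact, and the interaction is where archiving products differ most. The following is an added illustration written for this page, not code from the page or from any vendor: a minimal archive model in which retention is computed in full fiscal years from the applicable trigger event, an open hold sweeps in messages that arrive later, a held or unexpired message cannot be disposed of, and the audit trail is a hash chain so that altering an entry after the fact is detectable. The calendar fiscal year, the hash-chain construction, and all names (`Archive`, `Hold`, `demo`, the custodians and matter) are assumptions made for the example.

```python
import calendar
import hashlib
import json
from dataclasses import dataclass
from datetime import date


def fiscal_year_end(d, fye_month=12, years_after=0):
    """Last day of the fiscal year containing d, plus years_after further full fiscal years."""
    year = (d.year if d.month <= fye_month else d.year + 1) + years_after
    return date(year, fye_month, calendar.monthrange(year, fye_month)[1])


class AuditTrail:
    """Append-only log; each entry commits to the previous hash, so later alteration breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "actor": actor, "action": action, "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Hold:
    matter: str
    custodians: set
    start: date
    end: date = None  # None = open matter: messages arriving later keep being swept in

    def matches(self, rec):
        in_window = rec["sent_on"] >= self.start and (self.end is None or rec["sent_on"] <= self.end)
        return rec["custodian"] in self.custodians and in_window


class Archive:
    def __init__(self, fye_month=12):
        self.fye_month, self.policies, self.records, self.holds = fye_month, {}, {}, {}
        self.audit = AuditTrail()

    def set_policy(self, actor, message_type, years):
        # The superseded value is kept inside the audit entry, not overwritten silently.
        self.audit.append(actor, "policy_change", {"type": message_type, "old": self.policies.get(message_type), "new": years})
        self.policies[message_type] = years

    def archive(self, msg_id, message_type, custodian, sent_on, trigger=None):
        # trigger: event the retention clock runs from (message date by default; for performance
        # documentation, the last date the figures were used in advertising).
        rec = {"type": message_type, "custodian": custodian, "sent_on": sent_on, "trigger": trigger or sent_on}
        rec["holds"] = {h.matter for h in self.holds.values() if h.matches(rec)}
        self.records[msg_id] = rec
        self.audit.append("system", "archive", {"id": msg_id, "holds": sorted(rec["holds"])})

    def retained_through(self, msg_id):
        rec = self.records[msg_id]
        return fiscal_year_end(rec["trigger"], self.fye_month, self.policies[rec["type"]])

    def place_hold(self, actor, hold):
        self.holds[hold.matter] = hold
        swept = sorted(i for i, r in self.records.items() if hold.matches(r))
        for i in swept:
            self.records[i]["holds"].add(hold.matter)
        self.audit.append(actor, "hold_placed", {"matter": hold.matter, "messages": swept})

    def due_for_disposal(self, today):
        """Candidates to show an authorized reviewer; nothing is deleted here."""
        return sorted(i for i, r in self.records.items() if today > self.retained_through(i) and not r["holds"])

    def dispose(self, actor, msg_id, today):
        if msg_id not in self.due_for_disposal(today):  # still under hold or inside its retention period
            raise PermissionError(f"{msg_id} may not be deleted or altered before its termination date")
        del self.records[msg_id]
        self.audit.append(actor, "dispose", {"id": msg_id})


def demo():
    """Constructed scenario on a calendar fiscal year; returns the facts a reviewer would check."""
    a, today = Archive(), date(2020, 1, 1)
    a.set_policy("cco", "email", 5)
    a.set_policy("cco", "performance_advertising", 5)
    a.archive("m1", "email", "bob", date(2014, 3, 3))
    a.archive("m2", "performance_advertising", "bob", date(2014, 6, 1), trigger=date(2016, 9, 15))
    a.place_hold("counsel", Hold("Matter-1", {"alice"}, date(2014, 1, 1)))
    a.archive("m3", "email", "alice", date(2014, 5, 1))  # arrives after the hold and is swept in automatically
    out = {"m1_through": str(a.retained_through("m1")), "m2_through": str(a.retained_through("m2")),
           "m3_holds": sorted(a.records["m3"]["holds"]), "due": a.due_for_disposal(today)}
    a.dispose("cco", "m1", today)
    out["remaining"] = sorted(a.records)
    out["audit_ok"] = a.audit.verify()
    a.audit.entries[1]["actor"] = "intruder"  # simulate after-the-fact tampering with the trail
    out["audit_ok_after_tamper"] = a.audit.verify()
    return out
```

In the scenario, `m1` (last entry March 2014) is retained through 2019-12-31 and is the only message due on 2020-01-01; `m2` runs five full fiscal years from its last advertising use in 2016, and `m3`, although old enough, stays because the open hold on its custodian caught it on arrival. When evaluating a product, ask it to show exactly these three outcomes, and ask for the equivalent of `verify()`: a way to prove the audit trail has not been edited.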
Supervision and Security
The supervision procedures should have a flexible technology foundation. The software should be customizable to your particular firm’s supervision policies and procedures, and the system should take advantage of that flexibility for optimal efficiency in message review and effectiveness in identifying and mitigating risk.
- The system should allow a workflow hierarchy that can be configured to model the authorization structure of the organization.
- The product should allow the granting of temporary permissions or access to consultants, outside legal counsel or other individuals, with an expiry so that access ends with the engagement.
- The product should have the capability to track similarities among e-mails from multiple individuals.
- The product should track the administrator’s session, and any action taken throughout the entire lifecycle of a message should be documented.
- Administrators should have the ability to annotate, flag, open/close or escalate messages.
- To ensure data meets the highest evidentiary standards, the product should have safeguards that prevent any record from being deleted or altered once it has been archived and before its termination date.
- The product should track and report on incoming and outgoing messages (from any platform) based on the Firm’s predefined filtering parameters (e.g. key words/phrases, e-mail addresses, web sites, etc.).
- Is the service a fully managed SAS 70 Type II-certified service? (SAS 70 has since been superseded by SSAE 16 and the SOC 1/SOC 2 reports; ask for the vendor’s current report and read the tested controls rather than relying on the label.)
- The vendor’s operations should follow strict procedural controls that are clearly documented and undergo annual audits to ensure that the vendor’s documented procedures are properly followed.
Reporting
- The product should be able to produce analytical reporting on corporate email usage, system audit history and message archive data.
- Ad hoc reports and standard reports should be available.
- A report or audit trail to demonstrate that the policies the Firm employs are actually being followed.