Now that you’ve seen what ACA Insight has to offer, don’t be without it. Subscribe now!

The weekly news source for investment management legal and compliance professionals

Current subscribers - please log in to the website in the upper right-hand corner

News October 3, 2005 Issue

Firms Need to Break Silos When Developing E-mail Policies

A key theme during the IDC/Kahn Consulting e-mail conference last month:

When developing and implementing an e-mail retention, storage, and retrieval policy, compliance staff need to sit down and talk to the computer people. "Unless you have a number of folks around a table, itís not going to be done right," said Randolph Kahn of Kahn Consulting.

Lee Dittmar of Deloitte Consulting agreed. When it comes to managing e-mails and other electronic records, compliance "canít sit on top . . . it needs to be part of what you do," he said. "You canít add compliance in after the fact."

Why do both sides need to be present? "Itís not the job of IT to interpret law," noted Kahn Consulting director Barclay Blair. On the other hand, he said, lawyers "need to understand whatís possible from an IT perspective."

Moreover, business people need to be at the table as well, to weigh the risk and rewards and payoffs and costs of various e-mail strategies. "The business people need to bring their expertise at managing problems to bear on information management," said Blair. And, of course, if a firm has a records management staff, that group should participate as well. Some panelists also suggested that a firmís human resources department be involved in e-mail discussions.

After breaking down the silos, the next challenge is to get the various individuals to speak ó or at least understand ó each otherís languages. Often, noted Dittmar, when IT, legal, and business do talk, "they are not really sure about what the other person is talking about." Blair noted that IT and legal people think about e-mail in entirely different ways: IT people have traditionally been concerned with issues such as mailbox capacity, attachment size, and storage. Legal and compliance types, however, focus on the content of e-mails, regulations, and e-mail retrieval.

Blair provided another example of different perspectives, using data encryption. Legal and compliance, he said, might be focused on what courts and regulators view as reasonable encryption procedures. The IT department might be concerned about balancing system performance with encryption strength. The business side might be most concerned about avoiding a bottom line impact from security breaches. And records management staff might focus on still other issues, such as whether the "decoder ring" necessary to unlock the encrypted data will be available years down the line.

There is a downside, however, to getting folks around a table: the best decisions arenít always made by committee. One suggestion, offered by a conference attendee, is to designate a new corporate officer responsible for integrating legal, IT, business and records management issues. "You need to incent someone who is held accountable for all of these issues," said the attendee. "While the CEO may be held ultimately accountable," the CEO may take the view that "I donít do IT," she said. "He may need a delegated chief."

Also of note: the e-mail experts at the conference listed a number of historic approaches to e-mail retention that, they claimed, no longer work. Check out the last bullet:

  • Take the lowest cost approach, then beg for forgiveness.
  • Just make do.
  • Let each division within a firm decide for itself how to retain e-mails.
  • Just keep everything.