
The regulation race: Compliance is key

Governments are enforcing strict new guidelines on archived data. Will your company be compliant with data regulations in time? Mike Ross, chief technology officer at ICL, discusses the growing importance of e-mail compliance.
Johannesburg, 30 Jul 2004

Sweeping initiatives are being introduced across economies worldwide, requiring organisations to retain records and prevent them from being erased or modified for substantial time periods. The main thrust behind records-retention regulations is the desire to maintain an exact record of activities in order to improve corporate governance. There are many initiatives in SA to which companies must respond today.

Putting the right infrastructure in place

Complying with these regulations, whatever their source, involves three distinct areas:

Data storage - security, data integrity, cost of ownership, performance, accessibility and recovery.

Applications - records protection, online indexing, categorisation, search and audit capabilities.

Policies and procedures - how data is to be moved and stored; how, when and by whom it can be accessed and modified; and if and when information should be destroyed after the designated retention period.

Establishing a data retention and protection policy

When establishing the medium that underpins data retention and protection policy, it is important to consider:

Fast data access - an intention of these regulations is to enable investigators and company lawyers to find records quickly and respond to requests for data. This precludes the use of offline or off-site storage on tape or optical disks.

Ability to search - Magnetic disk storage is efficient in enabling fast searches across large amounts of data without the need for locating and mounting tapes or optical media.

Cost-effectiveness - The cost of high-capacity magnetic disk storage continues to drop. Magnetic storage systems now also offer a WORM (write once, read many) capability that enables users to write records that cannot be modified under any circumstances.

Choosing a magnetic disk technology

Disk drive systems have improved in reliability and capacity while dropping in price, making them highly competitive. However, hardware alone does not provide a solution. To provide performance indexing, search, fast backup and remote mirroring, companies need optimised software.

Key features to look for in a disk-based storage system are:

Speed. Slow drives can tie up servers and users unnecessarily when archiving records. Look for a high performance system that does not sacrifice speed.

Stable operating system. Using a common OS and management interface consistently across all product lines ensures a vendor gives users great flexibility in architecting compliant solutions.

Open protocols. The storage system should provide open protocol access. Use of proprietary APIs should be avoided. These make it more difficult to access or migrate data over the years.

Simple and effective WORM implementation. It is simple to enable WORM functionality and to modify applications to work with the data-retention requirement. Magnetic WORM storage systems only require two lines of code: one to set the expiration date, the other to WORM the file.

Data management tools. The system should safely retain regulated data, yet also be usable for other applications such as data backup, disaster recovery, general reference information and general storage.

A secure clock. The system should not allow expiration of retention dates simply by setting the clock forward to the future, as this would permit inappropriate modification or deletion of records before their retention period has passed.
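The WORM commit and secure-clock requirements above, modelled as an added example (not code from the article or from any storage vendor): `ComplianceClock` and `WormStore` are hypothetical names, and the clock is assumed to advance only with a monotonic tick, so moving the system clock forward cannot expire a record.

```python
import os
import stat
import tempfile

YEAR = 365 * 24 * 3600  # seconds; leap days ignored

class ComplianceClock:
    """Retention clock driven by a monotonic tick, not the settable wall clock."""
    def __init__(self, start_epoch, monotonic):
        self._start, self._monotonic, self._tick0 = start_epoch, monotonic, monotonic()

    def now(self):
        return self._start + (self._monotonic() - self._tick0)

class WormStore:
    def __init__(self, clock):
        self._clock, self._retain_until = clock, {}

    def commit(self, path, retain_until):
        # The article's "two lines": set the expiration date, then WORM the file.
        self._retain_until[path] = max(retain_until, self._retain_until.get(path, 0))
        os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)

    def delete(self, path):
        if self._clock.now() < self._retain_until[path]:
            raise PermissionError(f"{path} is under retention")
        os.remove(path)

def demo():
    ticks = [0.0]            # constructed monotonic source the demo can advance
    wall = 1_091_145_600     # constructed wall-clock reading: 30 Jul 2004 00:00 UTC
    store = WormStore(ComplianceClock(wall, lambda: ticks[0]))
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "contract.eml")
        with open(path, "w") as fh:
            fh.write("constructed sample record\n")
        retain_until = wall + 6 * YEAR
        store.commit(path, retain_until)
        wall += 7 * YEAR     # someone sets the system clock forward
        results["wall_clock_says_expired"] = wall >= retain_until
        try:
            store.delete(path)
            results["deleted_early"] = True
        except PermissionError:
            results["deleted_early"] = False
        ticks[0] += 6 * YEAR  # six years genuinely elapse
        store.delete(path)
        results["deleted_after_retention"] = not os.path.exists(path)
    return results
```

A retention check that trusted the wall clock would have released the record after the clock change; the tick-driven clock releases it only once the full period has elapsed.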

For organisations needing to comply with records-retention regulations, magnetic disk storage solutions today offer the best combination of reliability, simple implementation, cost-effectiveness, data access and data protection.

E-mail management is not just about the filtering and monitoring of pornography within an organisation. The information held in the corporate e-mail store can literally benefit the business on just about every level - commercially, legally, financially, as well as individual employees. With the proper e-mail archiving and management system in place, this information can directly contribute to the bottom line of the business, as Somerfield Group discovered.

With an annual turnover of £5 billion, 59 000 employees and almost 7% of the total UK grocery market, the 1 300 Somerfield and Kwik Save stores that comprise the Somerfield Group open their doors to more than 12 million consumer visits each week.

E-mail is particularly important to the food retailer's business because it is the main channel of communication between its buyers and suppliers. It often provides the only written record of the agreed terms and conditions of a deal. While e-mail increases both speed and efficiency for buyers, it also creates a logistical and legal nightmare for business control, making it virtually impossible to audit, store or find records relating to individual commercial transactions.

Governance and volume issues

In September 2002, Somerfield selected and standardised on Enterprise Vault from KVS. "As a company, we generate around 100 000 e-mails every week," said Colin Clark, corporate cost audit manager for Somerfield Stores. "With the majority of our commercial negotiations being conducted by e-mail, we need to ensure that confidential information stays within the business, and that contracts along with e-mails relating to negotiations, are properly stored so that we are protected as a business from any legal action in the event of a contractual dispute. In addition to the corporate governance issues, we also needed to deal with the sheer volume of e-mail traffic and e-mail misuse, which was creating costly, unstable and storage-intensive PST files."

Somerfield deployed the journaling functionality of Enterprise Vault first. This enabled the company to capture all external e-mails involving commercial negotiations, making them easily searchable and retrievable. Somerfield then deployed the mailbox archiving facility within Enterprise Vault, which negates the need for e-mail quotas, eliminates PST files and provides each user with an unlimited and easily searchable mailbox.

"By far, the greatest benefit of Enterprise Vault has been the ability to search and discover the truth - nine times out of ten this resides in the corporate e-mail system," added Clark. "We've been able to take a large, unmanaged mass of data that articulated appropriate e-mail use regarding porn, abusive language and offensive content."

With Enterprise Vault, Clark and his team are able to identify when the e-mail policy has been breached without having to read personal e-mails. Instead, they can send a polite warning to an employee in the first instance without violating their privacy.

A member of the buying team left the company and deleted all of his e-mails and PST files. Using Enterprise Vault, Clark was able to retrieve the lost e-mails for his replacement, which revealed £120 000 worth of savings with a particular supplier. This was a direct bottom line saving to the business - without it, the invoice would have gone unnoticed.

After one of Somerfield's temporary contractors left the company, Somerfield was able to trace his lost e-mails. Based on their content, they discovered he had not been doing the work he was being paid for. Out of 200 e-mails, just three related to actual business correspondence. As a result, Somerfield was able to recoup some of his salary.

One of Somerfield's suppliers went into receivership. Somerfield had an outstanding claim of hundreds of thousands of pounds and was able to provide the official receivers with 973 e-mails supporting its case.

An employee was leaving to go and live and work in Spain. She had e-mailed her bank details to her bank in Spain, but the e-mail had bounced. After her departure, her e-mail account had been closed, but Somerfield was able to locate and resend the e-mail at her request.

Somerfield was unhappy with the levels of service it was receiving from one of its software suppliers. By searching Enterprise Vault, Somerfield was able to retrieve correspondence relating to specific agreed service levels and prove the supplier had failed to deliver its agreed service levels.

Somerfield's Head of Legal had been searching for an e-mail for three months. With Enterprise Vault, she found it in seconds. This is invaluable to the business. As Clark says: "What do you do when someone leaves the company and in six years' time, you need to remember whose inbox contract negotiations resided in?"

One of Somerfield's suppliers claimed that Colin Clark had personally agreed a full and final settlement on an outstanding query, implying he had sent an e-mail, when in actual fact he hadn't. Using Enterprise Vault, Clark was able to prove every e-mail that had been sent, thereby saving the company £100 000.

Legal limitations

Somerfield's retention policy for storing e-mail is straightforward. It is driven entirely by the UK law of commercial contracts, which places a six-year limit on all deliberations. However, because of Enterprise Vault's ability to store yet retrieve e-mail content and attachments offline from the e-mail server, Somerfield Group has adopted a policy of keeping everything.

"The KVS system easily paid for itself within three to four months," added Clark. "Installation went like a dream and we've been extremely happy with it ever since. Enterprise Vault now sits alongside content filtering software, which manages spam and other inappropriate e-mails coming into the corporate system." Since installing Enterprise Vault, Somerfield has been able to archive, search and retrieve more than four million e-mails over 18 months.

"I've never lost a single e-mail since September 2002," added Clark. "And because we have proof of what's actually occurred, not one of our disputes has ever gone to court. The number of disputes headed to our legal department for further action has also decreased. Word has got round that we keep a permanent record of all e-mail correspondence and that we're able to lay our hands on it in a matter of seconds. That tends to stop people calling your bluff."

Having installed Enterprise Vault for e-mail management, archiving and journaling, Clark and his team are now considering installation of Enterprise Vault for File System Archiving within the current financial year. "With our move to thin client, we intend to prevent users from storing any data on their local drives, which will make the network much more critical to the business," concluded Clark. "Enterprise Vault will play a critical role in our business systems as we move forward."

KVS Inc

KVS is the global market leading developer of e-mail and content archiving software solutions that provide total lifecycle management for information in messaging and collaborative systems. KVS' flagship software, Enterprise Vault, manages all unstructured content including e-mail, file systems, SharePoint Portal Server and instant messages. Enterprise Vault enables users to significantly reduce risk and increase operational efficiency while meeting regulatory requirements for compliance and adhering to best practice and corporate governance for electronic data retention.

Founded in 1999 and privately held, KVS has offices across North America, the UK, Europe and Australia. For more information, visit www.kvsinc.com.

ICL

ICL South Africa is part of the global IT services and solutions company Fujitsu Services Plc, which is a wholly owned subsidiary of Fujitsu Japan, the third largest IT company in the world, with annual revenues of $38 billion and over 35 000 employees.

ICL South Africa has moved from being predominantly hardware focused to becoming an IT services and integration specialist, combining its in-house expertise with selected partners from the whole spectrum of the IT industry.

Headquartered in Johannesburg, ICL SA has offices in Pretoria, Durban, Cape Town and Port Elizabeth.

www.iclafrica.com

Editorial contacts

Charles Smith
Sha-Izwe/CharlesSmithAssoc
(011) 447 1254
charles@csa.co.za