The US National Association of Securities Dealers (NASD) has claimed that the bank inappropriately deleted millions of emails, which Morgan Stanley claims were lost in the 9/11 terrorist attack. However, the company did not disclose that the email records still existed.
Although many of the facts in the case are in dispute – for example, Morgan Stanley claims that it did disclose the existence of the back-up tapes, while the NASD states that it did not – the fact remains that Morgan Stanley was not sure which emails it had back-ups of or where they were kept. This emphasizes yet again the importance of implementing an email management strategy, part of which must include the retention of emails.
Each time there is a story relating to an indiscretion regarding email, it provides IT security analysts with an opportunity to get on one of their hobby horses, and, over the past few months, there have been plenty of opportunities. Instances such as these emphasize the importance of putting in place effective email management systems that ensure that an organization knows exactly which emails it has and that they are discoverable.
The only effective way of achieving this is by implementing an email archive, and ensuring that emails are archived directly from the journal as soon as they are received by the organization and before an end user can delete them. This is particularly important for organizations in regulated industries such as the financial sector, where emails should be retained for several years.
However, implementing an archive alone will not guarantee a successful email retention policy. Organizations should also consider appointing a person with ultimate responsibility for managing the retention of information (not just emails), and ensuring that it is discoverable.
The number of companies that fail to implement email archives because they claim that they do not have the resources required to manage the archive, yet are forced to call in external consultants to help them locate the information, including emails, when they receive a discovery request is quite astounding.
In many cases, including that of Morgan Stanley, even after this discovery process has been completed at a very high cost, the company is still unable to state categorically that all relevant emails have been discovered, resulting in large fines being levied – fines that would have more than paid for an email archiving system, and a person to manage it.
While companies fail to react to the threat of litigation or the increasing number of regulations that require the retention of information, including emails, we will continue to see companies such as Morgan Stanley face ever-larger fines, in some cases caused by a lack of email management many years ago. This calls for a policy to not only put future emails into an archive, but all the historical emails that reside on back-up tapes located in the vaults of an external storage facility.
Claiming that email back-ups were destroyed in a disaster several years ago is no longer a defense, as it can never be guaranteed that all copies were in fact lost or that there are not copies surviving on laptops or other mobile devices, which Morgan Stanley is discovering to its cost.
Source: OpinionWire by Butler Group (www.butlergroup.com)