A.P. Lawrence

2005/07/30 Archiving All Email

Nowadays, the problem isn't really so much how you do this, but rather is the legal morass surrounding it. The "How" is easy: with sendmail you can use procmail recipes or even milters to squirrel away copies of incoming and outgoing mail. Commercial products like Kerio Mail Server have direct support for archiving incoming or outgoing emails.

Some companies have legal need to do this. Sarbanes-Oxley may require it for many companies, as more and more do business by email. On the other hand, privacy laws, particularly with regard to medical records, are more stringent than ever. So, let's say we have a company that deals with stock transactions, and the SEC or Sarbanes-Oxley requires them to archive email. OK, now an internal employee sends a note to their doctor concerning a work place accident. Is it legal to archive that? Is it legal to read it? I sure wouldn't know, but it's the kind of thing you had better know the answer to before you turn on archiving. At http://www.intranetjournal.com/articles/200503/pij_03_08_05a.html, this subject is discussed in the context of the Sarbanes-Oxley Act and it is noted that:

information maintained that is not required for compliance does
not serve the company and has the potential to be evidentiary

Good luck trying to algorithmically determine which email is required for compliance. We can't even filter spam with 100% accuracy; how could you expect to figure out whether storing a particular piece of email was necessary to keep you out of trouble or vice-versa?

Comments /Words2005/2005_07_30.html


Sat Jul 30 14:27:05 2005: Subject:   BigDumbDinosaur
We can't even filter spam with 100 accuracy; how could you expect to figure out whether storing a particular piece of email was necessary to keep you out of trouble or vice-versa?

Obviously, you can't. The solution is to create and enforce a stringent policy of no personal use of company E-mail facilities, and to monitor traffic to assure compliance. Doing so would be considered due diligence on the part of the employer, assuring compliance with Sarbanes-Oxley, and would also give the company legal standing in terminating any employee who used company E-mail to communicate personal matters (e.g., with his doctor about a workplace injury). It's a very Draconian approach, to be sure, but in these hyper-litigious times, very necessary. One of my clients does exactly what I have described and to date, their policy has survived legal challenge.

The Sarbanes-Oxley Act is a prime example of our legislators reacting to a perceived problem without fully understanding the consequences of their actions. Sarbanes-Oxley also somewhat contrevenes case law regarding business E-mail, in which it has been established that a company has the right to monitor and, if necessary, censor E-mail that passes through its facilities. In that respect, E-mail should be treated no differently than the office telephone system: it is a company asset and therefore its use can be regulated by company policy.



Add your comments

Why no "Digg this!" etc.?

Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here