Two recent announcements address new targets in the compliance arena—Web conferencing and Office documents—and anyone implementing collaboration in the enterprise should pay attention. Nemertes’ latest research shows that although companies have focused their compliance efforts on industry- and regulation-specific data types (patient information, financials, etc.), more IT executives are starting to consider solutions for archiving and retrieving other forms of information, including semi-structured and unstructured data.
WebEx Retention Solutions, from conferencing vendor WebEx, automatically captures meeting content, including chat, presentations, and recorded audio and video, then creates searchable indexes of the data. The content can be tied into a company’s storage network for archiving and compliance purposes. Although the solution is being marketed to financial services companies, there’s no reason other organizations can’t take advantage of its features and functionality as they address Sarbanes Oxley and other regulations, or simply their own corporate governance policies.
Meanwhile, C2C Systems, a privately held provider of e-mail archiving software for Microsoft Exchange, announced a partnership with Bridgehead Software, which makes file-archiving solutions, letting users create an integrated archiving solution for e-mail and other file formats such as Office documents. The joint solution offers policy-driven archiving, quick retrieval, advanced search and discovery, and other integrated features.
Both the announcements could prove valuable to IT executives who need to start managing their corporate data at all levels. The WebEx system doesn’t have to be used for compliance—it could serve as a quick-and-dirty content-management application. But it has unique compliance advantages for companies in heavily regulated industries, such as financial services and healthcare, that need to start thinking about how any person-to-person interaction is being retained. The C2C partnership has the advantage of letting companies set one policy to control all document-compliance needs.
Vendors that currently focus on other areas of compliance should seriously consider additional data types that require their services. Collaboration vendors should partner with compliance vendors or develop their own compliance services. When it comes to compliance, many IT executives are waiting for the case law to help them determine what needs to be archived, and for how long. But you can bet that if e-mail is a target (and it is—the only question is, to what degree) other unstructured data isn’t far behind (including, even, VOIP calls).
Companies today are faced with an onslaught of regulations, many of which apply to or require the use of information technology. These statutes—which include Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley, the USA Patriot Act, the California Security Breach Law, Securities and Exchange Commission rule 17a-4, the Can-Spam Act and many, many others—often dictate how and when enterprises share information, with and among employees, partners, and customers. Since many employees use e-mail, IM, and collaboration applications in their day-to-day work environment, it’s reasonable to worry about how the regulations apply to those apps—and the data within them.
Among participants of Nemertes’ benchmark “Secure Messaging in a Changing World,” 71% are governed by one or more regulations. Surprisingly, however, many IT executives at those organizations say they aren’t sure how those regulations affect messaging or collaboration—they’re waiting to hear an answer on that from the company’s legal or compliance team. (The one exception is HIPAA, which clearly says that companies cannot send patient information to just anyone, e-mail and IM included; it’s reasonable to assume collaboration and content management applications are also covered under this regulation.)
Indeed, it can be difficult to assess whether certain rules apply to e-mail and IM, let alone collaborative applications such as teamrooms, blogs and wikis. Nevertheless, paying attention to compliance is critical for two main reasons: money and reputation. Companies and executive officers found non-compliant are subject to fines and jail time, but perhaps just as important, they risk damaging their own and their company’s reputations in a post-Enron world.
For example, failure to comply with HIPAA could find hospital executives, physicians and others facing fines of up to $25,000. Certain criminal violations could cost individuals and organizations $250,000 and up to 10 years in jail. The bad publicity that will surely accompany such a penalty can’t be measured (except, often as not, in stock prices).
E-mail is designed to leave a breadcrumb trail; a copy on any message server may get deleted or archived, but it’s there if companies want it. With public IM, such as AIM and MSN, there is no breadcrumb trail. That can lead to policy threats around corporate compliance—the loss of private information, and the inability to track uncontrolled and inappropriate employee behavior. For this reason, many companies are leery about officially sanctioning the use of IM. But unless they’re blocking it from the network (and even then, many tech-savvy employees will find ways around that), IT executives can be pretty sure people are using public services. According to our research, roughly two-thirds of companies use the consumer IM services, whether its officially allowed or not.
We recommend that any company regulated by HIPAA or SEC rule 17a-4 use a third-party archiving tool, such as FaceTime or IM Logic, or an enterprise-class IM system that can provide archiving and retrieval capabilities. Archiving (and retrieving) messages is a big part of messaging compliance—and it’s different from the kind of messaging storage typically needed for back-up and recovery efforts. With those, companies need to access all messages so that they can all be restored to the system in case of failure; access to individual messages isn’t an issue (indeed, the operation is always done as a batch job).
But compliance regulations require that individual messages be retrievable—a much more challenging IT proposition. Some companies manage the problem by setting strict limits on how long they keep messages, the thinking being if they don’t have the messages, they can’t be expected to retrieve them; one CIO told us his company deletes e-mail after two business days. There is no clear answer on how long companies are required to keep messages in any of the common regulations, but simply deleting them is not a good practice when it comes to legal discovery; recent rulings have shown that courts won’t necessarily take “we don’t have them anymore” for an answer, and resultant fines can be steep (in the millions of dollars steep).
When it comes to compliance—whether it’s around messaging and collaboration or not—education is key. No matter how good a company’s technology is, employees will always find ways around it, and ultimately they’re the ones who have control over information and how it’s shared. An employee who can’t electronically share unauthorized information can find other ways to pass it along, including stuffing copies of documents in his pocket. Companies will not be able to completely safeguard against breaches unless they take extraordinary measures, including physical searches and background checks.
But most employees want to do the right thing—and they will if they know what that is. That’s why it’s so important for companies to have written policies around all compliance issues, including messaging and collaboration. Such statements should be acknowledged and signed by everyone working for or with the company and include details on what kind of content is permitted to be shared, and in what ways; how attachments should be handled; how and when messaging and collaborative technologies can be used for personal business; whether and when messages and other documents must be encrypted; how the company handles viruses and spam, and what it expects end users to do; and what the penalties are for non-compliance. Surprisingly, for instance, 26% of participants say they have no messaging use policies in place.
Only 23% of participants are using software to help ensure e-mail and/or IM complies with the necessary policies and regulations, and we haven’t spoken to any using technology to help with compliance around collaboration. Many companies simply haven’t gotten around to implementing software to help them with the issue; 20% said they planed to in the coming 12-24 months.
And few companies today are doing any ROI calculations around compliance software on the messaging or collaboration front; the ROI on compliance is usually a calculation of risk: How likely is it that a company’s efforts without it will lead to non-compliance, and if it does, how likely is it that the company will be found accountable (and for how much), and what effect will the revelation have on stock prices? Furthermore, most companies are still deciding where and how compliance affects e-mail, IM and collaboration tools. Compliance software can’t help them enforce the rules until those rules are nailed down.
But the truth is, companies shouldn’t rely on the law to tell them how to safeguard their information—they should start taking matters into their own hands right now. As more employees use collaboration applications such as IM, conferencing, blogs, wikis and teamspaces, the work they produce within those apps need to be secured and protected.