Topics >  Managing Technology >  Business Software >  E-mail > 

What's Next: Data Disasters

If litigation requires you to produce every e-mail your employees have written about a given topic, could you do it? If not, you could be looking at jail time. Really.

When it comes to the Internet, nothing is ever really forgotten and everything leaves a trail. This can be good or bad for business, depending on where you stand in relation to the law. These data trails can be used to find who has been stealing your trade secrets--or to bust you if you are the thief. They can show who is working and who is goofing off. They can tell you a heck of a lot about who your online customers are, allowing you to make better decisions and more money. This information is extraordinarily valuable, and there are laws that require companies to produce it, and do it right now. But it hasn't been easy to do until a San Francisco start-up called Addamark Technologies figured it out.

In the pre-Enron, pre-WorldCom, pre-Tyco, pre-you-name-the-crooked-company days, the legal rules for retaining communication records said only that a company had to be consistent. You couldn't, for example, keep all e-mails except those having to do with a hostile takeover or a case under litigation. If it was your company's policy to erase all old e-mails once a year or once a month, that was okay, as long as the policy was in writing and was strictly followed. Enron, for example, wiped clean its e-mail slate every 72 hours, which is hardly a surprise. Today the rules have changed. Public and many private companies have to keep a copy of written communication of every type (letters, e-mails, even Internet instant messages) for up to seven years. You have to keep the copies in a form that allows their authenticity to be verified, whatever that means. Not only that, but you must keep a second copy of every message in a different location in case of fire or natural disaster. The second copies must be on nonerasable storage media, such as optical disks. And if the SEC asks you to provide a copy of any given document or every given document you have until close of business today to do it. Almost no company can do this.

If you are a health care organization, an insurance company, or even a human resources department, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires as of this year that if a client asks you for a list of every person or organization with whom you have shared his or her medical records you have to provide that list...on the spot. Almost no organization can do this.

And if you aren't a public company, don't engage in health care, or have no human resources department, you still aren't off the hook, because these are becoming the accepted standards for all companies. If you still dump e-mail every 72 hours and end up in court, you are effectively guilty as charged.

Penalties for noncompliance right now are mild, but they are sure to get stronger in the future, right up to sending people to jail. The new SEC regulations, for example, hold the CEO personally responsible for record retention, meaning he or she, not some nerd in the computer room, will be doing time. Then there are the civil penalties that will come from the inevitable lawsuits. It is possible that every customer of a hospital or clinic could walk into small claims court tomorrow and walk out with $1,000 or more because the paper trail of who got their records couldn't be produced or was incomplete. Every hospital and clinic in America is vulnerable, for they are all in violation. And while HIPAA doesn't specifically provide for private legal actions, neither does it prohibit them if other laws are being violated too. So we're in a whole lot of legal trouble and most companies don't have the technology to comply with laws already on the books, much less the even stricter ones likely to follow.

It could have been argued that these legal requirements are unreasonable, but then along came Addamark.

And then there is data theft. Electronic documents are stolen all the time, and it usually isn't through some high-tech cracking scheme but an inside job. The bad guy is often a disgruntled employee, or someone who appears to be an employee but is really a competitor using an employee's login name and password obtained through a process called "social engineering." "This is Mitch in IT; we're working on the network and need your login and password to check something out." Only Mitch is calling from your top competitor. This really happens. There is an evidence trail of all this in your phone system and on your servers, if only it could be found.

The problem here isn't generating the information, which is done automatically by every e-mail, database, or Web server application. The problem isn't storage, because data storage is cheap and always getting cheaper. The problem is finding what you need--a problem that until recently looked insurmountable. Log data, which is what we are talking about, is huge. Just the e-mail system for a large company can generate terabytes of log data per day (that's one thousand billion bytes) concerning who said what to whom and what path the message followed. That's for one day. The new SEC regulations say a company has to hold those records for approximately 2,000 days, and most companies are deciding just to keep them forever.