The News – 05/19/06

It’s Audit Time. Do You Know Where Your Email Is?

Email is the lifeblood of modern business and we all manage it every day, separating the unwanted email chaff from the wheat of important messages, finding old relevant emails, and deleting old messages we no longer need. As important as current email is, once emails get to be a year or two old, or even a month or two old, we rarely give them another thought.

Many businesses, however, not only need to be able locate an old email, but also need to certify to auditors that the email has not been changed (or deleted) and even to determine who has read it and when. For example, financial firms can be audited by the Securities and Exchange Commission (SEC) who may want to do a global search of all client communications, searching for words like “guarantee.”

Your firm may be subject to the various regulations regarding retaining old emails, but even if you're not, every business should have email retention policies for business continuity and protection from litigation.

It’s generally not a good idea to retain emails forever, which, if you are doing nightly backups that include email, may be exactly what you’re doing. Emails are business records that may be subpoenaed as part of a criminal or civil complaint against your business. The Enron debacle offers a good object lesson on this subject.

If your business is required to have email retention policies and procedures in place but does not, you are exposing yourself to the risk of an enforcement action involving monetary and other penalties. If you are in a health, finance or banking-related business, you should particularly be aware that you may be covered by email retention regulations.

Relevant rules dealing with email retention may come from the following regulations:

• SEC Rule 17a
• NASD Rule 3010
• Sarbanes-Oxley
• Graham Leach Bliley
• HIPAA
• Medicare
• Telecommunications Title 47, Part 42
• FDIC
• OCC (Office of the Comptroller of the Currency)
• FDA--Title 21>, Part 11
• DOD--5015.2 standard
• OSHA
• FERC (CFR TITLE 18)
• State legislation such as the Florida Sunshine Act

Here are more details on these regulations.

Recent surveys state that more than 90 percent of all documents produced since 1999 were created in digital form. In 2000, 83 percent of American Bar Association attorneys responding to a survey said that their corporate clients had no established procedures to deal with electronic discovery. In 2005, however, a survey of around 500 large corporations found 80 percent now have document retention policies and 75 percent have litigation hold policies.

Thus, not having email retention policies and capabilities today may place a corporation outside established practice, and that could expose your business to legal claims regarding negligence (I am not a lawyer; always seek legal counsel for information regarding your business' legal matters).

Whatever the size of your business, email management is an important challenge. According to the Radicati Group, a Palo Alto-based market research firm, the average corporate user generates and receives about 84 emails per day requiring around 10 MB of storage. Radicati believes that by 2008, emails will require 15.8 MB of space daily. Managing, searching, and retaining this volume of email can be a significant task for your IT systems and personnel.

In recent high-profile cases such as Enron, corporate email represented a gold mine of information for discovery. Is your business in the position to produce email evidence for discovery without a time-consuming and expensive effort? Are you archiving nothing, some email, or all email? Which is the best strategy for your business, given its needs for continuity (Joe leaves; Susan must take his place), regulatory compliance (SEC rules require retention of some emails for six years), and responsiveness to litigation discovery?

These are difficult questions for many businesses, and serve to highlight the need to create and follow an email retention policy and, if you are subject to retention regulations, implement an email retention and reviewing system that meets pertinent regulations.

When the auditors come knocking, asking where your email for the last six years is, they’re not going to take “I dunno” as an answer.

Briefly Noted

• Shameless Self-Promotion Dept.: I’m republishing SNS on a couple of other services now, including Gather, and I’ve changed the StratVantage Stratlets hosting to use Blogspot.
  
  I was interviewed for ManagementFirst’s Feature of the Month and got to toot my horn for a bit.
  
  The WiMAX Guys’ main business is new installs for people who want to set up wireless hotspots such as hotels, warehouses, apartment buildings, and office buildings or hotzones that cover cities. We also sell a knowledge-based Web portal called the MAX K-Base. Check out our main Website at www.TheWiMAXGuys.com.
  
  The first chapter of my wife’s novel, Knowing What You Know Today is up on her Website. The rest of the book costs money – now at a new lower price! – but it’s well worth it, believe you me. Check it out at www.debellsworth.com. She’s also put up a new site, www.empathysymbol.com to publicize the empathy symbol she designed back in college.
   
  Many issues ago I debuted SNS Begware, an opportunity for you, gentle reader, to express your appreciation by tipping your server via PayPal. See the sidebar for more info. Total in the kitty so far: $111.48.
  
  And now that I’m partnered with one of the largest advertisers on the planet, Google, that should be kicking in serious coin to the StratVantage coffers. Let’s see. The current total is: $81.84. Great. BTW, I am informed that I can’t ask you to read this issue on the Web and click on the ads due to Google’s terms of service. So don’t. You can, however, shop at Amazon, pay nothing additional, and send a spiff to me.
  
  
• FISH of the Day: The Forwarded Internet Serial Humor of the Day today comes from Patty Kolbo, and it’s a video daily double. Those of you of a certain age will remember all these dance moves, and may have committed a few of them yourselves. Enjoy.
  The evolution of dance
  
  
• Join the Alert SNS Reader Group! You may have heard of a concept called Web 2.0 (or even the more grandiose Web 3.0). Basically it’s about adding to Web-based software the kind of interactive and functionality we all take for granted in our installed software. It’s a bunch more than that as well; Web 2.0 encompasses other concepts such as Software as a Service (SaaS), Web services, and Service Oriented Architecture (SOA). These are all fancy technologies that enable an ordinary person – or at least an ordinary programmer person – to pull together bits of functionality available on the Web to create something new. 
  
  So to demonstrate the power of Web 2.0, I invite you to join the Alert SNS Reader Group.
  
  
• We Don’t Need No Stinkin’ Horses! Alert Prince Charles! At last, someone has found a good use for the Segway scooter. And it took a Silicon Valley genius to do it. Steve Wozniak, inventor of the original Apple personal computer, offers the coveted “Woz Challenge Cup” to the world champion Segway Polo team.
  
  Woz’s team, the Aftershocks, and the New Zealand Pole Blacks played five chukkers in the 1st World Segway HT Polo Games of 2006. Unfortunately, the match ended in a 2-2 tie. Despite this, the cup will reside in Auckland with the Pole Blacks until the 2006 SegFest when representatives from their team will bring the cup to the U.S. And if you’re eager for more action, the next International Segway HT Polo Games will be held in California in Summer, 2007.
  Segway HT Polo
  
  
• Things Not In the Constitution: Alert SNS Reader Doug Laney sends along a link to The US Constitution Online, which has a section detailing rights and conventions commonly, and erroneously, assumed to be part of the constitution. They include: separation of church and state; executive order/executive privilege; right to privacy (a common right-to-lifer sticking point); jury of peers; innocent until proven guilty; and even the right to vote. It’s interesting reading.
  US Constitution Online
  
  
• It’s Been 21 Years of Windows: Looks like we all missed a pretty big milestone last fall: Windows has reached its majority; it’s now of a legal drinking age! Ah, how I remember Windows 1.0 beta, just a toddler of an operating system, nothing much more than a file manager with fringe benefits. And it seems like only yesterday that the first really useful Windows came out, Windows 3.0, with its cute Unrecoverable Application Errors. Isn’t that just like a kid, blaming everyone else for its shortcomings? And I remember, too, the gangly adolescence of Windows 95, when its reach exceeded its grasp, and UAEs, previously restyled General Protection Faults (GPFs), turned into Blue Screens Of Death (BSOD) – certainly a more mature, if not overtly petulant, way to address failure. Then there were the truly awkward years of Windows Millennium, when, like most teenagers, it hardly worked at all.
  
  Yes, we thought we might be finally out of the woods when Windows turned 18 and XP looked and acted a lot more grown up. As it turned out, like most high school grads, XP still had a lot to learn, and we struggled through two major Service Pack releases to reach the final pinnacle of Windows’ coming of age: Windows XP Version 2002 SP2 with hotfixes KB873333, KB873339, KB883939, KB885250, KB885835, KB885836, KB886185, KB887472, KB887742, KB887797, KB888113, KB888302, KB890046, KB890175, KB890859, KB890923, KB891781, KB893066, KB893086, KB893756, KB893803V2, KB894391, KB896344, KB896358, KB896422, KB896423, KB896424, KB896428, KB896688, KB896727, KB898461, KB899587, KB899588, KB899589, KB899591, KB900485, KB900725, KB900930, KB901017, KB901214, KB902400,  KB903235, KB904706, KB904942, KB905414, KB905749, KB905915, KB908519, KB908531, KB910437, KB911562, KB911567, KB911927, KB912812, KB912919, KB913446, KB913580!
  
  It’s been a long struggle bringing up Windows. But now we can look back with pride at how we’ve taught Microsoft what it means to be an operating system.
  
  That, of course, reminds me of one of my favorite aphorisms. Microsoft divides people into two groups: Microsoft employees and beta testers.
  Vista Ultimate
  
  
• Is Your Telephone Company Too Gay? Alert SNS Reader Seth Freeman sends along a link to some hilarious phone goofing by comedian Eugene Mirman. Mirman was plagued by phone calls from a phone company (United American Technologies) trying to get him to switch from his current phone company to a Christian one that didn’t support gay marriage and pornography. The three recorded phone calls are very surreal (but a bit rude).
  Eugene Mirman
  
  
• This Can’t Be True, Can It? I don’t quite know what to make of this well-done documentary that asserts that the US government was complicit in the 9/11 attacks. Decide for yourself.
  Loose Change
  
  
• RFID Viruses – Another Architecture Security Failure: I’ve railed before about the inherent architectural insecurity of Voice over IP’s SIP protocol, and now I have to rage again about Radio Frequency ID (RFID). RFID is a way to wirelessly get information from tagged objects. Currently mostly used on large objects like railroad cars and pallets and cases of products, eventually RFID will be inside individual packages of consumer packaged goods (like razors or cereal boxes) and also inside people. In fact, one company recently announced it would be chipping its employees so it could do away with access cards.
  
  Well, no matter what you think about the personal privacy aspects of these new developments, you’d have to agree that implementing an architecture that has gaping security holes to perform tasks such as identifying you (either by an implanted chip or via your US passport, which will soon carry an RFID chip) it a very bad idea.
  
  Now comes the news that the first RFID virus has been created in the lab. Luckily there are no known RFID viruses in the wild, but, really people. When will we ever learn?
  
  Researchers from the Computer Systems Group at the Vrije Universiteit in Amsterdam announced that data from RFID tags can be used to exploit back-end software systems. The scientists note, “RFID malware is a Pandora's Box that has been gathering dust in the corner of our 'smart' warehouses and homes. While the idea of RFID viruses has surely crossed people's minds, the desire to see RFID technology succeed has suppressed any serious consideration of the concept. Furthermore, RFID exploits have not yet appeared in the wild. So people conveniently figure that the power constraints faced by RFID tags make RFID installations invulnerable to such attacks.”
  
  Add to this a recent Wired Magazine article entitled, The RFID Hacking Underground, in which several RFID systems were easily compromised by security experts, and you wonder why security is always the last thing on IT architects’ minds.
  
  And, BTW, you can chip my body when you pry it from my coffin.
  Silicon.com