Devising and implementing email retention, archiving, and retrieval policies has climbed to the top of the "to-do" list at most large enterprises, particularly public companies and those in regulated industries such as health care and financial services. However, the email-retention issue looks very different through the small-to-midsized business (SMB) lens. In what can only be described as sobering results, a recent study conducted by the University of St. Thomas in St. Paul, Minnesota, in conjunction with Intradyn, a provider of automated email-compliance solutions for the SMB market, finds that not only are many small and midsized securities firms (broker-dealers) not archiving their email, but many claim that they didn't even know they were obligated to do so.
The researchers interviewed either the compliance officer or the IT manager at securities firms with fewer than 100 employees, selected on an "nth" name basis from the membership list of the National Association of Securities Dealers (NASD). Firms of this size represent 94 percent of NASD membership. The study found that 36 percent of the respondents aren't yet archiving email. Twenty percent say they aren't even aware of the requirement to archive email. And of the people who aren't yet archiving email, 80 percent say that they don't have any plans to do so at present.
These numbers might, in fact, understate the problem. According to Gary Doan, president of Intradyn, around 50 percent of the firms contacted in the study refused to participate. It's reasonable to assume that the rate of noncompliance among firms that wouldn't answer the survey questions would be higher than that of the group willing to talk about what they were doing.
On some levels, the high rate of noncompliance is shocking. The financial services industry is highly regulated, and the Securities and Exchange Commission's (SEC's) Rule 17a, which mandates the retention of business records on nonalterable media for up to 7 years, has been on the books for a significant period of time. Moreover, since 2003, large brokerage houses have been fined more than $1.4 billion in total for, in part, the mismanagement of email communications.
But the high rate of noncompliance is perhaps understandable. Until last month, when a small brokerage house in Pennsylvania was fined $325,000 for failing to retain the email communications of its 83 employees, among other violations, no smaller firms had actually been punished for email violations. Moreover, other studies have shown that many companies across many industries aren't adequately archiving their electronic communications. One industry publication found that 59 percent of respondents across all industries weren't archiving email and IM messages as business records. Only 27 percent said they archive such messages.
Nevertheless, noncompliance poses a significant threat to many companies. According to a Forrester Research study, 10.5 percent of companies surveyed had been ordered by a court or regulatory body to retrieve email within the last year.
So why have SMBs ignored this requirement? Doan's answer is simple: cost and complexity. "They've done their research, but the cost of most enterprise solutions is beyond their means. And they do not have the technical staff to implement and manage them," he says. Intradyn offers a product to address these SMB needs--its ComplianceVault Email Archiving & Retrieval Appliance--which Intradyn comarkets with Sony Electronics. ComplianceVault is an integrated hardware and software appliance that captures a company's email continuously and stores it on both a hard disk and Sony AIT write once, read many (WORM) tape, thereby meeting regulatory requirements. According to Doan, the appliance, which works with Microsoft Exchange, IBM Lotus Notes, and any IMAP or POP3 email server, requires no integration or IT expertise. It also offers search and auditing capabilities.
Although cost and complexity are significant barriers to email archiving for SMBs, they're only part of the problem. As Doan acknowledges, SMBs haven't fully embraced the concept of using appliances to perform specific, targeted functions. They still think more in terms of software solutions, which in this case can be difficult to implement. Moreover, Doan notes, some email compliance offerings marketed as appliances are actually software/hardware bundles that still need integration. In other words, even solutions that are meant to simplify choices require users to go through a learning curve. There is no "no-brainer" answer.
Moreover, SMBs often think tactically rather than strategically about IT investments. "They have the attitude of 'if it ain't broke, don't fix it,'" Doan says. Until smaller companies start getting fined more regularly, they might not be motivated enough to explore solutions.
Intradyn also offers a backup and archiving appliance. In a study the company conducted several years ago, it found that a large number of SMBs didn't have sufficient backup and archiving processes in place--a failure that can threaten a business's very existence. Similarly, to a large degree, email retention and archiving isn't working for many SMBs. They just don't know it yet.