How To Archive

(1)

Proofpoint, Inc. 892 Ross Drive Sunnyvale, CA 94089 P 408 517 4710 F 408 517 4711 [email protected] www.proofpoint.com

Financial Best Practices Whitepaper: Archiving

Why Email Archiving and eDiscovery Are More Important than Ever

for Financial Services Firms

(2)

Until now, many enterprises and financial ser-vices firms have treated email archiving and eDiscovery as special technologies pertinent only to a few departments or organizations. Un-der Dodd-Frank, firms have a compelling reason to archive communications across the organiza-tion and to be certain that they can search their archives in a timely fashion for specific email messages pertinent to a regulatory investiga-tion.

New regulations are being enacted all the time, and trends in federal law and state law suggest that data privacy, data breach, and eDiscov-ery regulations are only going to become more stringent.

(3)

Contents

EYES EVERYWHERE

With the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act in July 2010, a fundamental shift has taken place in financial services regulation in the United States.

Before Dodd-Frank, regulations required financial services firms to archive data relevant to specific busi-ness transactions and financial activities. By examining archived email, regulators could determine whether a firm had violated any laws or regulations about a specific type of behavior. Was a broker touting stocks in email? Examining the archives required by SEC 17a-4 would reveal the answer. Was a management team wrongfully divulging or concealing financial information? Examining communications preserved in accor-dance with Sarbanes-Oxley would resolve the question for investigators.

Each in their own way, regulations such as FINRA, SEC 17a-4, NASD 3010, Sarbanes-Oxley (SOX), and Gramm-Leach-Bliley (GLBA) required broker-dealers and other financial services firms to be able to dem-onstrate that they were conducting their business operations properly, safeguarding material financial data, not touting stocks, and so on. The number of records to be searched might be vast—hundreds of gigabytes or even terabytes. The required discovery time might be short—a matter of days, especially if counsel was interested in reviewing the material before turning it over to the court.

But the scope of the search, however daunting it might seem, tended to focus on a specific department or a type of operation. A search might even pertain to a single business transaction or a single email message. Compare that narrow focus to the broad regulatory swath defined by the Dodd-Frank Act. To take one example, Dodd-Frank establishes the Financial Services Oversight Council, which includes the Secretary of the Treasury and heads of specified federal financial regulatory bodies. This council’s charter includes investigating “the nature, scope, size, scale, concentration, and interconnectedness, or mix” of a company’s activities in order to determine if the company poses “a threat to financial stability or to the economy.”1

No longer is the focus on a specific transgression or a pattern of transgressions. Now regulators are en-joined to be ever vigilant for financial services firms whose mix of activities or deals might constitute a threat to themselves or to the economy overall.

The only way to assess such a threat is for regulators to be continuously monitoring the internal operations of a firm. To understand the “mix” of a firm’s activities, for example, regulators must have continual access to internal information from multiple departments and divisions. To understand “interconnectedness,” regulators need to understand whom a firm is working with, what sort of partnerships it’s forming, and what sort of deals it’s structuring.

With Dodd-Frank, the regulatory focus has shifted from improperly conducted operations to business strategy itself. Narrow regulatory scrutiny becomes broad. And the volume of data to be searched and analyzed upon short notice becomes astronomical.

Until now, many enterprises and financial services firms have treated email archiving and eDiscovery as special technologies pertinent only to a few departments or organizations; to broker-dealers, for instance. Under Dodd-Frank, now, firms have a compelling reason to archive communications across the organiza-tion and to be certain that they can search their archives in a timely fashion for specific email messages pertinent to a regulatory investigation.

New regulations are being enacted all the time, and trends in federal law and state law suggest that data privacy, data breach, and eDiscovery regulations are only going to become more stringent.

THE LIKELIHOOD OF LITIGATION

Aside from ever-increasingly regulatory scrutiny, financial services firms have plenty of other reasons for investing in email archiving and eDiscovery.

Take litigation. In 2008, about 83% of U.S. corporations are involved in litigation of some kind or other, ac-cording to a survey by Fulbright & Jaworski. That survey also found the greatest increases in multi-plaintiff cases concerned wage and hour, discrimination, and privacy issues — issues, in other words, where evidence is likely to involve H.R. issues and could potentially touch any department in the organization.2_{Studies by}

other organizations bear this out. A quarter of Fortune 500 companies have had to defend themselves against sexual harassment litigation, according to the American Management Association. Other types of litigation, such as anti-trust litigation and patent infringement litigation, can pose even higher risks and generate even high costs.

Lawsuits happen, and when they do, the court is likely to order a firm to produce email messages as evi-dence. Over half of U.S. companies have been ordered by a court or a regulatory body to produce employee

eDiscovery Defined

Electronic discovery typically refers to the retrieval of electronic data to meet a legal request. The term is also used when data is retrieved for regulatory compliance, HR concerns, validation of client correspondence or other corporate needs.

The electronic discovery burden on IT organizations has increased both in frequency and scope. Osterman Research, Inc. found that during the past three years, 72% of IT organiza-tions were required to search through backup tapes to retrieve one or more email in response to a legal or HR request. The same survey found that nearly 38% of organizations were or-dered by a court or regulatory body to produce employee email.

(5)

Proofpoint: Email Archiving and eDiscovery for Financial Services Page 2

email or instant messages, according to a recent survey by Osterman Research. Companies—including well-known financial services firms—have been fined millions of dollars for failing to produce relevant email evidence in a timely manner.

The Federal Rules of Civil Procedure (FRCP), which govern procedures for civil lawsuits in the United States, were revised in 2006 to clarify the requirements for the delivery of electronic evidence. The rules require that firms be able to search and retrieve requested data within timelines established by the court. Failure to comply with FRCP guidelines can result in hefty fines. For example, when a mobile technology company was found to be withholding damaging email messages from the court, the company was fined $8 million.

To be prepared for legal discovery, organizations must know where all their email data is stored, and be able to search through and retrieve that data in a short period of time.

KEEPING TABS ON VITAL BUSINESS DATA

Even aside from the benefits of regulatory compliance and legal defense, keeping email and knowing what’s in it is simply a sound business practice. Roughly 60% of business-critical data resides in email. Being able to search and retrieve messages containing important data, such as business agreements, drafts of con-tracts, and so on, only makes sense. Email also provides an essential archive of knowledge from previous employees, most of whom do not systematically document their business knowledge before moving on. Knowledge workers spend 15-30% of their work days looking for the information they need.4_{Much of that}

information resides in email.3_{An archiving and eDiscovery solution that enables authorized users to search}

their own archives for data promises to increase productivity while lowering labor costs.

THINKING BIG ABOUT ARCHIVING AND EDISCOVERY

Employee productivity, defense against litigation, and compliance with increasingly stringent federal laws and industry regulations—the reasons for financial services firms to invest strategically in email archiving and eDiscovery become more compelling and urgent every day. And with state legislatures and federal agencies continuing to tighten the rules around data breaches and consumer data, financial services firms should expect that the management, storage, and retrieval of email is only going to become even more critical in the years ahead.

It’s time, then, to recognize that email archiving and eDiscovery aren’t simply tactical measures applicable to one or two departments. Rather, they’re strategic capabilities required across the enterprise.

What are the requirements for an effective, strategic, enterprise-wide archiving solution that can address the growth in litigation and ever increasing complexity of regulatory compliance?

REQUIREMENTS FOR AN EMAIL ARCHIVING SOLUTION

The volume of email communications is exploding. Fortunately advances in application technology and architecture make solving very large data problems easier than ever before. It’s now possible to deploy an enterprise email archiving solution that enforces flexible data retention policies and supports rapid eDis-covery without bogging down IT resources with disruptive tasks that consume energy—and entail tangible legal risk.

The solution should meet several stringent requirements.

Flexibility

Given regulatory uncertainty and growth in litigation, it’s essential that the solution be flexible enough to meet the requirements of today and the changes of tomorrow. Flexibility includes the ability to quickly automate and enforce retention policies as they evolve, as well as the ability to scale and provide linear performance as a business evolves and grows.

Security

The solution should archive messages in a secure, tamper-proof repository according to detailed retention policies, as required by FINRA and other regulations. If the solution takes advantage of cloud storage, it must adhere to the highest security standards and be audited by third parties as evidenced by SAS 70 II, ensuring that data is secure while in transit and at rest.

8 hours vs. 30 minutes: Archiving Saves Time and Money

Osterman Research found that it takes a median time of eight person-hours to satisfy a single re-quest to retrieve data from backups. Fulfilling that request might take one to two calendar days.

Putting an archiving solution dra-matically accelerates the process. Enterprises with email archiving sys-tems in place were able to respond to the same requests within 30 min-utes—a 16 X improvement.

(6)

Page 3 Proofpoint: Email Archiving and eDiscovery for Financial Services

Precision and Agility

Legal hold management carries a disproportionately large share of eDiscovery risk because of multiple points of failure and processes that are not consistently adhered to. Therefore, a solution should be able to quickly execute legal holds in anticipation of litigation, and then enforce the holds with complete transpar-ency and documented audit trails to ensure maximum defensibility of process.

Storage-savvy Data Architecture

To avoid runaway storage costs, the solution should take advantage technologies that can reduce the size of stored data without jeopardizing the archive’s integrity. Additionally, solutions that leverage cloud-based storage should be considered in order to cost effectively partition and distribute the data load so that performance does not deteriorate as the archive grows.

Ease of Use

The solution needs to be easy to use, so compliance officers, HR managers, legal counsel, and other au-thorized users can search archives without passing all requests through otherwise-occupied IT engineers. End users can take advantage the archive to perform daily searches of their own archives so they can find the business information they need to do their jobs.

Ease of Integration

The system should integrate easily with enterprise email infrastructure, such as Microsoft Exchange and Active Directory, and support evolving eDiscovery standard protocols such as EDRM XML, so that data can be seamlessly passed for downstream legal review.

Up-front and Lifetime Cost

The system should be able to be deployed in weeks or even days, rather than months or years. Enterprises need to be able to address archiving and eDiscovery requirements today, not a year from now.

To meet this requirement, enterprises should consider the advantage of SaaS architectures that manage and store email communications at a secure, third-party data center in the “cloud.” SaaS solutions can typically be brought online much faster than internal systems, which depend on already busy IT depart-ments testing and provisioning new hardware and software system.

Equally important, SaaS solutions typically cost far less than internal systems, both in terms of initial investment as well as lifetime total cost of ownership (TCO). SaaS archiving solutions eliminate the need for investments in dedicated hardware and additional IT staff, allowing enterprises a lower total cost of ownership than an on-premise solution. With a SaaS solution, the increased need for data archiving can be accomplished on-demand, without any performance issues or downtime.

Enterprise email storage requirements are growing roughly 35% annually, so reducing expenses of on-premises hardware, storage, software upgrades, annual maintenance, and associated staffing and overhead costs through SaaS can have a significant impact on the total cost to address regulatory uncertainty and explosive growth of eDiscovery.

As you can see, the number and types of policies are numerous and increasing. However, they are all neces-sary in today’s information-centric environment. The boundaries must be established so policies can be enforced. This paper will examine the Content Classification Policy and Email Retention Policy areas and the corresponding threats associated with data loss prevention next.

CONCLUSION

In the past, financial services firms could treat email archiving and eDiscovery as a tactical requirement for regulatory compliance. But the broadening sweep of federal laws and regulations, the high likelihood of civil litigation, and the importance of giving employees the data they need to do their jobs, all make it clear that firms would do better to treat email archiving and eDiscovery as a strategic investment for the entire enterprise.

Such a solution need not be unwieldy or require months to deploy. New SaaS-based architectures make it possible to deploy an effective archiving and eDiscovery solution quickly and cost-effectively.

(7)

Proofpoint: Email Archiving and eDiscovery for Financial Services Page 4

With such an eDiscovery solution in place, financial services firms are ready to meet the stringent regula-tory requirements of today, as well as whatever new requirements and email storage challenges tomorrow may bring.

PROOFPOINT ENTERPRISE ARCHIVE AND PROOFPOINT EDISCOVERY

Proofpoint Enterprise Archive™ is an on-demand email archiving solution that addresses three key chal-lenges—email storage management, legal discovery and regulatory compliance—without the headaches of managing an email archive in-house. As a Software-as-a-Service (SaaS) solution, it can be deployed in days, with minimal upfront costs and planning. Because Proofpoint takes care of everything from storage to security issues, the archive can be easily managed by your existing messaging IT staff. Proofpoint Enter-prise Archive can be used by any enterEnter-prise that uses the Microsoft Exchange email server.

Features include:

• Patented DoubleBlind Encryption™ that guarantees data is fully protected in transit and in the cloud.

• A centralized, searchable, policy-based archive that ensures that enterprises are always ready for litigation and regulatory audit requests.

• High-speed search technology returns results in 20 seconds or less.

• A flexible policy engine that lets even non-technical users easily create and enforce legal holds during eDiscovery, so enterprises can comply with regulations such as SEC and FINRA. • Easy-to-use, self-service interface that makes email end-users more productive by giving them

ready access to all their historical email.

• Storage optimization technologies that improve email system performance and simplifies email system management through automated removal of large attachments (“stubbing”) and facili-tate PST file elimination.

ABOUT PROOFPOINT, INC.

Proofpoint focuses exclusively on the art and science of cloud-based and hybrid email security, eDiscovery and compliance solutions. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against spam and viruses, safeguard privacy, crypt sensitive information, and archive messages for easier management and discovery. Proofpoint’s en-terprise email solutions mitigate the challenges and amplify the benefits of enen-terprise messaging. Email Security and Data Loss

Prevention

Proofpoint offers industry-leading security solutions for email se-curity and data loss prevention. Proofpoint’s solutions are available through SaaS, on-premises appli-ances, and hybrid solutions combin-ing SaaS with on-premises products. The Proofpoint Enterprise Protec-tion™ suite delivers Proofpoint’s best-in-class, inbound and out-bound email security and manage-ment features in one cost-effective, easy-to-use, SaaS solution. Protect your mission-critical email infra-structure from outside threats in-cluding spam, phishing, unpredict-able email volumes, malware and other forms of objectionable or dan-gerous content before they hit the enterprise perimeter. The Proofpoint Enterprise Privacy™ suite provides “defense in depth” protection for private information of all types. It protects private information in email, defends against leaks of confidential information and ensures compliance with common international, indus-try and US data protection regula-tions—including HIPAA, GLBA and PCI-DSS.

Together, Proofpoint’s email secu-rity, anti-spam, and email archiving solutions offer enterprises the most comprehensive and cost-effective enterprise email solutions available today.

Notes

1. Bill Summary and Status – 111th Congress (2009-2010)- H.R. 4173 –CRS Summary – Library of Congress 2. Fulbright & Jaworksi, Fifth Annual Litigation Trends Survey Findings, 2008

3. Osterman Research, Inc. 4. Microsoft

(8)

www.proofpoint.com

US Worldwide Headquarters Proofpoint, Inc. 892 Ross Drive Sunnyvale, CA 94089 United States Tel +1 408 517 4710 US Utah Satellite Office Proofpoint, Inc. 13997 South Minuteman Drive, Suite 320 Draper, UT 84020 United States Tel +1 801 748 4610 Asia Pacific Proofpoint APAC Suntec Tower 2, 9 Temasek Boulevard, 31F Singapore 038989 Tel +65 6559 6128 EMEA Proofpoint, Ltd. 200 Brook Drive Green Park Reading, UK RG2 6UB Tel +44 (0) 870 803 0704 Japan Proofpoint Japan K.K. BUREX Kojimachi Kojimachi 3-5-2, Chiyoda-ku Tokyo, 102-0083 Japan Tel +81 3 5210 3611 Canada Proofpoint Canada 210 King Street East, Suite 300 Toronto, Ontario, M5A 1J7 Canada Tel +1 647 436 1036 Mexico Proofpoint Mexico Salaverry 1199 Col. Zacatenco CP 07360 México D.F. Tel: +52 55 5905 5306 ©2010 Proofpoint, Inc. 10/10

Proofpoint focuses exclusively on the art and science of cloud-based email security, eDiscovery and compliance solutions. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against spam and viruses, safeguard privacy, encrypt sensitive information, and archive messages for easier management and discovery. Proofpoint’s enterprise email solutions mitigate the challenges and amplify the benefits of enterprise messaging.