Four years have passed since President Bush signed the Sarbanes-Oxley Act and most analysts agree the law is working as larger companies are finally getting their accounting books in order.

The act was formulated to strengthen accounting oversight and corporate accountability. It did this by increasing accounting and auditor regulations, enhancing disclosure requirements, creating new federal laws and increasing penalties under existing federal laws.

An important aspect of the act focuses on the details of data security, retention and protection. So the question is, how does the Sarbanes-Oxley legislation impact email retention policies?

Surveys indicate that 93 percent of all business documents are created electronically, and that has forced most corporations to address their retention policies. Businesses, small or large, can no longer consider email retention a non-priority. Companies must develop a classification of data for off-site storage, such as an online storage service that encrypts and protects the data.

The Sarbanes-Oxley Act includes three provisions that deal with electronic documents, such as those communicated through emails. They include document alteration or destruction, mandatory document retention and obstruction of justice.

- In terms of document alteration or destruction, the Sarbanes-Oxley law states that people who knowingly alter, destroy, mutilate, falsify or conceal any document (electronic or paper) with the intent to impede proceedings involving federal agencies may be fined or imprisoned up to 20 years, or both. How does this impact email retention policies? If a company has an email retention policy in place, it must include a security plan. Only certain individuals should be given clearance to access the archived emails. A report with that person's name and purpose should be produced every time a certain email is accessed, and documentation of change to the existing document should be noted.

- The Sarbanes-Oxley provision of mandatory document retention forces businesses to keep records readily available for review for a period of up to five years. Knowingly and willfully violating this provision carries fines and a maximum sentence of 10 years in prison, or both. How does this impact email retention policies? A business must generate a data-retention policy with archive history periods included. According to Sarbanes-Oxley, the time period for such retention should be at least five years. The emails should be classified by dates (months and years) to make it less complicated for auditors to access such information. If the emails are disorganized, the auditors may have to dig deeper and they might find improprieties.

- The obstruction of justice segment is similar to the document alteration provision under the Sarbanes-Oxley Act, but it includes a statute that prohibits tampering with witnesses. The legislation states that acting or attempting to alter or destroy a record or other object "with the intent to impair the object's integrity or availability for use in an official proceeding" can be punishable with fines, imprisonment for up to 20 years, or both. How does this impact email retention policies? Again, any company that has a data retention policy must enforce a security plan such that data can be accessed by only the proper personnel. An online data backup service with strong encryption and user tracking helps eliminate the chance of human intervention with whatever email data has been stored. With certain managed backup services, online backups are performed automatically, so data is protected without manual intervention. Data moves through an existing network connection, using state-of-the-art data security including AES encryption, to a secure remote data center.

Clearly, the document-retention regulations implemented by the Sarbanes-Oxley legislation send a signal to businesses that they must institute a policy regarding their data and documents, including those transmitted through email. Businesses must realize that they can be held liable for retained and deleted electronic documents. The policies these businesses put in place should include an inventory of all the electronic hardware and software that can store emails (including cell phones and laptops), all locations and storage formats of archived emails, and all the methods by which email documents can be transferred into and out of the company. The next step should include classification of such emails, and then a secure off-site online backup storage plan.

The days of simply keeping emails in a folder at each workstation are part of the past thanks to businesses that have put forth a solid data retention plan. The Sarbanes-Oxley Act has served as an effective means to help push the creation of such plans.