Four Principles of More Compliant Archiving

Business enterprises both public and private must comply with federal and state regulations. But as laws keep changing, how can you ensure your archiving measures up?

Several years ago, the Securities and Exchange Commission fined a Wall Street firm millions for failing to produce email needed for a legal discovery. That failure violated federal laws requiring regulated securities brokers to hand over certain records and documents to the commission on demand. In a similar instance, regulators fined other top investment firms more than $1.5 million each for destroying email messages.

These are just two examples hammering home how important it is for your company to have a detailed retention policy.

Following best practices for your archiving strategy reduces not only information loss risks but also inadvertent disclosures and downtime during unplanned outages. That boosts your firm’s efficiency and competitive advantage as a brand.

Know Your Regulations

Federal, state and corporate regulations require most companies to retain electronically stored information for up to seven years; they must also be able to produce records quickly upon request. More specifically:

  • Securities and Exchange Commission (SEC) Rule 2-06(a) requires accounting firms to retain records relevant to the audits or reviews of issuers’ and registered investment companies’ financial statements for seven years.
  • SEC Rule 17a-4 requires broker-dealers to retain many records for three years, including communications that relate to their business.
  • The Sarbanes-Oxley Act mandates that certain access logs be retained for one year.

Other legal and regulatory requirements may also come into play, depending upon your business sector. For example, the December 2006 revision to the Federal Rules of Civil Procedure (FRCP) states that healthcare organizations must be prepared to discuss how and where they store their email early in pretrial proceedings, must preserve their email in a compliant manner and produce it with specified metadata intact, and must produce their email quickly, according to discovery timelines.

Not knowing the law could cost you big time—the Financial Industry Regulatory Authority (FINRA) alone handed out $50 million in fines in 2009. You also risk damaging your reputation and net profits from the negative publicity and financial hit noncompliance can cause.

Consider these four measures to build and maintain a more compliant archiving process for your organization:

1. Create an internal policy.

A 2008 BearingPoint survey about email management found that fewer than 50 percent of companies maintained a data retention policy. To ensure legal compliance and protect both your company and the users from email system misuse, establish a framework for developing, enforcing and monitoring your data retention policy.

Most data-retention policies contain a policy statement and a retention schedule that lists every type of information the company may hold, along with the required retention period for each. The policy also spells out specific instructions for archiving and for data destruction.

2. Define ownership and involve the stakeholders.

Define who is responsible for developing, monitoring and updating the policy. Make sure to include your legal/compliance, IT and HR departments and your board of directors in the policy development cycle. By identifying a group of employees dedicated to backup data security throughout your information’s lifecycle, your organization can address the inherent challenges and risks of doing business in your sector.

Also ensure that employees are aware of your internal retention policy, and, more important, that they understand the consequences of deliberately concealing or destroying information. By clearly outlining your internal retention policy, you:

  • Discourage both intentional and unintentional regulatory missteps among employees
  • Better protect the company in the event of a policy breach

3. Ensure easier archive searches.

FRCP regulations require that “everyone must produce their email quickly according to discovery timelines.” Fortunately, technology has caught up with electronic discovery regulations, so some archiving products include advanced search capabilities to ease this onerous task. With third-party archiving, you can reduce discovery-response times from months or weeks to minutes and seconds.

4. Remember that data is more than just email.

While an email archive may seem adequate, you can overlook key documentation if you lack a platform for archiving other communications. Be sure to implement an archive not just for email but also for social media posts, instant messages, text messages and all other critical data sources.

The regulatory landscape is constantly changing as communication evolves between organizations and their customers, partners and other stakeholders. Adopting a modern archiving approach will help your organization navigate future regulatory changes.

Partnering: Optimize the Cost of Doing Business

Whether forced by regulations or storage constraints or simply to keep employees sane, organizations in all industries must ensure that they’re properly retaining data. The expense of this task is well worth it, once you consider the potentially much higher price of legal sanctions.

A trusted third-party service provider can help store your backup media and ensure that your business will not lose critical data in the event of a lawsuit or disaster. Choose an offsite service provider with a high level of reliability for day-to-day operations and successful disaster recovery when you need it most.

A Top Priority

According to a report from the Information Systems Audit and Control Association, meeting regulatory compliance will be the top issue affecting security officials during the next 12 to 18 months. As such, these professionals plan to tailor their data protection measures to all applicable compliance standards.

Do you have questions about data backup and recovery? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s Data Backup and Recovery team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.
