Karl,

The problem is assuming that keeping it 'legal' involves lawyers for instance.  The Sarbanes-Oxley Act of 2002 was enacted by Congress and the responsibility for clarifying the law into workable practices was assigned to PCAOB (The Public Company Accounting Oversight Board, created by Sarbanes-Oxley), and signed off on by the SEC.  It is the responsibility of independent auditors to verify compliance and report its findings to the board of directors, who are ultimately responsible for the companies in question.

The need of public companies to maintain all business communications was established in The Securities Exchange Act of 1934, Rule 17a-4.  Even before Sarbanes-Oxley came around, companies were required to keep E-mails containing business communications, and there were fines paid.  The only thing that SOX did in this regard was to clarify certain aspects of the law, create the PCAOB for guidance and oversight of independent auditors, and create criminal charges for some violations.

The PCAOB issued AS 2 (Audit Standard Number 2) as the official guidance on how independent auditors would conduct such audits, and it was approved by the SEC in 2004.  The problem is that after the Enron/Worldcom/Tyco scandals of recent history, the demise of Arthur Andersen (Enron's independent auditor), and fines of many other independent auditors, the industry approached compliance with a risk-averse bottom-up approach that the SEC has found to have been unintentional and carried costs that were not justifiable.

This unfolded primarily as a result of participation of the American Electronics Association (AeA) in the following report:

    SARBANES-OXLEY SECTION 404:
    THE ‘SECTION’ OF UNINTENDED CONSEQUENCES AND ITS IMPACT ON SMALL BUSINESS
    http://www.aeanet.org/governmentaffairs/AeASOXPaperFinal021005.asp

Among the opinions expressed in this report that are applicable to the discussion on this list that relates to a one-size-fits-all approach is the following:
  • External auditors have adopted a “one size fits all” approach to Section 404. This means that a small company with $16 million in revenue and a relatively simple organizational structure essentially is being held to the same standard as a large multi-billion dollar company with a very complicated organizational structure.
  • The implementation cost is approximately $35 billion --- more than 20 times greater than the SEC estimated in 2003.
  • The SEC believed there would be “a direct correlation between the extent of the burden and the size of the reporting company, with the burden increasing commensurate with the size of the company.” The opposite appears to be true.
The SEC and the PCAOB subsequently clarified themselves in having auditors reevaluate their approach to compliance, and effectively blaming them for a risk-averse approach to such procedures adding unjustifiable costs to small businesses covered by the law and their guidelines.  The following transcript of a speech given by the SEC's Commissioner just last month to the AeA is published on the SEC's site and details the key points in easy to understand words:

    Speech by SEC Commissioner:
    Remarks Before the American Electronics Association Classic Financial Conference
    http://www.sec.gov/news/speech/2006/spch110706psa.htm
"Basically, it drove accountants, who are famously risk-averse anyway, to attempt to ward off liability with unprecedented levels of mechanistic processes and testing. It is hard to blame them in light of Arthur Andersen, PCAOB investigations, and class-action lawsuits. An added bonus for the auditor: he bills for the extra work."
The essence of the new guidance is that auditors should use a "top-down, risk-based approach" instead of a "bottom-up, risk-averse approach" as had been widely adopted.  In other words, the goal of AS 2 is not to have companies bend over backwards looking for absolutely flawless procedures that can be verified in umpteen different ways.  A good summary of this can be found here:

    One Size Fits All Is Good for Socks, Bad for SOX – New Guidance on Section 404 Internal Control Reports
    http://www.perkinscoie.com/content/ren/updates/corp/052405.htm

Naturally this all mostly reflects auditing procedures related to things besides business document preservation (including E-mail and IM's), however it is clear that the government did not intend to burden businesses, and especially small businesses with ridiculously complex systems required for compliance.

I agree with Sandy that companies like Global Relay offer what are likely solid solutions and many companies would benefit from going the route of a packaged commercial offering, however it is not required, and that was the basis for this hijacked thread.  All that is required is that companies archive all business communications in a manner that is secure, verifiable, and reasonably available.  For a smaller company governed by SOX, this could be as simple as a message archiving scheme using some form of copy-all functionality.

One should look for guidance from all applicable sources, but one should also understand that others may be in an extreme risk-averse mindset, may be in a position to profit from certain solutions, or may not understand what is really required.  As consultants, service providers, and direct staff, we all must keep in mind that we don't want to become part of the problem.



Matt
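Matt's description of a copy-all archive that is "secure, verifiable, and reasonably available", as an added example that is not part of the original thread and not anything Global Relay, Declude or the SOX/Rule 17a-4 texts prescribe: messages delivered to a copy-all (BCC/journal) address are stored verbatim under their SHA-256 hash, a manifest chains each entry to the previous one so later edits or deletions are detectable, and a lookup by address covers retrieval. The hash-chain design, the `CopyAllArchive` class and the two sample messages are all constructed for this illustration.

```python
import hashlib
import json
import os
import tempfile
from email import message_from_string
from email.utils import parseaddr

GENESIS = "0" * 64  # chain value before the first entry (constructed convention)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CopyAllArchive:
    """Write-once message store with a hash-chained manifest (hypothetical design).

    Every message received at the copy-all address is written under its content
    hash.  The manifest records, per message, chain = sha256(prev_chain || sha256)
    so that altering or removing any stored message breaks verification of that
    entry and everything recorded after it.
    """

    def __init__(self, root: str):
        self.root = root
        self.msg_dir = os.path.join(root, "messages")
        os.makedirs(self.msg_dir, exist_ok=True)
        self.manifest_path = os.path.join(root, "manifest.jsonl")

    def _entries(self):
        if not os.path.exists(self.manifest_path):
            return []
        with open(self.manifest_path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def ingest(self, raw: str) -> str:
        data = raw.encode("utf-8")
        digest = sha256_hex(data)
        path = os.path.join(self.msg_dir, digest + ".eml")
        if os.path.exists(path):
            return digest  # same message copied twice: idempotent, no new manifest entry
        with open(path, "wb") as f:
            f.write(data)
        msg = message_from_string(raw)
        entries = self._entries()
        prev = entries[-1]["chain"] if entries else GENESIS
        entry = {
            "seq": len(entries),
            "message_id": msg.get("Message-ID", ""),
            "from": parseaddr(msg.get("From", ""))[1],
            "to": parseaddr(msg.get("To", ""))[1],
            "date": msg.get("Date", ""),
            "sha256": digest,
            "chain": sha256_hex((prev + digest).encode("ascii")),
        }
        with open(self.manifest_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return digest

    def verify(self):
        """Return (ok, first_bad_seq): recompute every content hash and chain link."""
        prev = GENESIS
        for entry in self._entries():
            path = os.path.join(self.msg_dir, entry["sha256"] + ".eml")
            try:
                with open(path, "rb") as f:
                    content_hash = sha256_hex(f.read())
            except FileNotFoundError:
                return False, entry["seq"]
            if content_hash != entry["sha256"]:
                return False, entry["seq"]
            if sha256_hex((prev + entry["sha256"]).encode("ascii")) != entry["chain"]:
                return False, entry["seq"]
            prev = entry["chain"]
        return True, None

    def find(self, address: str):
        """Hashes of archived messages sent by or to an address (the retrieval side)."""
        return [e["sha256"] for e in self._entries() if address in (e["from"], e["to"])]


# Constructed sample traffic, as the copy-all address would receive it.
SAMPLE_MESSAGES = [
    "From: alice@example.com\r\nTo: bob@example.com\r\nDate: Mon, 18 Dec 2006 12:48:00 -0500\r\n"
    "Message-ID: <1@example.com>\r\nSubject: Q4 numbers\r\n\r\nDraft attached.\r\n",
    "From: bob@example.com\r\nTo: alice@example.com\r\nDate: Mon, 18 Dec 2006 13:02:00 -0500\r\n"
    "Message-ID: <2@example.com>\r\nSubject: Re: Q4 numbers\r\n\r\nLooks fine.\r\n",
]


def demo():
    """Ingest the samples, verify, then tamper with one stored file and verify again."""
    archive = CopyAllArchive(tempfile.mkdtemp(prefix="archive-"))
    hashes = [archive.ingest(m) for m in SAMPLE_MESSAGES]
    ok_before, _ = archive.verify()
    with open(os.path.join(archive.msg_dir, hashes[0] + ".eml"), "ab") as f:
        f.write(b"P.S. revised\r\n")  # simulated after-the-fact edit of message 0
    ok_after, bad_seq = archive.verify()
    return ok_before, ok_after, bad_seq, len(archive.find("alice@example.com"))


if __name__ == "__main__":
    print(demo())
```

The manifest only proves that the archive has not changed since the entries were written; to make it evidence rather than a self-check, the latest chain value would be written somewhere the mail administrator cannot rewrite (a periodic export to a separate custodian, for instance), which is the piece a packaged commercial offering bundles in for you.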




IS - Systems Eng. (Karl Drugge) wrote:
True, I'm covered by different laws..

But in regards to keeping 'legal', in all senses of the word, especially
when you are discussing 'home grown' versus 'off the shelf' solutions,
it would be best to consult legal advisors before implementing anything.
If you aren't sure, get advice. If you are sure, get it in writing.

I was private sector long before I converted to government, and still
keep some of those clients. Most of my clients would much rather have a
lawyer's sign-off, especially if it's going to help them avoid a lawsuit
later.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, December 18, 2006 12:48 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: "Message" Storage

Karl,

We were specifically talking about SOX (Sarbanes-Oxley) compliance, 
which has no legal applicability to your own needs.  Your needs are 
governed by Florida's "Government-in-the-Sunshine" laws which allow for 
public inspection of most records.

Matt



IS - Systems Eng. (Karl Drugge) wrote:
  
EXACTLY why we have the city attorney and another legal specialist
helping to formulate our own new policy. Best to invest some real $$$
now, before we get sued for our ignorance ( and $$$$$$$$$$$$$$$$$$$$ )
later.


Karl Drugge
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sanford Whiteman
Sent: Sunday, December 17, 2006 1:46 PM
To: Matt
Subject: Re[2]: [Declude.JunkMail] OT: "Message" Storage

</snip>

In  summary: you still don't know about e-mail archival for compliance
purposes.

Thanks for sharing.

--Sandy



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




