Uh oh.

 

Time to back up and take a breath.

 

I have not been following this, but have meant to go back and read it because of the implications of the subject.

 

Having gone back and read some of the posts, well, Matt, I like you a lot, but there are some issues.

 

Matt said:

Not to debate the applicability of the technology, but you shouldn't proceed under the assumption that government regulators are out there giving IT staff lists of words to be used in "full-text search" of E-mail archives.  That is not the law, and it is not how subpoenas are issued.

 

In reality, that is exactly what they can indeed do. No, I have not reviewed the letter of the law, nor will I, nor do I have a desire to. However, I have been briefed on the matter by the in-house IT staff of clients I am involved with that are either subject to SOX or SEC regulations.

 

Matt said:

What is at question here is document retention, or more specifically in this case, E-mail retention.  There is nothing specific in Sarbanes-Oxley that indicates anything other than destruction of records, thereby implying that records such as E-mail are required to be maintained for a period of 5 years.  There is absolutely no mention of required technologies, but it is clearly implied that you can't lose access to such documents due to a failure to properly apply a technological solution that survives that length of time (i.e. archival means need to be accessible going 5 years back at any time).

 

While it is true that there is no mention of what technology is to be used, there are requirements, particularly in SEC regulations, that once a subpoena is presented, you have a time limit to comply and produce the requested information. This time period can be as little as 4 hours. Obviously, you are going to need technology to provide copies of all e-mail to and from so and so for the last 3 years in 4 hours. Simply having an archive is not enough. You must have the means to search and retrieve quickly.

 

Matt said:

There are applications that archive and mine data from E-mail, but IMO, these are really just big-brother types of apps, and I've never been big on invading people's privacy.  There are other services that some companies use under the general guise of "policy enforcement" which is just a fancy way of saying content screening.  I think that Sniffer's engine could be set up to do at least part of this work (outside of attachments), but there are large companies out there that already offer such services and this is generally limited to only large customers.  I consider this to be an ineffective solution since it can be so easily bypassed with a flash drive on a key chain, or missed by a set of keywords or phrases.

 

Everyone is entitled to their opinion. However, the truth is the courts have found and upheld that e-mail using company assets is not private, and a company policy must be dictated to enforce such. This means that if a company policy states all e-mail is company property, and no personal e-mail is allowed, or words similar to that effect, the courts have upheld the company's explicit right to search, review, archive and take action on e-mails used within the company. Therefore, there is no question of privacy, as it is company property.

 

Matt, I do not see any personal attack on you by Sandy. What I see is his response to specific things you have said which appear to be incorrect. The various regulations regarding e-mail are convoluted for us to understand at best, and while yes everyone is entitled to an opinion, it should not be stated as fact.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, October 29, 2004 4:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Determining a BCC Recipient

 

Let's please try to keep the personal stuff off of this list for the good of everyone.  Even though I might find it a tad bit amusing at times when it is directed at me, I don't think that others appreciate seeing it here, and I generally don't.  I hesitated even to draft this reply except that I felt it would possibly help in the future seeing as how repeated this pattern has become.  This is a support group where people come to share ideas and learn from others, and flame wars have no place in such a forum.  One can express an opinion or attempt to establish fact without in effect attacking or belittling a fellow participant, and unlike the circumstance regarding IMail, there is no reason for anyone to become angry about things so insignificant.  I don't claim to be perfect in this regard myself, but I think it needed to be said.

Matt



Sanford Whiteman wrote:

you shouldn't proceed under the assumption that government
regulators are out there giving IT staff lists of words to be used
in "full-text search" of E-mail archives. That is not the law, and
it is not how subpoenas are issued.
    

 
First: I clearly noted that legal (or compliance, if distinct) is
given all documents, including criteria for an archive search, and
that IT staff are not responsible for the search. IT is expected to
create a system that compliance officers can use independent of IT (in
turn respecting employees' privacy from sysadmins' snooping,
restricting access to those that perform that role professionally).
The full retention media must also be made available, but the
regulators will request pruned material. You seem to think that you're
really going to hit it off with regulators by coolly giving them hard
drives with terabytes of raw mbox data and nothing more. You obviously
don't know how it feels to be faced with hundreds of millions of
dollars in fines and the knowledge that every day you delay is another
day with your company name in the papers as an "ongoing
investigation." You do not mess around or play tough on producing
records; you will only go down harder. The examples are legion.
 
Second: last you wrote, you'd only been involved in an investigation
that was not bound to SOX or SEC regulations. I see nothing in your
new comments, though they're more verbose, that's any more
authoritative. Your isolation of SOX seems deliberately naive, since
it is commonplace for SOX's open-ended storage requirements to be
allied with SEC 17a-4 requirements to ensure coordination between
departments and guarantee prompt response to inquiries without the
perception of considered obstruction through negligence. And no
organization creates separate SOX-compliant systems and SEC-compliant
systems if bound by both.
 
Third: my notes are based on our work with three different clients' IT
staffs, their inside and outside counsel (two different outside
firms), and documents submitted by regulatory agencies that were
specific to the cases; it is also based on the experience of building
the original, incomplete archiving systems for these clients and later
expansions and revisions of these systems to achieve independently
verified SEC/NASD compliance.
 
Fourth: there were no "enemy lawyers" involved, unless you consider
those attempting to prevent criminal actions--in this case, stealing
millions from individual investors to benefit secret corporate
alliances--to be your "enemies." Yet, if those are the enemies in
question, I'm surprised you're opposed to _Ipswitch's_ recent
activity. Aren't they just following in the footsteps of Enron by
concealing their probable dead-end status while soliciting huge monies
for nonexistent products? How can a private company's secrecy and
price gouging be such an abomination, based on the insults you've used
on the IMail list, while here you encourage a public company's
destruction of records wherever you perceive a loophole?
 
--Sandy
 
 
------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
 
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
 
 
  


