The compliance crunch

Every month, Information Age invites 20 IT directors, CIOs and others with core responsibility for IT decisions to share their views and experiences on strategic issues. The roundtable debates are held under the so-called Chatham House Rule so that delegates can speak freely without concern that their statements will be attributed to them or their companies.

In July, the lunch debate (held in London’s Rules restaurant and sponsored by Hummingbird) focused on a burning topic: how IT can support organisations that are under pressure to comply with an ever-larger body of legislation and internally prescribed rules designed to keep the company on the rails (and, in some cases, senior management out of jail).

Many issues came to the fore, but one dominated the discussion: the burden of storing and managing documents – especially email.

DOCUMENT BURDEN

There can be scores of reasons why the authorities can require an organisation to open up its old files – for example, as part of a compliance investigation, the discovery process in a legal dispute or a tax audit. But almost every one of the executives at the Information Age roundtable debate agreed that the burden on IT systems was growing rapidly as more records have to be kept, retained for longer and (critically) retrievable when required.

One delegate, an information systems director from the insurance sector, gave a particularly haunting illustration: his organisation is involved in the insurance industry’s biggest ever claim – for the destruction of the World Trade Center in New York in September 2001 and the horrendous loss of life. The ongoing court debate is focused on whether the fine print of the contract classes the terrorist attack as one incident or two – if it is two, the multi-billion dollar claim is doubled.

As part of that, the courts have asked for copies of two million emails from the inboxes of 70 people.

The company’s IT department was ‘lucky’; it had been archiving email methodically. But the cost and time involved in retrieving the messages, and in having executives read them out in court and have their contents cross-examined, have encouraged a radical change of policy. “This has consumed an enormous amount of senior management time,” said the IS director. As a matter of course, the company now deletes all email after three months (except for those that it is obliged by law to keep, and even those it prints out).

EMAIL POLICY

Picking up on the fact that executives at the insurance company were forced to read out email messages that were often flippant and intended for internal consumption only, other delegates at the lunch spelt out the strict email policies they have set at their own organisations.

“Email content is a tricky thing,” said a retail sector IT director. “Email policy has to be put directly into the employee contract. And our policy says that email needs to be treated in the same way you would treat a letter written on headed paper. That is, as a record within business.” The lack of security that surrounds email also came to the fore: “Treat emails like you are writing a postcard,” said one delegate. “As it is distributed widely, expect people to be able to read it.”

That same openness raised another issue, one that matters as soon as an archived message is produced as evidence: “Email can be archived, but it is difficult to show that an email has not been interfered with.”
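The delegate’s point is a real one: a plain mailbox export proves nothing about whether a message was edited, removed or reordered after it was archived. One standard way to make an archive tamper-evident is to chain each archived message to everything stored before it with a hash, authenticate each link with a key the mail administrators do not control, and periodically lodge the chain head with an outside party. The example below is added here and is not code from the roundtable, from Information Age or from any delegate’s organisation; the messages, the archive key and the checkpoint lodged with “outside counsel” are all constructed for illustration.

```python
"""Tamper-evident email archive built as a hash chain (added example, constructed data)."""
import copy
import hashlib
import hmac
import json

# Assumption: the archiving system holds this key, ideally in an HSM or escrowed
# with a third party, so mail administrators cannot re-authenticate edited entries.
ARCHIVE_KEY = b"hypothetical-archive-key-do-not-reuse"

GENESIS = "0" * 64  # previous-hash value used by the first entry

# Constructed sample messages; not real correspondence.
SAMPLE_MESSAGES = [
    {"from": "alice@example.com", "to": "bob@example.com",
     "date": "2003-07-01T09:12:00Z", "subject": "Policy wording",
     "body": "Are we reading 'occurrence' as one event or two?"},
    {"from": "bob@example.com", "to": "alice@example.com",
     "date": "2003-07-01T09:40:00Z", "subject": "Re: Policy wording",
     "body": "Legal says one. Keep this internal."},
    {"from": "carol@example.com", "to": "alice@example.com",
     "date": "2003-07-02T14:05:00Z", "subject": "Lunch?",
     "body": "Rules at one?"},
]


def canonical(msg):
    """Serialise a message deterministically so its hash is reproducible later."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def append(chain, msg, key=ARCHIVE_KEY):
    """Archive msg, binding it to its position and to every earlier entry."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    seq = len(chain)
    body_hash = hashlib.sha256(canonical(msg)).hexdigest()
    entry_hash = hashlib.sha256(f"{seq}:{prev}:{body_hash}".encode()).hexdigest()
    mac = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = {"seq": seq, "prev": prev, "msg": msg, "entry_hash": entry_hash, "mac": mac}
    chain.append(entry)
    return entry


def head(chain):
    """Chain head (length, last hash): lodge this externally to catch truncation."""
    return (len(chain), chain[-1]["entry_hash"] if chain else GENESIS)


def verify(chain, key=ARCHIVE_KEY, expected_head=None):
    """Recompute every link. Returns (ok, index of the first bad entry or None).

    Removing the newest entries leaves a shorter chain that still verifies, so
    truncation is only detected when a previously lodged expected_head is given.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        body_hash = hashlib.sha256(canonical(e["msg"])).hexdigest()
        entry_hash = hashlib.sha256(f"{i}:{prev}:{body_hash}".encode()).hexdigest()
        mac = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
        if (e["seq"] != i or e["prev"] != prev or e["entry_hash"] != entry_hash
                or not hmac.compare_digest(mac, e["mac"])):
            return False, i
        prev = entry_hash
    if expected_head is not None and head(chain) != expected_head:
        return False, len(chain)
    return True, None


def build_chain(messages=SAMPLE_MESSAGES, key=ARCHIVE_KEY):
    chain = []
    for m in messages:
        append(chain, m, key)
    return chain


def demo():
    """Run the checks an auditor would run against four kinds of interference."""
    chain = build_chain()
    checkpoint = head(chain)  # imagine this was lodged with outside counsel
    edited = copy.deepcopy(chain)
    edited[1]["msg"]["body"] = "Legal says two."      # rewrite a message
    deleted = copy.deepcopy(chain)
    del deleted[1]                                   # drop an inconvenient message
    swapped = copy.deepcopy(chain)
    swapped[1], swapped[2] = swapped[2], swapped[1]  # reorder the record
    truncated = copy.deepcopy(chain)[:-1]            # lose the newest entry
    return {
        "intact": verify(chain, expected_head=checkpoint),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "swapped": verify(swapped),
        "truncated_unchecked": verify(truncated),
        "truncated_vs_checkpoint": verify(truncated, expected_head=checkpoint),
    }


if __name__ == "__main__":
    for name, (ok, first_bad) in demo().items():
        print(f"{name:24s} ok={ok} first_bad={first_bad}")
```

Two caveats an auditor would raise. An HMAC key that the same administrators can read proves nothing against them, so in practice the per-entry authenticator should be a signature from a key they cannot use, or the lodged head should be countersigned or timestamped by an independent party. And the chain shows only that the archive has not changed since the entry was written; it says nothing about whether the message was genuine when it arrived, which is a separate question of mail authentication.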

For another IT manager, there was a radical solution to the whole compliance issue: do nothing. “You can take a cold, hard look at compliance issues from a commercial perspective and make the conscious decision not to comply,” he said. “The fines are less than the costs. In any case, rules such as Sarbanes-Oxley and the Data Protection Act actually conflict. To comply with one, we have to breach the other.”

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
