Retention of emails etc.



  • Hello everyone,
    We are testing SOX compliance for a public company and have discovered that when an employee is terminated or leaves, the company deletes all accounts, emails, network files etc. that this person had created.
    I am new at SOX testing but it seems that this kind of general practice could violate section 802.
    Any responses to this including supporting information would be highly appreciated.
    Thank you in advance
    Criterion



  • Hi and welcome to the forums 🙂
    I’m not aware of a direct SOX requirement related to email retention for terminated employees. A company would be wise in retaining at least file history for a short period of time to help transitionalize.
    As some of my background relates to IT security, there are even some privacy issues related to viewing email history (esp. recent California legislative initiatives providing some employee privacy protection). While anything an employee does has the right to be monitored, etc. – security controls and a reasonable amount of privacy must be balanced.
    Still, if a terminated employee played a role in financial matters (and esp. if there were SOX compliancy issues or even fraud), the company should logically preserve any evidence.



  • I took a further look and found that starting in July some banks and other financial institutions have a 3 year requirement on email and even IM messages … You learn something new everyday.
    As direct linking is not allowed in forums, please add www and paste links into your browser
    Several good articles can be found here:
    google.com/search?hl=en-and-q=sox email retention
    SOX Records Retention info - middle of article
    s-ox.com/Feature/detail.cfm?articleID=921
    Secondly, record retention addresses the rules around retention of documents that are created, sent or received relating to an audit or review. Companies must establish clear e-mail retention policies, and the IT department must ensure that these policies are followed. Few companies have strict guidelines in place, which exposes them to legal and regulatory violations.
    Companies are uncertain how to keep email compliant under SOX standards, and are choosing to save everything, putting themselves at increased risk when or if litigation ensues. Furthermore, retention is not just about archiving, but also about retrieval. Saving all correspondence leads to obstacles when asked to deliver only relevant documentation. Finally, the costs of retaining and maintaining this documentation overwhelms the cost of implementing a policy framework to retain documents selectively, which is a critical element of an overall compliance architecture.
    Article: Email Retention is legal Chernobyl
    silicon.com/research/specialreports/compliance/0,3800003180,39130615,00.htm
    The USD1.45bn judgment against Morgan Stanley for deceiving billionaire Ronald Perelman over a business deal has a lesson all companies should learn - keeping emails is now a must, experts say.
    Banks and broker-dealers are obliged to retain email and instant messaging documents for three years under US Securities and Exchange Commission rules. But similar requirements will apply to all public companies from July 2006 under the Sarbanes-Oxley corporate reform measures. At the same time, US courts are imposing increasingly harsh punishments on corporations that fail to comply with orders to produce email documents, the experts said.



  • Hi,
    In addition to the previous postings about e-mail archival, you might consider the following:
    Non-compliance with regulations is serious. In December 2002, The Securities and Exchange Commission, the New York Stock Exchange and NASD fined five firms a total of USD8.25 million for failure to preserve email communications.
    Each of the firms: Deutsche Bank Securities Inc.; Goldman, Sachs and Co.; Morgan Stanley and Co. Incorporated; Salomon Smith Barney Inc.; and U.S. Bancorp Piper Jaffray Inc. consented (without admitting or denying the allegations) to findings that each failed to preserve for a period of three years, and/or preserve in an accessible place for two years, electronic communications relating to the business of the firm, including interoffice memoranda and communications.
    DoD 5015.2-STD, for example, requires that any record (including email), when retrieved, can be reproduced, viewed, and manipulated in the same manner as the original.
    Your situation might be different and you might consider government contracts. Although you might not be required to retain e-mail in connection with SOX, other regulatory groups might contain such a requirement. For example, the Department of Labor in the event of an employee lawsuit brought against the Company under the labor laws.
    However, within SOX, I do not believe that specific language is written that addresses retention of emails and company requirements. As always, good business judgment is the unwritten rule.
    Hope this further helps,
    Milan



  • Hello everyone,
    We are testing SOX compliance for a public company and have discovered that when an employee is terminated or leaves, the company deletes all accounts, emails, network files etc. this person had created.
    I am new at SOX testing but it seems that this kind of general practice could violate section 802.

    I don’t see how this practice would necessarily cause a s802 issue.
    Firstly, most companies would find themselves in the position of being able to restore this information from back-ups if necessary.
    Secondly, emails tend not to be documents that originate numbers in the financial reporting - at worst they would be evidence of control activities having been performed.
    Notwithstanding additional requirements for banks my understanding is that it is still acceptable for companies to have an email retention policy and to delete mail (and accounts) as a result of this - although if you were to delete mail whilst under SEC investigation this would be a different ballgame. Also, I don’t think there is any onus on individuals to keep email as any retention would be done at a server level.
    imho you would have a bigger SOx issue if these accounts were not being deleted



  • you would have a bigger SOx issue if these accounts were not being deleted
    I agree and Denis shares a great point as usual … Having worked many years in IT security and still having an interest there – I could write a book on email issues 😉 e.g., folks emailing sensitive data is #1 on the list, using it for non-business use, using it non-responsibly, etc 😞
    It is better to usually clean-up after someone leaves, esp. if there’s no chance of a re-hire. Still, as I say at work, ‘you gotta do what you gotta do’ and thus SOX may require retentions of this type of history in some cases (e.g., banks or preservation of evidence in the case of fraud, etc). I like archiving all of this OFFLINE where possible, as you don’t want stale 3 year old user accounts in your system.
    If the email system can accommodate recovery of an email file from backups, one approach might be keep the backups from the email server for 3 years (in the case of banks) and delete the active content off the server after 30 or 90 days (as sometimes the replacement hire might need some business related ‘work in process’ controlled by the manager). This way, information is archived and not online – as email systems can eat up a lot of disk storage space.



  • Thanks for the links and the feedback guys



  • With the emergence of corporate wikis in recent times, how does the email retention for compliance change?
    One of the main advantages of an enterprise wiki is that it reduces the dependence on email and IM.
    Any thoughts on whether wiki discussions and content fall into the net? There are 2 cases to consider:

    1. Wikis hosted by the service provider
    2. Wikis bought by the enterprise and hosted internally…
      Looking forward to lots of 2 cents-es.
      Best regards,
      Feroz
