Emails and Sarbanes-Oxley Compliance
lekatis
What is an email? I know that you know, but if you discuss it with lawyers, you will understand that perhaps you don’t know.
Is it something like a telephone call, a conversation that happens to be written? No. It is a business document. If you say something, you may forget it after a couple of minutes. If you send an email, you can never delete it, and even if you forget it, it can not only create serious compliance and legal problems for your company, but also get you fired, arrested or sued.
As an expert witness, I want to share with you that for lawyers and investigators, an email message is the best place to search for evidence. They know very well that all the good stuff is in emails, and this is the reason there are so many subpoenas and search warrants for email records. Cases range from criminal prosecutions to sexual harassment lawsuits to Sarbanes-Oxley compliance audits and investigations.
Is beer better than women? I don’t think so, but somebody in Chevron Corp. believed that, and used the corporate email to spread the word. The result: Chevron was ordered to pay female employees USD 2.2 million to settle a sexual harassment lawsuit.
Massive amounts of information are communicated and exchanged via email every day. In more and more organizations, many agreements, contracts and approvals are handled exclusively via email.
The Sarbanes-Oxley Act imposes strict penalties for the destruction, alteration and falsification of business records. Emails and instant messages are business records. Not every single email and instant message, but some of them, are viable business records that are subject to legislation prohibiting their destruction.
What do organizations need?
- A very good retention policy
- Archiving in redundant, tamper-proof systems
- Monitoring - regular review of incoming and outgoing emails, compliant with local privacy legislation. Encryption capabilities are important, to ensure privacy and confidentiality.
- Remote access controls and two-way strong authentication
- Filtering and anti-spam solutions
- Antivirus solutions. Malicious code can attack the integrity of financial documents
Is retaining all emails the best approach to protect against audits and lawsuits?
No. It is above and beyond what is necessary. Backing up an entire email system on a daily basis is too much. Don’t forget that Sarbanes-Oxley mandates not just keeping the records (those that have to do with financial reporting), but also being able to find them. Finding emails in a vast archive is really hard.
Keeping personal emails: it has nothing to do with Sarbanes-Oxley. It is also dangerous. In many countries of the world (EU included) it is illegal according to data protection legislation.
A good email management solution must give the opportunity to search quickly and efficiently, regardless of volume or size, for specific messages or categories of messages.
Denis
I guess the key to dealing with email is to remember that although some business documents are emails, not all emails are business documents.
Emails that are not business documents could, and should, be deleted on a regular basis with no SEC repercussions. But how do you differentiate between them?
In my business I am generally recommending that email should never be the sole documentation for any business transaction; there need to be appropriate policies (and training) in place to ensure that employees know when email is the appropriate means of documentation and when things need to be documented independently.