Compliance has created a need for the retention of e-mails. There is nothing new in an organisation retaining e-mails, but now it must be able to retrieve them when required and, more importantly, produce them to a regulator within the timeframe specified by the particular regulation. E-mail retention is a requirement of a whole raft of legislation and regulations, including the Freedom of Information Act, Data Protection Act, Basel II, Companies (Audit, Investigations and CE) Bill, SEC 17a-3/4, NASD 3010/3110, Dept of Defense Directive 5015.2, and Sarbanes-Oxley. This has forced organisations to consider how e-mails can be retrieved quickly and efficiently.
There have been a number of high-profile cases in both the UK and the US where financial institutions have been fined large sums of money because they were unable to produce requested e-mails in the time allowed. In the US, five banks were fined a total of $8.25 million ($1.65 million each) at the end of 2002 for failing to retrieve e-mails according to the requirement of the rules under which they were requested.
The Swiss pharmaceutical company Ciba-Geigy contested a court order to produce e-mail documentation during a 1995 court case, claiming that it was untimely, the requested information was too broad, and it placed too much of a burden on the company. It failed and was forced to search through 30 million e-mails. In other cases, financial institutions have found it cheaper to pay the fines rather than locate individual e-mails.
In the UK, Norwich Union was forced to make an out-of-court settlement of 50,000 after it was found that some of its employees had been sending defamatory e-mails about a competitor. By the time the writ had been issued, the e-mails in question had been deleted. The result of all of these breaches of regulations is brand damage, which can have a far greater impact than any fine levied.