Compliance

12:00 PM
Connect Directly
RSS
E-Mail
50%
50%

E-Discovery Requirements Are About to Hit Canadian Firms

As Canadian firms prepare for new e-discovery rules, they can look to their U.S. counterparts for technology lessons.

Time is growing short for Canadian securities firms to prepare for the scheduled April enforcement of the new Canadian National Instrument 31-103 (NI 31-103), regulation that significantly expands record keeping requirements for electronic communications. Fortunately NI 31-103 substantively mirrors U.S. regulations already in place, which means Canadian firms have the opportunity to learn from others' experiences.

"NI 31-103 is very similar to SEC and FINRA requirements in the U.S.," substantiates Carolyn DiCenzo, a Gartner research VP. "It's important to remember that the spirit of the law is communications and not just one particular type of communication, such as e-mail or instant messaging."

In other words Canadian firms seeking technologies that address NI 31-103 should take a step back and consider all of the communications channels they are using now, and in the future, before selecting a technology solution. "For example, BlackBerry has its own server software," DiCenzo notes. "Therefore firms using BlackBerrys need a solution that captures and manages messages from both their e-mail server and their BlackBerry server. This includes pictures or video clips attached to messages, which can be construed as something that must be saved."

If you're tempted to conclude that daily system backups are sufficient, think again, experts warn. Messages deleted between backups — a common occurrence — are not retained. And backup software can't provide an audit trail showing what, if any, alterations occurred during an e-mail's life cycle. Nor do backup systems offer the indexing and searching capabilities necessary to meet discovery stipulations, such as "Deliver all communications regarding Company X." Even if you could find a way to overcome these hurdles, backup tape simply cannot restore information fast enough to comply with timeliness mandates.

All E-Discovery Solutions Are Not Created Equal

Although numerous vendors offer e-mail archiving solutions that can help, all are not created equal -- and many firms are still vetting solutions. In fact a recent survey of 118 IT cross-industry executives conducted by IDC found that most companies are still in the early stages of identifying the relevant individuals, records owners and system custodians to handle e-discovery requests.

Nonetheless Canadian firms can learn from their U.S counterparts that have progressed further down the e-discovery road. "For instance, robust solutions allow for quarantining messages that violate user-defined policies for both outgoing and incoming traffic," DiCenzo points out. "Many send an alert to a particular person, such as your compliance officer, when an e-mail policy is violated. Although regulations don't require this feature, clearly there's a risk reduction benefit to such capability. Otherwise you're just recording a horse that has already left the barn."

Solutions that save storage space, such as deduplication and compression technologies, are also critical, DiCenzo adds. These features remove inherent e-mail redundancies. For example, an e-mail server will save and back up 20 distinct copies of the same e-mail sent to 20 different recipients, whereas many archiving solutions save one compressed copy with references to the remaining 19 recipients.

A Solution Already on the Shelf

Best of all, an advanced e-mail archiving solution can actually pay for itself, as Marquest Asset Management learned. The Toronto-based firm averages approximately 4,000 e-mails per day despite a total head count of just 16 employees. "We maintain a small Microsoft-enabled LAN on-site, but all of our significant applications are delivered via ASP [application service provider]," explains operating partner Pamela Moore, a self-described "non-techie" who doubles as the firm's entire IT department. "We do have an IT consultant who comes in as necessary, but our goal is keeping his visits to a minimum."

Moore had an early heads-up on the scope of NI 31-103 at a trade group committee meeting in February 2008. "Everyone in the room was worried about complying except me," Moore chuckles. "That's because I realized I had the solution sitting on a shelf."

In a stroke of serendipity Moore had met the inventor of an e-mail archiving appliance when he was renting space in her building several years ago. "In 2004 I bought an early production version strictly for its indexing capability, which was both very powerful and very easy to use," she recalls. "E-mail had actually increased the amount of paper we were filing because everyone printed out their e-mails for documentation. But we had so many other priorities that deploying the appliance wasn't on the list."

During the intervening years the inventor sold his technology to another Toronto firm, Jatheon, which added regulatory compliance features and then marketed the appliance as "The Plug n Comply" in the U.S. and Europe. Moore knew she needed more advanced features, such as policy-based e-mail quarantining, than her early unit supplied, so she briefly considered other options but settled on Jatheon. "Many vendors say they can supply the same features as Jatheon, but I've yet to see one that actually does," she claims.

In May 2008 representatives from Jatheon joined Marquest's IT consultant to deploy the appliance. "What took only about two hours to implement gives us a foot-square box that will hold 15 years' worth of e-mails due to its 10-to-1 compression ratio," Moore reports. "Plus it only cost $15,000, which is nothing relative to what it does for us. Not only have we complied with NI 31-103 before it's even final, the unit allowed us to cut a half an FTE [full-time equivalent] of clerical help for filing. And we're not relying on paper files, which no one ever used anyway because they're too difficult to search. In fact it's the first time I've actually seen a technology truly replace paper."

Since Jatheon's technology scales easily from accommodating the requirements of small firms such as Marquest to accommodating the needs of large enterprise deployments, according to the appliance vendor, CEO Kieron Dowling says the firm frequently fields SOS requests. "We get called when a company without an adequate archiving solution finds itself in litigation," he explains. "Depending upon the amount of data, our solution can ingest and index legacy data in days or weeks, rather than the months it takes to restore from backup tape and hunt for information. Furthermore companies that get our solution before litigation is filed or a government audit occurs often ingest legacy data proactively and reduce their overall costs."

Benefits Beyond Compliance

Savvy companies are even leveraging the benefits of e-mail archiving beyond compliance. "For example, quarterly financial reports often e-mail back and forth many times as they're finalized," notes Dowling. "An archiving system can alert you if someone diverts a report to their home computer, creating a potential leak. The same is true for protecting any type of intellectual property that gives your company a competitive advantage."

Advanced e-mail archiving solutions can also improve productivity. "Giving discovery tools to your employees allows them to search for information in e-mails that have been purged from your e-mail server," Dowling says. "Even if an e-mail does still reside on the server, discovery tools free users from knowing where to look. Since e-mails are now recognized as valuable information resources, people no longer read and delete. But the information is of no value if the e-mails can't be efficiently and effectively mined — by anyone at any time — for the treasures they hold."

Indeed Marquest is reaping the benefits of providing all staff with self-service features for e-mail mining. "The appliance is making us more efficient," the firm's Moore says. "Over time, it will also enable growth. But most employees will have only partial access, with a limited number of us having complete access. And passwords for administrative features are definitely being kept in a vault. Most important, the net result of Jatheon is easily meeting regulatory requirements at, essentially, no extra cost."


Anne Rawland Gabriel is a technology writer and marketing communications consultant based in the Minneapolis/St. Paul metro area. Among other projects, she's a regular contributor to UBM Tech's Bank Systems & Technology, Insurance & Technology and Wall Street & Technology ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - July 2014
In addition to regular audits, the SEC will start to scrutinize the cyber-security preparedness of market participants.
Video
Stressed Out by Compliance, Reputational Damage & Fines?
Stressed Out by Compliance, Reputational Damage & Fines?
Financial services executives are living in a "regulatory pressure cooker." Here's how executives are preparing for the new compliance requirements.