Wall Street & Technology recently held a half-day forum at which a panel of experts discussed the issues around e-mail and instant-message retention. In light of some hefty SEC fines, executives are finally focusing on this complex issue, which seems to require a solution that combines legal, business and technology elements.
In the following exchange, one of the panelists, Joe Abbruzzese, senior vice president of Infrastructure/Client Services with Lehman Brothers, fields questions from a WS&T moderator and the audience.
Wall Street & Technology: I understand you had some experience with the insourcing versus outsourcing question of dealing with e-mail management. Can you tell us about going through that experience and how you came to decide on the right path for your firm?
ABBRUZZESE: Yes. I would say that the first thing you ought to do is the math. Figure out whether or not you could do this cheaper internally, or through a service provider. However, before that, you should assess your current infrastructure and how much you've invested in it thus far. Figure out if it is 17a-4 compliant and, if it's not, what's the investment to make it 17a-4 compliant? The other question I'd ask is do you know what it takes to be 17a-4 compliant and do you think, with your internal staff and your compliance people, that you could build an infrastructure that could be 17a-4 compliant and do it better, cheaper and faster than a service-provider option?
So those are the tough questions I think you need to ask. Make sure that you look beyond the cost of the storage. A lot of people focus on just the storage cost. It's way beyond the cost of storage. Of course it's software, consulting and the big, big investment is intellectual capital, i.e. your people. It will take your best people to figure out. And whether or not your CIO wants to make that investment - from a technology and people perspective - is really a question you need to ask yourself. At the end of the day, does this provide a competitive advantage? And I'm not sure it does. So, really consider those costs.
WS&T: People say, whenever you ask them about a solution they implemented, that every firm is different and every firm has specific requirements. Can you talk specifically about Lehman, either in terms of you being in a good position to deal with this problem or at a disadvantage?
ABBRUZZESE: I don't think Lehman is any further ahead than probably some of the top firms on the Street, but I think, when we looked at this problem, again, we looked at whether or not we wanted to insource it or outsource the problem and we elected to go with an outsourcing solution. There were a lot of reasons why we selected to go that route. (Abbruzzese declined to name the vendor Lehman chose.)
From a cost perspective, we found if you do the total cost of ownership (TCO) the right way, you'll find that you probably can't do it as cost effectively as a service provider. So, I think if you do the math - at least at Lehman when we did the math - we found that we couldn't do it as cost effectively. The time to market or time to implement the solution was much quicker. I think the longest lead-time item that you'll have is ordering the data lines and getting your contract through the legal department.
So, from a time-to-market perspective, you'll certainly be up and running in a much quicker timeframe and be in a better place with the service-provider option. So, that's what we felt.
The other thing we lacked is what I touched on earlier, the intellectual-capital investment. We felt that the IT-personnel requirement was vastly reduced. We still have a commitment there, but the stuff we're talking about, 31 billion messages, the archives are only going to get bigger and bigger. To build systems that have a response time that actually responds when you hit the enter key is key. So, everything is centered around performance management and capacity planning. That will take your best people. And the service provider, again, this is their core competency. So, that was another reason that we really liked.
The other thing is within information technology, anyway, there's a general lack of understanding of what 17a-4 even is. And for us to try and keep abreast of it as it evolves and what it means and break down the requirements and turn those into information-technology requirements, really made a service-provider option even more attractive. So, there's probably a number of firms on the Street that are probably in the same place we are.
We just brought our system up live in the first week of June actually, so we're really not that far ahead, probably, of many firms on the Street. And, we think we've made the right decision. So far, the implementations went extremely well.
Audience: My question is does the panel have an opinion about where the right to privacy begins with the individual and when you stop tracking what people do from their home computers?
ABBRUZZESE: At Lehman, our perspective is that it's Lehman property. You only use Lehman devices to send and receive and you don't have any privacy as it relates to messaging.
Audience: First off, based on your experiences working with other organizations, how many of those have you found actually used policies and technological solutions to capture interday messages, so that you don't get the double-delete scenarios happening (the idea that deleting an e-mail from the "in-box" and "sent" folders means there will be no record)? I know a lot of organizations tend to use backup solutions or are moving to more near-line solutions, but how many of those are actually capturing the interday stuff and preventing that from disappearing?
ABBRUZZESE: I would say that the solutions that are available today, the double delete doesn't work. Typically, as soon as you hit that enter key and that e-mail goes, it goes through 25 different servers before it gets to the receiver. One of those servers actually archives that e-mail out, so the double delete doesn't work anymore. And that should be a requirement in your solution that you look for in the future.
Audience: A lot of what we've been discussing would be clear on how we do these things going forward. What about going back? This is not a new rule. It's only being interpreted in a new way, so if I've discovered now that perhaps what I've been doing has not been sufficiently compliant, what is a good-faith effort in order to get my records compliant? Do I have to go back three years? What's the advice?
ABBRUZZESE: If you take a look at your historic stuff, it's probably not even on a WORM (Write Once Read Many) compliant device. It's probably out on a bunch of tapes and you have a bunch of operators out there juggling tapes to restore stuff. So, basically one of the things that we thought was a very cost-effective way to move forward was to put this stuff all online, so we made a tremendous investment to just put it online. And again, as I said earlier, take a look at the investment that you've made so far and what can you leverage. And putting all the historic stuff online was the best decision for us, and everything moving forward from June 1 is by our service provider that's 17a-4 compliant.
I would say that this is, again, 17a-4 is, from our perspective, so complicated that we thought it was the core competency of the vendors that play in this space and we really didn't want to get into the space.
WS&T: Can you talk a little more about how best to work with a vendor in this area?
ABBRUZZESE: As it relates to managing the vendor, it's about the service-level agreement, putting metrics in place and managing the vendor to those metrics. One of the key metrics is response time. These archives are going to be huge, so make sure that you get the response. Availability is going to be key as well, because these attorneys work all different hours, all nights, 365, so make sure that, from an availability perspective, you have the right availability stuff that you need in the service-level agreement.
SEC Rule 17a-4 and NASD Rule 3110
Requires firms to preserve for a period of not less than three years (the first two years in an easily accessible place) originals of all communications received and copies of all communications sent by the firm or its employees relating to its business. Those rules apply to electronic communications.