Monitoring software keeps e-mails legal and relevant

Orchestria weeds out bad e-mails, tackling both compliance and capacity issues. But is it reliable?

So you've got too much email and not enough email space, and the compliance regulators are coming. What's a storage manager to do?

Deleting everything after 60 days and then telling the courts, "that's our policy" doesn't cut it anymore. You could train employees to figure out which emails to delete, but that carries a high risk. Archiving all your emails and manually monitoring which ones to keep is another possibility, but you'd better have deep pockets.

Orchestria Corp., a New York-based company that provides software that monitors emails, instant messages and BlackBerry handhelds, recently conducted a study among its client base showing that as many as half of company emails are personal or spam and are irrelevant to the business. The hard part is figuring out which ones.

"Most banks keep everything for seven years because they're paranoid about compliance," said Paul Johns, vice president of global marketing at Orchestria. "But nearly half the stuff only needs to be kept for one to 60 days."

Orchestria -- which serves tightly regulated industries like financial services -- claims to tackle both compliance and capacity issues with its active policy management (APM) software. APM automatically weeds out personal emails as well as potentially harmful emails that discuss inappropriate or confidential information. In short, it prevents you, in real time, from sending or receiving an email that could get you in trouble.

It does this by using search agents placed on a user's desktop or centrally on a server to analyze email interaction. Through context analysis algorithms and language recognition technology, APM searches emails and Web pages for thousands of keywords and phrases in real time. If a user is sending or receiving content that is outside the bounds of corporate policy, APM will alert users through warning pop-ups or even block messages outright.

"The SEC has rules on what can be said in an email," Johns said. For example, certain stocks cannot be discussed. In all banks, the research and trading departments cannot communicate at all. "But you can't trust human beings all the time," he said. "Having software that analyzes and blocks email content can keep the company and its employees out of court."

One Orchestria user, a major global investment banking firm, learned this the hard way during a securities fraud investigation last year. The investigation relied heavily on email content and the company ultimately settled for $1.4 billion. As a result, the bank went looking for technology that could prevent compliance breaches before they occur.

Orchestria made the bank's short list and won it over during the evaluation process by proving that if it had been installed, the APM software would have prevented the breaches from taking place. APM also identified the exact emails that had caused the fine from the Attorney General. The bank was impressed.

Mike Casey, principal analyst at Contoural Inc. in Los Altos, Calif., wasn't completely convinced. "What it does is very clever, but is it reliable? And will the courts believe that software knows more than a human being? If you're going to rely on it for compliance, I would get an OK from legal counsel first," he said.

Casey also brought up the point that emails often start out as chitchat and segue into a business discussion. "Will the software be able to tell the difference?"

Orchestria's Johns offers assurance that the APM software monitors every back-and-forth exchange of an email and can spot where business is discussed.

"Everybody hates managing email -- from the administrator to the user to the CIO," said Peter Gerr, an analyst at Enterprise Strategy Group in Milford, Mass. "As long as the APM software protects businesses from risk and wasted money, it should continue to succeed."
