Messaging compliance is a necessary nightmare for administrators today. Complying with the regulations enacted over the past decade is a burden you must take on when establishing your messaging environment. Ignoring compliance up front while designing and deploying that environment could cost far more than time and money later on, should litigation require you to produce messaging evidence. Your organization might also be held legally responsible if it is found not to be in compliance with the regulatory requirements that apply to it.
Each organization is different, so the laws may apply differently to each one. Thus, you need to know the requirements for your business; well-known regulations include Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Patriot Act. It's best not to take it upon yourself to study up on the law, but rather to seek out expert messaging architects and legal advice when planning a messaging infrastructure that will be in compliance.
Although you should get expert help on understanding the laws' requirements for your business, it's up to you to implement these requirements in IT systems. Some of the issues you'll have to implement include:
- Data retention: You may be required to retain messaging correspondence for a period of time.
- Privacy and confidentiality: With sensitive data passing through a messaging system, it's necessary to ensure that the data is protected, both in transit and at rest.
- Ethical walls: It may be necessary at times to prohibit communication between groups of people within your own company. There are ways around such a prohibition (people can always talk outside the system), but for the part of communication you do control, the messaging system, you need to be able to prove that you've done your best to enforce it.
- Discovery: Litigation against your organization or individuals within your organization may require mailbox content be discovered and handed over for review.
It's critical to accept that such policies have to be implemented and enforced at the server level, not the user level. In other words, compliance cannot be left up to your users' management and filing habits (in the case of retention), nor can you simply give your people a talk about "ethical walls" and hope they comply. You need the tools to enforce compliance so that the policies you create are applied continuously and uniformly -- not only for the sake of complying, but so you can prove that your organization did everything it could to comply with the legal requirements governing your business.