Journal Explosion and Regulatory Compliance - A Volatile Combination?
The journaling of email for regulatory compliance has been around for several decades. It was originally driven by SEC Rule 17, requiring that all communications to and from target employees (broker-dealers) must be captured immediately and stored in an immutable format so that the emails/attachments could be considered a true (unchanged) copy of record. The objective was to ensure that if a client ever filed a complaint, the SEC could review original communications and records to determine if the broker-dealer misrepresented facts or didn’t act in a professional manner, such as guaranteeing specific returns.
Thankfully, for firms using Outlook as their email platform, Microsoft created the journal folder in their on-premises Exchange email system. A copy of every message, sent or received, is immediately copied to the journal folder. End-users don’t have access to the journal copies, preventing them from being changed or deleted accidentally or deliberately.
Journal Folders – A Potted History
In the early 2000s most financial services (FinServ) companies quickly began adopting email archiving systems that could manage the captured journal emails and apply retention/disposition policies. This ensured that regulated journal emails were kept for the required time period, in an unaltered state, with complete chain of custody. SEC requirements also included the requirement that these journaled/archived messages be stored in an immutable format (known as WORM – write once read many). Because of this requirement, archived journal email was stored on optical write-once media, which transitioned to software-based WORM hard disk arrays such as the EMC Centera WORM disk storage system. On-premises archived journaling solutions became a staple for SEC compliance for many years.
5 Advantages of Journal Archiving in Microsoft Azure...
...an infographic for IT, security and compliance teams
Along came the Microsoft Cloud and Office 365
Several years ago, Microsoft introduced a SaaS cloud version of their popular Office Suite, Office 365, which included a cloud-based version of the Exchange Email system. Office 365 has become a wildly successful business and the most widely used personal productivity platform over the ensuing years.
FinServ companies transitioning to the Office 365 cloud have faced one major issue: Office 365 does not include a journaling function. This creates a roadblock for the FinServ industry’s adoption of Office 365 because they still need to journal email from specific employees for SEC 17 compliance. Microsoft’s response has been to suggest that organizations set up a separate journaling capability to either an on-premises Exchange system (which means maintaining two Exchange systems) or migrate their existing on-premises journal or archive to a third-party cloud-based archive.
Third-party SaaS Cloud Journals – the bad, the ugly and the obnoxious
For many in FinServ, migrating to a third-party cloud journal has been the only feasible choice. However, this additional platform requirement is expensive and frustrating. First, there’s the license cost. The annual cost of maintaining a third-party cloud journal, along with the company’s Office 365 subscription, can add up. Second, there’s the cost of the ransom. Many companies have expressed frustration with their inability to get their journaled data back out of these cloud journals. A surprising number of third party SaaS archiving vendors put up obnoxious roadblocks to stop customers from moving to another cloud vendor, or at least make it as difficult as possible. This includes extorting ridiculous “exit fees” – we call them ransom fee, and using extraction throttling – only allowing very slow speed data removal.
Exploding Journals for Office 365 (Explosions are never a good thing)
Another potential journal solution some third party SaaS archiving vendors have been pushing is the idea of “journal exploding.” During the migration process, the vendor analyzes each journaled email and determines the number of senders and recipients. They then create and store a copy of the message for every sender and recipient of that message directly in their Office 365 mailbox. For example, a journaled message with one sender and ten recipients is exploded into eleven messages, which are then put into each user’s Office 365 mailbox – causing a ten-fold increase in storage requirements for Microsoft. These migration vendors have argued that customer Office 365 tenancies are not priced by storage but instead by user, so what’s the harm.
There are many issues around journal explosions, the first one being the SEC immutability requirement. As new messages are created via the journal explosion, they are inserted into the targeted end-user mailboxes. To ensure the messages remain immutable, the mailbox must be put on perpetual “litigation hold” so that the messages can be represented as SEC-compliant. Perpetual litigation hold overrides the natural retention/disposition activity, so these messages must be manually managed by an admin with the proper access rights.
But the perpetual litigation hold strategy raises additional issues. Litigation holds can be removed by administrators, so it’s possible for messages in the mailbox to be edited or even deleted by the admin or others. The SEC immutability requirement is very prescriptive in that regulated messages must be completely immutable – meaning that no one can have admin access to them for the life of the SEC retention requirement. In my mind, this means that journal exploding into Office 365 is not a viable or compliant solution for FinServ journals.
Setting up Azure Cloud Journals
Instead of turning over your sensitive and regulated journal data to a “one-size-fits-all” SaaS cloud vendor, or alternatively, exploding the journal and stuffing huge amounts of email into your Office 365 mailboxes (with questionable compliance), we recommend leveraging your Microsoft cloud. This can be done inexpensively, and in a compliant manner, by storing it in your organization’s own Azure tenancy where it can be managed, audited, and stored immutably, all under your direct control.
Archive360’s Archive2Azure Information Management and Archiving solution is installed in your organization’s own Azure tenancy, where it can grab a live Office 365 email journaling stream into Archive2Azure for ongoing management, discovery, and immutable storage. This inexpensive journaling solution keeps all of your sensitive and regulated data directly within your organization’s control. Also, because Archive2Azure is designed as a PaaS solution as opposed to a SaaS solution, your organization keeps and controls all encryption keys, and decides what levels of security will be used.
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.