Compliance

You can't outsource email compliance headaches

But there is help to be had...

By Sylvia Carr

Published: 28 October 2004 16:59 GMT

The old cliche 'you can't outsource a problem' proves especially true when it comes to email and compliance.

As companies face the difficult task of ensuring their email systems conform to the increasing number of corporate regulations such as Basel II and Sarbanes-Oxley, many may be tempted to hand the whole mess over to an outsourcing partner.

But thinking they can do so would be a mistake, warns the Federation Against Software Theft (FAST).

Liability in most cases remains with the data owner - and if the regulators come calling, businesses can't use incompetence on the part of an outsourcer as an excuse.

Simon Briskman, partner at law firm Olswang, agreed: "You can't outsource your regulatory obligations. What you can do is outsource functions. But if [the outsourcer] fails, you're liable."

Briskman stresses that before hiring an outsourcer a company must perform a regulatory audit to understand its particular compliance issues.

Then, he said, "having understood its own compliance burdens, [a business should] specify what the outsourcer needs to do" in terms of storing files in the right format or allowing the company to access data should things go wrong.

John Lovelock, director general of FAST, said companies must understand the risks involved in outsourcing email and, if they still choose to do so, retain legal counsel and draft a service level agreement (SLA) that covers all the pertinent compliance and liability issues - such as who owns data and who's responsible for producing reports for regulators. Then, he adds, companies "need to monitor SLAs at various levels down the project".

Lovelock also recommends including an exit plan. "You need to know how to extricate yourself from the deal" should it not work out, he said.

According to FAST, examples of email compliance issues companies may not be aware of include storing emails in their original form, saving records on non-erasable, non-volatile drives and showing a complete list of recipients on each message.

Small businesses may be more likely than large firms to be unaware of compliance and liability issues because they tend not to have in-house legal counsel that understands the business and can advise them.

However, Briskman said: "Even at the largest companies, with the sweeping changes with Basel II and Sarbanes-Oxley and much of the regulation of ecommerce, it's difficult" to keep on top of all compliance issues.

This is not to say companies shouldn't outsource email or other data services.

FAST's Lovelock said: "Outsourcing is a great way of getting a service you can't deliver yourself... But be aware of all the pitfalls."

Briskman concurred: "External solutions are often the best technology solution. Get the best technology solution - then make sure you understand the legal issues."

Responsibility for email compliance - and dealing with an outsourcer - shouldn't fall on any one individual in a company, such as a CIO or IT director.

FAST's Lovelock said: "It's an organisational issue that everyone - CEO, IT and legal - needs to be involved in."

It wouldn't hurt for outsourcers to get in on the action, too.

Dan Scobie, strategic technology officer at technology services provider Star, said: "It's important that all parties engaged in any sort of outsourcing service have a clear understanding of where liability exists and who has ownership for that liability."

And the right outsourcer can even lend a helping hand in the process.

Scobie said: "We engineer SLAs to provide assurances around things like data storage... A key responsibility of outsourcing providers is to prove their capabilities in things like compliance issues."
