Sponsored by NetIQ

Ask Rebecca Herold your IT compliance questions!
 Contact Rebecca Herold
 through email, the
 discussion board, or IM.
  Learn more...


Presented by Realtimepublishers
Register now to participate! Minimize
While you're welcome to browse the conversation, you'll need to log in or register to really Join the Conversation. Registration is free and takes only a few minutes, so why not sign up? Just click the "Get a Free Account" link near the top of the page. We look forward to meeting you!

The Conversation Minimize
Subject: Unified Messaging and eDiscovery
You are not authorized to post a reply.

07/11/2006 11:04 AM Alert 
In contemplating a replacement of our voice mail system(s), we are considering 'unified messaging' options that would allow voice message management from users' Exchange/Outlook inboxes.  Very popular with users.  BUT, there are lingering doubts about whether merely using Exchange will subject all our voice messages to the same archiving and discovery requirements that have grown up around email.

The difficulties of 'searching' voice messages are obvious - nothing to search except sender, receiver, date and time.  Perhaps try Speech-to-text, but not likely to work.

Is it reasonable to configure Exchange so we don't log or archive voice messages the same way we do email, and publish policies that satte that voice messages are gone when you hit delete - not backed-up, not archived.  Coupled with features to prevent sending messages outside the organization, or saving to private folders/DASD - would that fly?

07/13/2006 8:59 AM Alert 
I've got interests that dovetail. I faciliate a VoIP community that somewhat mirrors this one, but I also have very focused interests in security. Compliance issues and concerns always catch my eye, so I watch in here also. If I could offer some observations in response...

Is VoIP itself subject to the archival and audit requiremens of voice? data? or both? If you view it as voice, then you probably apply the same parameters you would to voice mail in a traditional phone system. A cautionary note - if you treat VoIP as data in any regard, and you have documented retention policies for data, you may need ot think about voice mail in depth. For example, if the company policy is to not delete email ever, and your VoIP system delivers messages via email, you could be opening up issues with how you manage voice.

The other question is your direct one. In the cases I've been involved with, that first question gets answered before addressing this one. For my state employer, the decision was made, by many lawyers and extended investigation, to treat VoIP just like a telephone call, eliminating the need for archival records just like voice mail messages in the standard telephone world. Some reasoning behind this was that in our environment, some senior managers (appointees) fall under a set of guidelines that requires email and documents to be retained permanently. I think there was some logic that drove the impetus to avoid treating voice mail (and VoIP in general) the same as data because it would have presented a huge archiving burden.

In practice, most people I've worked with treat VoIP more like telephone service and less like IP data.

More specifically to your question, managing this in Exchange is far more cumbersome. Microsoft isn't overly friendly as I recall in only archiving subsets. I would imagine if voice mail messages delivered in Exchange carry something in the header line that notes it as voice mail, some script could be used to purge those message prior to the archival process. An alternative might be to auto-purge rather than archive based on filetype of the attachment (WAV/MP3), but this would then potentially purge messages that really need to be archived. Another option might be to archive the message but not the attachment perhaps.

I hope this helps. It's more grounded in process and functionality than in compliance. I haven't seen anything of substance in case law. Nobody wants to see a precedent set.


07/14/2006 5:42 PM Alert 
Thank you for the insight Ken. I appreciate you bringing the technical and operational issues to light.

Upon doing a bit of research I found in 2003 the U.S. Securities and Exchange Commission (SEC) Final Rule: Retention of Records Relevant to Audits and Reviews went into effect. If you fall under the SEC, then you should familiarize yourself with this regulation. This reg indicates that voice mail records generally would not fall within the retention requirements scope "provided they do not contain information or data, relating to a significant matter, that is inconsistent with the auditor's final conclusions, opinions or analyses on that matter or the audit or review." However, voice mail would need to be retained "if that item documented a consultation or resolution of differences of professional judgment."

So, a consideration to keep in mind is the content of the voice mails.

A few Other U.S. laws and regulations that impact your voice mail retention decisions include, but are not limited to, the following:

* Federal Wiretap Act
* The USA PATRIOT Improvement and Reauthorization Act (the reauthorized USA PATRIOT Act)
* Communications Assistance for Law Enforcement Act (CALEA)
* Sarbanes-Oxley Act

This is definitely a good topic to discuss with your legal counsel prior to making any decisions.

You are not authorized to post a reply.
Forums > General Discussion > Ask Rebecca > Unified Messaging and eDiscovery

ActiveForums 3.5