Is Symantec Spreading SarBox FUD?
Colleague Mark Edmead, who is also my co-presenter at the E-Mail Management and Compliance Advisor Seminar in Las Vegas next month, forwarded me a copy of a presentation today. Offered by Symantec as part of the Ziff-Davis E-Seminar Series, the topic was entitled "Ensure the Integrity of E-Mail".
As I read the presentation, I was immediately drawn to one section, which dealt with regulatory requirements for document retention. In addition to HIPAA, 21 CFR, and SEC 17-4a, the chart states that under the Sarbanes-Oxley Act of 2002, "All Public Companies" are required to retain "all records related to audit or review" for a period of "7 years after the conclusion of audit/review".
I only have one word for this statement: WRONG!
The Section 802 record retention requirements only apply to public accounting firms. They do not apply to the companies being audited. The part of Section 802 that applies to companies subject to SarBox is the imposition of criminal penalties if executives knowingly destroy or alter documents in advance of a subpoena or bankruptcy proceedings.
What companies need to have is a defined records management cycle. The length of retention IS NOT defined by Sarbanes-Oxley (it may, however, be dictated by other laws and agencies).
It is irresponsible of Symantec and Ziff-Davis to allow this information to be presented incorrectly. Why? Because it spreads like a virus and becomes accepted as "Gospel Fact", perhaps forcing companies to make heavy expenditures on unnecessary hardware and related costs. If you would like to know more, take a few minutes to read Section 802 of SarBox.
Comment posted by Stephan H. Wissel, 03/08/2006 10:34:42 PM
Homepage: http://www.wissel.net/
Interesting thoughts. In our corporate act (Singapore) it is stated "Accounts and other business records need to be retained for 7 years". So is there something similar in the US corporate act?
This anyway will open the next question: what conditions need to be fulfilled for an email message to qualify as a business record. A message "Let's go for lunch" to the cute accountant from the opposite firm surely doesn't (does it?). "Let's discuss the deal details over lunch" to a client surely does (doesn't it?).
So confusion everywhere.
stw