Not In E-Mail Compliance? Trouble<at> YourCU.Org</at>

Register now

Clean up your e-mail.

"Credit unions that don't know their e-mail compliance for the Gramm-Leach-Bliley Act are an accident waiting to happen," asserted Dan Donjon, network security administrator at Air Academy Federal Credit Union (AAFCU).

Credit unions guilty of breaking e-mail security and privacy laws set by GLB's Safeguards Rules face heavy fines or jail time.

The SEC has also laid down the law. In 2002, five major Wall Street firms were fined more than $8 million for failing to store e-mails for the six years required by SEC 17a-4. "Courts want e-mails fast, and those companies were unable to produce them," explained Butch Hill, vice president of IT at AAFCU.

The CU industry could be walking on thin ice. Donjon and Hill agreed that many credit union executives seem unaware of e-mail laws.

And a number of prominent, large credit union IT departments interviewed by The Credit Union Journal over the past two years confessed that they know little about their e-mail compliance programs or automation.

However, Hill was quick to add, that after talking with CU colleagues at the CUNA Technology Council Summit in San Diego last month, it seemed "more and more credit unions were becoming compliant."

The $295-million AAFCU paid a "six-digit figure" two years ago to implement Secure Messenger's e-mail compliance, security and anti-spam automation, which included a three-year maintenance contract, Hill said.

Secure Messenger e-mail encryption is offered by Redwood City, Calif.-based Tumbleweed Communications Corp., providing secure Internet communications solutions.

"Tumbleweed was surprised to get a credit union of our size interested in e-mail security," Hill added. "But the price tag of the product was worth one or two lawsuits,"

AAFCU can automatically encrypt e-mails that contain confidential member information such as account numbers, said Hill.

"We like the rules-based outbound features that automatically identify the presence of confidential information and send e-mails via the secure channel without relying on an employee to appropriately flag the communications," he said.

Even though GLB is less concerned with spam, AAFCU also keeps unsolicited e-mails under its thumb, Hill said. About 98% of AAFCU's 1.1-million incoming e-mails are spam, and are filtered by Tumbleweed's E-mail Firewall module.

Each incoming and outgoing e-mail is also automatically indexed and archived for six years, Donjon said. "We don't want to be the guy sitting on the jury stand when the judge says 'Where's the e-mail?' and we have to say "What e-mail?'"

For storing e-mails, a searchable, dedicated e-mail archive server is the safest bet for easy access, Donjon added. Tape backup systems often lack necessary search tools.

AAFCU uses E-mailXtender, an archiving solution offered by Mountain View, Calif.-based EMC Corp., providing information lifecycle solutions.

CUJ Resources

For info on this story:

* Air Academy FCU at

* Tumbleweed at


For reprint and licensing requests for this article, click here.