Nothing is ever communicated in writing, without some degree of anticipation about how the audience will read it or interpret it. What is usually not anticipated - especially in a corporate environment - is how anyone potentially can access anything that is typed. Moreover, employees have become so comfortable with electronic communications that they take the same casual approach to e-mails as they do in verbal conversation. This is one of the real effects of technology today - it has changed not just the way we communicate, but even what we communicate, leaving corporate America digitally overwhelmed, over-regulated, and drowning in electronic proof of our every mood.
How do you manage the concept that virtually everything that pops into an employee's head, is probably going to end up documented in one form or another? And how do you manage the fact that volumes of electronic information support virtually every process within today's corporation? The value of having huge reservoirs of data is well understood, but the price we are paying is just starting to be identified.
Strategists teach us that there are four basic stages of problem solving: identifying the problem, evaluating it, controlling it and fixing it. We have identified the problem: corporate records have gone electronic. The Cohasset Report, a 2004 study conducted by Cohasset Associates and sponsored by the Association of Records Managers and Administrators (ARMA) and the Association for Information and Image Management (AIIM), notes that 65% of the respondents indicated that electronic records are not adequately accounted for. The study concluded that most organizations are simply not equipped to protect themselves from compliance risks and legal liabilities.
Companies today need to take better control of their information management strategies and compliance measures. There are many laws that directly or indirectly affect how organizations must deal with electronic compliance - the most prominent of which is the Sarbanes-Oxley Act of 2002 (SOX). How can companies make sure that they are doing everything possible to meet the demands of SOX and other compliance-related laws? Below are seven deadly sins that companies must avoid in order to maintain their high-performing capabilities while complying with the law.
1. Inadequate Defensive Security Measures
These days the focus of the media is on external attacks, with hackers being the most infamous group of people initiating these attacks. The paradigm of a strong fence is shifting towards a holistic enterprise security model that deals not only with external attacks, but also internal attacks. When a company has a deficient security policy, highly sensitive data is at risk of being exposed and exploited. A full-time awareness of who is accessing what data - as well as when they are accessing it - is necessary to ensure a secure environment. All devices in the enterprise network that pass and process sensitive data, such as financial records, need to have their security verified on a regular basis.
Section 404 of SOX requires that all publicly traded companies submit an evaluation of their internal controls. Other laws, such as the Health Information Portability and Accountability Act (HIPAA), require organizations to have increased security measures regarding the data they use and retain. HIPAA protects consumers' private health information from being exploited by employers, insurance companies or other entities that might benefit from the data.
2. Inadequate Documentation And Audit Trail Rules
Vast amounts of sensitive data are being created, modified, deleted, exchanged and accessed with a company's information systems. The problem is that the communication between these systems is often relayed manually without an audit trail.
Take the example of an employee who exports a report into an Excel spreadsheet, modifies some key numbers, and then imports the doctored spreadsheet into the company's IT system. In most organizations, the system will overwrite the new data but not keep a record of what data was modified. But in order to be compliant with SOX, these types of manual changes must have a thorough audit trail, so it is critical for organizations to have IT systems that can track and maintain data and the audit trails surrounding it.
In addition, processes and procedures must be documented so that employees can certify that they followed a compliant protocol, and tools must be implemented to track the effectiveness and timeliness of these policies and procedures. And most importantly, organizations need to make sure that their employees are complying with these policies and be able to document compliance.
Exceptions also must be documented, researched and new controls developed to limit future lapses. Written documentation must detail the thought processes and decisions made regarding the resolution of exceptions.
3. Lack Of Information Life Cycle Management
Electronic data presents unique retention challenges. It is essential that companies determine what data needs to be preserved before they are faced with litigation. Preservation involves the cessation of backup tape overwriting, hard drive imaging, disk defragmentation, and other means of data destruction or manipulation. Metadata must also be kept unchanged to determine dates and times of certain events such as modifications.
Companies need to understand that they must be selective in saving data. Having an inefficient preservation policy will spell disaster when a certain document needs to be retrieved at a later time. Knowing what to delete is crucial to the preservation of electronic data since it keeps the total amount of data from growing too quickly.
The difficult part of the retention of data is finding the "sweet spot" where most of the unimportant documents are deleted and important ones are preserved. That balance is what determines the efficiency of the organization's preservation/ retention policy. Companies that have a sound retention policy are easily able to relinquish information not required by law, reducing both risk and costs.
4. Information On Demand, But Not Controlled
Within the past few years, storage space has become so inexpensive that organizations tend to save everything. However, the ability to find and retrieve specific documents within those repositories is a different story. Without proper procedures, locating an important document is comparable to finding a needle in a haystack. The defense that electronic discovery is "too costly" will not suffice in court. Provided that the documents requested have a high chance of existing, companies must be able to obtain them regardless of where they are - tape backups, CDs, PDAs, cell phones, etcÉ or risk damage to their case as well as a fine.
Implementation of a robust and enterprise-wide document archiving system is the best way to mitigate this risk. Documents should be automatically indexed based on key attributes to enable future search and retrieval. Moreover, information should be organized in a way that would contextualize a group of emails so that a singled out email can be viewed as part of a complete conversation - giving the email tone and meaning.
5. Deficient Email Governance
Despite the rapid growth and use of email, most organizations are currently incapable of meeting required archiving and retention policies.
Discovery of emails has proven to have a significant impact on many cases, including Zubulake vs. UBS Warburg . Companies need to be able to readily identify and retrieve emails that contain information about business events, ongoing activities, transactions, or legal issues, as well as those that constitute communication with clients, internal staff, and/or other stakeholders. Once an email has been identified as a record of value, it must be kept.
The problem with email retention is the sheer number that potentially can be marked as a "business record" and therefore saved. One of the benefits of having an email retention policy, as mentioned above, is that it educates employees as to which emails should be deleted, reducing the number of irrelevant emails. Of course, the best way to solve this problem is through the implementation of an email archiving system that would centralize all emails, mark those that are relevant, index them on several key fields, and save them to a backup system - all seamlessly with limited employee involvement.
6. Ignoring Other Forms Of Electronic Communication
When it comes to technology compliance, the topic of email seems to receive the lion's share of attention. Most organizations are viewing instant messaging (IM) as immaterial to an organization's compliance and security policy. However, ignoring IM could result in severe consequences. IM data should be treated like emails with respect to retention and discoverability. Since IM technologies are usually not implemented in a structured manner, the security risks are increased. Intellectual property can be compromised, illegal information can be sent, and viruses can be downloaded unbeknownst to the user.
Other security risks currently under the radar include voicemails and electronic faxes (e-faxes). Voicemails occupy a legal gray area that has no direct law or major precedent corresponding to it. Companies should keep track of federal mandates that pertain to voicemails to be prepared for any changes to the status quo. E-faxes, since they are digital, can be compared to PDFs that are stored in a user's computer.
7. Nobody In Charge
If you consider all of the stories and studies on the subject, a clear pattern emerges when it comes to electronic information: there is no single entity of accountability for the big picture. As a result, when liabilities occur, everyone - and no one - is to blame. Looking at a typical organization today, IT departments own the physical aspects of information management (including IT related compliance) and Risk departments own the user related compliance and training, while Business units own the day-to-day policing and Legal Departments defend the actions of the company in a resulting dispute.
Clarity around the front end of compliance, the "what" and "why" and the back end "how," will make the whole process of compliance more efficient. If employees make a habit of deleting files that are irrelevant, the discovery process can be streamlined when litigation comes. But in order to do that, employees must know about the organization's internal and external communication policies. Employers have the right to look into employees' computers and extract information. Employees must be made aware that the employers have that right and may need to exercise it in the event of litigation.
Many years ago the concept of the corporate CIO was foreign to most corporations. Today, it is the norm. Likewise, we see an evolution of accountability that will provide executive level oversight to the life cycle of corporate information with the primary focus being the strategic management of information and the comprehensive responsibility to achieve compliance through efficient implementation of procedures and processes, including employee education.
Published November 1, 2005.
