Information Management Compliance

Building a Compliant Records Program. Information Management Compliance. Randolph Kahn, Esq. Commvault Innovate 8. ARMA – Toronto.

Presentation Transcript


  1. Building a Compliant Records Program Information Management Compliance Randolph Kahn, Esq. Commvault Innovate 8 ARMA – Toronto

  2. What Do You Do For a Living? “More than 3 years after the Sept. 11 attacks, more than 120,000 hours of potentially valuable terrorist-related recordings have not yet been translated …and computer problems may have led the bureau to systematically erase some Qaeda recordings…[t]he investigation found that limited storage capacities in the system meant that older tapes had sometimes been deleted automatically to make room for newer materials, even if the recordings had not yet been translated”

  3. Information Perfect Storm • Volume • 988 exabytes of new data 2010 • 200+ billion email per day • Value • All kinds of business being done • More laws and regulations • Liability • Greater downside • Info mismanagement ubiquitous • So what do you do in a down economy with less IT budget? After funneling billions in investor money… Fairfield …is offering up its explanation to investors . . . firm supplied falsified trading documents. . . what now appear to have been fake electronic records… WSJ, 3/2/09 “making patient data more accessible has the unpleasant side effect if it potentially falls into the wrong hands” WSJ, 3/4/09

  4. How Do You Define Success? • Intelligence Agencies’ Databases to Be Linked • “… nearly five years after the intelligence community was rebuked by the 9/11 commission for failing to “connect the dots” and detect the attack…New technology is addressing a more basic problem…Spies often have trouble emailing colleagues…email addresses aren’t readily accessible, and messages sometimes get eaten by security filters. “Today, an analyst’s query might scan only 5% of the total intelligence data in the U.S. government, said a senior intelligence official.” WSJ 2/22/09 “If we aren't supposed to eat animals, why are they made with meat?”

  5. Let’s Level Set--True or False • IT cares about the value of information in their systems? • Back up is the same as records retention? • Bad info management practices means responding to document requests in a lawsuit is super duper fun? • IT buys technology today without considering its legal and compliance needs? • Discovery is the act of finding something really great in places you never imagined? “I think people tend to forget that trees are living creatures. They're sort of like dogs. Huge, quiet, motionless dogs, with bark instead of fur.” Jack Handy

  6. What is Compliance? “Compliance” is conformity with some criteria • Sources of compliance criteria • Laws & regulation (SEC, Sarbanes Oxley, Part 11) • Industry standard (ANSI, ISO) • Company policy (RM, E-mail, Privacy, IT Security) • Best practice “Smoking kills. If you're killed, you've lost a very important part of your life.” Brooke Shields “Data Breach at Army Hospital Sensitive information on about 1000 patients…was exposed” WSJ June 3, 2008

  7. What Does Failure Look Like? “In an Aug. 15, 2005, voicemail messages addressed to company salespeople, an …employee… followed up on a “weight and diabetes sell sheet” they had recently been sent.” “…the document written by Dr. Geller doesn’t accurately reflect the company’s position in 2000. In fact, it was not Dr. Geller’s ultimate view either. It was an initial draft for discussion purposes.” “In response to a plaintiffs’ attorney’s question, Dr. Geller responded that the statement was “an artifact of an earlier discussion document.” WSJ 2/27/2009 “Bank of America Subpoenaed on Bonuses” WSJ 2/27/2009

  8. Information Management Compliance Policies and Procedures Executive Responsibility Delegation Communication and Training Auditing & Monitoring Consistent Enforcement Continuous Improvement “A corporation can act through natural persons, and it is therefore held responsible for the acts of such persons…on the other hand in certain circumstances, it may not be appropriate to impose liability upon a corporation, particularly one with a compliance program…” U.S. Dept. of Justice “When you come to a fork in the road, take it.” Yogi Berra

  9. Key 1: Policies and Procedures In Fund-Fee Case, Emails May Hold Key WSJ, 7/17/09 • GOOD directives • Policy v. procedures • Tells employees what to do • Tells the “world” you care • Change only when needed "There Are Three Kinds of People - Those Who Can Count and Those Who Can't” “Thus, the court has already found, as a matter of fact, that Rambus anticipated litigation when it instituted its document retention program” Rambus v. Infineon

  10. Different Policies for Different Uses “..In an employment discrimination suit ... the employer sent the policy to the employee via a mass email containing two links to the policy and did not require any further action ... the employee claimed that he received a large volume of mass company emails daily and that he could not specifically remember the arbitration policy. Although an email ‘tracking log’ indicating the time and date that the employee opened the email, the employer could not prove that the employee had actually read the email or clicked on the links. The court determined that the mass email did not constitute sufficient notification and further admonished the employer for not taking ‘the incredibly simple and inexpensive step of configuring their system to log when and if employees clicked on the links.’" Campbell v. General Dynamics “Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy.” Albert Einstein FDA Says Cookie Dough . . . has tested positive for E.coli … FDA has been examining…records. WSJ, 6/30/09 RIM Disaster Recovery Back up Storage Discovery

  11. Policy Changes to Reflect Business Reality? • YOU MAKE THE CALL: • As volume and value of email goes up, new policy should dictate: • All email will be purged • All email will be “retained” on back up tapes forever • Make a PST of everything before the CIO, the rat that she is, no longer allows you “ . . .we see no evidence of fraud or bad faith in a corporation destroying records if it is no longer required by law to keep and which are destroyed in accord with its regular practices. As we have previously observed, storage of records for big or small businesses is a costly item and destruction of records no longer required is not in and of itself evidence of spoliation.” Moore v. General Motors If a wolf can take down a deer from either flank, does that make him bambidextrous?

  12. Does Policy Dictate In-house or Outhouse • Where do you keep your information • Cloud Computing • Software as Service • ASP A computer once beat me at chess, but it was no match for me at kick boxing. PayPal Users Hit by Global Service Outage WSJ, 8/4/09 “Gmail Glitch Shows Pitfalls: Failure Spurs Concern Over Reliability of Online Software” WSJ 2/26/09

  13. Key 2: Executive Responsibility • Only way to ensure consistency across enterprise • Policy does not happen from below • Sets the tone for corporate culture • Holds the purse strings The man who smiles when things go wrong has thought of someone to blame it on. Robert Bloch Will they listen: As CEO, I want to remind you that our Records Management and Legal Hold Policies require that you retain records and preserve any information that may be needed for a lawsuit… As Records Manager, I want to remind you that our Records Management and Legal Hold Policies require that you retain records and preserve any information that may be needed for a lawsuit…

  14. Executives Pay the Price • Danis v USN court addresses CEO's failures: • CEO “personally took no affirmative steps to ensure that the [document retention] directive was followed.” • He did not direct that the company “implement a written, comprehensive document preservation policy, either in general or with specific reference to the lawsuit.” • He “did not instruct that any e-mail or other written communication be sent to staff to ensure that they were aware of the lawsuit and the need to preserve documents.” I am not a vegetarian because I love animals; I am a vegetarian because I hate plants. Whitney Brown

  15. Key 3: Delegation of Responsibilities • Danis Case (Continued) • The lawyers did “nothing to ensure that all. . . employees who handled documents that might be discoverable were aware of the lawsuit and the need to preserve documents.” • Directors failed to take, “any active role in implementing a broader preservation policy,” and did not follow up with the CEO “to determine if their directive had been implemented.” “Son, if you really want something in this life, you have to work for it. Now quiet! They're about to announce the lottery numbers.” Homer Simpson Notice to IT Department: Please be advised that the Legal Hold Policy mandates that all those in the care, custody and control of potentially relevant electronically stored information and other tangible objects must be properly garnered and thereafter preserved for threatened or imminent formal matters…

  16. Key 4: Communication and Training • Messaging of changes or position on a topic • Tells employees what to do and how to do it • Should be on-going • May provide the only protection to the institution. • Which message has the desired effect? • “The records management policy helps the company increase productivity and save money…” • “Do it, if you want your check…” • “Following the records management policy helps you manage your work load and allows the company be a more efficient business by having ready access to customer information, which in this environment may be the difference between winning

  17. Key 5: Auditing and Monitoring? • “…Bloomberg News reported over the weekend, Intel’s general counsel stated that e-mails for 151 employees who were to have been instructed to retain them as possible evidence in the AMD antitrust trial were lost by virtue of a single IT manager misreading a spreadsheet where the employees’ names were first distributed” • BetaNews 3/19/2007 “Fluor's e-mail retention policy provided that backup tapes were recycled after 45 days. If Fluor had followed this policy, the e-mail issue would be moot. Fluor does not explain why, but it maintained its backup tapes for the entire 14-month period.” Murphy Oil v. Fluor Daniel

  18. Key 6: Consistent Enforcement Can you make these seemingly inconsistent statements work with a simple policy fix? “We manage information in a medium independent way, so that company records may be in any electronic system” “The company voicemail system will be purged in the ordinary course of business every 30 days” “I dream of a better tomorrow, where chickens can cross the road and not be questioned about their motives.” “For companies, A Tweet in Time Can Avert a PR Mess” WSJ Aug. 3, 2009 “New technology to help marketers and media companies send videos via email.” WSJ, April 2, 2009

  19. Bring “Old School” Business Rules Forward When mere data becomes information requiring real management “The program …is aimed not at consumers, but at sales staff, accountants, and others who need to mash up data from different sources to solve business problems.” “Do The Mash” New York Times “Obama Announcement by Text Sends Message About Medium” WSJ Aug. 23, 2008

  20. Key 7: Continuous Improvement “If you rob a bank and your pants fall down, it's OK to laugh, and it's OK to let your hostages laugh too, because come on, life is funny.” Jack Handy You Make The Call? “For this lawsuit, back-up tapes of all email are to be preserved until further notice”, even though policy states that back-up tapes are to be used for disaster recovery purposes only and should be purged after 30 days. “Please be advised that accounting records will be retained on back-up WORM disks and thereafter select records will be purged when their period of retention has been met.”

  21. Manage “Under One Roof” Increasingly, knowing what information exists and where, is no small challenge Having as much “under one roof” is better for management Fewer technologies allows for better use of resources “I find that the further I go back, the better things were, whether they happened or not.” Mark Twain

  22. Conclusions • Simplify (people, process & technology) • Manage the content • Use fewer technologies more efficiently • Anticipate problems • Compliance methodology may be difference between winning and losing "Why does Sea World have a seafood restaurant? I'm halfway through my fish burger and I realize, Oh man ... I could be eating a slow learner.”

  23. Thanks He who laughs last didn't get it. Randolph A. Kahn, ESQ. rkahn@kahnconsultinginc.com 847-266-0722 www.twitter.com/InfoParkingLot
