Preservation Order

Editorial Type: Opinion     Date: 08-2014    Views: 3065   

Compliance, by its very nature, can only go one way, but some companies still falsely believe that they can demonstrate it after the fact. Rich Turner, Vice President of Business Development and Strategic Marketing for C2C Systems, examines why there is no such thing as 'retrospective compliance' and what UK companies can do to effectively demonstrate compliance from the outset.

It would be an altogether more prosperous world if hindsight drove our business decisions. When it comes to compliance, the courts are littered with cases of tribulation. Unsurprisingly, the US leads the way. Fallen energy giant Enron's vast email collection hailed the "birth" of modern compliance regulations, with businesses worldwide suddenly facing the fact that, simply by virtue of employing people, they had an ongoing obligation to prove compliance with the regulations applicable to their documents and records. Indeed, in certain vertical sectors, compliance has become even more tightly regulated. The UK Financial Services Act mandates "preservation" of company/client interactions (including email) for specified periods of time - so if a company sells something for anything other than cash, it is by default regulated and must achieve compliance.

How companies comply
In general, specific industry regulations include provisions directing companies to preserve specific documents and communications for specified periods of time, but none of these regulations outline the mechanism by which they must preserve such information, nor do they even define what "preservation" actually means. It all comes down to best practice. This has created a murky situation in compliance disputes for many solicitors and corporate legal departments across the UK.

Whilst most companies will mandate that documents, emails, records, and transactions are retained and preserved for specified periods of time, compliance audits for their own sake remain rare. That said, the big four accounting firms have large compliance practices advising usually larger companies how to demonstrate compliance through undertaking an audit that also identifies areas of weakness or failure, so they can impose corrective measures.

When companies don't comply
As you would expect, ignoring specialist advice on regulatory compliance, once it has been sought, is a distinct no-no. Unresolved issues can result in fines and, indeed, criminal proceedings, triggered by an event which indicates to a regulatory body or an aggrieved party that the company may be out of compliance. The case generally starts with a request for data relating to a specific event: data which should have been preserved by the company under a particular compliance regulation, but which cannot be found or, worse, is deemed never to have been preserved in the first place. The company's legal team will enter the fray, but it may be an uphill battle to prove that the company did indeed follow the regulations.

As with most electronic litigation matters, the US sets the pace in achieving watertight compliance. In the US, regulatory challenges are now more common than compliance audits. Agencies in charge of regulating companies have found that specific challenges are more lucrative than audits, and work more effectively at ensuring companies follow regulatory guidelines. A regulatory challenge starts as a simple request for information regarding a specific incident, and the failure to provide this information triggers much larger, punitive audits.

The issue goes well beyond retaining a particular email: preservation is more than simply saving data, it is the act of saving that email exactly as it was originally sent or received, and protecting it against tampering or deletion. How can a company prove that critical email communications in dispute were never altered? The simple answer is that they can't if they have merely saved them to an archive or, worse, left them in a mailbox. And what about sent messages? Or communications which have not been kept at all?

Demonstrating Best Practice
The standard solution for ensuring that critical email communications are preserved in their original state is journaling, a feature built into Microsoft Exchange. Journaling captures email communications in transit and places copies in a secure repository where they can't be deleted or tampered with. Journaling is relatively mature and offers the most reliable way to demonstrate compliance. Compliance archives can be subject to retention rules just like user-accessible archives, and purged of messages which aren't required to be preserved.

This is exactly what US Bancorp did in their famous case against Viramontes, who sought sanctions because US Bancorp hadn't kept everything. The truth was they had kept only what they were required to keep.

The challenge with compliance is that it can only be demonstrated from the point at which it is initiated. In other words, there is no way to turn older stores of electronic communications retained in inboxes, or even in archives, into compliance archives. Unlike with a compliance archive, it is impossible to prove that these communications weren't altered or that key ones weren't removed. If a company doesn't already have a compliance capability installed in its message system, all is not lost: there are no regulations with indefinite preservation requirements, so at some point after the company starts capturing email communications via a compliance routine, it will be able to demonstrate 100% compliance from that date forward.

Until that point, however, any query for a communication which predates the date at which compliance started will raise red flags. Companies need to understand that even though they have a compliance system now, these earlier instances of non-compliance may still result in fines. The fact that these companies are now using a compliance solution will go a long way in demonstrating "best practice" and will often help in reducing or even waiving such fines, but there is no way that companies can take stores of saved communications and suddenly turn them into a compliance archive. It simply doesn't work that way round.

Legal advice
To be honest, the legal world is a largely reactive one: legal processes like disclosure occur after the event. Compliance is all about action before the event. The rules and regulations are complex and sometimes conflicting; while a solicitor can certainly help a company navigate the events surrounding a compliance challenge, prevention of such events is generally outside their expertise.

This is where a class of consultants focused on information governance provides value and guidance. Preservation for compliance is not only about what is preserved; it is about how long it is preserved, and whose correspondence and documents need preservation in the first place. If companies were simply to place all their employees' correspondence under preservation, the result could be massive over-retention. Worse, the sheer quantity of preserved material could undermine a company's ability to find the data in question.

Information governance specialists, on the other hand, are conversant with the regulations and often with the agencies, ministries and departments responsible for enforcing them. They can quickly outline reasonable compliance guidelines and, since many of them work closely with solicitors, ensure that these frameworks survive legal challenges as well.

More info: www.c2c.co.uk