Preservation Order

Editorial Type: Opinion
Date: 08-2014
Key Topics: Storage, Compliance, Email Management, Archiving & Compliance, Data protection
Key Companies: C2C Systems
Compliance, by its very nature, can only go one way, but some companies still falsely believe that they can demonstrate it after the fact. Rich Turner, Vice President of Business Development and Strategic Marketing for C2C Systems, examines why there is no such thing as 'retrospective compliance' and what UK companies can do to effectively demonstrate compliance from the outset.

It would be an altogether more prosperous world if hindsight drove our business decisions. When it comes to compliance, the courts are littered with cases of tribulation. Unsurprisingly, the US leads the way. Fallen energy giant Enron's vast email collection heralded the "birth" of modern compliance regulations, with businesses worldwide suddenly facing the fact that, simply by virtue of employing people, they had an ongoing obligation to prove adherence to regulatory compliance for their applicable documents and records. Indeed, in certain vertical sectors, compliance has become even more regulated. The UK Financial Services Act mandates "preservation" of company/client interactions (including email) for specified periods of time - so if a company sells something for anything other than cash, by default, it is regulated and must achieve compliance.
How companies comply

Whilst most companies will mandate that documents, emails, records, and transactions are retained and preserved for specified periods of time, compliance audits for their own sake remain rare. That said, the big four accounting firms have large compliance practices that advise companies, usually larger ones, on how to demonstrate compliance by undertaking an audit that also identifies areas of weakness or failure, so they can impose corrective measures.
When companies don't comply

As with most electronic litigation matters, the US sets the pace in achieving watertight compliance. In the US, regulatory challenges are now more common than compliance audits. Agencies in charge of regulating companies have found that specific challenges are more lucrative than audits, and work more effectively at ensuring companies follow regulatory guidelines. A regulatory challenge starts as a simple request for information regarding a specific incident, and the failure to provide this information triggers much larger, punitive audits.

The issue goes well beyond retaining a particular email: preservation is more than simply saving data; it is the act of saving that email as it was originally sent or received, and protecting it against tampering or deletion. How can a company prove that critical email communications in dispute were never altered? The simple answer is they can't if they've merely saved them to an archive or, worse, left them in a mailbox. And what about sent messages? Or communications which have not been kept at all?
Demonstrating Best Practice

This is exactly what US Bancorp did in their famous case against Viramontes, who sought sanctions because US Bancorp hadn't kept everything. The truth was they had kept only what they were required to keep.

The challenge with compliance is that it can only be demonstrated from the point at which it is initiated. In other words, there is no way to turn those older stores of electronic communications retained in inboxes or even archives into compliance archives. Unlike a compliance archive, it is impossible to prove that these communications weren't altered or key ones removed.

If a company doesn't already have compliance installed in their message system, all isn't lost: there are no regulations with indefinite preservation requirements, so at some point after the company starts capturing email communications via a compliance routine, they will be able to demonstrate 100% compliance from that date forward. Until that point, however, any query for a communication which is earlier than the date at which compliance started will raise red flags.

Companies need to understand that even though they have a compliance system now, these earlier issues of non-compliance may still result in fines. The fact that these companies are now using a compliance solution will go a long way in demonstrating "best practices" and often help in reducing or even waiving such fines, but there is no way that companies can take stores of saved communications and suddenly turn them into compliance. It simply doesn't work that way round.
Legal advice

This is where a class of consultants focused on information governance provide value and guidance. Preservation for compliance is not only about what is preserved, it is about how long it is preserved, and whose correspondence and documents need preservation in the first place. If companies were to simply place all their employees' correspondence under preservation, the result could be massive over-retention. Worse, the sheer quantity of preserved material could preclude companies' ability to find data in question. Information governance specialists, on the other hand, are conversant with the regulations and often the agencies, ministries and departments responsible for enforcing them. They can quickly outline reasonable compliance guidelines and since many of them work closely with solicitors, ensure these frameworks survive legal challenges as well.

More info: www.c2c.co.uk