
Preservation order

Editorial Type: Opinion     Date: 01-2015    Views: 9229   







Compliance, by its very nature, can only go one way, but some companies still falsely believe that they can demonstrate it after the fact. Rich Turner, Vice President of Business Development and Strategic Marketing for C2C Systems, examines why there is no such thing as 'retrospective compliance' and what UK companies can do to effectively demonstrate compliance from the outset.

It would be an altogether more prosperous world if hindsight drove our business decisions. When it comes to compliance, the courts are littered with cases of tribulation. Unsurprisingly, the US leads the way. Fallen energy giant Enron's vast email collection heralded the "birth" of modern compliance regulations, with businesses worldwide suddenly facing the fact that, simply by virtue of employing people, they had an ongoing obligation to prove adherence with regulatory compliance for their applicable documents and records. Indeed, in certain vertical sectors, compliance has become even more regulated. The UK Financial Services Act mandates "preservation" of company/client interactions (including email) for specified periods of time - so if a company sells something for anything other than cash, by default, they are regulated and must achieve compliance.

HOW COMPANIES COMPLY
In general, specific industry regulations include provisions directing companies to preserve specific documents and communications for specified periods of time, but none of these regulations outline the mechanism by which they must preserve such information, nor do they even outline what "preservation" actually means. It's all down to best practice. This has created a murky situation on compliance disputes for many solicitors and corporate legal departments across the UK.

Whilst most companies will mandate that documents, emails, records, and transactions are retained and preserved for specified periods of time, compliance audits for their own sake remain rare. That said, the big four accounting firms have large compliance practices that advise (usually larger) companies on how to demonstrate compliance by undertaking an audit that also identifies areas of weakness or failure, so they can impose corrective measures.

WHEN COMPANIES DON'T COMPLY
As you would expect, ignoring specialist advice on regulatory compliance, where such advice has been engaged, is a distinct no-no. Unresolved issues can result in fines and, indeed, criminal proceedings, based on an event which indicates to a regulatory body or an aggrieved party that the company may be out of compliance. The case generally starts with a request for data relating to a specific event: data which should have been preserved by the company under a particular compliance regulation, but which cannot be found or, worse, is deemed never to have been preserved in the first place. The company's legal team will enter the fray, but it may be an uphill battle to prove that the company did indeed follow the regulations.

As with most electronic litigation matters, the US sets the pace in achieving watertight compliance. In the US, regulatory challenges are now more common than compliance audits. Agencies in charge of regulating companies have found that specific challenges are more lucrative than audits, and work more effectively at ensuring companies follow regulatory guidelines. A regulatory challenge starts as a simple request for information regarding a specific incident, and the failure to provide this information triggers much larger, punitive audits.

The issue goes well beyond retaining a particular email: preservation is more than simply saving data. It is the act of saving that email as it was originally sent or received, and protecting it against tampering or deletion. How can a company prove that critical email communications in dispute were never altered? The simple answer is they can't if they've merely saved them to an archive or, worse, left them in a mailbox. And what about sent messages? Or communications which have not been kept at all?

DEMONSTRATING BEST PRACTICE
The standard solution to ensuring that critical email communications are preserved in their original state is Journaling, a feature built into Microsoft Exchange. Journaling captures email communications in transit, and places them in a secure repository where they can't be deleted or tampered with. Journaling is relatively mature and offers the most reliable way to demonstrate compliance. Compliance archives can be subject to retention rules, just like user-accessible archives, and purged of messages which aren't required to be preserved.


