The legal and commercial risks and issues to consider when managing s

Transcription

1 The legal and commercial risks and issues to consider when managing s Change Harbour, October 2012 About Change Harbour Change Harbour Ltd is a consultancy organisation that delivers innovative strategic, technology, process, sourcing and organisational design solutions to the legal industry. Change Harbour will design the most appropriate solution for our client s needs and will then engage with the relevant technology, business process or sourcing providers to manage the implementation of that solution. By learning from commercial best practice, monitoring developments from other industries and challenging the perceived norms within the sector, Change Harbour contributes positively to the maturing of the legal support industry. For further information, please see About Mimecast Mimecast () delivers cloud-based management for Microsoft Exchange, including archiving, continuity and security. By unifying disparate and fragmented environments into one holistic solution that is always available from the cloud, Mimecast minimizes risk and reduces cost and complexity, while providing total endto-end control of . Founded in the United Kingdom in 2003, Mimecast serves over 6,000 customers worldwide and has offices in Europe, North America, Africa and the Channel Islands. For more information, please visit or info@mimecast.com.

2 Contents 03 The problem with management 04 Addressing the problem 05 Understanding the regulatory requirements 05 Data Protection Act Sarbanes-Oxley 06 Freedom of Information Act 07 Understanding the legal and commercial risk 07 ediscovery 07 Reputation 08 Summary 09 Implementing the right solution 09 Training 09 Technology 11 Costs 12 Conclusions 2

3 The problem with management With recent high profile cases, such as the News of the World hacking scandal, hitting the news headlines, the issue of retention has quickly moved up the IT Director s agenda. Much soul searching has taken place as they ask themselves how easily they could retrieve evidence if required to do so by a court of law. Growing e-discovery, compliance and knowledge management requirements mean that organisations must be more vigilant in demonstrating control than ever before. For law firms relied upon to advise clients in all business sectors this is particularly critical. Yet with such a large percentage of internal and external business communications performed via , this is becoming an increasingly difficult task. In common with other highly complex advisory industries, the legal sector is a knowledge-based business. Legal departments within organisations, as well as law firms create, consume and publish huge volumes of legal and business information. It is critical that the knowledge and information relating to the management of a law firm s clients, and the delivery of legal advice to them, is managed, protected and controlled in order that: The client s intentions can be satisfied correctly in the most efficient and appropriate way. The law firm can demonstrate that their business is managed properly as required by the industry s regulating body, the Solicitors Regulation Authority (SRA). The client s intentions can be satisfied in a way that demonstrably conforms to the laws and regulations that relate to the specific business sector and jurisdiction they operate within. Historically, this has been achieved by recording the preparation and delivery of advice through the retention of physical files or through document management systems. However, in today s business environment this is no longer sufficient. has become an important tool in the preparation of legal advice and has replaced documentation as the primary method of delivering that advice. The use of in business has grown exponentially over the past decade; according to various studies, knowledge workers today send and receive more than 25,000 messages per year and it is estimated that 294 billion s were sent in However, with so many messages sent it can be hard to find what you need; according to Mimecast s Shape of study just 14% of business s are of critical importance to the receiver. This is perhaps why research also shows that workers spend one to two hours per day (25% of the working day) simply reading and managing their . According to some estimates, 60-70% of business-critical data is, at some point, contained in but it is often hidden among a huge volume on non-critical . The content of a single can therefore be critical to the success or failure of a business: It may contain information that can make a billion dollar deal achievable. It may contain evidence of a decision that could be the subject of litigation. It may contain client sensitive data that needs to be protected and kept secure. It may contain personal information that the firm is not legally entitled to retain. It is also an issue that is not adequately addressed. For example, in a recent AIIM survey: 17% of organisations captured important s in an management system, while 39% still use personal Outlook folders. Over 30% of organisations described their management as chaotic. 1/3 of organisations had no policy to deal with legal discovery and 1/4 would take a month to produce documents. 3

4 Addressing the problem To address these challenges and prepare for litigation and compliance reviews, enterprises - including law firms and legal departments need to incorporate management into a standardised, policybased system that ensures all relevant messages are stored safely and in accordance with any pertinent industry laws and governing bodies. There are no hard and fast rules governing the retention of s. It is a complex area that is open to misinterpretation and confusion. In some respects it is easier to say what effective and appropriate retention and management is not: It is not the blanket saving of all s forever. It is not the setting of arbitrary time limits for all messages before deletion, and It is certainly not doing nothing. A well-managed business should develop and implement policies that classify, store, manage and destroy s in a way that is documented, complies with the appropriate regulations/laws and is consistent with that business s approach to risk management. A well planned enterprise-wide retention policy outlines content, sets retention and deletion criteria and provides the flexibility to accommodate litigation holds and enable appropriate role-based user access. Ideally, the implementation of the policy will be automated and include an archiving and retrieval engine that enables the business to locate messages in a timely and cost-effective manner. By having a policy and implementing it effectively, organisations can theoretically reduce e-discovery costs, improve regulatory compliance, improve access to information, reduce the risk of litigation and improve IT performance without increasing costs. In summary, there are four main areas that are critical to implementing a successful policy: The relevant regulatory requirements must be understood; this is not easy as the regulatory framework can complex and confusing. The legal and commercial risk around the management of must be understood. The appropriate processes must be put in place to manage the policy. The right technology needs to be in place to support the policy without introducing prohibitive complexity and cost. 4

5 Understanding the regulatory requirements It is critical that all retention policies incorporate the requirements of the mandates governing the industry in which an organization operates. There are many common regulations to consider: Data Protection Act 1998 What is it? The Data Protection Act 1998 (DPA) gives individuals the right, on producing evidence of their identity, to have a copy of personal data held about them. The Act covers any data about a living and identifiable individual. The Act applies only to data which is held, or intended to be held, on computers ( equipment operating automatically in response to instructions given for that purpose ), or held in a relevant filing system. Key points Data must not be disclosed to other parties without the consent of the individual. Individuals have a right of access to the information held about them. Personal information must be adequate, relevant and not excessive. It may not be kept for longer than is necessary and must be kept up to date. Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. All entities that process personal information must register with the Information Commissioner s Office The departments of a company that are holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training). Subjects have the right to have factually incorrect information corrected. Global Considerations The Commission considers that personal data sent to certified US businesses under the Safe Harbor scheme is adequately protected. That means they agree to: follow seven principles of information handling; and be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes. Other countries are covered if you are satisfied that, in the particular circumstances, there is an adequate level of protection. Satisfying regulations To satisfy DPA requirements, organisations can: assess adequacy themselves, use contracts (European Commission approved model clauses), have Binding Corporate Rules approved by the Information Commissioner; or Receive consent from the Data Subject. Personal data can be transferred overseas where it is necessary for carrying out certain types of contract or if the transfer is necessary to set up the contract. Sarbanes-Oxley What is it? The Sarbanes-Oxley Act (SOX) is a piece of US legislation that regulates financial reporting. It was passed in the wake of the Enron episode and several other notable financial scandals in the US that involved suspect financial reporting. 5

6 Understanding the regulatory requirements Key points Sarbanes-Oxley regulations impose severe penalties on any business that deliberately alters or deletes documents in order to defraud customers or other third parties Global Considerations Any company with a listing on NASDAQ or the New York Stock Exchange has to comply with the Sarbanes-Oxley Act, even if it is a European company with headquarters outside the US. UK subsidiaries of US corporations need to ensure that the transactional data that they hold and share with their US parent will meet the requirements of the Act. Satisfying regulations To comply with SOX guidelines, companies must retain auditable s for a minimum of five years from the end of their last fiscal year. Freedom of Information Act What is it? The Freedom of Information Act 2000 ( FOIA ) came into force on 1st January 2005 and gave the public new rights of access to recorded information held by public authorities. communications fall within the definition of recorded information. Key points Anyone, anywhere, without giving either proof of identity or details of their motive for making a request, can ask for a copy of an Satisfying regulations The deadline for responding is 20 working days from the date of receipt of the request, and many public authorities have discovered that their current facilities for searching and retrieving archived s have caused considerable difficulties in meeting the deadline. One of the most alarming aspects of the FOIA is the fact that it is retrospective. Public authorities are obliged to provide information in s that were generated before the date the FOIA came into force, requiring them to search through archives. Industry-specific regulations Organisations will also need to pay specific attention to the regulations governing the vertical industries in which they operate. These industry specific regulations are constantly evolving, for example: The Financial Services Authority (FSA) is the independent body that manages the regulation of financial services providers in the UK under the Financial Services and Markets Act The FSA lays down strict requirements to protect the consumer against malpractice, and has wide investigatory and enforcement powers to ensure those requirements are observed. The FSA s regulations require all financial institutions to store all business s sent and received for up to six years, and some s indefinitely, so that cases can be reviewed. Two examples from the US: FINRA rules demand that financial services firms establish formal, written policies and procedures that detail their retention policies. After outlining these policies, a business must then demonstrate that all retention processes are in full compliance with FINRA guidelines. HIPAA regulations apply to any message or other electronic records that contain sensitive information about an individual s medical history. The preservation period for a medical record is a minimum of five years, though some related statutes dictate that certain information be retained for the life of the patient. 6

7 Understanding the legal and commercial risk ediscovery In the US, is now the leading piece of evidence requested at civil trials. More pointedly, approximately one-fifth of companies have been ordered by courts to produce employee (Robert F Smallwood). In the UK, a wronged party generally has six years from the date that a contract has been breached to bring a court action. Even when a court action is taken promptly, a case may not come to court until several years after the event, and often the only clear, contemporary evidence will be contained in s. Conversely, an organisation may need evidence to launch its own action to protect its position. A party in a dispute may have a significant advantage over its rival if it can retrieve the evidence faster and at a lesser cost than the rival. The lack of readily available evidence may lead to a settlement of a dispute that might otherwise have been successfully fought and won. An additional point to note is that the weight that can be attached to favourable evidence is based on the reliability of that evidence. The evidence obtained from an insecure and unreliable system that is not governed by clearly documented and enforced rules will be open to dispute and questioning by the opponent. Where an organisation can show, by production of supporting evidence, that the system in which the evidence was held is secure and separate from the main system and that the policy in relation to archiving is consistently applied, that organisation has the best chance of its evidence being believed. Where it can be shown that the policy is consistently applied because the system operates in accordance with policy rules, rather than human compliance, the weight of the evidence can be even greater. Failure to have the best possible archiving system and procedures could mean the difference between winning and losing an important case. Given the expense of fighting court actions, this is something where organisations should look to manage away the risk. Reputation In order to cater for changing business practice and requirements the Solicitors Regulatory Authority (SRA) introduced a new code of conduct and Handbook in October This changed the focus of the SRA towards a more flexible outcomes focussed regulation to put in place a more flexible framework. Some of the principles, outcomes and required indicative behaviours included in the framework will have implications for the way the documents and s relating to a piece of work (termed the matter file ) are managed. These indicate that each law firm should manage because it is an integral way in which they service their clients better. Relevant Principles Principle 5: You must provide a proper standard of service to your clients Principle 6: You must behave in a way that maintains the trust the public places in you and in the provision of legal services Principle 8: You must run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles Principle 10: You must protect client money and assets: You should protect money, documents or other property belonging to your clients which has been entrusted to you or your firm. 7

8 Understanding the legal and commercial risk Relevant Outcomes Relevant Indicative behaviours Outcome (4.1) you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents Outcome (7.3) you identify, monitor and manage risks to compliance with all the Principles, rules and outcomes and other requirements of the Handbook, if applicable to you, and take steps to address issues identified Outcome (7.6) you train individuals working in the firm to maintain a level of competence appropriate to their work and level of responsibility Outcome (7.8) you have a system for supervising clients matters, to include the regular checking of the quality of work by suitably competent and experienced people; Outcome (7.10) where you outsource legal activities or any operational functions that are critical to the delivery of any legal activities, you ensure such outsourcing: does not adversely affect your ability to comply with, or the SRA s ability to monitor your compliance with, your obligations in the Handbook; is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions; does not alter your obligations towards your clients; and does not cause you to breach the conditions with which you must comply in order to be authorised and to remain so. IB (7.1) safekeeping of documents and assets entrusted to the firm. IB (7.3) identifying and monitoring financial, operational and business continuity risks including complaints, credit risks and exposure, claims under legislation relating to matters such as data protection, IT failures and abuses, and damage to offices. IB (7.4) making arrangements for the continuation of your firm in the event of absences and emergencies, for example holiday or sick leave, with the minimum interruption to clients business. In addition to SRA guidelines, law firms are increasingly seeing express requirements from their clients as to how they manage and control confidential information in relation to the matters they handle. It is becoming increasingly common for law firms to be asked to demonstrate capabilities in relation to ISO27001 by being able to audit who has access to client specific data and prove that procedures are in place to control that. Summary: Although many regulations exist beyond those listed in this document, all regulatory bodies, regardless of industry and commercial considerations, make meeting the following requirements a key aspect of compliance: Integrity, where information must be in its original state without being altered or deleted. Security, where all retained information must be protected against security threats, including access by unauthorized persons and any outside forces that could physically damage or endanger the availability of archived messages. Availability, where organizations must prove that all s subject to the retention policy can be easily accessed by authorized personnel in a timely manner. 8

9 Implementing the right solution As highlighted, organisations across all industries, including the legal sector, are under increasing pressure to develop and implement robust, comprehensive retention policies that comply with various legal and regulatory bodies. Whatever policy a business determines appropriate for them, given their interpretation of the various regulations and laws, the critical factor is actually how they go about implementing that policy. There are two critical enabling factors that can support the effective implementation of an management policy: Training The value of having an retention policy defined and in place is lost if many employees remain unaware that such guidelines exist. To ensure that such a policy is observed across an organisation, it is important that all employees are trained and able to demonstrate that they understand content and storage procedures, as well as any rules restricting the use of tools, such as personal folders. Some organisation roles have specific archiving requirements, which must be captured in the larger retention policy and associated training. For example, brokers at financial services firms are required to keep all of their electronic correspondence for up to six years. Similarly, in pharmaceutical companies, scientists who perform drug tests must keep test-related s for even longer, as these may contain highly sensitive information that can be requested as evidence in e-discovery An effective education programme should therefore include: the reasons these rules are in place. instructions for using any supporting technology the consequences of non-compliance at both a business and personal level. guidance for those roles that have unique retention requirements. Technology A retention policy should be supported with an automated solution that enables the efficient and cost-effective storage and location of s for e-discovery, litigation, compliance and knowledge management purposes. The technology solution should be designed on the following principles: Centralisation The solution should allow organisations to centralise and keep in as few places as possible. Allowing users to save to hard drives, personal folders or disparate file shares is ultimately unacceptable. Locating the necessary data on all local hard drives or personal folders throughout a large organisation is a difficult, time-consuming and expensive process that often fails. 9

10 Implementing the right solution Automatic capture All relevant should be automatically captured. To comply with regulations and litigation mandates businesses must demonstrate that all s are captured and subject to the retention policy. As such, organisations need to implement a solution that captures in realtime every message that falls under the rules of the retention policy. Access It is not realistic to rely on human intervention to capture the relevant content and solutions should not allow for human intervention to alter or delete content after its use. Businesses should be able to ensure that all their employees have access to the electronic assets they need to carry out their business responsibilities. As such, the solution should support the establishment of policies and rules that enable certain messages to be saved for personal communication, while allowing all other messages to be managed by the default retention strategy. Litigation readiness and legal holds These rules should also allow users to search for all archived in both production and archive systems. Ideally access to the archive should not require intervention from the relevant IT department, but should be achievable by the end-user on demand. retention policies to be flexible enough to be suspended if a legal hold is necessary. If an organisation is anticipating legal action, it might choose to retain all s in order to preserve the information that may be used as evidence during litigation. Protection and resilience It is critical that a solution supports policies that can accommodate legal holds, because courts can impose sanctions for the spoliation of any messaging content or electronic records that are relevant to a legal proceeding. Where is stored and archived must be correctly managed and resilient. This means that the archive should: Be 100% available. Ideally your solution should have full redundancy. Ensure that the information held there is properly encrypted to prevent unauthorised and third party access. Fully protect all information from any form of virus, malware or intrusion. Provide for rapid access and retrieval. 10

11 Implementing the right solution If a solution is correctly implemented, organisations may subsequently benefit from: improved system performance, enhanced availability of data, reduced maintenance costs and minimised legal and commercial risk. Costs Though there are many specific legal and regulatory guidelines around retention, no court or compliance authority demands the archiving of every ever sent or received. As a result, organizations should implement a retention policy that reduces the storage burden by ensuring that the s essential to meeting compliance and litigation guidelines are saved, while those that are not needed are deleted. By reducing storage through retention and deletion policies in line with legal and compliance mandates, IT can limit storage-related expenditures and streamline administration tasks, which often comprise more than 40% of total IT support costs. In addition, this approach limits the amount of content requiring evaluation during the legal review phase of e-discovery, further reducing costs. 11

12 Conclusions In whatever way you interpret the various laws and regulations relating to information and retention, your organisation must have a policy that satisfies the business sector within which you and clients operate. However, that policy becomes redundant if it is not implemented correctly and implementation is not straight-forward. Holding information on your premises and in your systems does not, by definition, mean it is well protected, secure, resilient and accessible. Indeed, if the systems and processes your organisation employs are not sufficient, this approach may be deemed to be negligent. Given the huge volume of content, the increasing complexity of the regulatory environment and the heightened risk of litigation; using a specialist technology provider to help ensure compliance should be fully considered. In fact, in many instances, utilising an established and specialist service provider may be the only way you can guarantee the successful implementation of your retention policy. The maturing cloud computing and sourcing sector mean that organisations of all sizes can benefit from the technology platforms, economies of scale and processes these specialist providers can offer. The need to comply with regulatory demands and to manage your legal risk effectively does not discount the use of cloud based or managed services. In fact, in many instances, it may be the only way forward Mimecast. ALL RIGHTS RESERVED. WHI-WP