The legal and commercial risks and issues to consider when managing emails
Change Harbour, October 2012

About Change Harbour

Change Harbour Ltd is a consultancy organisation that delivers innovative strategic, technology, process, sourcing and organisational design solutions to the legal industry. Change Harbour will design the most appropriate solution for our client's needs and will then engage with the relevant technology, business process or sourcing providers to manage the implementation of that solution. By learning from commercial best practice, monitoring developments in other industries and challenging the perceived norms within the sector, Change Harbour contributes positively to the maturing of the legal support industry. For further information, please see

About Mimecast

Mimecast delivers cloud-based email management for Microsoft Exchange, including archiving, continuity and security. By unifying disparate and fragmented environments into one holistic solution that is always available from the cloud, Mimecast minimises risk and reduces cost and complexity, while providing total end-to-end control of email. Founded in the United Kingdom in 2003, Mimecast serves over 6,000 customers worldwide and has offices in Europe, North America, Africa and the Channel Islands. For more information, please visit or email info@mimecast.com.
Contents

- The problem with email management
- Addressing the problem
- Understanding the regulatory requirements
  - Data Protection Act
  - Sarbanes-Oxley
  - Freedom of Information Act
- Understanding the legal and commercial risk
  - eDiscovery
  - Reputation
  - Summary
- Implementing the right solution
  - Training
  - Technology
  - Costs
- Conclusions
The problem with email management

With recent high profile cases, such as the News of the World hacking scandal, hitting the news headlines, the issue of email retention has quickly moved up the IT Director's agenda. Much soul searching has taken place as IT Directors ask themselves how easily they could retrieve evidence if required to do so by a court of law. Growing e-discovery, compliance and knowledge management requirements mean that organisations must be more vigilant than ever before in demonstrating control. For law firms, which are relied upon to advise clients in all business sectors, this is particularly critical. Yet with such a large percentage of internal and external business communication performed via email, this is becoming an increasingly difficult task.

In common with other highly complex advisory industries, the legal sector is a knowledge-based business. Legal departments within organisations, as well as law firms, create, consume and publish huge volumes of legal and business information. It is critical that the knowledge and information relating to the management of a law firm's clients, and the delivery of legal advice to them, is managed, protected and controlled so that:

- The client's intentions can be satisfied correctly in the most efficient and appropriate way.
- The law firm can demonstrate that its business is managed properly, as required by the industry's regulating body, the Solicitors Regulation Authority (SRA).
- The client's intentions can be satisfied in a way that demonstrably conforms to the laws and regulations that apply to the specific business sector and jurisdiction they operate within.

Historically, this has been achieved by recording the preparation and delivery of advice through the retention of physical files or through document management systems. However, in today's business environment this is no longer sufficient.

Email has become an important tool in the preparation of legal advice and has replaced documentation as the primary method of delivering that advice. The use of email in business has grown exponentially over the past decade; according to various studies, knowledge workers today send and receive more than 25,000 messages per year, and it is estimated that 294 billion emails were sent in [year]. However, with so many messages sent it can be hard to find what you need; according to Mimecast's Shape of Email study, just 14% of business emails are of critical importance to the receiver. This is perhaps why research also shows that workers spend one to two hours per day (25% of the working day) simply reading and managing their email. According to some estimates, 60-70% of business-critical data is, at some point, contained in email, but it is often hidden among a huge volume of non-critical email.

The content of a single email can therefore be critical to the success or failure of a business:

- It may contain information that can make a billion dollar deal achievable.
- It may contain evidence of a decision that could be the subject of litigation.
- It may contain client-sensitive data that needs to be protected and kept secure.
- It may contain personal information that the firm is not legally entitled to retain.

It is also an issue that is not adequately addressed. For example, in a recent AIIM survey:

- 17% of organisations captured important emails in an email management system, while 39% still use personal Outlook folders.
- Over 30% of organisations described their email management as chaotic.
- One third of organisations had no policy to deal with legal discovery, and one quarter would take a month to produce documents.
Addressing the problem

To address these challenges and prepare for litigation and compliance reviews, enterprises, including law firms and legal departments, need to incorporate email management into a standardised, policy-based system that ensures all relevant messages are stored safely and in accordance with any pertinent industry laws and governing bodies.

There are no hard and fast rules governing the retention of emails. It is a complex area that is open to misinterpretation and confusion. In some respects it is easier to say what effective and appropriate email retention and management is not:

- It is not the blanket saving of all emails forever.
- It is not the setting of arbitrary time limits for all messages before deletion.
- It is certainly not doing nothing.

A well-managed business should develop and implement policies that classify, store, manage and destroy emails in a way that is documented, complies with the appropriate regulations and laws, and is consistent with that business's approach to risk management. A well planned, enterprise-wide email retention policy outlines content, sets retention and deletion criteria, and provides the flexibility to accommodate litigation holds and enable appropriate role-based user access. Ideally, the implementation of the policy will be automated and include an archiving and retrieval engine that enables the business to locate messages in a timely and cost-effective manner. By having a policy and implementing it effectively, organisations can theoretically reduce e-discovery costs, improve regulatory compliance, improve access to information, reduce the risk of litigation and improve IT performance without increasing costs.

In summary, there are four main areas that are critical to implementing a successful email policy:

- The relevant regulatory requirements must be understood; this is not easy, as the regulatory framework can be complex and confusing.
- The legal and commercial risk around the management of email must be understood.
- The appropriate processes must be put in place to manage the policy.
- The right technology needs to be in place to support the policy without introducing prohibitive complexity and cost.
Understanding the regulatory requirements

It is critical that all email retention policies incorporate the requirements of the mandates governing the industry in which an organisation operates. There are many common regulations to consider:

Data Protection Act 1998

What is it?
The Data Protection Act 1998 (DPA) gives individuals the right, on producing evidence of their identity, to have a copy of personal data held about them. The Act covers any data about a living and identifiable individual. The Act applies only to data which is held, or intended to be held, on computers ("equipment operating automatically in response to instructions given for that purpose"), or held in a relevant filing system.

Key points
- Data must not be disclosed to other parties without the consent of the individual.
- Individuals have a right of access to the information held about them.
- Personal information must be adequate, relevant and not excessive. It may not be kept for longer than is necessary and must be kept up to date.
- Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- All entities that process personal information must register with the Information Commissioner's Office.
- The departments of a company that hold personal information are required to have adequate security measures in place. These include technical measures (such as firewalls) and organisational measures (such as staff training).
- Data subjects have the right to have factually incorrect information corrected.

Global considerations
The European Commission considers that personal data sent to certified US businesses under the Safe Harbor scheme is adequately protected. That means those businesses agree to follow seven principles of information handling, and to be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes. Other countries are covered if you are satisfied that, in the particular circumstances, there is an adequate level of protection.

Satisfying regulations
To satisfy DPA requirements for overseas transfers, organisations can: assess adequacy themselves; use contracts (European Commission approved model clauses); have Binding Corporate Rules approved by the Information Commissioner; or receive consent from the data subject. Personal data can also be transferred overseas where it is necessary for carrying out certain types of contract, or if the transfer is necessary to set up the contract.

Sarbanes-Oxley

What is it?
The Sarbanes-Oxley Act (SOX) is a piece of US legislation that regulates financial reporting. It was passed in the wake of the Enron episode and several other notable financial scandals in the US that involved suspect financial reporting.
Key points
Sarbanes-Oxley regulations impose severe penalties on any business that deliberately alters or deletes documents in order to defraud customers or other third parties.

Global considerations
Any company with a listing on NASDAQ or the New York Stock Exchange has to comply with the Sarbanes-Oxley Act, even if it is a European company with headquarters outside the US. UK subsidiaries of US corporations need to ensure that the transactional data they hold and share with their US parent will meet the requirements of the Act.

Satisfying regulations
To comply with SOX guidelines, companies must retain auditable emails for a minimum of five years from the end of their last fiscal year.

Freedom of Information Act

What is it?
The Freedom of Information Act 2000 (FOIA) came into force on 1st January 2005 and gave the public new rights of access to recorded information held by public authorities. Email communications fall within the definition of recorded information.

Key points
Anyone, anywhere, without giving either proof of identity or details of their motive for making a request, can ask for a copy of an email.

Satisfying regulations
The deadline for responding is 20 working days from the date of receipt of the request, and many public authorities have discovered that their current facilities for searching and retrieving archived emails have caused considerable difficulties in meeting the deadline. One of the most alarming aspects of the FOIA is the fact that it is retrospective. Public authorities are obliged to provide information in emails that were generated before the date the FOIA came into force, requiring them to search through archives.

Industry-specific regulations

Organisations will also need to pay specific attention to the regulations governing the vertical industries in which they operate. These industry-specific regulations are constantly evolving; for example:

- The Financial Services Authority (FSA) is the independent body that manages the regulation of financial services providers in the UK under the Financial Services and Markets Act 2000. The FSA lays down strict requirements to protect the consumer against malpractice, and has wide investigatory and enforcement powers to ensure those requirements are observed. The FSA's regulations require all financial institutions to store all business emails sent and received for up to six years, and some emails indefinitely, so that cases can be reviewed.

Two examples from the US:

- FINRA rules demand that financial services firms establish formal, written policies and procedures that detail their email retention policies. After outlining these policies, a business must then demonstrate that all retention processes are in full compliance with FINRA guidelines.
- HIPAA regulations apply to any email message or other electronic record that contains sensitive information about an individual's medical history. The preservation period for a medical record is a minimum of five years, though some related statutes dictate that certain information be retained for the life of the patient.
Understanding the legal and commercial risk

eDiscovery

In the US, email is now the leading piece of evidence requested at civil trials. More pointedly, approximately one fifth of companies have been ordered by courts to produce employee email (Robert F Smallwood). In the UK, a wronged party generally has six years from the date that a contract has been breached to bring a court action. Even when a court action is taken promptly, a case may not come to court until several years after the event, and often the only clear, contemporary evidence will be contained in emails. Conversely, an organisation may need evidence to launch its own action to protect its position.

A party in a dispute may have a significant advantage over its rival if it can retrieve the evidence faster and at a lesser cost than the rival. The lack of readily available evidence may lead to the settlement of a dispute that might otherwise have been successfully fought and won.

An additional point to note is that the weight that can be attached to favourable evidence is based on the reliability of that evidence. Evidence obtained from an insecure and unreliable system that is not governed by clearly documented and enforced rules will be open to dispute and questioning by the opponent. Where an organisation can show, by production of supporting evidence, that the system in which the evidence was held is secure and separate from the main email system, and that the policy in relation to archiving is consistently applied, that organisation has the best chance of its evidence being believed. Where it can be shown that the policy is consistently applied because the system operates in accordance with policy rules, rather than relying on human compliance, the weight of the evidence can be even greater. Failure to have the best possible archiving system and procedures could mean the difference between winning and losing an important case. Given the expense of fighting court actions, this is something where organisations should look to manage away the risk.

Reputation

In order to cater for changing business practice and requirements, the Solicitors Regulation Authority (SRA) introduced a new Code of Conduct and Handbook in October 2011. This changed the focus of the SRA towards a more flexible, outcomes-focused regulatory framework. Some of the principles, outcomes and indicative behaviours included in the framework have implications for the way the documents and emails relating to a piece of work (termed the "matter file") are managed. These indicate that each law firm should manage email because it is an integral part of how they serve their clients better.

Relevant Principles
- Principle 5: You must provide a proper standard of service to your clients.
- Principle 6: You must behave in a way that maintains the trust the public places in you and in the provision of legal services.
- Principle 8: You must run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles.
- Principle 10: You must protect client money and assets: you should protect money, documents or other property belonging to your clients which has been entrusted to you or your firm.
Relevant Outcomes
- Outcome (4.1): you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents.
- Outcome (7.3): you identify, monitor and manage risks to compliance with all the Principles, rules and outcomes and other requirements of the Handbook, if applicable to you, and take steps to address issues identified.
- Outcome (7.6): you train individuals working in the firm to maintain a level of competence appropriate to their work and level of responsibility.
- Outcome (7.8): you have a system for supervising clients' matters, to include the regular checking of the quality of work by suitably competent and experienced people.
- Outcome (7.10): where you outsource legal activities or any operational functions that are critical to the delivery of any legal activities, you ensure such outsourcing: does not adversely affect your ability to comply with, or the SRA's ability to monitor your compliance with, your obligations in the Handbook; is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions; does not alter your obligations towards your clients; and does not cause you to breach the conditions with which you must comply in order to be authorised and to remain so.

Relevant Indicative Behaviours
- IB (7.1): safekeeping of documents and assets entrusted to the firm.
- IB (7.3): identifying and monitoring financial, operational and business continuity risks, including complaints, credit risks and exposure, claims under legislation relating to matters such as data protection, IT failures and abuses, and damage to offices.
- IB (7.4): making arrangements for the continuation of your firm in the event of absences and emergencies, for example holiday or sick leave, with the minimum interruption to clients' business.

In addition to SRA guidelines, law firms are increasingly seeing express requirements from their clients as to how they manage and control confidential information in relation to the matters they handle. It is becoming increasingly common for law firms to be asked to demonstrate capabilities in relation to ISO 27001 by being able to audit who has access to client-specific data and prove that procedures are in place to control that access.

Summary

Although many regulations exist beyond those listed in this document, all regulatory bodies, regardless of industry and commercial considerations, make meeting the following requirements a key aspect of compliance:

- Integrity: information must be in its original state, without being altered or deleted.
- Security: all retained information must be protected against security threats, including access by unauthorised persons and any outside forces that could physically damage or endanger the availability of archived messages.
- Availability: organisations must prove that all emails subject to the retention policy can be easily accessed by authorised personnel in a timely manner.
Implementing the right solution

As highlighted, organisations across all industries, including the legal sector, are under increasing pressure to develop and implement robust, comprehensive email retention policies that comply with various legal and regulatory bodies. Whatever policy a business determines appropriate for itself, given its interpretation of the various regulations and laws, the critical factor is actually how it goes about implementing that policy. There are two critical enabling factors that can support the effective implementation of an email management policy:

Training

The value of having an email retention policy defined and in place is lost if many employees remain unaware that such guidelines exist. To ensure that such a policy is observed across an organisation, it is important that all employees are trained and able to demonstrate that they understand email content and storage procedures, as well as any rules restricting the use of email tools, such as personal folders.

Some organisational roles have specific archiving requirements, which must be captured in the larger retention policy and associated training. For example, brokers at financial services firms are required to keep all of their electronic correspondence for up to six years. Similarly, in pharmaceutical companies, scientists who perform drug tests must keep test-related emails for even longer, as these may contain highly sensitive information that can be requested as evidence in e-discovery.

An effective education programme should therefore include:

- the reasons these rules are in place;
- instructions for using any supporting technology;
- the consequences of non-compliance at both a business and personal level;
- guidance for those roles that have unique retention requirements.

Technology

An email retention policy should be supported with an automated solution that enables the efficient and cost-effective storage and location of emails for e-discovery, litigation, compliance and knowledge management purposes. The technology solution should be designed on the following principles:

Centralisation
The solution should allow organisations to centralise email and keep it in as few places as possible. Allowing users to save email to hard drives, personal folders or disparate file shares is ultimately unacceptable. Locating the necessary data on all local hard drives or personal folders throughout a large organisation is a difficult, time-consuming and expensive process that often fails.
Automatic capture
All relevant email should be automatically captured. To comply with regulations and litigation mandates, businesses must demonstrate that all emails are captured and subject to the retention policy. As such, organisations need to implement a solution that captures, in real time, every message that falls under the rules of the retention policy. It is not realistic to rely on human intervention to capture the relevant content, and solutions should not allow for human intervention to alter or delete content after its use.

Access
Businesses should be able to ensure that all their employees have access to the electronic assets they need to carry out their business responsibilities. As such, the solution should support the establishment of policies and rules that enable certain messages to be saved for personal communication, while allowing all other messages to be managed by the default retention strategy. These rules should also allow users to search for all archived email in both production and archive systems. Ideally, access to the archive should not require intervention from the IT department, but should be achievable by the end user on demand.

Litigation readiness and legal holds
Email retention policies need to be flexible enough to be suspended if a legal hold is necessary. If an organisation is anticipating legal action, it might choose to retain all emails in order to preserve the information that may be used as evidence during litigation. It is critical that a solution supports policies that can accommodate legal holds, because courts can impose sanctions for the spoliation of any messaging content or electronic records that are relevant to a legal proceeding.

Protection and resilience
Where email is stored and archived must be correctly managed and resilient. This means that the archive should:

- Be 100% available. Ideally your solution should have full redundancy.
- Ensure that the information held there is properly encrypted to prevent unauthorised and third party access.
- Fully protect all information from any form of virus, malware or intrusion.
- Provide for rapid access and retrieval.
If an email solution is correctly implemented, organisations may subsequently benefit from improved system performance, enhanced availability of data, reduced maintenance costs and minimised legal and commercial risk.

Costs

Though there are many specific legal and regulatory guidelines around email retention, no court or compliance authority demands the archiving of every email ever sent or received. As a result, organisations should implement a retention policy that reduces the storage burden by ensuring that the emails essential to meeting compliance and litigation guidelines are saved, while those that are not needed are deleted. By reducing storage through retention and deletion policies in line with legal and compliance mandates, IT can limit storage-related expenditure and streamline administration tasks, which often comprise more than 40% of total IT support costs. In addition, this approach limits the amount of content requiring evaluation during the legal review phase of e-discovery, further reducing costs.
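The automatic capture, legal hold and integrity principles above, together with the Costs point that only email required by policy should be kept, can be expressed as a small rule-driven retention engine. This is an added example, not code from the white paper, Change Harbour or Mimecast; the category names, the retention period per category, the assumed 31 December fiscal year end and the sample messages are all constructed for the example.

```python
"""Policy-driven email retention with legal holds and integrity checks.
Added example, not code from the white paper, Change Harbour or Mimecast.
Category names and retention periods are assumptions mirroring what the
paper cites: SOX (five years from fiscal year end), FSA (six years),
HIPAA (five years); "default" is a constructed value for other email."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field, replace
from datetime import date, timedelta

RETENTION_DAYS = {   # assumed minimum retention per category, in days
    "sox_financial": 5 * 365,
    "fsa_business": 6 * 365,
    "hipaa_medical": 5 * 365,
    "default": 365,
}


def fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


@dataclass(frozen=True)
class Message:
    msg_id: str
    matter: str        # client matter file the email belongs to
    category: str
    received: date
    body: bytes
    sha256: str = ""   # content hash stamped at capture time


@dataclass
class Archive:
    """Centralised store: capture is automatic; every decision is rule-driven and audited."""
    fye_month: int = 12    # fiscal year end, assumed 31 December
    fye_day: int = 31
    messages: dict[str, Message] = field(default_factory=dict)
    legal_holds: set[str] = field(default_factory=set)
    audit: list[tuple[str, str, str]] = field(default_factory=list)

    def capture(self, msg: Message) -> Message:
        stamped = replace(msg, sha256=fingerprint(msg.body))
        self.messages[stamped.msg_id] = stamped
        self.audit.append(("captured", stamped.msg_id, stamped.sha256))
        return stamped

    def place_hold(self, matter: str) -> None:
        """Litigation hold: suspend deletion for every email on the matter."""
        self.legal_holds.add(matter)
        self.audit.append(("hold", matter, ""))

    def retention_expiry(self, msg: Message) -> date:
        start = msg.received
        if msg.category == "sox_financial":
            # SOX counts from the end of the fiscal year, not from receipt.
            fye = date(start.year, self.fye_month, self.fye_day)
            start = fye if start <= fye else date(fye.year + 1, fye.month, fye.day)
        days = RETENTION_DAYS.get(msg.category, RETENTION_DAYS["default"])
        return start + timedelta(days=days)

    def decide(self, msg_id: str, today: date) -> str:
        msg = self.messages[msg_id]
        if msg.matter in self.legal_holds:
            verdict = "retain:legal_hold"      # a hold beats any expiry
        elif today < self.retention_expiry(msg):
            verdict = "retain:within_period"
        else:
            verdict = "delete:expired"
        self.audit.append((verdict, msg_id, today.isoformat()))
        return verdict

    def produce(self, msg_id: str) -> tuple[Message, bool]:
        """Hand a message to e-discovery with an integrity verdict."""
        msg = self.messages[msg_id]
        return msg, fingerprint(msg.body) == msg.sha256


def demo(today_iso: str = "2017-06-01") -> tuple[dict[str, str], dict[str, bool]]:
    """Constructed mailbox: retention verdict and integrity check per message."""
    today = date.fromisoformat(today_iso)
    arch = Archive()
    for m in (Message("m1", "M-100", "sox_financial", date(2012, 3, 1), b"Q1 ledger"),
              Message("m2", "M-100", "fsa_business", date(2012, 3, 1), b"trade confirm"),
              Message("m3", "M-200", "default", date(2012, 3, 1), b"lunch?"),
              Message("m4", "M-300", "default", date(2012, 3, 1), b"draft advice")):
        arch.capture(m)
    arch.place_hold("M-300")   # litigation anticipated on matter M-300
    # Simulate one stored body being altered after capture; its stamped hash stays.
    arch.messages["m3"] = replace(arch.messages["m3"], body=b"lunch? (edited)")
    verdicts = {mid: arch.decide(mid, today) for mid in arch.messages}
    integrity = {mid: arch.produce(mid)[1] for mid in arch.messages}
    return verdicts, integrity
```

Run with a later date (for example `demo("2018-01-01")`) and the SOX message expires while the FSA message and the held matter remain, showing that the decision comes from the rules and the audit trail rather than from a user.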
Conclusions

In whatever way you interpret the various laws and regulations relating to information and email retention, your organisation must have a policy that satisfies the business sector within which you and your clients operate. However, that policy becomes redundant if it is not implemented correctly, and implementation is not straightforward. Holding information on your premises and in your systems does not, by definition, mean it is well protected, secure, resilient and accessible. Indeed, if the systems and processes your organisation employs are not sufficient, this approach may be deemed to be negligent.

Given the huge volume of email content, the increasing complexity of the regulatory environment and the heightened risk of litigation, using a specialist technology provider to help ensure compliance should be fully considered. In fact, in many instances, utilising an established and specialist service provider may be the only way you can guarantee the successful implementation of your email retention policy. The maturing cloud computing and sourcing sector means that organisations of all sizes can benefit from the technology platforms, economies of scale and processes these specialist providers can offer. The need to comply with regulatory demands and to manage your legal risk effectively does not discount the use of cloud-based or managed services. In fact, in many instances, it may be the only way forward.

Mimecast. All rights reserved.
INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA
More informationWho s next after TalkTalk?
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
More informationDean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage
Dean Bank Primary and Nursery School Secure Storage of Data and Cloud Storage January 2015 All school e-mail is disclosable under Freedom of Information and Data Protection legislation. Be aware that anything
More informationConsiderations for Outsourcing Records Storage to the Cloud
Considerations for Outsourcing Records Storage to the Cloud 2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage
More informationArchive Legislation: Email archiving in the United States. The key laws that affect your business
Archive Legislation: Email archiving in the United States The key laws that affect your business Contents Laws regulating archiving and the penalties 3 I. The Securities Exchange Act of 1934 (the 1934
More informationHOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU
HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU 10 April 2014 Monica Salgado Advogada registered with the Portuguese Ordem dos Advogados Registered European Lawyer with the SRA Kirsti Laird Solicitor, (qualified
More informationCompany Profile. First Page. Previous Page. Next Page. Last Page. A Member of Harel Mallac Group
Company Profile A Member of Harel Mallac Group First Table of Contents Who are we? 3 Our Services 4-11 Key Differentiators 11 Contact Us 12 Who are we? Founded in the early 1970 s, Mauritius Computing
More informationEmail Archiving for the Financial Industry
jatheon technologies whitepaper hot ISSUE Email Archiving for the Financial Industry 2... I ntroduction 2... Challenges Faced b y the Financial Sector 2... Why Financial Firms Need to Comply 3... Compliance
More informationInformation Circular
Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal
More informationData Protection Policy
Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and
More informationCompliance Management Systems
Certification Scheme Y03 Compliance Management Systems ISO 19600 ONR 192050 Issue V2.1:2015-01-08 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 A-1020 Vienna, Austria E-Mail: p.jonas@austrian-standards.at
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationSTFC Monitoring and Interception policy for Information & Communications Technology Systems and Services
STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining
More information5 ways Mimecast relieves the headache of email
5 ways Mimecast relieves the headache of email A Paralogic Networks Guide www.scholarisintl.com Introduction Email is one of the core internet technologies; for many businesses in the mid-1990s, the very
More informationCLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
More informationECSA EuroCloud Star Audit Data Privacy Audit Guide
ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:
More informationCA Message Manager. Benefits. Overview. CA Advantage
PRODUCT BRIEF: CA MESSAGE MANAGER CA Message Manager THE PROACTIVE MANAGEMENT OF EMAIL AND INSTANT MESSAGES IS INTEGRAL TO THE OVERALL STRATEGY OF INFORMATION GOVERNANCE. THERE ARE MANY COMPLEX CHALLENGES
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationLeathes Prior Solicitors Terms of Business
Leathes Prior Solicitors Terms of Business 1. Contacting us Our reception is open from 8.30am to 5.30pm Monday to Friday, excluding Bank Holidays. Arrangements can be made to see clients outside these
More informationInformation Governance Challenges and Solutions
Challenges and Solutions In this modern information age, organizations struggle with two things: the problem of too much electronic data and how to govern the data. Each year, the speed of information
More informationUniversity of Aberdeen Information Security Policy
University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...
More informationUNCLASSIFIED. UK Email Archiving powered by Mimecast Service Description
UNCLASSIFIED 11/12/2015 v2.2 UK Email Archiving powered by Mimecast Service Description Cobweb s UK Email Archiving, powered by Mimecast, provides businesses with a secure, scalable cloud-based message
More informationAlign Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
More information(4) THAMES VALLEY POLICE of Oxford Road, Kidlington, OX5 2NX ("Police Force"),
DATE OF INFORMATION SHARING AGREEMENT JULY 2015 PARTIES (1) LIVE NATION (MUSIC) UK LIMITED (Company Number 02409911) whose registered office is at 2 nd Floor, Regent Arcade House, 19-25 Argyll Street,
More informationJohn Partridge Solicitor t/a SME Legal Services terms and conditions
John Partridge Solicitor t/a SME Legal Services terms and conditions Our aim We aim to offer our clients quality legal advice with a personal service at a fair cost. As a start, we hope it is helpful to
More informationCompliance Policy ALCO recommended standard
1. PURPOSE In accordance with CSSF Circular 2004/155, the board of directors of [NAME OF COMPANY] (hereafter the Company ) has adopted the following Compliance Policy. The Company s Compliance function
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
More informationHow not to lose your head in the Cloud: AGIMO guidelines released
How not to lose your head in the Cloud: AGIMO guidelines released 07 December 2011 In brief The Australian Government Information Management Office has released a helpful guide on navigating cloud computing
More informationFIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS
FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationWritten evidence for the Department of Business, Innovation and Skills: a small business commissioner
Written evidence for the Department of Business, Innovation and Skills: a small business commissioner About ACCA ACCA is the global body for professional accountants. We aim to offer business-relevant,
More informationGUIDE TO ACHIEVING EMAIL COMPLIANCE a South African perspective
GUIDE TO ACHIEVING EMAIL COMPLIANCE a South African perspective Abstract This document highlights some of the South African rules and regulations that require the effective management of email. It looks
More informationMitigating and managing cyber risk: ten issues to consider
Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed
More informationCA Records Manager. Benefits. CA Advantage. Overview
PRODUCT BRIEF: CA RECORDS MANAGER CA RECORDS MANAGER HELPS YOU CONTROL AND MANAGE PHYSICAL, ELECTRONIC AND EMAIL RECORDS ACROSS THE ENTERPRISE FOR PROACTIVE COMPLIANCE WITH REGULATORY, LEGISLATIVE AND
More informationAn Agreement dated [ enter date ] governing the conduct of Insurance Business between:
Terms of Business Agreement (Non Risk Transfer) An Agreement dated [ enter date ] governing the conduct of Insurance Business between: and [Name of Managing Agent] on its own behalf and on behalf of the
More informationPublic Consultation regarding Data Sharing and Governance Bill. Contribution of Office of the Data Protection Commissioner
Submission of the Office of the Data Protection Commissioner (DPC) on the data-sharing and Governance Bill: - Policy Proposals (dated the 1 st of August 2014) Public Consultation regarding Data Sharing
More informationProposed guidance for firms outsourcing to the cloud and other third-party IT services
Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is
More informationThe Cloud and Cross-Border Risks - Singapore
The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in
More informationData protection issues on an EU outsourcing
Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process
More informationSecurity Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background
Security Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background What is a privileged user? A privileged user is an individual who, by virtue of function,
More informationA Beginner s Guide to Information Governance
A Beginner s Guide to Information Governance Corporate information takes many forms. While most people readily think of financial and legal data such as budgets and contracts, an organization's entire
More informationLORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER
LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER SECTION 46 OF THE FREEDOM OF INFORMATION ACT 2000 NOVEMBER 2002 Presented to Parliament by the Lord Chancellor Pursuant to section
More informationAustralia s unique approach to trans-border privacy and cloud computing
Australia s unique approach to trans-border privacy and cloud computing Peter Leonard Partner, Gilbert + Tobin Lawyers and Director, iappanz In Australia, as in many jurisdictions, there have been questions
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationAppendix 11 - Swiss Data Protection Act
GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the
More information7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data
Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal
More informationPrivacy and Cloud Computing for Australian Government Agencies
Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationDiscovery Technology Group
Discovery Technology Group E-mail Retention: Readiness Survey E-mail now represents the largest source of new documents and records generated within a company, and the most troublesome from a retention
More informationUnsolicited visits and surprise requests for information by the Financial Services Authority. April 2009
Unsolicited visits and surprise requests for information by the Financial Services Authority April 2009 Contents 1. Introduction 1 2. The FSA s investigatory powers 2 3. Confidentiality of information
More informationSCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES
SCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES 1 1 Definitions In these conditions:- We means Scotland s Commissioner for Children and Young People,
More informationRecords and Information Management. General Manager Corporate Services
Title: Records and Information Management Policy No: 057 Adopted By: Chief Officers Group Next Review Date: 08/06/2014 Responsibility: General Manager Corporate Services Document Number: 2120044 Version
More informationCaedmon College Whitby
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
More informationSt. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy
Learn, sparkle & shine St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy Adopted from the LA Policy April 2015 CONTENTS Page No 1. Introduction 1 2. Guiding Principles
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationRecord Retention, ediscovery, Spoliation: Issues for In-House Counsel
Record Retention, ediscovery, Spoliation: Issues for In-House Counsel CCCA Webinar April 1, 2015 Presenters: Gavin Tighe, Partner (Certified Specialist in Litigation) Stephen Thiele, Partner, Director
More informationProcessor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
More informationTOWN OF COTTESLOE POLICY EMAIL MANAGEMENT
EMAIL MANAGEMENT POLICY STATEMENT Town of Cottesloe email accounts are intended for business transactions in support of the Town s strategic goals and objectives. Accordingly any email transmission residing
More informationStatement of Guidance: Outsourcing All Regulated Entities
Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on
More informationCybercrime: risks, penalties and prevention
Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,
More informationCapstone Compliance Using Symantec Archiving and ediscovery Solutions
WHITE PAPER: CAPSTONE COMPLIANCE........................................ Capstone Compliance Using Symantec Archiving and ediscovery Solutions Who should read this paper IT decision-makers, architects,
More informationGUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK
GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive
More informationAccess to Health Records
Access to Health Records Crown Heights Medical Centre Procedure Access to Health Records ACCESS TO MEDICAL RECORDS (DATA PROTECTION) POLICY INTRODUCTION The Access to Health Records Act 1990 gave individuals
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationStandard conditions of purchase
Standard conditions of purchase 1 OFFER AND ACCEPTANCE 2 PROPERTY, RISK & DELIVERY 3 PRICES & RATES The Supplier shall provide all Goods and Services in accordance with the terms and conditions set out
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationCyberEdge Insurance Proposal Form
Note to the Proposer Signing or completing this proposal does not bind the Proposer, or any individual or entity he or she is representing to complete this insurance. Please provide by addendum any supplementary
More informationMonitoring Employee Communications: Data Protection and Privacy Issues
Monitoring Employee Communications: Data Protection and Privacy Issues By Anthony Sakrouge, Kate Minett, Daniel Preiskel and Jose Saras Reprinted from Computer and Telecommunications Law Review Issue 8,
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationA three step plan for migrating to Microsoft Exchange 2010
A three step plan for migrating to Microsoft Exchange 2010 Mimecast can mitigate the risks associated with migration, such as increased email downtime and threats to data security, helping businesses to
More informationIT Governance Charter
Version : 1.01 Date : 16 September 2009 IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za info@itgovernance.co.za 0825588732 IT Governance Network, Copyright 2009 Page 1 1 Terms
More informationInformation Governance Strategy & Policy
Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information
More informationDaltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual
Daltrak Building Services Pty Ltd ABN: 44 069 781 933 Privacy Policy Manual Table Of Contents 1. Introduction Page 2 2. Australian Privacy Principles (APP s) Page 3 3. Kinds Of Personal Information That
More information