Michael Salvarezza & Virginia MacSuibhne SCCE Conference, Washington D.C. October 2013 3 Need a picture of data volume 4 1
5 6 Complexity of Information Governance Requirements Complexity of rapidly changing compliance landscape Complexity of corporate/legal structure Complexity of content/context Complexity of infrastructure Complexity due to sheer volume of information Small SMEs Current Generation Solutions Large SMEs Complexity of requirements grows exponentially with size of organization Fortune 2000 Fortune 550 Fortune 100 7 2
Social media and business transformation Explosive growth in volume of content creation Growing urgency to gain control of this dynamic Rapid expansion in laws and compliance regulations MiFID Title 21 CFR 11 PATRIOT ACT 8 Social Media promotes: Sharing Collaboration Open Rapid access to information Casual, informal, spontaneous communication Records Management is about: Governance Litigation Support Businesses care about: Agility Complexity Access to information Insights derived from information Speed and results 9 Policies might cover: social media, BYOD, mobile computing, cloud computing No policy can address all instances, so focus on principles and extend trust Focus on what is critical to the business to keep Recreate vs. capture 10 3
Lead with trust and then provide guidelines Encourage responsible use Frame policies to address responsibility, not productivity Grant equal access Provide training 11 The trouble with rules Copyright 2011 LRN Group Inc. All rights reserved Understand the benefits, and the risks of using social media, and include them in Record Management policy, procedures, and guidelines Understand the regulations that govern your company s use of social media FINRA, SEC, and other government agencies have regulations requiring the preservation of data on social media sites Privacy considerations Maintain any business records under your corporate records policies and procedures 13 4
Consider where the business record is created: If the record is created outside of the social media site, the copy posted to the social media site could be considered a convenience copy If transactional information created on a social media site is a business record under your policy, then have a mechanism in place to capture, store, search, and retrieve those records Ensure procedures specify that Records Managers review the social media site framework before the site is launched to assess capability for proper handling of business records Educate employees through training sessions and communications 14 Make sure the policy is enforceable. Do not rely on device specificity, make sure the policy is broad and general (devices become obsolete). Orient the policy from the business value perspective. Provide training on appropriate use of devices, proper management and security of information, segregation of personal and business data and IT information management controls. 15 Define accountabilities for control (user, IT, business unit, etc.) Address the distinction between personal and business data Ensure proper controls in the event of theft or loss of the device Provide coverage for business provided devices and personally owned devices Address funding of devices or the cost of controls, especially for personally owned devices Address different geographies Focus on both employees and contracted resources 16 5
Define the appropriate use of business records on mobile devices and address requirements for retention of records Security Awareness/Privacy Awareness/Compliance Human Resource considerations Use of devices for personal use Use of devices after hours and on personal time Use of devices while engaged in travel Inappropriate data and website access 17 Ease of deployment Application Whitelists & Blacklists App Security Screening Browser security Encryption Data wiping Business vs. Personal? Auto-provisioning? Location capabilities Inventory Reporting 18 1. Service definition 2. Key legal concerns: indemnification, warranties, production of data 3. Security 4. Privacy 5. Contract renewal provisions and termination clauses 6. Disaster recovery and business continuity 7. Service Level Agreements and penalties 19 6
Information in social media, on mobile devices and in the cloud, like any electronic information, is discoverable Increasingly a target for discovery Contains candid discussions of thoughts, activities, intentions, photos, videos Information covered by legal holds must be preserved Includes social media potentially relevant to pending or reasonably anticipated litigation In company s possession, custody, or control 20 Early cases may confuse discoverability, accessibility, and privacy, but will evolve Companies will need to preserve information in their possession, custody, and control Employers will control information on company systems Employers will have authority over company information on employee systems Privacy considerations won t protect responsive information Employee privacy will not protect corporate information Employee privacy will not protect employee information from production by employees when relevant Third parties will have to respond to subpoenas 21 Data is scattered on many sites internal and external: Information on external sites is decentralized Social media sites present new retrieval and search challenges: Each third party maintains data differently and provides different rights to access Third parties are not subject to their clients preservation requirements, which may accelerate a company s need to retrieve information to which company has access that is covered by a legal hold Technical tools to capture social media sites or content lags behind need Search expertise is required to successfully query in the dialect of social media users 22 7
Work with your IT management to understand your internal capability to preserve information on social media sites and in the cloud Work with your lawyers regarding the contract terms that govern use of and retrieval from each site Investigate new software capabilities that can aid in preserving data by capturing dynamic web pages Learn what the tools can and cannot do to make the social media information available Learn what expertise is required to search this data effectively Demonstrate that the company has been thoughtful in preparation, has procedures, and methodically executes with a consistent, repeatable process that produces measurable results 23 New tools are tackling the capture of dispersed content The National Institute of Standards and Technology sponsors research into the effectiveness of search The Text Retrieval Conference (TREC) Legal Track is a research forum measuring the effectiveness of search in a legal context since 2006 Mock litigation context; applicable to compliance and records management Mock complaint and document requests Using publically available data sets Participants submit responsive documents Results are measured for: Precision how much of what is retrieve is on target Recall how much of the relevant information was retrieved 24 Search results vary widely Define procedures to locate, preserve, retrieve, and search content Internal sites External sites: contracts may control accessibility and timing Mobile devices Cloud infrastructure 25 8
Rethink We cannot solve our problems with the same thinking we used when we created them. Albert Einstein Corporate IT: Manage corporate information and IT infrastructure Corporate RM: Manage process of creating, maintaining, training and enforcing reasonable policies Legal Counsel: Manage organizational legal challenges in defensible manner Risk Officer: Manage risk matters within organization Privacy Officer: Oversee and manage compliance with Privacy laws and regulations Compliance Officer: Oversee and manage compliance issues within organization Security Officer: Manage security matters within organizations, including data security BOD: Board of Directors with primary responsibility for overseeing program and policies Other: Depends on organization. 27 Ambiguity is actually OK Take risks go on a TRIP Challenge the status quo try something different Find the value proposition Elevate the conversation 28 9
Leadership framework Copyright 2011 LRN Group Inc. All rights reserved It s a Journey Copyright 2011 LRN Group Inc. All rights reserved 10