
Thursday January 19, 2006
Confusion Even Among Attorneys
I have been attending various classes and seminars on Compliance, eDiscovery and ILM, one recently with my father, who is a practicing attorney in California. I would not recommend this activity. My arm is sore from him hitting me and saying "this applies to you!" Actually there are several new cases in the litigation area that have come out since Zubulake and its rulings. These new cases appear to be extending and clarifying the rulings in Zubulake. I am also surprised to note that few general counsel and/or risk managers are unaware of these developments. One point a recent lecturer made, and one I heartily agree with, is that notice of a pending litigation may not start when the defendant receives a summons. A simple article in a newspaper can serve as notice, or notice can even be imputed due to the egregiousness of the behavior on the part of the defendant. That gets scary. And the plaintiffs' bar is all over this. As my dad says, this appears to be a bunch of bull, but bull you have to pay attention to.

Tuesday May 10, 2005
Storage Networking World
Storage Networking World was a personal high point for me. I was selected to speak based on a presentation that I submitted around compliance and what to do about it. I find that just staying up on compliance is a second job, but one that is near and dear to me. Anyhow, after doing the research for that presentation, I have decided to start doing critiques of the things that cross my desk. I just hate the market speak that seems to come across some lips in this business. I had a call the other day where I called to inquire about a product and the person on the other end went on for 20 minutes talking about compliance without saying one meaningful word. So. There it is. My personal crusade and mission statement. Keep tuned for further blogs.
F.

Friday February 11, 2005
ILM Summit
I have just finished attending the ILM summit in Irvine. The first day was a huge advertisement for each of the vendors that presented. Sun didn't present. It felt like they each had 1 slide on their idea of ILM and then 20-30 slides on product. Of the attendees in the sessions that I attended, the audience was mostly vendors. It was a vendorfest. The "TUTORIAL" was done only by vendors. What can you be tutored about from a vendor when they only talk product? All in all, it was a disappointment.
The one takeaway from an end user was: ILM is 90% process, 10% product. Too bad the vendors didn't know that.

Wednesday September 29, 2004
Bank News Article Review on E-mail & Regulatory Compliance
I just finished reading the Bank News July 2004 issue. In the article Adam Wilkins writes in a general way about email management. He mentions the various legislation, fines & penalties and then defines three cycles of email management: backups only, "self-insurance" and "insurance plus ROI". Insurance plus ROI basically means integrating email into business process by having a single repository managed via a single business process. These ideas are only presented in a general way and so provide little practical insight.
From these generalities, he says do something about it now. If you are a publicly traded organization, you are compelled to do something now or suffer the consequences. He states that you should "actually create a policy and make it known". Unfortunately, this does not go far enough. A recent case concluded that a policy alone is not enough; it must be followed. There the company had a policy, did nothing, got sued and then destroyed email after the fact. The court held that once a company is sued, whatever email is still present must be kept regardless of policy.
The author says start with customer service, procurement and legal. How many lawsuits originate from customer service? What about the C-level folks who are subject to compliance? What about customer-facing folks like sales or Wall Street traders? Would that be better protection than capturing procurement email? Legal, of course, is aware of the venue and so would likely be the least productive place to start.
He makes additional suggestions which seem not well thought out. For example, "Encourage employees to use their "own" accounts for personal messages" like MSN's Hotmail. With that suggestion, you have simultaneously thwarted your ability to monitor, allowed employees to misuse corporate assets and waste time, and opened the door to vulnerabilities by allowing any corporate data to fly out the Hotmail window. On the other hand, he suggests that typing PRIVATE in the subject line can avoid the review process, again leaving the employee to judge what is a business record.
While the article makes some good points about automating and administrative methods for accessing old messages in the future, the overall gist, in my opinion, is naive.

Monday June 14, 2004
Document Retention Policies
The first step in setting up a document retention policy is, as my old law school civil procedure professor used to say, make sure that everyone is invited to the party. This means you need to have the legal department, IT department, and the C-level officers together in a meeting. Once you have defined what needs to be retained according to legal, then IT has to ensure that appropriate technology is in place to support the retention policy and the C-level folks provide the funding and enforcement mechanisms. All are needed to implement what is essentially an infrastructure change. Some authors have suggested that since Sarbanes Oxley explicitly states that auditors must keep documents for seven years, some companies may not need to retain documents, or not retain them for as long. I would suggest that the retention period for a company really needs to be determined by the company's legal advisors. Whatever period(s) of retention are agreed upon, they must be explicitly adhered to and clearly stated in the retention policy. And remember that litigation requires that lawsuit-related documents have an additional hold placed upon them. One key point here is that if the policy states that documents are destroyed in 3 years and they are not destroyed, then if a lawsuit is commenced, one cannot retroactively destroy those documents. So at three years and one day, documents must be destroyed lest they inadvertently provide a smoking gun for the opposition.
So how do we enforce this policy? That is where the technology enters in. Relying on human systems can be fraught with peril. A system doesn't hesitate to delete, migrate or retain. At its most basic level, a hierarchical file system that migrates and purges data addresses some of these issues. In Sun's case, we have SAM-FS. There are others out there. This, coupled with a mechanism for applying a legal hold, may be all that some companies need. At the other end of the spectrum, an archiving system may be required. An archiving system will reduce litigation expenses as most documents can be readily accessible. I was once a litigation support manager in a law firm. I was forced to design and assemble the component parts I needed to assist the firm and its clients. Now archiving systems are available off the shelf that address most needs. (marketing hat on) Sun and AXS-One offer a system which differs from the rest in that it can be modified for future needs by a workflow engine and extensions developed either by us or by the customer. (marketing hat off) So to recap, one needs to develop the policy for compliance and to select appropriate technology to enforce that policy.
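The two rules above, purge on schedule and never purge what is under a legal hold, are what the enforcing technology has to get right. As an added example, not code from this blog and not the SAM-FS or AXS-One implementation, here is a minimal retention engine in Python that applies a per-class retention schedule, lets a hold override the purge even for documents whose period has already expired, and writes an audit record for every decision. The record classes, retention periods, matter id and sample documents are constructed assumptions; a real schedule comes from the legal advisors, as the post says.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical retention schedule in years per record class (assumption;
# the real periods are set by the company's legal advisors).
RETENTION_YEARS = {"email": 3, "contract": 7}


@dataclass
class Document:
    doc_id: str
    record_class: str
    created: date
    legal_holds: set = field(default_factory=set)  # matter ids holding this document


def add_years(d, years):
    """Same calendar date `years` later; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(doc, schedule=RETENTION_YEARS):
    """Last day the policy allows the document to exist."""
    return add_years(doc.created, schedule[doc.record_class])


def disposition(doc, today, schedule=RETENTION_YEARS):
    """Return 'HOLD', 'RETAIN' or 'PURGE' for one document.

    A legal hold always wins: a held document is kept even if its period has
    expired, because once litigation is pending whatever is still present
    must be kept regardless of the schedule. Unheld documents are purged
    from the day after expiry ("three years and one day").
    """
    if doc.legal_holds:
        return "HOLD"
    if today <= retention_expiry(doc, schedule):
        return "RETAIN"
    return "PURGE"


def place_hold(docs, matter_id, is_relevant):
    """Attach a hold for `matter_id` to every present document the predicate
    marks as relevant. Returns the ids newly placed under hold."""
    held = []
    for doc in docs:
        if is_relevant(doc) and matter_id not in doc.legal_holds:
            doc.legal_holds.add(matter_id)
            held.append(doc.doc_id)
    return held


def release_hold(docs, matter_id):
    """Lift a hold; the normal schedule resumes on the next run."""
    for doc in docs:
        doc.legal_holds.discard(matter_id)


def run_disposition(docs, today, schedule=RETENTION_YEARS):
    """One scheduled run: purge expired unheld documents, keep the rest.

    Returns (surviving_documents, audit_log); the log records every decision
    so an auditor can verify the stated policy was actually followed.
    """
    survivors, audit = [], []
    for doc in docs:
        action = disposition(doc, today, schedule)
        audit.append((today.isoformat(), doc.doc_id, action))
        if action != "PURGE":
            survivors.append(doc)
    return survivors, audit


# Constructed sample corpus (not real data).
SAMPLE_DOCS = [
    Document("m-001", "email", date(2001, 3, 1)),     # expired by June 2004
    Document("m-002", "email", date(2002, 6, 1)),     # still inside 3 years
    Document("m-003", "email", date(2001, 4, 15)),    # expired, but relevant to a matter
    Document("c-001", "contract", date(1999, 1, 1)),  # 7-year class, not yet expired
]


def demo(today=date(2004, 6, 14)):
    """Run the engine once over fresh copies of the sample corpus."""
    docs = [Document(d.doc_id, d.record_class, d.created) for d in SAMPLE_DOCS]
    # Litigation commenced: hold everything from April 2001 that is still present.
    place_hold(docs, "matter-42", lambda d: (d.created.year, d.created.month) == (2001, 4))
    survivors, audit = run_disposition(docs, today)
    decisions = {doc_id: action for _, doc_id, action in audit}
    return decisions, [d.doc_id for d in survivors]


if __name__ == "__main__":
    decisions, remaining = demo()
    for doc_id, action in decisions.items():
        print(doc_id, action)
    print("remaining:", remaining)
```

The point the post makes is visible in the output: m-001, unheld and past its three years, is purged on schedule, while m-003, equally expired but swept up by the hold, is kept; destroying it now would be the retroactive destruction the court penalised. Releasing the hold after the matter closes puts m-003 back on the normal schedule at the next run.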

Friday June 11, 2004
What is Compliance anyway?
Many people have been asking what is compliance? Compliance means that you, as a company, will not only obey, but take affirmative action to comply with the various new Federal laws recently enacted as a result of corporate malfeasance. The ideas behind these laws started with DOD rules for document handling and then were embellished. So you have SEC rules, Sarbanes Oxley legislation, Patriot Act rules, Basel 2 in Europe, HIPAA with regard to personnel and privacy, and others. These rules specify various document retention periods, retention media (WORM drives) etc. What is particularly invasive however is that it must all be audited and the auditors must be watched as well. Some companies are taking a wait and see approach because no case law has developed nor been appealed which spells out in particular what is actually "the law". This is a poor idea. Federal agencies will frequently attempt to intimidate what they feel is appropriate behavior. Look no further than Attorney General Spitzer in his fight over NYSE compensation as an example. What is required immediately is that at least a company have a plan in place, unless you are specified as a fast track company, i.e. the financial sector.

Thursday June 10, 2004
Securities Industry Association Show
Yesterday I attended the SIA in New York at the Hilton Hotel. I have a law degree, a 20 year background in technology, worked in law firms, did litigation support, and I have to tell you I was amazed at the hype and damned lies I heard around compliance with various regulations. Some vendors went so far as to say they were certified (not possible) for Sarbanes Oxley. Another vendor claimed a competitor's clients as their own. It was shameful. On another note, there is a new magazine that has just been published called "Corporate Compliance Advisor". It has a real world example article, an analysis article, Sarbanes Oxley and HIPAA sections, as well as a litigation preparedness article. I found their Sarbanes Oxley software roundup to be severely lacking. However, the price, $99.00 annually, is steep for the information contained therein. But specialized information can be pricey. One sidenote: Gartner has a nice full page ad on the inside cover. One notable quote: "Firms that focus only on compliance will miss the chance to strengthen corporate governance and transparency, which in turn can lead to better-informed decision making and higher ROI." I think this captures the idea that we can turn lemons into lemonade and treat compliance as an opportunity to improve profits. See www.advisor.com or complianceadvisor.com for details.

Wednesday June 09, 2004
Is Sarbanes Oxley a Trojan Horse for Attorney Client Privilege?
In recent discussions around compliance with Federal mandates such as Sarbanes Oxley, a new topic has emerged. Do the regulations erode attorney client privilege? The thinking goes like this: email is protected when there is a reasonable expectation of privacy. If I send email to my corporate attorney and that email is reviewed on a random sample by a compliance officer, then my attorney client privilege is possibly compromised. If I am at my company dealing with some matter and, because I use a keyword like sexual harassment, the keyword triggers a keyword review for questionable material, does that breach attorney client privilege? If so, in either case, does that mean that compliance officers should be officers of the court, i.e. attorneys or potentially legal staff who can maintain attorney client privilege? Or should legal department email be excluded from review? Can the proverbial cat be put back in the bag? This is only one issue among many that will require close review of corporate policies in general and email policies in particular.

Tuesday June 08, 2004
Email Archiving & Compliance; Book Review
We have a reseller agreement in place with AXS-One to resell their email archiving product. This product works in conjunction with SAM-FS, our hierarchical storage manager. We now have a pretty complete story for Sarbanes Oxley and SEC compliance issues. With the pending new legislation we are going to be prepared to assist customers with these requirements. And they are requirements! Penalties for non-compliance range from fines to jail/prison. So this blog will track those issues and hopefully provide an education around these issues.
I have just finished reviewing the book, "Email Rules", by Nancy Flynn and Randolph Kahn, Esq. In my opinion this book is out of date. However, if one has never considered email policies before and one is still in a college MIS course, it might provide some background information. For most business folks, it does provide a beginning. For IT, your time is better spent elsewhere.