Rules and regulations regarding what records companies must keep and be able to produce as evidence in the case of a court hearing have been around for decades, with one of the first such laws being the Securities and Exchange Act of the US that was passed in 1934. Initially governing only written documents and guarantees, the rule has been expanded to cover new communication technologies such as email and instant messaging.
In recent years, a wide range of governmental and industry-specific regulations have been passed, some international in nature, some limited to a local scope. One particular set of rules that is currently causing headaches for many companies is the PCI standard from the Payment Card Industry. It specifies security standards that must be adhered to by all companies processing personal data relating to credit cardholders, including the need to protect personal information and store it in encrypted form, to restrict access to data, and to track and monitor all attempts to access that data. On a more general level, there are a plethora of regulations related to privacy and data protection that require companies to invest in secure electronic data management systems to ensure that personal information relating to individuals is protected.
Such regulations are forcing companies to revamp their electronic data management policies and capabilities, with one of the key drivers being the threat of legal sanctions. Data leakage prevention has become a particular buzz phrase in the technology industry, especially given the large number of high-profile cases of inadvertent data loss by companies and US agencies that have hit the headlines recently.
In the face of potential litigation or reputational damage, companies are coming to realise the vital importance of regaining control of their business information, including how it is securely archived, in order to be able to respond to investigations with the minimum of business disruption. In the past, the search for evidence for legal purposes involved going through filing cabinets of stored paper documents. In today's business world, up to 90% of the information that a company holds is in electronic form, including business documents in a variety of native formats, databases and directories, and messages such as those held in email and instant messaging systems.
In order to mitigate these threats and to comply with regulations that, in some cases, force companies to retain company documents for many years, companies are putting in place technology to control the management of their data and the repositories in which it is stored. The capabilities of such systems include automated document retention and archiving, document destruction overrides, automated creation and enforcement of data management policies, access control management, encryption technologies, monitoring, web filtering capabilities and full audit trails of who has done what to which material, and when. Such systems should control all data generated by an organisation, in whatever application it was created and on whatever device it resides, including hard drives, storage systems, email systems and internet access records.
Although such data management technology systems provide many advantages for companies looking to control and secure their information flows, employee education is a key factor in the success of any project. All staff must be made aware of the behaviours expected of them, including activities such as accessing bulletin boards, using instant messaging programs, using personal email or logging in to social networking sites. In some cases, employees register for such sites using their company email addresses, potentially opening up part of the company directory to abuse. Some companies deploy content filtering technologies, which can prevent sensitive or dubious material from being sent outside the firm, and others monitor the use that their employees make of communications systems such as email and instant messaging.
However, monitoring of employees' use of email is something that should be done with care in certain jurisdictions, including France and Germany, where companies must respect the right of their employees to expect privacy, even on company-owned equipment, and even where the company has set a policy of not allowing the use of company equipment for such things as personal email. In the case of France, the authorities have ruled that employees have the right to privacy even at work, especially considering the increasing blurring of private and working lives.
Another requirement that international companies will have to factor into their data management capabilities is that a practice that is required in one country may be illegal in another jurisdiction. For example, the US, along with many other jurisdictions based on common law principles, allows for fairly permissive pre-trial discovery of documents in the case of any company facing litigation, for which the company must produce its data and information records as evidence. However, in some countries, including France, Switzerland and Germany, blocking statutes prohibit attempts to gather "any document that may be relevant", making such activity a criminal offence punishable by imprisonment and fines. This is a headache for companies involved in multi-jurisdictional disputes, or which operate across multiple countries, as national regulatory differences must be built into their data management plans and capabilities.
Best-practice guidelines for effective electronic data management:
• Do your homework: find out which regulations apply to your business, taking into account operations in different geographies, and what the requirements of those regulations are.
• Start with a process of discovery internally, covering all data formats, applications and technology devices.
• Assess information access rights in place across the organisation and put in place restrictions on all unnecessary data access.
• Select an electronic data management system that covers all devices, applications and information sources in use, but that is flexible enough to be tailored to the company's specific requirements, such as the use of filtering, encryption and archiving.
• Train employees in the company's requirements and ensure that all employees have read and understood the policies, confirmed through electronic acceptance of the terms. Include any sanctions to be applied in the event of a security incident.
• Audit and report on the system to gauge its effectiveness and be prepared to make changes.
Regulatory compliance is the new reality for most businesses today. Whilst the burden is most onerous for those with shareholders to satisfy, all companies would be well advised to take a look at the processes they have in place for ensuring that the information they produce is maintained and used in a secure manner, as required by many regulations. However, as recent court cases in some countries have shown, companies operating internationally should take care when treading through the minefield of how particular regulations are interpreted in the countries in which they operate.