Friday, May 16 2008

© 2008 Online Security
All rights reserved.

 

Compliance Issues Facing Business Today.

Acting as a “compelling event” in the adoption of new breeds of risk management and corporate compliance products and services are the recently highlighted fraudulent business practices occurring within many of America’s Fortune 1000 corporations. Governmental and regulatory investigations have identified, secured, and utilized significant amounts of incriminating evidence from within the corporate Information Technology (IT) infrastructure. Purposeful fraudulent activities aside, second-level effects are now beginning to trickle down into thousands of well run corporations that operate within highly regulated market sectors. For many, their only “questionable act” is a commitment to the deployment of technologies and business practices that promise to improve workforce productivity, client and supplier relationships, and shareholder return.

The challenge for corporate entities in addressing these issues is often one of trying to “herd cats.” The insatiable desire for technology that enables real-time communication, as well as immediate capabilities to develop and distribute information, has created a huge information management quandary. Our ability to communicate and distribute information “at will” has created potentially significant corporate risk associated with failure to adhere to governmental, industrial, or self-imposed corporate compliance metrics. Although much is in place to regulate previous generations of communication and information distribution methods, recent technological advances have seriously taxed the viability of many long-standing regulatory compliance standards. In response, new interpretations and amendments to these standards have been instituted, thus resulting in many of these same corporations having to react to put their “house in order.”

Defining the Challenge
Recent studies indicate that approximately 80% of all corporate information exists in a digital form today, while 93% of all new corporate information is created digitally. This information, created by various enterprise applications, is stored “live” throughout the corporate network or after some period of time, archived onto storage media. The IT industry often refers to this information as “Unstructured Data,” as typically no specific business rules associated with how it is created or stored exist within the corporation. This unstructured data, such as spreadsheets, client correspondence, presentations, sales and marketing materials and the like, then gets distributed both internally and externally to employees, clients, suppliers and potentially numerous entities associated with the business.

Without question, the preferred method of communication and information distribution within the corporate environment is email. Significantly, the email application itself is now becoming the de facto storage location for many business-critical documents. In a recent white paper published by ZANTAZ Corporation, and authored by Henry Wolfgang Carter, Esq. of H.W. Carter Consulting, the following statistics were noted.

In 1998 there were approximately 47 million email users in the United States, with an estimate of 105 million by the end of 2002. Nearly nine out of ten employees have access to email.

A recent study by the University of California at Berkeley (“Berkeley Study”) found that between 600 billion and 1.1 trillion email messages are sent each year, averaging 20KB per message. In another study, the International Data Corporation (“IDC”) forecast that by 2005 the number of emails will exceed 9 trillion annually.

In another study conducted by The Radicati Group in 2002, where data was collected from vendors, service providers and users within Global 1,000 corporations, the following statistics were gathered regarding email traffic:



  1. In 2002 the average corporate email user sends 22 messages per day and receives 39 per day;
  2. The average size of a message without attachments is approximately 14.7KB. Messages with attachments are basically much larger, averaging 300KB per message;
  3. The average corporate email user sends/receives about 5MB of data per day via email. By 2006 the figure is expected to reach 8.5 MB per day; and
  4. Over the next four years, it is expected that message sizes will rise, especially due to an increased number of attachments. This can generally be attributed to the fact that more and more business documents are being sent as attachments.

Gaining ground within corporate communication culture is the deployment of Instant Messaging (“IM”). The number of corporate IM accounts is expected to grow to 687 million in 2004, from 28 million in 2000, reports The Radicati Group. The combined use of email and IM for real-time communication and information distribution internally and externally has provided levels of productivity never before experienced. However, these capabilities, at the same time, create serious communication and information management compliance issues.

This provides a backdrop for what is found within a typical corporate IT infrastructure. Unfortunately, the adoption and productive utilization of these technologies by corporations that participate within highly regulated markets has forced the review, re-interpretation, and amendment of many compliance standards by the Federal Government. As a specific example, those corporations managed and regulated by the Securities Exchange Act of 1934 have been significantly impacted.

Industry Response
In response, the IT industry has begun to market and deploy solutions that assist in many of the areas currently under scrutiny by Federal Regulators. Risk Management and Compliance Practices offered by many consulting firms assist corporations to identify and interpret the governing regulations for their business sector. Through detailed analysis, the scope of potential non-compliance within the business is determined, and an internal “compliance initiative” that will bring each operational component into compliance is developed. These compliance initiatives are comprised of re-engineered business processes and new technology to assist in the automated management of the communication and information distribution.

New technologies combined with “re-purposing” of existing technologies are now being deployed to assist corporate IT organizations in automating the compliance adherence process. These solutions are primarily focused on retention, indexing, and supervision of email and IM activity corporate wide. They are the first set of “proactive” compliance applications created in an attempt to address the latest round of interpretations and amendments to the SEC Act of 1934.

Business Example
Driven by information preservation rules outlined in SEC 17a-4, corporations within the financial services sector have begun to seek assistance from companies such as ZANTAZ®, a leading provider of Compliance Technology Solutions™.

Among a host of additional data preservation related requirements, SEC 17a-4 states: “Every such broker and dealer shall preserve for a period of not less than 3 years, the first two in an accessible place: Originals of all communications received and copies of all communications sent by such member, broker, or dealer (including inter-office memoranda and communications) relating to his business as such.”

With the help of companies like ZANTAZ, a corporation can deploy proactive compliance initiatives that:



  1. Automatically capture, archive and instantly retrieve email, attachments, and IM;
  2. Monitor and supervise email, IM and other electronic communication; and
  3. Quickly restore data from back-up tapes in the event of an audit, litigation or investigation.

Companies like ZANTAZ have gone to great lengths to empower a corporation to quickly, efficiently, and cost effectively deploy proactive compliance solutions associated with electronic communication preservation, supervision, and record-keeping regulations mandated by SEC Rules 17a-3 and 17a-4, NASD Rules 2210, 3010 and 3110, NYSE Rule 342, CFTC Rule 1.31 and NFA Rule 2-9.

Reality of React and Respond
The world being what it is, any proactive attempt to reach a compliance “steady-state” can be undermined by a single non-compliance or litigation event, at which point the corporation is thrown back into the familiar “react and respond” mode. It is reality and the nature of the beast! Just as corporations develop strategic plans associated with proactive solutions, acceptance of the Reality of React and Respond needs to occur, and plans put in place to optimize the corporation’s ability to address them when they arise.

Although primarily targeted toward the litigation market segment at present, Electronic Discovery products and services such as those offered by FIOS can deliver complete functionality needed by a corporation to address both ongoing compliance adherence, as well as the confidence to address internally and externally triggered events.

FIOS, a leading electronic discovery services company for many of the nation’s leading law firms, provides visibility into a corporation’s entire “data universe,” including the unstructured data. Whether in response to an external inquiry, or in an effort to maintain corporate or market mandated compliance, FIOS’ services empower a corporation to efficiently collect and review relevant communications and distributed information associated with the topic(s) or custodian(s) in question.

The purpose of federally mandated information retention policies is not to require information preservation for the mere sake of information preservation. The goal is to regulate preservation because at some point in time, these corporations will receive a request driven by either a non-compliance or litigation event. At that point, the need to aggregate and review ALL data, whether email, IM, or unstructured data, associated with the topic will be required. These reactionary events translate to huge expenditures when they occur, as legal service providers become involved, consuming vast amounts of time and energy from internal resources. The ability to proactively apply the same technologies and business practices, which have been historically reserved for reacting to litigation events, can now provide enhanced internal confidence, risk mitigation and substantial cost savings when applied proactively. Corporations can access and review questionable communication exchanges or distributed information as deemed necessary, based upon internally mandated compliance initiatives. Armed with this functionality, corporations now have near real-time visibility to their risk factors and liability.

Beyond Regulated Markets
Not participating in a highly regulated market? You are not off the hook. A recent decision handed down by a court in New York on May 17th, 2003 makes this patently clear.


Excerpts from the New York Times
A Ruling Makes E-Mail Evidence More Accessible
By LANDON THOMAS Jr.

UBS Warburg was ordered this week to pay for the search and recovery of e-mail messages requested by a plaintiff, giving aggrieved investors a new legal tool to support their cases against investment banks.

Shira A. Scheindlin, a judge in the southern district of New York, said that UBS had to dig into its archives and pay for the restoration of a limited batch of e-mail messages sought by a former employee who is suing the firm for sexual discrimination and retaliatory dismissal.

Judge Scheindlin's opinion, delivered on Tuesday, is already being referred to by lawyers representing investors and investment banks as a definitive piece of jurisprudence.

"The decision is very significant and will help customers get crucial evidence for their cases," said Jacob H. Zamansky, a leading arbitration lawyer. "As long as you can make a showing that the evidence you are asking for is relevant, the banks must bear the cost for searching through the e-mails."

"It's very important for our case," said Melvyn I. Weiss, whose law firm, Milberg Weiss Bershad Hynes & Lerach, is leading the suit. "Judge Scheindlin has set the standard. She has made it clear that she will force the defendants to make available all material that otherwise would be difficult to obtain."

"This will be the law of the land when it comes to arbitrations," said James A. Batson, of Liddle & Robinson, who is representing Ms. Zubulake. "Defendants can no longer hide behind the cost factor."

Summary
Although public emphasis has been placed on those corporations participating in highly regulated market sectors, no corporate entity is released from the requirement to comply with its specific industry regulatory standards. The IT industry has responded with dynamic technologies and business approaches to address the needs of the corporate client. Whether the need is initiated due to proactive compliance initiatives, or reactive investigatory or litigation-triggered events, internal IT organizations now need to aggressively adopt solutions which provide their corporation with the capability to identify and manage their risk, thus taking much greater effective control of their

 
