All posts tagged Compliance

Beyond record keeping: the importance of Information Governance

Information governance is no longer limited to simple record keeping. In today’s workplace, it is the backbone of best practice across business functions and encompasses:

  • information security
  • compliance and risk management
  • privacy
  • data storage and archiving
  • business operations and management
  • IT management
  • business intelligence and big data

In my role as an ediscovery consultant, I have seen the impact information governance has on legal scenarios involving litigation, regulatory investigations and data protection related requests such as the right to erasure. Furthermore, effective information governance can bring many benefits and ensure the smooth management of various legal scenarios that depend on the production and identification of electronic evidence, such as right to erasure requests.

Companies that have their house in order generally find that requests for information are fulfilled with minimum disruption to their business. Rather than spending time searching for electronic documents, they can respond to the request right away, homing in on data quickly. Because they understand their data architecture, searches and collection can be less widespread and therefore cheaper. In contrast, those with poor infrastructure waste valuable time and money seeking this out and often spend more on forensics services, processing and hosting fees.

In terms of compliance, we find that information governance and efficient compliance programmes go hand in hand. You can’t have a good compliance programme if you don’t have a handle on where your data is, what data you are collecting and what backup systems are in place. Poor information governance provides a useful camouflage for those engaged in unlawful behaviour. Those who have been embroiled in regulatory investigations or experienced fraud know all too well the financial and reputational damage caused by not preventing misconduct.

Take the lead towards improving information governance at your company

If you have concerns about how your company is managing information, it is vital that you raise the issue with senior management, IT and other departments and begin the process of enacting change. As general counsel, your legal knowledge and responsibilities make you a key stakeholder in the process.

Where do I begin?

Some elements of information governance do require technical knowledge and specialist services such as ediscovery and data analytics. An experienced ediscovery vendor will be able to offer consultancy to tailor a specific programme for your company’s needs. However, below is an outline of the typical steps involved in improving information governance:

  • Mapping and assessing data estates

Using consultative assessments, data mapping, system inventories and data mining technologies, your consultant will outline how important or sensitive data is created, secured, managed and retained throughout your organisation.

  • Analysing and classifying data

Once you know where your data resides and the extent of it, this data can then be defined and classified. Redundant and obsolete information can be eliminated using a specialist review platform, freeing up server space and reducing backup costs. Key information can be preserved and managed more easily.

  • Building context and monitoring activity

Technology such as predictive data analytics can then be deployed to mine critical information, evaluate the facts in context, define relationships between data sets and measure trends.

With stronger insight into trends and anomalies in targeted sets of content, you can holistically manage or predict risks and make informed legal decisions whilst reducing reactive legal fees.

  • Futureproofing your systems

Information governance is an ongoing process and not a one-off project. Your ediscovery consultant will be able to design and implement sustainable policies, technology-enabled solutions, flexible training programs, and periodic audits. This will ensure your information governance program can stand the test of time as cultural, business, legal and technical needs evolve.

About Tina Shah

Tina works at Kroll Ontrack as a Legal Consultant in Continental Europe. Tina has a variety of experience in the legal sector, including working as a lawyer for a global project management firm organised to provide comprehensive consulting services for FDA-regulated companies and conducting extensive e-disclosure/document review for high-profile litigation cases. Tina is a US-qualified lawyer and fluent in Italian and Spanish.

The Age of Corporate Anti-Corruption Compliance

Bribery and corruption are a growing concern for businesses in all sectors and jurisdictions, although some involve greater risks than others. All companies should consider themselves open to scrutiny by authorities. With the effects of social media, news continues to linger and reach more people than through traditional news outlets, potentially exposing companies to reputational damage. Companies also risk enormous fines and legal and investigative fees, which, combined with the steep costs of monitorship, mean that a proactive approach to compliance is essential.

Snapshot of Global Standards

Despite a global marketplace, there is no international anti-corruption law or standard. The relevant laws in different countries and regions are complex and diverse. While anti-corruption laws are becoming more robust in many jurisdictions, the UK Bribery Act (known by some as “FCPA on Steroids”) now represents the most expansive and stringent anti-corruption law in the world, even compared to the US Foreign Corrupt Practices Act (FCPA). Along with national laws, companies should also be aware of treaties under the United Nations and the Organisation for Economic Cooperation and Development (OECD) in order to present evidence of a broad approach to compliance.

While anti-corruption laws may vary around the world, common requirements of these laws form the backbone of any comprehensive compliance programme. To effectively prevent and detect issues of corruption, bribery, and fraud in international business, compliance has to be an active part of the organization and culture. It is a continuous and ongoing process that requires nurturing, monitoring and maintaining. This requires a paradigm shift in activity, moving away from reactive fire-fighting to the proactive management, prevention and detection of corruption and compliance risks.

What Global Companies Should Do to Prevent Potential Liability

What does the increased enforcement of the FCPA and UK Bribery Act mean for ediscovery? First, in any matters that are international in scope, you will need to comply with data privacy regulations. Depending on the type of investigation, the collection of documents can be from custodians scattered around the world. The varied documents (emails, financial records, or expense accounts, for example) may be written in different languages. Relevant information might also be stored in different media sources. Finally, determining what information to search for can be difficult, since you will need to show evidence of the absence of corruption. Given these challenging parameters, the best course of action is to get a sense of the potential scope of review as quickly as possible.

Given the regulators’ ongoing focus on compliance with global anti-corruption legislation, conducting targeted due diligence and proactive audits is increasingly critical for companies involved in cross-border transactions. With technology and tools, companies can develop proactive strategies to confront the rising global tide of enforcement of anti-corruption laws. Companies that understand this and pledge resources to ethics and compliance programs can navigate their company away from icebergs and on to safer shores.

About Tina Shah

Tina works at Kroll Ontrack as a Legal Consultant in Continental Europe. Tina has a variety of experience in the legal sector, including working as a lawyer for a global project management firm organised to provide comprehensive consulting services for FDA-regulated companies and conducting extensive e-disclosure/document review for high-profile litigation cases. Tina is a US-qualified lawyer and fluent in Italian and Spanish.

Amsterdam: The Layover – E-Crime congress 2013

Don't Panic: Responding to Data Theft

Day 1

4:00 pm – Nexus, Farringdon Street, London
Here’s some wise advice – never answer your phone when your train is leaving in 15 minutes. Robert Jones learned this the hard way and as a result he had to set a new track record from Nexus to City Thameslink Station, in under 2 minutes. “Surely that can’t be done!” I hear you cry. Well thankfully Rob, like all Kroll Ontrack employees, is a finely tuned athlete and has been training for marathons, and so made it with seconds to spare. Robbie J, quite literally going the extra mile to keep his clients happy. So the three intrepid travellers – Luke Aaron, Robert Jones and myself – got the train on time and were on our way to Gatwick airport.

5:30 pm – Gatwick Airport, Departure Lounge
Dinner consisted of tortilla chips, guacamole sauce and some random roasted vegetables, eaten with one of those silly security knives, more handle than blade, hardly gourmet cuisine. “That’ll be £9.50 please sir” – “How much? For some crisps and a dip?” So, lighter in the pocket but ‘heavy’ on food, we headed to the plane. After the traditional security routine – put toiletries in small evidence bag, take off coat, jacket and belt, unpack laptop, put all small change in tray (not that we had much left after dinner), get tray jammed by eight others in machine, get patted down by male security guard, feel violated, put belt back on, lose passport and boarding card, panic, find passport and boarding card in pocket you didn’t know existed, re-pack entire contents of luggage – we boarded the plane. Without naming names, it was the orange and white budget one that sounds like Cheesypet, who have started to allocate seats nowadays, much to the consternation of familiar Cheesypet travellers who had prepared for the scrum to get a seat near the front of the plane. We finally took off and were on our way to Amsterdam.

10:00 pm – Hotel Okura, Amsterdam
An hour later we landed on Dutch soil with the final destination as the Okura hotel. A fine and opulent hotel, the pinnacle of which was the remote controlled blind between the bath and bedroom. Rob claims he overheard Luke getting at least half an hour of entertainment by continually sending it up and down.

Day 2

12:25 pm – Hotel Okura, Amsterdam
After building up the stand with extreme precision, it was Luke Aaron’s time to shine at his debut as a Kroll Ontrack speaker. His educational seminar was entitled ‘Don’t panic: Responding to data theft’. In the 35 minute slot Luke explained to around 25 captivated visitors, from a variety of backgrounds including banking, telecoms and software companies, what policies and procedures every company should embrace regarding a possible data theft. The presentation was very well received and was for many an eye-opening introduction to the world of data theft response.

Luke Aaron on data theft

2:25 pm – Hotel Okura, Amsterdam
Now it was time for Robert Jones and his special guest, Misha lutje Beerenbroek, Head of EC Competition and Trade at Baker & McKenzie, Amsterdam, to impress the crowd. This pairing, which some (Rob) have compared to the compliance world’s equivalent of Jimmy Page and Robert Plant*, rocked the conference with a talk centred around ‘Using innovative technology to audit for compliance’. With a very relaxed and open approach the duo riffed away on regulatory trends towards cross-border investigations and fines, the growth of a compliance culture and the benefits of building strong compliance programmes to be better prepared for the risk of regulatory intervention in relation to antitrust, corruption and other issues. A particular topic which got the audience talking was the frank discussion of approaches taken by companies when weighing up the problem of carrying out an internal investigation to defend the company, versus the risk of infringing an employee’s personal rights and data privacy laws. It was clear this gave many visitors a new perspective on internal audits and some audience members were still humming away afterwards to the tune of ‘Communication Breakdown’ (or ‘email analytics’, as we like to call it).

*Of ‘Led Zeppelin’ fame – apparently some people have never heard of them.

7:00 pm – Schiphol, Departure Lounge
After re-hashing over dinner we came to the conclusion that it was a productive day. With our data centre in Germany due to be operational in late January and our French data centre to come online shortly afterwards, hopefully congresses like this will help make more businesses aware of our continued commitment to providing solutions in Continental Europe.

About Jasper van Dooren

Jasper is part of the Electronic Evidence Consultancy team, which provides scoping consultancy and advice to potential clients in ediscovery or computer forensics matters. He also assists clients by providing demonstrations, presentations, documentation and advice before and during project engagements to ensure that expectations and legal requirements are being met. Jasper graduated from Utrecht University, Netherlands, with a Master’s degree in Private law before moving to London.