Information Management 101 for Corporations

Georgetown CLE Advanced Computer & Internet Law Institute
Peter Kurilecz, CRM, CA, Records Manager, Nextel Communications, Inc. (703)
Marc Martin, Partner, K&LNG (202)

Agenda
Introduction
Retention Requirements
Security, Privacy and Confidentiality

1. Electronic Business Record Retention Requirements
Electronic business record retention regulations establish periods of retention, acceptable storage media, and organizational requirements for electronic records. Failure to maintain sufficient records can mean violating multi-layered laws and regulations, which can result in hefty fines, imprisonment and bad publicity.

What is a Business Record for Your Company?
A Business Record may include any medium used to communicate or record company- or business-related information, whether in written, electronic, or voice form. Examples include the following in any medium: business agreements, calendars (including Outlook calendar entries), contracts, correspondence, customer complaints, databases, diagrams, e-mails, government-issued licenses (e.g., FCC, PTO) or penalties (e.g., IRS, SEC) and related correspondence, invoices, leases, litigation files, meeting minutes, memoranda, notes, photographs, regulatory filings, sales projections, spreadsheets, and voice mails.
Examples of electronic forms of media include, but are not limited to, home PCs, laptops, CDs, DVDs, cellular phone voice mail and text messages, VOIP-transmitted voice mail / e-mail, instant messages, faxes via e-mail, pagers, and PDAs.

Criteria -- Trustworthy Electronic Business Records
Integrity: complete and unaltered
Security: protection of confidentiality and privacy
Authenticity: origin must be reliably demonstrated
Accessibility: with respect to time and technological access (degradation of data, availability of necessary hardware)

Where Electronic Business Records Matter
In the courtroom (e.g., Rules of Evidence)
In commerce (e.g., proper execution, protecting confidential information)
Before administrative agencies (e.g., HIPAA data format standards)

U.S. Approach to Information Management Law
There is no single, comprehensive law governing information management. Rather, the law is comprised of:
Federal and State Statutes
Rules of Procedure and Evidence
Common Law
Industry-Specific Regulations
Contractual Agreements

Federal Law and Regulations
Public Companies: Sarbanes-Oxley (SOX) requires all public companies to retain documents related to their financial audits (i.e., audit workpapers) for seven years. Such documents could include website records, internal control reports (and the documents used to create them), regulatory filings, and litigation-related documents. Improper destruction of records can result in a 20-year prison sentence.

Federal Law and Regulations: Additional SOX Retention Implications
SOX makes it a crime to knowingly alter or destroy any document with the intent to impede, obstruct, or influence the investigation of any matter within the jurisdiction of a department or agency of the U.S., or in relation to or in contemplation of any such matter.
The earlier standard was limited to cases where an individual intentionally destroyed evidence or impeded an investigation that the individual knew to be pending or imminent.

Federal Law and Regulation (continued)
IRS Retention Rules: IRC Sec.
Records must be maintained so long as they are subject to audit under the Internal Revenue Code. This means all documents must be kept for at least three years, some for six, and some should be kept permanently. Failure to comply can result in penalties.

Federal Law and Regulation
IRS Retention Rules: Rev. Proc.
Provides guidance to taxpayers that maintain books and records by using an electronic storage system that either images their hardcopy (paper) books and records, or transfers their computerized books and records, to an electronic storage medium, such as optical disk.

Federal Law and Regulation
IRS Retention Rules: Rev. Proc.
Specifies the basic requirements that the IRS considers essential where a taxpayer's records are maintained within an ADP system.

Federal Law and Regulation
Securities industry: record retention regulations (e.g., Rules 17a-3 and 17a-4 for brokers/dealers, 17Ad-6 and 17Ad-7 for transfer agents, NASD Rule 3110, NYSE Rule 440)
Health care: HIPAA regulations require that medical records be retained at least 6 years, and at least 2 years after the death of a patient. Penalties for noncompliance include fines up to $250,000 and up to 10 years in prison.
Internet access providers and telecommunications companies: Communications Assistance for Law Enforcement Act (CALEA).

Federal Law and Regulation (continued)
18 CFR 225: Preservation of Records for Natural Gas Companies
18 CFR 356: Preservation of Records for Oil Pipeline Companies
17 CFR 257: Preservation and Destruction of Records of Registered Public Utility Holding Companies and of Mutual and Subsidiary Service Companies

State Law: Spoliation
Many states recognize an independent tort of spoliation. Destruction of evidence, including electronic evidence, can be a ground for independent penalties or lead to adverse inferences in litigation.
In the event of any potential litigation, you must STOP scheduled document destruction and retain all documents that may be relevant to the litigation.

Consequences
Andersen was ruined by information management issues, among others.
Deutsche Bank Securities, Goldman Sachs, Morgan Stanley, U.S. Bancorp, Piper Jaffray and Salomon Smith Barney were fined $1.65M each for failing to properly preserve communications.
SG Cowen was fined $100,000 for deleting e-mails (by reusing backup tapes) before expiration of the retention period.
Carlucci v. Piper Aircraft, 102 F.R.D. 472 (S.D. Fla. 1984): judgment of $10M to plaintiff. Defendant failed to follow procedures and destroyed records during the discovery phase.

Consequences (continued)
Applied Telematics v. Sprint: Sprint produced certain electronic tapes of computer transactions. It later resumed its practice of re-using other tapes not produced, effectively destroying non-produced records. The Court said Sprint knew or should have known that this information was relevant, and required Sprint to pay the cost of obtaining comparable information from other sources.
Frank Quattrone urged his employees in an e-mail to clean up files while the government was investigating CSFB's allocations of IPO shares. He was convicted of obstruction of justice and sentenced to 18 months in prison. CSFB paid $100M to settle related civil claims.

Contractual Retention Obligations
Standard retention covenants in contracts: "[Company A] and [Company B] shall maintain complete and accurate records of all amounts billed to and payments made by [B], in accordance with GAAP. [A] and [B] shall each retain such records for a period of three (3) years and maintain billing detail for the same time period. [A] and [B] shall provide reasonable supporting documentation to each other concerning any disputed invoices."

Contractual Retention Obligations
Duty to return versus duty to destroy: potential conflict with statutory requirements.
Admissibility of electronic records in court: where's the signed original?
Tangible versus non-tangible records.
Redlines and drafts on hard drives
Archived e-mail with attachments

Where are the Electronic Business Records?
New workplace technologies such as instant messaging, PDA-based e-mail, cellular SMS (text messaging), VOIP communications, and traditional e-mail make it increasingly difficult to ensure that data is actually deleted. Multiple copies of any given business record may exist on networks, on back-up tapes, and on employee hard drives, home PCs and handheld devices. Note the advent of portable hard drives on key chains, iPods and Palm PDAs (T5).

Consequences
Easley, McCaleb & Assoc., Inc. v. Perry: a court ordered that deleted files on a defendant's computer hard drive are discoverable.
Global Research Analyst Settlement: in 2003, the government's case, leading to a $1.4 billion settlement, was based on its discovery of harmful company e-mails.

Consequences (continued)
The e-mail: "I used Sandy to get my kids into the 92nd Street Y pre-school (which is harder than Harvard) and Sandy needed Armstrong's vote on our board to nuke Reed in Showdown." WSJ, 11/11/02
The press report: "Former top Citigroup analyst Jack Grubman said in an e-mail that he raised his rating of AT&T stock in part because his boss helped get Grubman's twin daughters into an exclusive nursery school." USA Today, 11/14/02

Don't Forget the Metadata
Courts have held that electronic versions of documents are discoverable even where paper versions have been produced.
Metadata in electronic records may provide important clues concerning, among other things, authorship, history of edits, and dates of creation.
Software solutions can delete metadata.

2. Security, Confidentiality and Privacy
Privacy laws regulate collection, use and disclosure of personal information.
Information security laws can trigger liability and disclosure obligations in the event of corporate network security breaches.
Intellectual property laws can trigger vicarious/third-party liability for infringement.
Contractual obligations arising from NDAs govern protection of and access to workplace electronic records.

Federal Law and Regulation
SOX requires establishment of internal controls by publicly traded companies.
Electronic Communications Privacy Act (ECPA) requires employee consent prior to monitoring electronic communications.
Digital Millennium Copyright Act (DMCA) can create liability if infringing records are made publicly available.

Federal Law and Regulation
Children's Online Privacy Protection Act (COPPA)
HIPAA Section 1173(d)(2) requires that safeguards be in place to protect patient data and the authenticity of data. Penalties for noncompliance include fines up to $250,000 and up to 10 years in prison.
FACTA, 16 CFR 682: any person who maintains consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. Effective 1 June 2005.

State Law
California requires individuals to be notified when certain personal information is subject to a security breach (federal agencies are considering the same rule).
Many states govern disposition of personnel records and certain kinds of medical records (HIV, drug/alcohol, mental health, etc.).
Texas HB 698: a business must dispose of personal identifying information by shredding, erasing or other means to make it unreadable or undecipherable. A business that does not dispose of a record in the manner required is liable for a civil penalty of up to $1,000 for each record.

Consequences
DoubleClick created a public firestorm over Internet privacy when it acquired Abacus Direct and proposed to exploit its personal identity information for Internet marketing purposes. Public pressure compelled DoubleClick to retract its proposal.
Eli Lilly & Co. inadvertently revealed the personal identities of thousands of subscribers to its Prozac newsletter by using the TO instead of the BCC field.

Contractual Confidentiality Obligations
What is the issue? Ensure your company protects: (a) its own confidential information, such as trade secrets, from disclosure to others, and (b) other parties' confidential information shared with it under an NDA or other contractual agreement.

Contractual Confidentiality Obligations
Why is there a problem? Traditional confidentiality terms and conditions focused on tangible documents. As electronic documents became prevalent, there were more opportunities to make mistakes and disclose inadvertently. Lack of strong records management means a greater likelihood that your confidential information will be disclosed or that your employees will breach a confidentiality obligation arising in contract.

Contractual Confidentiality Obligations (continued)
Typical confidentiality clauses and NDAs:
Define what is confidential information.
List exceptions to protection.
Set limitations on the use and care of confidential information.
Describe remedies (injunctive relief).

Other Contractual Confidentiality Issues
Protecting your own (and other parties') confidential information in an electronic world:
Limit access to records on a need-to-know basis.
Use employee confidentiality agreements.
Create internal firewalls.
Replication through e-mail.
Distribution lists
Posting documents on shared drives
Password protection and encryption

Security-related Liability
Internal/third-party misappropriation of trade secrets
Digital Millennium Copyright Act (DMCA) liability (defeating protective technology)
Violations of the Computer Fraud and Abuse Act (anti-hacking law)
Employee misconduct
