mwlug compliance and e discovery policies
DESCRIPTION
Tips and Best Practices for building and enforcing email retention policies.
TRANSCRIPT
MWLUG Conference 2009
IBM Center, Chicago, IL, August 27-28, 2009
Empowering the Lotus Community
Creating Effective Compliance and E-Discovery Policies – Best Practices and Procedures
Denny Russell is a Technical Support Specialist for the Domino products at Sherpa Software. He is a contributor to Sherpa’s Domino Blog, Administrator for the Lotus Notes/Domino environment (including Domino 8x, Sametime, Quickr and Blackberry Enterprise Server for Notes) and webmaster for Sherpa's corporate website.
Session: In this session, we will discuss the challenges of developing, implementing and enforcing a corporate retention policy that balances storage demands and those of your Legal and Compliance Teams. Learn about the Do’s and Don’ts of policy design as well as discover potential stumbling blocks and how to address exceptions. Examine how regulatory requirements and e-discovery requests could impact your policy and what to expect in the event of litigation. Lastly, determine if you have the right tools in place to support your policy initiatives and find out what additional tools can help.
Agenda
● Introduction
● Compliance: What is it?
● Policies & What You Need to Know
● E-Discovery & What You Need to Know
● What's Available in Domino
● What to look for in a Solution
● Questions
Compliance: What is it?
Laws, regulations and policies that drive your business and the way you handle your data.
● Space Needs vs. Legal/Industry Regulations
● Corporate Governance
● Federal Regulations
● Legal Restrictions
Compliance: What is it?
Corporate Governance
● Storage Practices
● Internal Procedures
Compliance: What is it?
Federal Regulations
● Sarbanes-Oxley Act (SOX)
● Health Insurance Portability and Accountability Act (HIPAA)
● Gramm-Leach-Bliley Act (GLBA)
● FDA
Compliance: What is it?
Legal Restrictions
● Federal Rules of Civil Procedure (FRCP)
● Litigation Holds
Compliance: What is it?
Policies
● Hiring/Termination Procedures
● Acceptable Use Policies
● Email Retention Periods
● Instant Messaging Policies
● Preservation Policies
● Electronic Discovery Procedures
Policy Enforcement: Best Practices
● Clearly define the purpose for the policy
● Gather support from Legal, Management and IT
● Establish practical rules for effective conduct of business
● Find a solution that fits your infrastructure and budget
● Handle exceptions, e.g. Litigation Holds
● Enforceable, Auditable
What to Include in your Policies
Without a policy in place, legal liability increases
● The length of time documents are kept before they can be destroyed
● Email, Files, IM, Hard Copies, etc.
● Where will data be stored?
● What format will the data be in?
● Who will have access and what can they do with the data?
● Will there be exceptions to data or employees that are part of it?
Policy Enforcement Challenges
● Competing interests (corporate retention policy vs. individual and business needs)
● Requirements vs. Resources
● Buy-in & adherence from relevant personnel
● ‘Smoking Gun’ Emails
● Discovery Requirements
● ‘Reduce risk while meeting a business need’
● Lack of well defined rules
● No ‘one size fits all’ policy
Resources for Building a Policy
● http://www.epolicyinstitute.com/
● http://www.soxlaw.com/
● http://www.hhs.gov/ocr/privacy/index.html
● http://www.law.cornell.edu/rules/frcp/
● http://www.sherpasoftware.com/blogs/SherpaBlog.nsf/
● http://www.aiim.com
E-Discovery and What you Need to Know
The process of collecting data when you become involved in legal issues.
• Placing documents/Users on Legal Hold
• How will you get the data?
• Where will you find the data?
• Who will be included?
E-Discovery: Common Risks
Common risks organizations face with electronic data:
● Not retaining information that should be retained
● Retaining data that has outlived its usefulness
● Not having a defensible process for data management
● Inability to discover and retrieve relevant information, when requested
E-Discovery: Relevant Questions
Questions compliance officers should be asking their IT departments:
● Where is corporate data (corporate documents, emails, contracts, etc.) being stored - network shares, databases, local desktops, in PST files, etc.?
● Does the IT department have the ability to reach all of this data and search it?
● Can we retrieve unadulterated copies of this data?
● Is there a process to maintain chain of custody?
● Can we enforce a legal hold and prevent the purging of relevant data, if necessary?
● If we have policies, how are they being implemented? Is the enforcement process validated?
EDRM Model
● Know which processes affect you
● How you will meet those steps
What's Available in Domino
Domino provides many tools to help you with this process.
• Journaling
• Archiving
• Searching
Domino Journaling
Journaling
● Capture sent and received messages
● Process based on:
  ● Content within the subject or body fields
  ● Recipients or senders
  ● Roll-over based on age or size
Domino Archiving
Archiving
● Policies allow you to control
● Server or Local Archiving
● Local Archives are a legal/E-Discovery nightmare
Domino Searching
Individual mail files would need to be searched manually.
What to Look for in a Solution
● Flexibility
  ● Configuration
  ● Exclusions/Legal Hold
● Friendly to End-Users
  ● Ease of use for the users
  ● Searchable – Can they easily find their data
● Friendly to E-Discovery Needs
Q & A
● Questions
Contact Information
● Denny Russell
● [email protected]
● http://www.sherpasoftware.com/blogs/SherpaBlog.nsf/
● Twitter: http://www.twitter.com/DennyRussell
● LinkedIn: http://www.linkedin.com/in/dennyrussell