The Electronic Communications Compliance Council
TE3C Events

Electronic Communications Compliance Roundtable Discussion
January 11, 2005


Operator: Welcome to the Electronic Communications Compliance Council Roundtable discussion. At this time all participants are in listen-only mode. It is not necessary to put your phone on hold or on mute at any time during this conference, as we control these features centrally. Toward the end of the conference we will conduct a question and answer session. Prior to this we will give specific instructions on how to queue up for your questions. I would now like to turn the conference over to Priscilla Emery. Please go ahead, ma’am.

Priscilla Emery: Good morning. I want to welcome you here to the first roundtable of the Electronic Communications Compliance Council, or, as we refer to it, the TE3C. I want to talk first about the mission and objectives of the council, what we’re hoping to do over the course of its life, and then start a discussion, introduce each of the founding board members, and then have a discussion about some of the issues associated with electronic communications compliance.

First, we want to point out that this is an industry-supported organization whose mission is to communicate and inform users about the electronic communications compliance life cycle. That includes everything from electronic mail, instant messaging, and text messages to anything that’s used in the course of communications within a business, from the beginning of a transaction of any type to the end archival portion of any type of business communication. Also, to provide guidance on how to minimize risk in the legal and regulatory environment, because we have so many different new regulations that have come up in the last few years. We continue to see more things happening in the financial services industries as well as insurance and other types of industries. I know public companies are subject to SEC regulations as well, so there are a lot of questions out there among both the users of e-mail and companies as to what they should be doing to be compliant, as well as how to manage that compliance, and to also provide a conduit of communication between the stakeholders in this area. So we have a variety of different people here from different backgrounds, and we also want to provide the ability to talk to the people that are actually creating these regulations, so that we establish a dialogue more in terms of providing some reality behind not just the theoretical issue of compliance but the real issue of compliance in a business world.

Some of the things that we hope to do, besides generating awareness of the compliance issues, are to provide cross-industry positions on issues relevant to compliance, privacy, policy, records management, legal, IT, and electronic discovery; to educate organizations on the risks related to not having a messaging policy or not properly enforcing a policy; to serve as a voice and an educational resource for electronic communications compliance issues; and to promote effective messaging policies and enforcement procedures within organizations, and we’ll see some of our approaches to that today as well. We will offer insights into some of these industry trends and some of the leading thinking in this particular area, and also, like this particular situation that we have today, provide a forum for cutting-edge discussions and projects on issues surrounding electronic communications compliance.

We will probably issue, and we’re planning to issue, different white papers, as well as have resources available for people on our web site so that they can get information as the organization grows and develops its own information and guidance. These would include industry and usage surveys that will help illuminate outstanding issues and trends in this particular area; having these types of roundtables in this kind of forum and in other types of forums that different people in this area, different stakeholders in the electronic communications compliance area, may be needing; developing and participating in other educational forums and industry templates, and we’ll talk about some of the work there that we’ll be providing; and also providing some benchmark information as to how organizations can best comply and provide procedures for compliance in this area. And that’s basically it.

What we will do is, I will introduce the council and each person will cover their perspective on the different industries in this particular area and why they are involved in the council, and then we will go into a Q&A session with the participants. We will open up the mikes to the questions that I have ready for the group but also to any of you who may want to interact. So I’ll start the session first with Nancy Flynn of the ePolicy Institute.

Nancy Flynn: Thank you, Priscilla. Just to give you a quick overview of the ePolicy Institute and why we feel that the mission of the council is so important: the ePolicy Institute works with employers on the development and implementation of effective e-mail and instant messaging policy as a way to both enhance employee compliance and reduce workplace risk. That would be risks of everything from lawsuits triggered by inappropriate e-mail and IM to regulatory disasters, a broad spectrum of risks. We also work with employees to help educate them about the importance of compliance and the policies and procedures that are specific to their organizations. In addition to that, we consult with and have worked as expert witnesses in litigation involving employee e-mail. So one thing that I would like to stress is that when we talk about compliance, we’re really talking about both regulatory compliance and also legal compliance. And probably, you know, from my perspective working with corporations and associations and government entities, one of the biggest management challenges that employers are currently facing is: how do you get your employees to comply with your policy, and how do you as a manager really put the most effective policies and procedures into place to make sure you don’t get yourself into trouble, either on the regulatory side or the legal side?

Just as background, the 2004 Workplace Email and IM Survey that was conducted by the American Management Association and the ePolicy Institute revealed that 1 in 20 companies has had employee e-mail subpoenaed, either by a court or a regulatory body, and 13% of employers have gone to court to battle a workplace lawsuit that was triggered by employee e-mail. That could be hostile work environment, sexual harassment, discrimination, whatever; failure to comply with policy often plays a role. At the same time, while we see the incidence of litigation and regulatory investigations increasing, we’re also seeing the fact that only 34% of employers have a retention policy in place, and that number really has not changed over the past 24 months. We know that 43% of regulated employees tell us they don’t know if they’re complying with regulations when it comes to e-mail retention; they are pretty much in the dark. And then we have the fact that instant messaging is coming on fast in the workplace; it’s expected to surpass e-mail use in the workplace by 2006. We know from our survey that only companies retain employee IM; 58% of employees are using IM to engage in very dangerous personal chat, including gossip, sexual comments, obscene material, and disparaging remarks, the type of information that can trigger litigation. And we also know that only 20% of organizations have an IM policy in place. So, managers who are already challenged, if you will, by e-mail policy compliance are really facing a potential disaster when it comes to IM policy compliance.

So at the end of the day, what it comes down to, and what we at the ePolicy Institute like to advocate, is the 3-E approach to e-mail and IM policy compliance. Number one, you establish a written policy, a policy that’s clear, comprehensive, not open to interpretation, and that makes clear to your employees that compliance is mandatory, not an option. Second, you educate your workforce, and this is where employers really fall short. We know that only 54% of employers take the time and invest the resources in employee training, and you can’t expect an untrained workforce to understand your policy, let alone comply with it. And then the third E would be, you enforce your policy with a combination of software technology and disciplinary action. We know that 25% of companies have terminated employees for violating e-mail policy, and that number has increased over the years. So we know a growing number of employers are becoming concerned about ensuring compliance, and that really brings us to the mission of this council and the reason why I personally, and the ePolicy Institute as an organization, are happy to be affiliated with TE3C: at the end of the day, the mission of this council is educating employers and helping those employers ensure that compliance is taking place in the workplace. And I think we’re going to do a terrific job at helping get that job done.

Priscilla Emery: Thank you very much, Nancy. I think the statistics and the information that Nancy has brought to the table this morning help to point out the big issues that many organizations are facing right now, and that is one of the reasons why we feel that 2005 is the year of electronic communication compliance in business; all these elements are coming to a head. One of the reasons why this council was put together is to provide what I call a holistic view, a more well-rounded view of all the different areas and viewpoints that need to be taken into account when looking at these issues. So I’d like to turn it over next to Richard Marshall of Kirkpatrick and Lockhart, Nicholson, Graham.

Richard Marshall: Thank you very much. I am an attorney. The firm, whose name I won’t repeat, is a law firm, and I used to work for the Securities and Exchange Commission as an attorney. The particular issue that I have devoted great attention to over the last couple of years is the problems faced by entities that are subject to record keeping requirements. For example, broker dealers, investment advisors, investment companies, insurance companies, banks, and now public accounting firms are subject to requirements under various rules that require them to retain certain categories of records. In most cases those record keeping requirements were drafted many years ago, before there were electronic communications. They have been updated in the sense that they have permitted records that historically were kept in paper form to be stored electronically, subject to various conditions, but the difficulty that regulated entities have faced, and these are entities subject to a requirement under law to maintain certain categories of records, is how they can sensibly divide the electronic communication that they have between information that is legitimately related to business and information that is personal. Electronic communication is highly efficient for both business and personal reasons, and the question is whether there’s some sensible way to make that division so that you don’t have storage of every single e-mail and instant message, such that when a request is made for information, either in a private lawsuit or in a government investigation, they need to search every single communication.

There should be, conceptually, some sensible way to draw a line and only preserve information that is related to some legitimate regulatory purpose as reflected in the record keeping requirements. The difficulty is that there is a lack of clear guidance here from the regulators. There are enforcement actions, SEC enforcement actions, that were brought at the end of 2002 against certain broker dealers. That is really the only meaningful guidance that has been given in this area, and that authority unfortunately has articulated a couple of standards which are very difficult to apply in practice. One, the person who either creates or receives the electronic communication cannot be the sole sorter, the sole person who makes the determination: this record is subject to record keeping requirements, this other record is not; the one that’s subject to record keeping requirements is saved, the other one is not. You can’t leave that to the person that creates and receives the e-mail. Now, that makes sense in the sense that if you left it to the people who either created or received the e-mail, you run the risk either that they do it in a way that is ignorant, because they don’t understand the record keeping requirements, or that they do it for a malicious purpose. They’re engaged in misconduct, they have an incentive to conceal incriminating information, so if you just leave it to them, then it becomes subject to abuse.

The problem that that creates is: what alternative is there? What the regulators have not yet given guidance on, and what I think there is a need for guidance on, is some objective standard addressing the concerns that the regulators recognized in leaving it to either the creator or the recipient to do the sort. Can objective standards be developed so that a sort can be done of electronic communication into required records and personal? The implications are enormous; enormous expense can be saved in storage, and enormous expense can be saved in search and retrieval when a request is made for information.

The second aspect of these enforcement actions is that the electronic communication has to be stored in a manner that permits it to be retrieved within a reasonable time when a regulatory inquiry is made. And again, this has been an extraordinary burden. If you put the first point together with the second point, the first point has basically left the industry, the industry subject to record keeping requirements, with the perceived need to retain every electronic communication. They have to be able to retrieve what the government wants in a reasonably short period of time. This has meant enormous investments in technology; it is making electronic communication extremely difficult to retain and retrieve, systems are becoming very expensive, and the question is, can we get some sensible guidance from the regulators dividing the personal information (when can we have lunch today? Does anybody know a good plumber, my sink is broken?) from the business information (your performance is X, your fees are Y, let’s all go out and commit fraud together), the kind of stuff that the regulators have a legitimate reason to require firms that are subject to record keeping rules to keep. And that’s where the hope is that we can move the ball forward with the regulators to get some sensible guidance serving everybody’s interests.

Priscilla Emery: Thank you, Richard, very much. So you can see the other perspective is actually to provide a dialogue, so that we can clarify some of these regulatory issues and people can move forward and comply in a way that’s efficient and effective and not as costly as it is turning out to be in many instances. I’d like to introduce Peter Mafteiu of BKD Wealth Management Advisors, and he will discuss his perspectives on this issue.

Peter Mafteiu: Yes, thank you very much, Priscilla. My comments piggyback on top of what Nancy and Rick have both been saying. I’m the registrant in the room, and as Director of Operations and Compliance, I’m responsible for ensuring that our firm is meeting our regulatory requirements to maintain these electronic records, and the approach that we take is all internal control based. It’s interesting, and one of the things I’ve already picked up from this council, is that we have components of an e-mail retention and use policy in our policies and procedures and operations manual, but it’s not a stand-alone document; it’s somewhat embedded. So now I’m thinking that I might want to create a stand-alone document and do some specific training on it, but I think our people get the concept. As Rick indicated, we are forced to build our policies and procedures somewhat in a vacuum, thinking that we’re doing the right thing, based on what we realize from sitting through SEC speeches, reading everything we can get our hands on, and trying to do our own personal interpretation of the book of record keeping rule under the Advisors Act. We think that even though we’re building in the vacuum, there’s enough guidance out there that there’s safety in numbers and we’re doing the right thing. So we address it through our policies and procedures, but as Nancy indicated, you can’t just do that alone, so we think we’ve done a very good job in training our people on what’s the right thing to do. And bluntly, we use the press test: if you don’t mind it being on the front page of the Wall Street Journal or the New York Times, feel free to send it in an e-mail. If that might concern you, or it’s that sensitive, it’s probably more prudent to pick up the phone and discuss it, but we ask people to think twice about its contents. We also ask people not to use corporate e-mail for personal use, like maybe alerts on some eBay bids, that kind of thing. I mean, they’re silly things, but we run e-mail surveillance. The Chief Compliance Officer will call individuals when he sees what we believe are inappropriate uses of corporate e-mail, and we just try to keep the noise down. We remind our people that we see all e-mail, incoming and outgoing; we use Outlook, so we set up a surveillance e-mail box so we can search all of it, so we ask them not to put too much personal information in there. We really are uncomfortable looking at some of those things, and we would prefer that they not use it.

One of the things that some registrants do, that we chose not to do: we do not prohibit the use of personal e-mail accounts like Hotmail or Yahoo and some of the other vendors out there. We ask people that they do their personal e-mail correspondence there. We admit there’s a bit of a risk there because we can’t run surveillance, but at some point you have to trust your people. I can see that in the future, like a lot of firms that prohibit it, they block Yahoo and Hotmail so people can’t use Internet browsers in the office to do personal e-mail. At this particular point in our environment, we’ve made the judgment call that that’s not a high-risk area for us, but I could see that in some firms, some registrants, they would want to prohibit that. What we do prohibit is instant messaging, and we block participation. It’s very difficult to run surveillance on that, so this calendar year, when we’re doing our internal review and audit of our compliance program, we’ll be looking at some of these and making a determination. Certainly people can delete their instant messaging connections, but we hope that they don’t play those kinds of games. But it’s very difficult to run full surveillance on that, and that is one area. We’re pretty clear with blogs, and we think that we can run surveillance on blogs. We do run surveillance on where people go on the Internet.

We capture that too… I’m not sure how other firms deal with it, but there are some contact management software programs that allow you to e-mail. We use something called Advent Portfolio Management System, and one of their modules, Cube, is our contact management software. One of the reasons we went to Outlook is because it interfaces with Outlook, so all outbound e-mails to customers, whether prospects or clients, are captured through our e-mail surveillance, but some people may overlook that. We do run surveillance on all e-mail; it’s manual at this time, through keyword searches. Right now our volume doesn’t really warrant electronic surveillance, but I’m sure as the firm grows that’s in our future. And then the last thing we do is audit and test our policies and procedures, and as I said a moment ago, that will be something that will be occurring this calendar year as we run our branch inspection, in compliance with the October 5th new compliance rule where all registrants have to conduct an annual review of their compliance program. Even though we have 18 months to get this review done, we’ll get it done this calendar year.

And that’s just a summary from my perspective, which is a very little world, but there’s a lot of noise out there that will impact us, and that’s our role here on the council: to bring that practical side to the council and say, “here are the challenges.” Right now we archive all of our e-mail; we burn it to CDs, and that works now, but I can see that as volume increases that won’t be so easy. We just went through an SEC examination in December, and it was successful for that exam, and what the SEC asked for was actually a little surprising. So it was easier on us than I thought it would be. And with that.

Priscilla Emery: Well, thank you very much, Peter. We’ve done his perspective, your perspective, and it really helps to bring to light some of the real-world issues associated with dealing with compliance and regulations in terms of actually implementing these policies and having to deal with the companies themselves. And the people, because this is still a people issue. I’d like to next introduce Paul Chen of Fortiva, and he can talk about his perspective on the issue. He’s one of the initial founders of the group.

Paul Chen: Thank you, Priscilla. I think everybody here agrees that, like a paper-based record, e-mail is becoming a very important document and requires very careful management to protect a business against the risk of regulations and litigation. That’s why Fortiva is in the business of helping our customers manage their e-mail record archives: to help them protect themselves against this risk of litigation and regulation, but at the same time without making a significant investment in IT infrastructure and without all the hassle of ongoing management and all the necessary resources.

And we are very passionate about this and also very excited about participating in the TE3C organization, and that’s why we’re making a significant contribution by making our product, the Policy Builder, available as a free resource on the TE3C website. Because, as we all know, and as also pointed out by Nancy earlier, an e-mail policy is the first necessary step in helping a company protect itself against these risks coming down the pipe, and that’s why we expect that any end user using the Fortiva Policy Builder will be able to build an e-mail policy customized to their own company’s needs. Very quickly they can actually have a policy in place and help protect themselves against all these different risks. So the Policy Builder is basically a very easy-to-use online tool; people walk through it and create a policy. So if you don’t have a policy already in place, you should definitely try the Policy Builder on the TE3C website to get your own policy in place. If you do actually have one already, you still definitely should try the Policy Builder, because it allows you to determine ways to improve your own enterprise electronic communication policy.

Priscilla Emery: Thank you, Paul, very much. I know the group appreciates the contribution of Fortiva’s ePolicy Builder as a resource, one of the resources that people can use when getting on the TE3C site that will help them either to benchmark their present policies that are in place or to help them start and create policies. That’s… I’ll introduce myself. In my other life, besides being Chair of the TE3C, I have my own company called Enterprise Advisors. We do market research and competitive analysis of what is called the Enterprise Content Management area, of which e-mail management is part, mostly focused on technology and implementation. But I do spend a lot of time with records managers and user organizations that are dealing with having to implement technology to support compliance, and there are the challenges. Without policies, without clear guidance on regulations, without a clear understanding of what it is you want to do, technology is difficult to implement, because the technology is an enabler of those policies and procedures. Technology can help to optimize the storage and retrieval of those e-mails and instant messages, but it cannot do so without the policies and procedures in place, as well as the education and guidance that’s required for the people to use those tools. And so we’re very happy that we have an initial tool to allow people to access our site, which will be www.te3c.org, and they can get on that site and try out the Policy Builder to give them some initial guidance as to how to move forward in this area.

We of course plan to have future white papers, as well as survey results and other types of guidance, as the group moves forward. So this is just an initial step, but I think it’s a very important one, because without an initial policy in place it’s very difficult for most people to move forward. So, given my perspective from a technology standpoint, I spend a lot of time with the vendors that develop the technology, and we’ve seen many different approaches to e-mail management. Everything from storing everything, immediately storing every message that you see, versus making sure that a records management file plan is put in place that only stores or maintains certain records, defining an e-mail as a particular type of record. Let’s say an e-mail associated with accounts payable is an accounts payable record, and an e-mail associated with a financial services transaction is in that particular record category, and those are classified and maintained in a separate file plan, just like any other electronic document. But without the appropriate records management file plans in place, without the appropriate policies in place so people understand where to put those e-mails, it’s very difficult for any of those technologies to work.

There are technologies out there that can support the capture of e-mails into records spans. There are services in place to automatically capture and archive e-mails for any set length of time, some for different periods depending on the types of regulations in place. And user companies are having significant challenges in determining which of these technology alternatives are best for them. So a lot of that depends on the business decisions they make right up front. It tends to narrow down your choices at that point. Once you’ve made your decision to create file plans and/or just archive everything, it sort of limits your alternatives there and actually helps in the decision-making process. So that’s the perspective I come from, and I welcome the opportunity to be involved with this group because, as I said before, it gives a much broader sense of the issues, and I think it will help to determine and give people guidance in a much more realistic way of where electronic compliance is going, electronic communication compliance is going, and provide some useful information and guidance for people.

So with that, I’m going to start the formal Q&A session. I will open up the mike, and Judy, if you can open up the mike just in case any one of the journalists on the phone wants to interject a question, they’re welcome to. I will start the roundtable with my own questions, but if anyone has any particular questions that they would like to ask, feel free to signal or to raise your hand and we will open up the mike to you. So with that, I’m going to start with the first question to the group, which is: what are the biggest issues facing businesses trying to implement effective e-mail policies? Would anyone like to start on that question? Richard?

Richard Marshall: I’ll be happy to. I guess lawyers are never at a loss for words, so I’ll throw in… there are two issues that regulated entities face. One is the cost; the cost of storing and retrieving these e-mails and instant messages is absolutely astronomical. I don’t have any kind of survey data, but I certainly know of individual entities that have spent millions of dollars responding to requests. So cost is clearly a component, and if the cost becomes too high, this medium of communication is going to become prohibitive. It can’t just be that the costs keep going up in multiples and multiples until it’s hundreds of millions of dollars and billions of dollars. Eventually the firms just won’t be able to communicate through these mechanisms. So cost is the number one issue. The number two issue is surveillance. There are stray lunatic people that say silly things, and you have to find a way to do some kind of sensible surveillance, and when you have an enormous body of communications that have to be surveilled, it’s a great challenge.

Priscilla Emery: Can I remind everybody who’s on the phone that the mikes are open, so we can hear any background noise. If you’re talking, please mute your phone, and again, if you’d like to ask a question, please signal the operator. Thank you.

Nancy Flynn: Yeah, this is Nancy. I’m going to follow up on Richard’s comment to say, even for organizations that are not regulated, it’s important to bear in mind that today e-mails and instant messages are the electronic equivalent of DNA evidence. If your organization ends up on the wrong side of a workplace lawsuit, you can take it to the bank that your employee e-mail is going to be looked at; it’s going to become part of the discovery process. So with that said, when you put your policy together you need to ask yourself: will this e-mail policy, will this instant messaging policy, will this Internet policy withstand the scrutiny of opposing legal counsel? Are there holes in this policy? Have we put together a policy, an employee training program, and a compliance/enforcement program that adheres to best practices? And that said, I just really want to stress the fact that when you put your policy together, you want to be as clear as possible and not leave these policies open to individual interpretation.

As Richard mentioned, all organizations seem to have a rogue employee who, in spite of policy, nonetheless will send messages that could potentially trigger problems. But even among your most compliant employees, no organization can ever be 100% safe; accidents happen. Even the most well-intentioned executives and employees have been known to write messages that later the organization wishes had never been written.

So that said, what you need to do, once again, is make sure that policy will really withstand scrutiny, because take it from me, if you end up sued, not only will your employee e-mails be subpoenaed, but your policies are going to be subpoenaed, and your training program is going to be looked at. The opposing legal counsel is going to look at your software technology. You need to approach your e-mail management program from a strategic standpoint.

Richard Marshall: If I could just clarify one point, it’s a legal point, but I think it’s important. I’ve been distinguishing between entities that are subject to requirements that they keep certain records, because if you are in that category, for example a broker dealer, and you don’t save certain e-mails, you can be sanctioned just for not keeping them.

Let’s suppose you’re in another category. There’s a newsstand in this hotel; I don’t think it’s subject to any record keeping requirements. Maybe it doesn’t save any of its e-mails. That’s not a violation of any law or rule. But if you’re a broker dealer, you’re in a much tougher spot, because if you don’t keep an e-mail or an instant message that’s in a required category, you’re subject to sanction just because you didn’t save that record. Now, if you’re in the second category, the newsstand in this building, you can craft a sensible policy, keep some things, not keep some things; however you decide to draw the line is up to you. And then the question comes back, just to follow on what our last speaker said: do you have a sensible policy? Do you really follow it? Are you keeping a lot of junk? If you are keeping a lot of junk, are you surveilling it? For a regulated entity, and a broker dealer is a perfect example, they don’t have the luxury of drafting a policy and deciding what they want to keep and what they don’t want to keep. They’re in a much tougher spot.

Priscilla Emery: Yeah, and they’re not the only…

Richard Marshall: They’re not the only one.

Priscilla Emery: We see this in certain state governments, the Sunshine Laws which say that every communication, including who’s going out to lunch and those kinds of things, if it’s on e-mail, it must be publicly available. We see this in the state of Florida as well as some of the other states. So there are other types of regulations out there and organizations need to understand what regulations they are subject to, in addition to, adding to what Nancy was saying, that education component, which is extremely important, and the fact that this has to be a visible strategic initiative from the top down.

I’ve seen many organizations where the actual offenders were the top people and so that becomes an issue, in which case it’s very important to educate people to the consequences of non-enforcement. It’s not just a matter of if you don’t save these e-mails we could be subject to some potential litigation or some regulatory audit issues. What are the consequences to the employee and/or the executive if they do not comply? And if there are no consequences, that says a lot about how important that policy is. And so we’ve seen that in the past as well. Technologies help with enforcement in the future, but they’re only as good as the policies (inaudible). Paul?

Paul Chen: I just want to add, I think you see all this complexity of the few regulations that are in place – hold it this way - in that the English, a lot of companies who are not able to move forward as fast as they would like because the industry guidance out, what is the proper e-mail policy particular to their own industry? Broker dealer may have one set of rules, but it’s still people training for (inaudible) implement a set e-mail policy but with not a clear idea of how they are meeting expectations of regulators, how they protect themselves against future litigation. You know, dealing with this hotel right now, do they have an e-mail policy that is appropriate to protect them against the regulations or insurance?

You see the thing, we’re in the early stage of this industry right now and I think that’s why (inaudible) also it’s very important to actually provide clear guidance for (inaudible) simply to help these people actually move forward as fast as they can. Otherwise, as Peter says, you become left alone by yourself trying to figure out all the complex problems.

Peter Mafteiu: You raised an interesting (inaudible). I was just thinking about our, the wealth advisors and my response (inaudible) to be focused in on us, as a registrant, an SEC compliance as a registrant advisor, but there’s a whole other layer of (inaudible) known subsidiary of an (inaudible) so subject (inaudible) of the accounting firm, which is the HR side of (inaudible) no inappropriate e-mail, on and on and on. You know, about (inaudible) all those HR issues that surface (inaudible) two-pronged approach.

(Audio was cutting in and out from 40:02 minutes to 43:54 minutes.)

Nancy Flynn: This is Nancy. I just want to make one final point and this is kind of a follow up on what Paul said about the value of the policy that’s being made available online through te3c.org and that is that, now we’ve got experts in the room and we’re discussing some concepts that perhaps are sophisticated concepts when you come to regulated industries, records, retention and archiving, but when you bring it down to a really basic level, we know from this year’s ePolicy Institute AMA survey, only 70% of organizations even have an e-mail policy in place so not all organizations have even taken care of the basics yet.

And then you bring it down to another basic level and when I travel around the country conducting ePolicy Institute training, I am shocked by the number of people who do not know what a business record is. So I think when organizations start to put together their policy programs, they should not shy away from really starting with the basics, and that may involve having their in-house legal counsel educate their executives on what is a business record and why does it need to be retained. And then you take that education down to the employees. But I guess what I want to stress (inaudible) employers not to shy away from this topic thinking it’s not going to be sophisticated, it’s not.

John Dickinson: How does a journalist signal an operator?

Priscilla Emery: Excuse me?

John Dickinson: How does a journalist signal in for a question?

Priscilla Emery: Well I guess you just did.

John Dickinson: This is John Dickinson from TechWeb's Messaging Pipeline. I’m really glad that somebody out there, a couple of you are bringing up the idea of training because a lot of these policies are at best obscure. I mean, if you just sort of publish the SEC regulations for broker dealers around the company, a lot of people would just sort of throw them into the outbox or the waste basket or something like that. I think, and people just don’t get it and I think the other point about senior executives, all one has to do is read Judge Jackson’s findings of fact of the Microsoft decision and you’ll understand how senior executives just don’t understand what is okay and not to do in e-mails.

I also, I want to revisit this issue of blocking Yahoo mail and Hotmail and products like that inside the enterprise. That is an issue on a couple of grounds for people. If you don’t block it, you’re not only subjecting yourself to compliance issues, you’re subjecting yourself to security issues, in particular viruses in spam that can come through those products. And it’s not easy to control from an IT point of view what is coming down the ACT pipeline.

Priscilla Emery: Do you have a question with regard to that?

John Dickinson: No, I’m wondering why that’s not a strong part of your compliance advice?

Priscilla Emery: Well we haven’t, it may become part of our compliance advice. It depends on each organization. This is just an initial rollout of some of the information that we have. But your points are well taken in terms of those types of e-mail. As Peter mentioned, in his organization they have said basically that they can’t necessarily stop that but other organizations in some cases, and with the use of some software tools, can actually capture those e-mails as well. And I guess this points to the next question, which I was going to ask, which is should end users control which e-mails should be archived? And should e-mail retention policies be administered by individuals or automated? Because it speaks to the fact that, do you trust your end users, whether they’re using an outside e-mail or internal e-mail, to be the ones to actually archive and save those records or those documents? Or does it make sense to have that automatically pulled in? I open that up to the group as well. And I also want to remind people on the phones that these mikes are open. So, unless you’re muting, we can hear you in the background. Thank you.

Richard Marshall: I’ll be, the Securities and Exchange Commission very clearly said in the enforcement cases at the end of 2002 that it was not acceptable to leave it to either the creator or the recipient of the electronic communication to decide whether it’s a required record or not. There has to be some objective independent determination, whether by a person or an automated system. So unfortunately, the guidance from the enforcement case is that the creator and/or the recipient can’t be the sole filters for whether it’s a required record. That applies to broker dealers, investment companies, investment advisors, public accounting firms, people who are subject to record keeping requirements under SEC rules. Other regulators have followed that lead. So, for example, futures commission merchants, other entities that are subject to record keeping requirements generally have followed that lead.

Nancy Flynn: Yeah, and this is Nancy. And this is sort of a follow up to the question that just came in by phone, and that is that I totally agree. Whether you are going to leave retention up to employees or automate it, you have to stress education. We know that only 54% of employers take the time and invest the resources to educate their employees. And that said, our condition at the ePolicy Institute is that again, you cannot, you can’t expect 100% policy compliance 100% of the time, accidents will happen, intentional sabotage will happen. But that said, it’s my position that it’s incumbent upon employers to do everything you can to ensure compliance and that would be ideally a combination of individual employee participation that is enforced with education and disciplinary action, backed up by software technology. Take advantage of the software technology that’s out there.

Priscilla Emery: Yeah, I agree with Nancy in that perspective, especially in the other industries that may not have as clear cut regulations in terms of not having the end user, the original creator, being the ones to archive the e-mail. It gets a little fuzzier in other organizations and it’s really up to each organization, depending on the kinds of regulations they are subject to, whether they are state governments, federal governments have their own regulations in terms of archiving e-mails already, and then of course insurers that have to save certain types of transactions as well.

But, there’s the internal types of stuff, the HR oriented information, the health based information, all kinds of other things that may not necessarily be subject to the same types of regulations that Richard mentioned earlier, but the users need to be educated to the fact that those types of e-mails need to be saved. And a lot of it depends on how well do you know your end users? How disciplined are they to begin with? And how well you educate them to that.

Richard Marshall: Yeah.

Priscilla Emery: And it’s a trust factor as well.

Richard Marshall: I think the technology experts can speak to this better than I can, but as a lawyer I would note that there have been cases in discovery, where people were seeking e-mails, where a company thought that they had deleted e-mails because they left it either to the creator or the recipient to delete, but delete didn’t mean destroyed/eradicated because somewhere in the bowels of the computers, those e-mails could be recovered. And that has proven to be an embarrassing and very expensive problem because the surveillance was directed to the e-mails that had been quote unquote saved, meaning not deleted by the recipient or creator. But somewhere in the computer, those deleted e-mails could be recovered, never surveilled by the company, very embarrassing.

Priscilla Emery: Yeah.

Richard Marshall: And I’m not an expert in how that technology works, but that has been a big problem.

Priscilla Emery: Well any…phone call, go ahead.

Paul Chen: Yeah it has, definitely Richard, I agree with that. I think the best way to actually protect the enterprise from a risk of an electronic complication is to have a centrally managed, administered retention policy and for a software technology that should retain its e-mail accordingly and set a rule on a consistent basis. At the same time, I think the user’s got to be part of the process too. I think we need to train the user to actually create e-mail properly in the first place. But at the same time, also the user can be a good additional input to the retention policy by sort of, a good example is the user can be actually a great help to a system is, will be, you know, trying control, you know, cfsb.com for example, is the same thing as insider trading as cfsb.com because everybody has different e-mail addresses. I could have an address at yahoo.com that equates to Paul Chen (sp?), paulchen.com (sp?). The user cannot tell the system these are two, exactly two same people, even though it’s two different e-mail addresses. Because later on when three come down the pipe is, in the future, when you’re going through a regulatory examination or litigation case, you need to search for any e-mail coming from Frank or from Paul and you need a way to actually tell every single e-mail.

Priscilla Emery: Oh, yeah.

Paul Chen: And that’s the best way to get your users involved is getting them training and to get them to become a part of the process.

Priscilla Emery: I want to also add to Richard’s point to do with purging of e-mail, not just deleting, but purging. There is a difference and in a records management world, there is a difference between retaining any kind of document for any length of time and electronic documents, the same way as paper documents. And just like when you get rid of paper documents and purge them from an organization, you shred them, hopefully, and don’t allow them to just be thrown out with the trash because anyone can go through the trash and see what those documents were. It’s the same thing with electronic documents, they have, you can delete a document, but that, a computer forensics expert can go through any kind of drive and see, go through the multiple layers of that drive and find that e-mail if they really wanted to. A good records management software application will actually purge that e-mail and delete all the pointers to it. And that’s not just e-mail, but any electronic documents that need to be purged for any reason based on those retention rules.

So again, technology can help with both sides of that equation, but without the proper policies and education, it’s important to understand which e-mails need to be saved, for how long they need to be saved, why they are saved, and then when they need to be destroyed, and how they are destroyed, and who is responsible, ultimately responsible for destruction. So those are just some of the components of that.

Peter Mafteiu: A little bit earlier, the caller raised a question about these Yahoo and Hotmail accounts and it got me to thinking of why we made the decisions that we did. And there’s about 40 people in our firm and half of us have access remotely from our home computers or a laptop when we travel, to company e-mail through obviously Internet connection. But, we do that because we want people to communicate about the firm and about clients through the company e-mail so we can capture it and we can run surveillance on it. We also want them not to use that corporate e-mail account for personal use and logic says that if we allow them to use their Yahoo and Hotmail accounts, and we see a lot of forwarded e-mails that come into the corporate account, they forward it to their personal address and then we’ve asked them to just tell the recipient to use your personal address and not the corporate one.

So, we’ve cut down a lot of noise by doing that and I think the caller raises a very good question. How much safety, Rick, as an attorney, do we have in allowing these personal e-mail accounts without the technology to run surveillance over those to a firm that they’re not utilizing them for business related e-mail? And the fact of the matter is, in our particular shop with our particular culture, I think we’re just making a business decision that we’re okay with it for now. But I can certainly see that changing because at some point, you know, how far does one go to trust and can a subpoena just bluntly request the personal e-mail account. I don’t know if that would work or not. I think it’s a fact of circumstance, but I think we’re as paranoid as the next group of people, but I don’t know that we’ve let that really dictate yet what we think is a common sense approach to asking people to do one thing, but not taking the tool away from them right now to be able to do that, which is get personal e-mails and personal e-mail accounts.

Nancy Flynn: Well, you know from a technology standpoint, there are software products out there where, mostly records management products, but also other e-mail archiving products that actually can capture those types of e-mails. They can capture Hotmail accounts, Yahoo accounts, even Instant Messages. That technology is there. So it’s a matter of do you implement the technology to support that and how much complexity do you want to bring to your organization. Is it for, useful for your organization, do you allow for the personal communication, and if so, do you then add that to the mix of e-mail servers that you have to watch and that kind of thing. So, and that’s the cost issue as well.

Peter Mafteiu: Our decision now is…

Richard Marshall: The thing is Steve has issued a notice to members that says that Instant Messaging and other non e-mail forms of electronic communication are subject to the same record keeping requirements and the same surveillance requirements as any other forms of communication.

Peter Mafteiu: I think our decision just is at this particular point, we’re not taking that further step but that doesn’t mean that the topic has been shelved, I mean it’s still there.

Paul Chen: It’s always a balancing the risks versus the costs and also the need to run a business.

Peter Mafteiu: That’s right. And the size and complexity of our shop, which is we don’t have a lot of the typical issues that many firms do. But I can certainly see how in some shops they would want to lock down any other type of e-mail account. I mean that makes common sense in some environments.

Priscilla Emery: I’m going to ask one more question of the group and then we’ll open it up to the individual journalists to ask any other questions that they might have. The next question is who should be responsible for e-mail and Instant Messaging policy, aside from the regulators that have issued those regulations? Internal into the organization, who should be responsible for developing those policies and how can a business effectively balance the roles that IT, records management, HR, and legal play?

Nancy Flynn: Well, this is Nancy. My recommendation would be that first of all, you get a senior executive involved as your e-mail policy champion, if you will. An individual who has the authority and commands the respect of managers and employees alike, so employees understand that this policy program is being pushed down from the top, it’s important to the organization, compliance is mandatory, it’s not optional. Then when you have your champion in place, in an ideal situation, you put together an e-mail policy team that would include your legal counsel, your records manager, your chief information officer and your HR director. So those individuals could all bring their expertise and critical information to bear on the drafting of your policy and then the most effective implementation of it.

Priscilla Emery: Any other perspectives on this?

Richard Marshall: Well, I think in the United States lawyers should always be involved because we have so many rules. A great theme over the last few years has been what I would call prevention, proactive, some people call it compliance. Proactively building systems to make sure that you do it right, that you have quality control, and so compliance should have a place at the table. There is clearly a need for expertise on the technology front, this is complex, technical and it can’t be done just by a lawyer and a compliance person. And this is expensive, so you need somebody who controls the purse strings, a business person, usually a senior executive. Those are the key elements that I’ve seen in every organization.

Paul Chen: This is Paul. You know, based on our implementation with our customers, the biggest, some of the biggest success we have seen has actually involved different stakeholders from different parts of the company; definitely legal or chief compliance officer and a chief security officer in some cases, but also definitely the CIO, the IT department. And because, you know different individual departments actually bringing different requiring to a table and to find the right means of pass. But we do believe, you know especially being an IT professional for the last, well my career practically, I, we do believe that an ongoing management or enforcement of policy should be given to people like key compliance or legal, or even HR to actual enforcing it. And then IT should just stay out, maybe just managing the structure, well even also seeing the structure to somebody else to actually deal with.

Priscilla Emery: Okay. Well Judy, can you communicate to everyone how they should signal to ask any questions?

Operator: Yes ma’am. If anybody on the audio portion would like to ask a question, please press one on your touchtone phone.

Priscilla Emery: And I ask anyone here who has any questions?

Operator: Ma’am, we have a question.

Priscilla Emery: Okay, we’ll take the question.

Operator: Okay we have a question from Stewart Gittleman (sp?). Sir, your line is open.

Stewart Gittleman: Yes, thank you very much. I was wondering whether there was a need for specific policies regarding cell phone text messaging or blackberry communications, especially the pin-to-pin types of communications. And that is addressed to whoever can answer it.

Richard Marshall: Yeah, there is no clear answer from a legal standpoint, but if I was going to make an educated guess, it would be that those communications would be treated like any other written communication. The fundamental principle that the regulators have worked from is that communication that can be captured electronically is the same thing as a writing. So although there is no clear guidance, it hasn’t been addressed, my guess would be that it would be prudent to treat that as something that needs to be addressed in a policy.

Nancy Flynn: Right.

Stewart Gittleman: Thank you Rich.

Priscilla Emery: I think Nancy has a perspective on this question.

Nancy Flynn: Yeah.

Stewart Gittleman: Oh great.

Nancy Flynn: Yeah, I would, just to follow up on Richard’s point, is an issue in addition to compliance when it comes to those tools as well as e-mail and IM is the whole productivity issue and that’s another issue where a well written policy can help management. We know that employees are spending two to four hours a day on e-mail. In an eight hour work day, that can be up to half the work day e-mailing. Then you compound that with your employees bringing their camera phones to work and their blackberries. So once again your policy can and should be a management tool. So not only is it helping with compliance requirements, but it’s also helping with overall business management.

Stewart Gittleman: Thank you.

Peter Mafteiu: In what way though, with the management tool, saying people shouldn’t use their blackberries in the office space? Does it all depend, or?

Nancy Flynn: Yeah, I know of organizations that ban the use of camera phones in the office, employees are not allowed to bring them to the office, they’re not allowed to use them. I know organizations that severely limit which employees may use blackberries for business reasons. Organizations that are concerned about security, theft of data, really need to keep a close eye on who, especially employees who are traveling, who has access to a laptop, who has access to a handheld, is the information that’s contained on those devices secure? What happens if somebody leaves their laptop at the airport or loses their blackberry? How secure is your data? I mean loss of confidential information is a big problem. So, absolutely, all those tools need to be addressed in policy.

Peter Mafteiu: I’m getting paranoid.

Priscilla Emery: In this day, intellectual property theft is a big issue.

Paul Chen: I just want to mention, I think with the proper technology in place, there’s no need to compromise on productivity because all these, we need try to manage all this risk. You know, you could still have RIM in archiving your e-mail properly or your RIM message properly without running into trouble with the regulators. But at the same time because they archive all the single message, individual user has the capability to search through all the e-mail in the last twenty-four months, how many times have each one of us tried to look for that single e-mail I sent, I just have no idea, where I can find it anymore. So, there’s no need to compromise if you actually plan it properly and the technology actually, Richard I don’t think necessarily has to be very expensive. It could be cost effective and also get you a productivity gain.

Priscilla Emery: Yeah, but I’m not a lawyer so I can’t really speak to this, but you’ve already seen a case, the Kobe Bryant case, where text messages were potentially presented into evidence as part of the whole deposition process. So these types of communications are becoming part and parcel of a legal deposition process and may have the potential for auditability process, parts of process, especially if they become part and parcel of business communication. So I think being much more proactive on how you plan to manage those devices and what they can be used for may save you a lot of grief in the future, and not sit around and wait for those regulations to kick in, but be prepared for them because more than likely they will ultimately be in place.

Richard Marshall: As a practical matter, the biggest problem, from the legal perspective, has not been retention, it always seems that the worst electronic communication is retained by somebody, it’s the content.

Priscilla Emery: Right, right.

Richard Marshall: And it’s not the junior clerk, it’s the senior people. It’s really senior people saying things that somehow manage to get retained that are incriminating.

Nancy Flynn: Right, and the easiest way, from my perspective, the easiest way to control risk is to control content and that’s where your policy and your education come into play.

And if I could just make one more comment, following up on Priscilla’s comment that she just made, there often seems to be a technology disconnect between the executive ranks and the employees. So I think that executives would be well served to be a little bit more visionary about technology because a lot of the technologies that the senior ranks might consider to be emerging technology, take Instant Messaging for example, employees don’t consider it emerging technology, they’ve been using it since they were in middle school. And employers really need to get with it and not just sort of coast on the assumption that, gee, this is emerging, we don’t have to address this yet.

Priscilla Emery: Before we take another question on the phone, I think there was a question here.

Female Speaker: Yeah, I just had a question about the background of the group. How did you, as individuals, come together? Seeing as you all have such different backgrounds how does this come together?

Nancy Flynn: I think Paul Chen and his group, the Fortiva people, helped to find us and of course we then started talking together and we all come from different, sort of like different sides of the elephant kind of thing, in that we have different positions in the state. But some of us have been visible in the state for quite some time to do with e-mail technology and policy management and others have been dealing with the legal ramifications of compliance. So, I give Paul and his group a lot of credit for doing a lot of the legwork in trying to find everyone and then getting us all together.

Paul Chen: Yeah, I think at the end of the day we’re all very passionate about electronic communication and compliance issues and that’s why it was easy to actually put together this group. I think the vision for the group is actually, you know we want to definitely introduce more members into the group to help us to grow the industry. I think the industry definitely needs some sort of group like this to actually provide guidance and educating the formal user.

Nancy Flynn: This is the formative stages of the group, but we hope to get many more voices and perspectives on these issues to help to shape and, some of these guidance points, benchmarks, studies and information and education so that we can provide value to this, what we think is a growing community.

Priscilla Emery: I’ll take another question from the phone if anyone has one.

Operator: Yes ma’am. We have a question from John Dickinson. Sir, your line is open.

John Dickinson: Thank you very much. It’s John Dickinson again. One thing that I didn’t hear brought up and I’m wondering if you guys are considering putting it into the compliance section, I do, I actually think it’s an important issue is point-to-point file sharing. It seems to me that if an enterprise employee downloads illegally a movie, I think you’re in a compliance problem immediately.

Paul Chen: I think that’s a good point. I think that’s really bringing out an issue that with electronic communication or e-mail or point-to-point file sharing, there’s a different channel for different information that gets into your organization. And that’s why it’s really important to have a set policy and educate the user on what is appropriate and what is not appropriate and have a system in place for enforcing these policies.

Priscilla Emery: I mean, if you’re downloading any kind of files, whether they’re electronic e-mail files or electronic files from other sources, the organization should have a policy in place and the user should know what is appropriate use of business computer resources. I mean we’re talking about electronic mail, but these are other electronic documents and there should be an electronic document policy in place for the appropriate use of data and information throughout an organization. We can touch on that to some degree, but I think it goes much broader than e-mail and Instant Messaging communications. I think it’s the security aspect of an organization. Downloading those kinds of files makes the company subject to all kinds of exposures in terms of viruses and so on and other types of, you know, inappropriate content issues.

So, in many organizations those policies are in place, whether or not they’re monitored is a whole other issue. We’ve seen, I’ve seen it, you know, in most HR policies in many cases, in some organizations anyway, there is a policy in place for inappropriate information that’s residing on one’s laptop or desktop and its, it needs to be clearly stated what inappropriate information is beyond pornography and other types of illicit information, there’s the music, videos and so on or anything else that one pulls down that’s not business related.

Paul Chen: Yeah, I just want to add to that, Priscilla is, in fact I’ve seen to, I recall reading trial book cases of precedent that if you have a policy and not enforcing it, it’s as good as nothing.

Priscilla Emery: Right, enforcement is, consistent enforcement is very important.

Nancy Flynn: Right, and as a follow up on enforcement, you know I’ll just throw out a couple more statistics here for you; we know that 60% of employers monitor their incoming and outgoing e-mail, but only about 28% monitor internal e-mail communications. And it’s those internal communications where employees are most likely to play it fast and loose with content. And again, as I said earlier, content does tend to be the big trigger. It can be a risk that can be controlled, but you want to take care, you want to take advantage of that software technology. And when your software, if you’re monitoring content, if you’re filtering content, once you become aware of a problem, address it. And that’s another issue that we see out there and that is some organizations have a policy in place, they may have the monitoring software in place, but they don’t act upon anything. They don’t enforce their policy. You know, what’s the point of having the policy and the technology in place if you’re not going to follow through?

Priscilla Emery: I think, and a lot of organizations, I don’t think make it very clear to their employees that e-mail is not private, especially within the context of the organization. A lot of employees have the misconception that anything they send will not be seen, even if you delete it. And that is not true. And so people need to understand, one of the things I always tell people, if you do not want anyone else to read this ever, don’t send it because eventually, and that’s for both private and public e-mail, someone will forward it to the most inappropriate person, so that people need to understand that and be educated to it. And a lot of companies I’ve seen don’t want to let their, don’t want to admit to the fact that they do filter and monitor e-mails, or to tell their employees that this is not private, and it isn’t. And so people need to be very realistic about the fact that this is not private communication, hopefully secure, but not necessarily private.

Any other questions? Yes, in here, Maria Santos.

Maria Santos: (Inaudible) policy and what would you say is the number one concern for it? I mean…

Priscilla Emery: The question is, what do we consider the number one concern in terms of compliance for financial services companies?

Richard Marshall: Well I think, as I said before, number one, the cost. This is in the millions, if not tens of millions of dollars. It’s starting to become a major budget item and that’s just becoming an issue for running the company. The second is surveillance. As it turns out, there are a lot of these communications that are retained somewhere and they’re incriminating and they’re used in private litigation and law enforcement investigations. So the ability to surveil these things is a tremendous challenge.

Paul Chen: I think, I just want to also, based on our customer feedback, people are really struggling to understand what they have in place right now, is it good enough? Is it meeting the regulator’s expectations? Is it protecting the enterprise from future litigation or not? And I think that’s why people are spending more than necessary, in my opinion, putting together this huge system when they don’t necessarily need to do that. I think, because once we have industry guidelines and standards, I think we can move much further than we are today.

Nancy Flynn: And from my perspective, and not to sound like a broken record, but the biggest issue is just the combination of content and education. Do your regulated employees truly understand what content is appropriate, what content is banned, what content is appropriate and are they free to use and have they truly been educated, again, about you know, you’re a regulated employee, but do you really understand what is a business record, what must be retained, what do you need to stay away from in terms of content? And with regulated employees, now they have another layer of content concerns that non-regulated employees don’t have.

Priscilla Emery: Well, and Judy, are there any more questions?

Operator: No ma’am, it does not appear so.

Priscilla Emery: Okay, well with that, I want to thank everyone for sitting and listening and also participating in today’s roundtable. We all appreciate you sitting out there and asking questions and please watch this space. Again, the website to continue tracking what the council is doing is www.te3c.org and we will continue to keep people abreast of the different types of education and information that we’ll provide for this growing area. Thank you.

Richard Marshall: Thank you.

  Copyright © 2007 TE3C.ORG | The Electronic Communications Compliance Council
