Compliance is not an option: regulators are now targeting directors and senior management with fines or even gaol where they believe that compliance has received insufficient attention or has been obstructed.
The issues of compliance have come to a head indirectly because of computers, and, in particular, the Internet. The ability to conduct business electronically has arrived. We can contract via email, our partners, suppliers and customers have access to corporate resources, and our own staff can directly access corporate facilities from anywhere in the world. This surge in technology does not change the underlying legal, regulatory and judicial requirements to be met. It just places new challenges on an organization. How do we manage all these communication mechanisms? How do we secure the business records created electronically to provide the level of evidence that we had in the paper world?
It may not seem obvious, but the first question to answer is ‘What are the laws and regulations that I need to comply with?’ In some circumstances a company need have no physical presence in a country or region yet may still be subject to its laws.
Having established all the laws and regulations to be met, it is possible to build up the set of required practices, procedures and processes that need to be put in place, and, fundamentally, which records have to be maintained and for how long. The increasing dependence on computers and electronic data means that in order to survive a regulatory investigation, commercial or civil litigation, a criminal investigation, or even survive a criminal attack, organizations must have a properly implemented record capture, storage and retrieval capability.
For further details please email us.
Record management is the key, because to demonstrate compliance, an organization must keep appropriate records and be able to present them on demand, in some cases within 24 hours. Even Sarbanes-Oxley section 404, which is widely seen as the application of automated Identity Management and Access Management solutions, requires that the logs and audit trails be maintained to demonstrate that the controls were indeed in place.
Many mistakenly concentrate on the area of records management and retention. For example, a product that claims compliance with SEC regulations by retaining email for two years is missing the point. Regulators make specific demands on what records they want kept and for how long. The law also makes demands, and these demands will often be more onerous than those of the regulators. Two years may satisfy the SEC, but the courts require data to be retained whilst there is the possibility of litigation. Failure to do so can lead to serious consequences.
But there is a further, far more challenging issue facing the organization. Even after identifying all the relevant records and retaining them, how do you demonstrate that these records have not been tampered with? How should they be retained in order to satisfy the apparently competing requirements of data protection, privacy, and evidential weight? And what other requirements does the law place on records?
All regulations are subject to the jurisdiction and requirements of the courts, and it is these that must be met irrespective of the requirements of a specific regulation. This can lead to apparent anomalies: for example, a regulation may seem to prohibit the deletion of a record during the retention period, but the courts have the power to order an incorrect record to be deleted or amended. Typically, retention periods required by the courts are longer than those defined by regulators, because the courts require the record to be available until the need for that record expires under the statute of limitations, whereas regulators only define a retention period to cover the period in which they have a specific interest in the record.
Regulations tend to focus on which records need to be retained and for how long. Some go further, particularly in the Financial Services, Pharmaceutical and Health Care sectors, and address the issues of integrity and authenticity of records in electronic form. This leads to the cornerstone of compliance, be it paper-based or electronic, which is demonstrating evidential weight for records. Evidential weight is a concept that needs to be recognized as part of the discussion on compliance; an organization needs to be in a position to demonstrate that the records it retains are the actual business records used and that none has been added, changed or deleted.
The principles of record management described here for electronic records apply equally well to paper records, and it is a common mistake to conclude otherwise. What is significant is that the ability to do business electronically throws up a range of technical issues that need to be addressed in order to give the same level of confidence, of evidential weight, to the record in electronic form. Compliance has always been a requirement for conducting business, but the advent of the computer age and recent high profile corporate scandals have raised its profile.
Compliance should be seen as a cost of doing business. However, done properly, compliance can become a profit centre. (See the paper ‘Compliance is free’.)
A lot of marketing currently equates compliance with a product’s ability to ‘provide legal admissibility’. This turns out to be misleading due to the confusion that exists between the concepts of legal admissibility and evidential weight. In most jurisdictions virtually any electronic data can be submitted before a court of law, i.e. is legally admissible. The real question is that of evidential weight. Evidential weight is the extent to which the court can rely upon the electronic information.
Evidential weight is more than just document retention. Evidential weight requires that all aspects of data are retained; the existence or occurrence, the data itself, any access to the data contents, any attempt to edit or delete the data, ensuring that the data created is the data that is stored and demonstrating that no data has been lost or inappropriately deleted. For example, in the email or document archiving arena just storing a backup or snapshot of a messaging system is insufficient as is a system that provides a policy for storing information after a period of time has passed or where the choice of whether or not to store the information is placed under the control of each user.
If an organization cannot prove that every required record has been retained for the correct period, then it has not satisfied the evidential weight requirements. After all, if gaps in the record store exist, then the suspicion is either that the store is unreliable or that those gaps were created to hide or destroy inconvenient information. In fact all organizations have an obligation to maintain records that could be used in a dispute for as long as a dispute may arise, as well as a general obligation to maintain records as the cost of conducting business. Organizations that operate in highly regulated industries, however, must meet additional specific requirements set down by their industry regulators. Irrespective of how they arise, the record keeping requirements are subject to the rules of evidence, which are quite separate from the regulatory record keeping requirements and which apply in addition to those requirements.
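As an added illustration (not code from the original page, nor a Kalypton product), the following Python sketches one way of making the two properties just described checkable: that stored records are unchanged, and that none has been silently removed. Each record is appended with a sequence number and a SHA-256 hash that also covers the previous entry's hash, so an edited record, a reordered record, or a record removed from the middle breaks the chain. The sample records, field names and function names are constructed for this example. It also demonstrates the caveat that removing the most recent records leaves a shorter but perfectly consistent chain, so completeness additionally needs an anchor (here the head hash) recorded outside the store by an independent party.

```python
"""Hash-chained record store: demonstrates integrity (no record changed)
and completeness (no record removed) of an evidence log. Added example."""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

Entry = Dict[str, Any]
GENESIS = "0" * 64  # "previous hash" used by the very first entry

# Constructed sample records (hypothetical). They cover the kinds of events
# the text says must be kept: the record itself, accesses, and edit/delete attempts.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"kind": "email", "from": "alice@example.com", "subject": "Q3 contract", "body": "Please sign."},
    {"kind": "access", "user": "bob", "action": "read", "target": "contract-17"},
    {"kind": "email", "from": "carol@example.com", "subject": "Re: Q3 contract", "body": "Signed."},
    {"kind": "edit_attempt", "user": "bob", "action": "delete", "target": "contract-17", "allowed": False},
]


def entry_hash(seq: int, prev: str, payload: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    canonical = json.dumps({"seq": seq, "prev": prev, "payload": payload},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(chain: List[Entry], payload: Dict[str, Any]) -> Entry:
    """Append a record; its hash binds the sequence number, the previous hash and the content."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "payload": payload,
             "hash": entry_hash(seq, prev, payload)}
    chain.append(entry)
    return entry


def build_chain(records: List[Dict[str, Any]]) -> List[Entry]:
    chain: List[Entry] = []
    for record in records:
        append(chain, record)
    return chain


def verify(chain: List[Entry], expected_head: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Return (ok, problems). Checks numbering, chain links and content hashes."""
    problems: List[str] = []
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            problems.append(f"gap: expected seq {i}, found seq {e['seq']}")
        if e["prev"] != expected_prev:
            problems.append(f"seq {e['seq']}: link to previous entry broken")
        if e["hash"] != entry_hash(e["seq"], e["prev"], e["payload"]):
            problems.append(f"seq {e['seq']}: content does not match its hash")
        expected_prev = e["hash"]
    # Dropping the newest entries leaves a consistent chain, so completeness
    # needs an anchor held outside the store (e.g. the head hash published
    # to an independent party at close of business).
    if expected_head is not None and expected_prev != expected_head:
        problems.append("head hash differs from the externally recorded anchor")
    return (not problems, problems)


def scenario_edit() -> Tuple[bool, List[str]]:
    """A stored email body is altered after the fact."""
    bad = copy.deepcopy(build_chain(SAMPLE_RECORDS))
    bad[0]["payload"]["body"] = "Please do not sign."
    return verify(bad)


def scenario_gap() -> Tuple[bool, List[str]]:
    """The access record is removed from the middle of the store."""
    bad = copy.deepcopy(build_chain(SAMPLE_RECORDS))
    del bad[1]
    return verify(bad)


def scenario_truncate() -> Tuple[Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """The newest record (the refused delete attempt) is dropped: undetectable
    without the anchor, detected with it."""
    chain = build_chain(SAMPLE_RECORDS)
    head = chain[-1]["hash"]          # anchor recorded by an independent party
    bad = chain[:-1]
    return verify(bad), verify(bad, expected_head=head)


if __name__ == "__main__":
    print("intact:   ", verify(build_chain(SAMPLE_RECORDS)))
    print("edited:   ", scenario_edit())
    print("gap:      ", scenario_gap())
    print("truncated:", scenario_truncate())
```

The anchoring step is the part that is easy to forget: a chain proves that what remains is internally consistent, but only a copy of the head hash (or the entry count) held by someone who cannot edit the store proves that nothing was removed from the end.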
Evidential weight is the key concept that needs to be recognized as part of the discussion about compliance; an organization needs to be in a position to demonstrate that the records it retains are the actual business records used and none has been added, changed or deleted.
© 2011, Kalypton International Limited