
What Lies Beneath: Technology That Supports Effective Compliance

Copyright 2004 ALM Properties, Inc. All Rights Reserved. Legal Tech Newsletter
January 12, 2004
SECTION: NEWS; Vol. 21; No. 10; Pg. 1
LENGTH: 2038 words
BYLINE: By Gregory Hanna

Much has been written about the reporting requirements mandated by federal laws such as the Sarbanes-Oxley Act of 2002 [the Act], the Health Insurance Portability & Accountability Act [HIPAA] and the Gramm-Leach-Bliley Act enacted in 1999 [GLBA], but less has been said about the technology that underlies successful efforts to comply. What is clear is that enterprise software and integrated records management are the only viable ways to meet these requirements. The software selected must take into account both changes in these requirements, and the prospect of future state and federal retention and reporting requirements. Since software doesn't exist in a vacuum, hardware and network considerations must be part of the overall system strategy. Law firms with corporate clients and corporate counsel need to be involved in the planning and implementation of such a system.

Since corporations have needs other than compliance with governmental reporting, retention and privacy protection requirements, the integrated enterprise system selected must support multiple needs such as:

Assuming that the enterprise level software meets these requirements, consideration must be given to the data [records management] and the supporting network necessary to support an integrated ERM system.

Managing the Information

Effective enterprise records management [ERM] allows the company to manage all types of content, including documents, e-mail, Web pages, images, rich media, forms, spreadsheets and other digital assets across the full information lifecycle, from creation to archive to deletion. When implemented as part of a complete system, ERM not only satisfies compliance requirements, but also allows a company to leverage its investment by improving overall efficiency and competitive position.

ERM manages compliance issues inside and outside the company, balancing the organizational costs of compliance with the risks of non-compliance, increasing visibility and transparency of corporate practices, and helping to maintain or restore investor confidence. The old days when document management could be done manually, individually and on paper are long gone. The severe penalties for non-compliance, added to other costs such as audit fees, and director and officer liability insurance, mandate the implementation of a completely automated enterprise level system.

The elements of ERM include controlled repositories, process automation, content publishing, collaboration, records management, and business integration. Content must be tagged and categorized to yield maximum value. The creation of intelligent content requires automated coding methods because the volume of records, particularly e-mail, keeps growing faster than staff can classify it by hand. Leading ERM solutions offer automated metadata extraction and analysis of records, including e-mail, against a records management file plan. With this capability, actionable metadata from new or existing records is identified automatically, expediting information retrieval, supporting personalized content delivery, and enabling business processes for notification (for example, a retention period about to expire) and exception handling (a record the system cannot classify or date, which must be routed to a person rather than silently filed).
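To make the file-plan idea concrete, the following is an added example (not code from the article or from any ERM vendor) of classifying e-mail records against a small file plan and deriving the retention action for each. The file plan, the series names, the retention periods and the three sample messages are all constructed for illustration; a real plan would be far larger and would come from the records manager, not from the code.

```python
"""Added example: classifying e-mail records against a records-management file plan.

The file plan and the sample messages are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime


@dataclass(frozen=True)
class FilePlanRule:
    """One entry of a hypothetical file plan."""
    series: str                 # record series identifier, e.g. "FIN-02"
    keywords: tuple[str, ...]   # terms in subject/body that select this series
    retain_days: int            # retention period counted from the record date
    hold: bool = False          # True: disposition suspended (litigation hold)


# Toy file plan; the series, keywords and periods are made up for the example.
FILE_PLAN = (
    FilePlanRule("FIN-02", ("invoice", "payment", "purchase order"), 7 * 365),
    FilePlanRule("MED-05", ("patient", "protected health", "medical"), 6 * 365),
    FilePlanRule("LIT-01", ("subpoena", "litigation", "discovery"), 10 * 365, hold=True),
)
DEFAULT_RULE = FilePlanRule("GEN-00", (), 3 * 365)   # unclassified records
NOTIFY_WINDOW_DAYS = 30                               # warn this long before disposition

# Constructed sample messages (RFC 822 text). The third one lacks a Date header on purpose.
SAMPLE_EMAILS = [
    "From: ap@example.com\nTo: vendor@example.com\n"
    "Date: Mon, 05 Jan 2004 09:00:00 -0500\nMessage-ID: <1@example.com>\n"
    "Subject: Invoice 4471 payment schedule\n\n"
    "Please confirm the payment schedule for purchase order 88.\n",
    "From: counsel@example.com\nTo: cfo@example.com\n"
    "Date: Tue, 06 Jan 2004 10:00:00 -0500\nMessage-ID: <2@example.com>\n"
    "Subject: Discovery request\n\n"
    "We received a subpoena; preserve all related records.\n",
    "From: someone@example.com\nTo: other@example.com\n"
    "Message-ID: <3@example.com>\nSubject: Lunch\n\n"
    "No Date header on this one.\n",
]


def classify(raw: str, today: date) -> dict:
    """Extract metadata from one message and decide what the file plan requires today.

    Returns a dict with the message id, the record series, the record date, the
    disposition date and an action: retain, notify, dispose, hold or exception.
    """
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    rule = next((r for r in FILE_PLAN if any(k in text for k in r.keywords)), DEFAULT_RULE)
    record = {"message_id": msg.get("Message-ID"), "series": rule.series}

    date_hdr = msg.get("Date")
    if date_hdr is None:
        # No record date means no computable retention period: route to a person.
        record.update(record_date=None, dispose_on=None, action="exception")
        return record

    record_date = parsedate_to_datetime(date_hdr).date()
    dispose_on = record_date + timedelta(days=rule.retain_days)
    if rule.hold:
        action = "hold"                      # never dispose while a hold is in force
    elif today >= dispose_on:
        action = "dispose"
    elif (dispose_on - today).days <= NOTIFY_WINDOW_DAYS:
        action = "notify"                    # disposition is imminent; alert the owner
    else:
        action = "retain"
    record.update(record_date=record_date, dispose_on=dispose_on, action=action)
    return record


def process(emails: list[str], today: date) -> list[dict]:
    """Classify a batch of messages as of a given date."""
    return [classify(raw, today) for raw in emails]


if __name__ == "__main__":
    for rec in process(SAMPLE_EMAILS, date(2004, 2, 1)):
        print(rec)
```

The keyword matching is deliberately naive; production systems use trained classifiers and richer metadata, but the shape of the output is the same: a series, a disposition date, and an action the workflow engine can act on, with unclassifiable or undated records surfaced as exceptions rather than filed silently.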

Physical records such as paper, microfilm, and magnetic tape are no longer cost effective or secure enough to ensure compliance. Continuing to rely on these outdated storage methods will have serious financial consequences. Companies should look for ERM solutions that can apply uniform enterprise-wide records management policies to physical records, helping to reduce storage costs, and able to meet the deadlines set by law for filing and retrieval. A viable solution is to replace all physical storage devices with remote, automatic digital storage methods. The advantages of remote digital storage are discussed in more detail in the Network section of this article.

Compliance Software Selection
There are many enterprise wide software choices. Some have been created specifically to comply with one of the acts such as Sarbanes-Oxley [see Some Specific Requirements on page 2]. Others are adapted from existing programs. Software that is too customized may not be flexible enough to meet corporate needs for discovery, disaster avoidance, or business continuity. Software that is adapted may lack flexibility or required features. The most desirable enterprise integration system must:

This system must also support different levels of integration of the data, application and user interface, and a method or process for sharing the business logic within the corporation. All common data formats must be supported including plain text, MS Excel, MS Access, ODBC compliant databases such as Oracle, MS SQL, Sybase, etc. [See Selecting the Software on this page for additional questions to ask before selecting ERM software.]

Network Considerations

However a company's network is configured, and whether it is self-managed or outsourced, the network must be reliable, secure, fast, able to handle multiple simultaneous complex transactions, and remotely accessible via an Internet-accessible VPN. In order to avoid the consequences of failing to file or deliver documents in a timely fashion, the network must contain multiple fail-safes and redundancies. Considering what is at stake, companies may want to outsource these tasks to experts whose constant focus is on network accessibility and security. For example, software vendors, network vendors and service providers can create secure Internet/intranet sites on which transactional information can be centralized. The same "outsourced" site may be used to facilitate secure communication and document review between the company and counsel during discovery, and for backup of the information and applications necessary to assure business continuity if the local network is not available.

Data is hosted from a centrally located server environment at the provider’s data center. A hosted system has a number of advantages in that it offers a quicker and easier start-up, involves no additional staff, and can be expensed. In addition, a company’s internal technical staff can concentrate on its primary obligations, leaving the hosting company to keep up with both the technology and the rapidly changing compliance requirements.

The bottom line is that data should be available when needed and should be complete. Companies must have uninterrupted access to their information and so should take advantage of real-time replication, usually sold as a high-availability service, which continuously monitors the company's primary servers and maintains an offsite duplicate of the data as it changes. Real-time replication monitors changes to open files as they occur and replicates these changes to one or more offsite servers over standard network connections. In the event of an emergency, the offsite "secondary" servers automatically stand in if the firm's primary servers are unavailable. The company can access its data with minimal disruption and confusion. Users in either remote locations or in the main office continue working and may not know that there was a problem. One caveat: replication faithfully mirrors whatever happens on the primary, including an erroneous deletion, a corrupted file or a malicious change, so it protects against loss of a site, not loss of a record, and it complements rather than replaces point-in-time backup. [See Network Redundancy, Speed and Availability Considerations on page 4.]
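The following is an added example, written for this page rather than taken from the article or any replication product, of the mechanism described above in miniature: a journaled primary with an offsite secondary, synchronous fan-out of each change, automatic failover of reads when the primary is down, catch-up replay when it returns, and a fingerprint check that the replicas match. It also shows the failure mode the backup discussion later in this article is concerned with: a deletion on the primary is mirrored just as faithfully as a write, and only a point-in-time snapshot gets the record back. The server names, journal format and sample file are assumptions made for the example.

```python
"""Added example: journal-based real-time replication with automatic failover.

Toy in-memory model constructed for illustration; not the article's or any
vendor's code. Server names, the journal format and the sample file are assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    seq: int            # journal sequence number; strictly increasing
    path: str
    data: bytes | None  # None records a deletion


class FileServer:
    """One server: its file store, the last journal entry applied, and whether it is up."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.files: dict[str, bytes] = {}
        self.applied_seq = 0
        self.available = True

    def apply(self, change: Change) -> None:
        if not self.available:
            raise ConnectionError(f"{self.name} is unavailable")
        # Refuse gaps and replays so a replica never silently diverges from the journal.
        if change.seq != self.applied_seq + 1:
            raise ValueError(f"{self.name}: expected seq {self.applied_seq + 1}, got {change.seq}")
        if change.data is None:
            self.files.pop(change.path, None)
        else:
            self.files[change.path] = change.data
        self.applied_seq = change.seq

    def fingerprint(self) -> str:
        """SHA-256 over the sorted store; equal fingerprints mean identical replicas."""
        h = hashlib.sha256()
        for path in sorted(self.files):
            h.update(path.encode() + b"\0" + self.files[path] + b"\0")
        return h.hexdigest()


class ReplicatedStore:
    """Primary plus offsite secondaries; every change is journaled and fanned out at once."""

    def __init__(self, primary: FileServer, *secondaries: FileServer) -> None:
        self.primary = primary
        self.secondaries = list(secondaries)
        self.journal: list[Change] = []
        self.snapshots: dict[int, dict[str, bytes]] = {}  # point-in-time copies keyed by seq

    def active(self) -> FileServer:
        """The server that serves reads: the primary, or the first secondary that is up."""
        for server in [self.primary, *self.secondaries]:
            if server.available:
                return server
        raise ConnectionError("no server available")

    def write(self, path: str, data: bytes | None) -> int:
        change = Change(len(self.journal) + 1, path, data)
        self.journal.append(change)
        for server in [self.primary, *self.secondaries]:
            if server.available:
                server.apply(change)   # a server that is down catches up via catch_up()
        return change.seq

    def catch_up(self, server: FileServer) -> None:
        """Replay the journal entries a recovered server missed."""
        for change in self.journal[server.applied_seq:]:
            server.apply(change)

    def read(self, path: str) -> bytes | None:
        return self.active().files.get(path)

    def snapshot(self) -> int:
        """Point-in-time copy of the active store: what replication alone does not provide."""
        seq = self.active().applied_seq
        self.snapshots[seq] = dict(self.active().files)
        return seq

    def in_sync(self) -> bool:
        ups = [s for s in [self.primary, *self.secondaries] if s.available]
        return len({s.fingerprint() for s in ups}) == 1


def demo() -> dict:
    """Constructed scenario: failover and catch-up work, but a deletion replicates too."""
    store = ReplicatedStore(FileServer("primary"), FileServer("offsite-1"))
    ledger = "ledger/2003-q4.csv"
    store.write(ledger, b"acct,amount\n1001,250.00\n")
    snap = store.snapshot()                      # taken while the record still exists
    synced_before = store.in_sync()
    store.primary.available = False              # site outage at the main office
    served_by = store.active().name              # reads fail over to offsite-1
    after_failover = store.read(ledger)
    store.write("memo.txt", b"written during the outage\n")
    store.primary.available = True
    store.catch_up(store.primary)                # primary replays the write it missed
    store.write(ledger, None)                    # erroneous delete on the primary...
    replicated_delete = store.read(ledger)       # ...is mirrored in the same operation
    restorable = store.snapshots[snap].get(ledger)
    return {"synced_before": synced_before, "served_by": served_by,
            "after_failover": after_failover, "replicated_delete": replicated_delete,
            "restorable": restorable, "synced_after": store.in_sync()}


if __name__ == "__main__":
    print(demo())
```

Real products replicate at the block or file-system level and handle network partitions and split-brain, which this model ignores; the point it keeps is the sequence check (a replica that accepts out-of-order or repeated changes is no longer a faithful copy) and the separation between replication, which buys availability, and snapshots, which buy the ability to go back.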

Security and Disaster Avoidance

The security requirements from the various acts are technology-neutral, stating the requirements and leaving the implementation to the company. For example, the HIPAA rule does not prescribe an authentication method. [See Authentication Methods on this page for specifics.] Covered entities must base choices on individual risk analysis. What is perfectly clear is that there will be little tolerance for companies that fail to meet the retention, reporting, and privacy protection required by the acts. Courts are similarly not amused when deadlines are missed or when documents are not disclosed during discovery, and are not going to accept the excuse that the network went down, the calendar was corrupted, or the tapes that data was stored on were lost or damaged. The ability to recover from or avoid the consequences of a natural or human generated disaster is essential.

Once again the answer may lie in employing an outside provider that can secure data, applications, and the network. Outsourcing allows a company to focus on its core business while the technology experts deal with constantly evolving potential vulnerabilities. Outsourcing shifts the work, not the obligation: the company remains the regulated party, so the contract must bind the provider to the same security, retention and reporting duties (under HIPAA, for example, through a business associate agreement), and the company should retain the right to audit how they are met. [See Basic Security Precautions on this page.]

In addition to routine security precautions, a company must have a disaster avoidance and recovery plan that is not solely dependent on in-house systems. If all security and data protection measures reside locally, the company is vulnerable.

In the past, information was generally secured by backing it up to a physical medium such as tape or disc, but this is no longer a best practice. In a major disaster it could take days to recover the tapes or discs, assuming that they weren't destroyed. In addition, data might have been lost or corrupted due to media defects or improper storage. The company also has to manage the physical storage system as well as keep up with the technology. The better solution is to replace or augment traditional physical-medium backup with a virtual backup to an online backup and storage facility, using an outside vendor to capture, store, and return, as needed, the company's data. Two checks apply whichever route is taken: the data should be encrypted in transit to and at rest with the vendor, and the company should periodically perform a test restore, since a backup that has never been restored is not known to be usable. [See Selecting a Vendor For Remote, Digital Data Storage and Retrieval on page 6 for provider selection information.]

The next step up from online data backup is real-time replication or high availability, as discussed earlier. The ability of remotely managed networks to use the Internet to avoid the consequences of a major disaster goes well beyond online backup and storage. The Cadillac of disaster avoidance is a completely virtual office that replicates both data and applications and allows nearly instantaneous access from any location, 24/7. In a disaster that destroys or denies access to the company’s offices, the company continues to function with minimal disruption. This same technology can be used to outsource all network infrastructure day-to-day operations, which also, of course, provides the highest level of disaster avoidance.

Conclusion

A company seeking to balance the needs of regulatory compliance, litigation needs, and business continuity must look to both business and technological best practices. The available technology, in house resources and the advantages of outsourcing should be factored in as the company considers its tolerance for risk and creates its compliance plan. A company of any size can afford an appropriate enterprise records management system, but needs to do its homework, ask questions, consider all of its needs, be willing to discard old technology, and take responsibility for the creation, implementation, maintenance and growth of the technology that will ensure its success.

LOAD-DATE: January 21, 2004
