ALM Properties, Inc.
Page printed from: Corporate Counsel
5 Tips for Avoiding Email Compliance Traps
In this electronic age, ubiquitous email can be the smoking gun that enforcement agencies rely on to demonstrate corporate wrongdoing. But the savvy and unscrupulous look for new ways to erase their email tracks and avoid detection. For compliance officers, that means having a clear understanding of how employees may be misusing technology to dodge the rules.
1. Encourage communication between compliance and IT departments
A robust program to manage email usage and other electronically stored data starts and ends with a good working relationship between compliance officers, in-house counsel, and IT teams. Everyone tends to approach this area from a different perspective: IT departments usually focus on disaster recovery and security concerns, while compliance departments are often more concerned with preservation of data, privacy, and other legal obligations. Just putting everyone in the same room and getting them to talk about their concerns is a good start, and with time, IT and legal departments tend to move past the legalese and tech jargon and start talking to (and working with) each other more effectively.
2. Map out your universe of data
With employees increasingly using their mobile devices for work, storing company data in the cloud, and taking their work home with them to do on their personal computers, one of the biggest challenges companies face is understanding where all of their data resides. Before developing any policies or procedures to address email usage, companies should spend time understanding how their employees are using technology to conduct their work. Are employees in the field using personal devices to do their work remotely? Are employees working from home sending emails from their personal accounts? Are others using Google Docs and similar web-based apps to store information in the cloud? Whenever possible, compliance procedures should aim to match how technology is already being used, not define it.
3. Know your obligations, then develop an established set of policies and procedures around them
Several laws already regulate how companies in certain industries must manage their electronically stored data. Rule 17a-4 under the Securities Exchange Act of 1934 (17 CFR 240.17a-4), for example, requires broker-dealers to preserve certain electronic records in a non-rewriteable, non-erasable format for at least three years, the first two in an easily accessible place; the FDA's electronic-records rule (21 CFR Part 11) imposes analogous requirements on pharmaceutical and other FDA-regulated companies. All companies are generally required to preserve relevant emails once litigation or a government investigation is pending or reasonably anticipated. If a compliance team already has a good sense of how the company's employees use technology, it should be well positioned to identify its risks and craft corresponding policies and procedures.
4. Train employees to speak up about new uses of technology
No matter what policies are written down, technology should ultimately be viewed as a moving target. Who can predict what new app or device might be developed that employees will find useful in their day-to-day work? An employee may have perfectly good intentions in adopting a new tool that allows them to, say, encrypt their emails and delete them remotely (yes, that technology already exists), even though it defeats the company's retention obligations. With training and a strong compliance culture, employees can learn to judge for themselves whether such new uses of technology raise compliance red flags (yes, they do) and to raise them before adopting the tool. Experience has shown that even the best compliance procedures and technology cannot replace training or mitigate human error or bad judgment.
5. Stress-test your program
Periodically, compliance teams should send out questionnaires, audit their business processes, and perform internal monitoring to keep abreast of any changes in the ways employees are using email and technology to do their work. If company policy forbids work-related email on personal accounts, the company should monitor its outbound mail to see whether employees are sending work information to their personal addresses, with a particular eye on employees forwarding mail to themselves and on messages carrying attachments. This should be done on a regular basis, as the worst time to realize the scope of your electronic data concerns is during a crisis.
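The monitoring described in this last tip is straightforward to automate once IT can supply a per-message log from the mail gateway. The script below is an added illustration, not part of this article or of any vendor's product: it reads a constructed, tab-separated sample log, treats example.com as the corporate domain and uses a hypothetical list of consumer webmail domains (all three are assumptions to adapt), flags outbound messages from corporate accounts to those domains, and adds a "likely self-forward" reason when the recipient's address looks like the sender's own name. That second check matters in practice: a salesperson legitimately emailing a customer's Gmail address trips the domain rule alone, while an employee forwarding the board deck to her own Yahoo account is exactly what the policy forbids.

```python
"""Flag outbound messages from corporate accounts to personal webmail.

Added illustration, not from the article. Assumes a tab-separated per-message
gateway log (constructed below), a corporate domain of example.com and a
hypothetical list of consumer webmail domains; adapt all three for real use.
"""
import re
from collections import Counter

CORPORATE_DOMAIN = "example.com"            # assumption: the company's mail domain
PERSONAL_DOMAINS = frozenset({              # assumption: consumer webmail domains
    "gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "live.com", "icloud.com", "me.com", "aol.com", "protonmail.com", "proton.me",
})
SYSTEM_SENDERS = frozenset({"noreply", "no-reply", "mailer-daemon"})  # assumption

# Constructed sample log, one line per message:
# timestamp \t sender \t recipients (comma-separated) \t subject \t attachment count
SAMPLE_LOG = """\
2024-03-04T08:12:01Z\tj.doe@example.com\ta.lee@example.com\tQ1 forecast\t1
2024-03-04T08:15:44Z\tj.doe@example.com\tjohn.doe.work@gmail.com\tFwd: Q1 forecast\t1
2024-03-04T09:02:10Z\tm.chen@example.com\tpartner@supplier.co\tContract redlines\t2
2024-03-04T09:40:55Z\tm.chen@example.com\tmchen+work@yahoo.com,a.lee@example.com\tBoard deck draft\t1
2024-03-04T10:01:07Z\tnoreply@example.com\tcustomer123@gmail.com\tYour order has shipped\t0
2024-03-04T11:30:00Z\tr.patel@example.com\tR.Patel@Hotmail.com\t(no subject)\t3
2024-03-04T17:58:30Z\tj.doe@example.com\tjohn.doe.work@gmail.com\tFwd: customer list\t1
"""


def parse_log(text):
    """Parse the constructed log format into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, sender, rcpts, subject, attachments = parts
        records.append({
            "ts": ts,
            "sender": sender.strip().lower(),
            "recipients": [r.strip().lower() for r in rcpts.split(",") if r.strip()],
            "subject": subject,
            "attachments": int(attachments),
        })
    return records


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _local(addr):
    """Local part, lowercased, with any '+tag' subaddress removed."""
    return addr.rsplit("@", 1)[0].lower().split("+", 1)[0]


def looks_like_self_forward(sender, recipient):
    """Heuristic: the two local parts share a name token of three or more
    characters, or one compacted local part contains the other (m.chen ~ mchen)."""
    s_local, r_local = _local(sender), _local(recipient)
    s_tok = {t for t in re.split(r"[._\-]+", s_local) if t}
    r_tok = {t for t in re.split(r"[._\-]+", r_local) if t}
    if any(len(t) >= 3 and t in r_tok for t in s_tok):
        return True
    s_c = re.sub(r"[^a-z0-9]", "", s_local)
    r_c = re.sub(r"[^a-z0-9]", "", r_local)
    return len(s_c) >= 4 and len(r_c) >= 4 and (s_c in r_c or r_c in s_c)


def find_personal_exfil(records, corp_domain=CORPORATE_DOMAIN,
                        personal_domains=PERSONAL_DOMAINS):
    """Return one finding per (message, personal recipient) pair, with reasons."""
    findings = []
    for rec in records:
        sender = rec["sender"]
        # Only human corporate senders are in scope; system mailers go to customers.
        if _domain(sender) != corp_domain or _local(sender) in SYSTEM_SENDERS:
            continue
        for rcpt in rec["recipients"]:
            if _domain(rcpt) not in personal_domains:
                continue  # internal colleague or business-partner domain
            reasons = ["personal-webmail-domain"]
            if looks_like_self_forward(sender, rcpt):
                reasons.append("likely-self-forward")
            if rec["attachments"]:
                reasons.append("has-attachments")
            findings.append({"ts": rec["ts"], "sender": sender, "recipient": rcpt,
                             "subject": rec["subject"], "reasons": reasons})
    return findings


def repeat_offenders(findings, threshold=2):
    """Senders with at least `threshold` flagged messages, for compliance follow-up."""
    counts = Counter(f["sender"] for f in findings)
    return {s: n for s, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_personal_exfil(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h["ts"], h["sender"], "->", h["recipient"], ",".join(h["reasons"]))
    print("repeat offenders:", repeat_offenders(hits))
```

On the sample log, the internal message and the one to the supplier are ignored, the order-confirmation from the noreply mailbox to a customer's Gmail is skipped as a system sender, and the four remaining messages are flagged, all of them as likely self-forwards; j.doe shows up twice and is surfaced as a repeat offender. Real deployments should feed the findings to compliance reviewers rather than block mail automatically, and the monitoring itself should be cleared with counsel, since employee-mail surveillance is regulated in many jurisdictions.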