Compliance technology is only as good as the people from which it finds direction. And much of the time, compliance fails completely, regardless of what technology or platform is used.
In discussing the technologies used to tackle regulatory matters, panelists at “Putting Technology to Work for Compliance: How to Gain Information Insight With Advanced Data Analytics,” a session from the Legaltech portion of Legalweek: The Experience, provided some tips for legal professionals looking to get a grip on compliance. Here are some key points on how counsel and compliance should be directing efforts before, during and after an investigation:
1. Know Your Data It seems like a simple piece of advice to follow, but often it is anything but. Julie Richer, legal operations and discovery manager at American Electric Power, noted that within a company, there are “a lot of the tools [with] all kinds of bells and whistles and features” that collect data, unbeknownst to counsel and compliance officers.
Not having visibility into this data can come back to haunt the corporation during investigations. Keeping up with every data creation tool in-house, therefore, oftentimes means the difference between peril and protection.
Marc J. Shanker, senior global compliance counsel at Oracle, advised counsel to understand the reach of their data around the world, especially amid rapidly changing regulations overseas. With globalization, your data may be stored or moving through the legal and compliance domains of other countries. While organizations can physically stay localized, in this new connected age, data unfortunately cannot.
2. Know Your Regulations Knowing your data is only half the battle. New regulations are being created and disposed of at dizzying speeds, especially with post-election turnovers of an administration. Beyond the United States, elections in Germany and France in 2017 also have the potential to lead to some significant changes to the regulatory climate.
“You need to monitor those and see what’s going down the pipe,” said Chris Sitter, director of Forensic Technology at Juniper Networks. “The GDPR regulation that’s in the EU right now [for example] is changing all the time, we still haven’t seen the final set of what that regulation will mean.”
But for any corporation, keeping up with its data is a daunting and costly challenge. “You can’t hire an army of people to scour through all new regulation laws being debated,” Richer said. “You have to rely on outside counsel.”
What’s needed, Sitter said, is “a good line of communication to privacy and regulatory outside counsel whose job is to notify you when something big is coming.” This, he added, will “save you money.”
3. Keep an Eye on Your Employees Tantamount to understanding data and compliance risk is having a good sense of what data employees are handling.
The challenge in this endeavor, however, is that data can be as mobile as the employee themselves. “More and more of the communications we are seeing are text,” Oracle’s Shanker said. He specifically pointed to the rising use of web messaging platform WeChat by employees based in Asia.
When having to investigate employees for compliance purposes, “more and more, we’ve been imaging cellphones,” Shanker said. He added that, from a technical and compliance standpoint, this can get challenging, as employees often use the same devices for both professional and personal purposes.
Richer also stressed the need of training employees on data handling best practices, but cautioned that keeping track of such training can be a significant undertaking. She pointed to the need to keep track of what certifications employees obtained and when and where such training took place on an ongoing basis.
4. Keep Calm: Don’t Over-Preserve Many might lean heavily on the ongoing preservation of almost all their corporate data to insulate them from fines and reprimands should they ever be the focus of a compliance investigation. And given some of the regulations out there, it’s not difficult to see why.
Sitter noted that some companies who wish to do business with the U.S. government have to meet up to 120 standards before they are approved.
But while seemingly a prudent action, ongoing and over-preservation of data means more information that can be compromised during a cyber incident. This could also lead to future litigation. More to the point, keeping all of this data may not even be necessary.
Sitter said that while some companies may need to make sure they preserve certain data for long periods of time during and after a U.S. Securities and Exchange Commission investigation, other government agencies may allow data under investigation to be disposed of after their regulatory action concludes.
“If you do have a violation, ask [the agency] what closure looks like,” Sitter advised, noting that many times, over-preservation can be a significant burden on a company’s costs.