In this electronic age, ubiquitous email can be the smoking gun that enforcement agencies rely on to demonstrate corporate wrongdoing. But the savvy and unscrupulous look for new ways to erase their email tracks and avoid detection. For compliance officers, that means having a clear understanding of how employees may be misusing technology to dodge the rules.
According to an article in the Wall Street Journal last week, a marketing manager named Ruiting “Candy” Chin at British drug maker GlaxoSmithKline specifically instructed her sales team members to use their personal email accounts, rather than their work accounts, to conduct some of their business. Portions of the email were made public last week in light of allegations that the company bribed doctors in China in order to encourage them to prescribe the company’s drugs. Although GSK had been embroiled in allegations of bribery in China since 2010, the company received renewed attention last week when it was disclosed that Chinese authorities had recently detained several former GSK employees and that those employees had since admitted to making payments to doctors.
Whether or not the allegations are true, the story illustrates the challenge that technology as simple as email can pose for compliance officers. In May, the Securities and Exchange Commission settled charges against Institutional Shareholder Services Inc. involving allegations that a senior account manager there used his personal email to leak sensitive client information on shareholder voting in exchange for expensive meals, airline tickets, and other perks.
And with persistent advancements in technology, it’s a problem that isn’t likely to resolve itself anytime soon. For companies wanting to get a handle on the compliance risks they face through email misuse and other uses of technology, here are five tips to follow:
1. Encourage communication between compliance and IT departments. A robust program to manage email usage and other electronically stored data starts and ends with a good working relationship between compliance officers, in-house counsel, and IT teams. Everyone tends to approach this area from a different perspective: IT departments usually focus on disaster recovery and security concerns, while compliance departments are often more concerned with preservation of data, privacy, and other legal obligations. Just putting everyone in the same room and getting them to talk about their concerns is a good start — and with time, IT and legal departments tend to move past the legalese and tech jargon and start talking to (and working with) each other more effectively.
2. Map out your universe of data. With employees increasingly using their mobile devices for work, storing company data in the cloud, and taking their work home with them to do on their personal computers, one of the biggest challenges companies face is understanding where all of their data resides. Before developing any policies or procedures to address email usage, companies should spend time understanding how their employees are using technology to conduct their work. Are employees in the field using personal devices to do their work remotely? Are employees working from home sending emails from their personal accounts? Are others using Google Docs and similar web-based apps to store information in the cloud? Whenever possible, compliance procedures should aim to match how technology is already being used, not define it.
3. Know your obligations, then develop an established set of policies and procedures around them. Several laws already regulate how companies in certain industries must manage their electronically stored data. Rule 17a-4 under the Securities Exchange Act of 1934, for example, requires broker-dealers to preserve certain electronic records in a non-rewriteable, non-erasable (so-called WORM) format for at least three years; similar regulations also exist for pharmaceutical companies. All companies are generally required to retain relevant emails in the context of litigation or a government investigation. If a compliance team already has a good sense for how the company’s employees use technology, it should be well positioned to identify its risks and craft corresponding policies and procedures.
4. Train employees to speak up about new uses of technology. No matter what policies are written down, technology should ultimately be viewed as a moving target. Who can predict what new app or device might be developed that employees will find useful in their day-to-day work? An employee may have perfectly good intentions in adopting a new technology that allows them to, say, encrypt their emails and delete them remotely (yes, that technology already exists). But with training and a strong compliance culture, employees can learn to judge for themselves whether such new uses of technology raise compliance red flags (yes, they do). Experience has shown that even the best compliance procedures and technology cannot replace training or mitigate human error or bad judgment.
5. Stress-test your program. Periodically, compliance teams should send out questionnaires, audit their business processes, and perform internal monitoring to keep abreast of any changes in the ways employees are using email and technology to do their work. If company policy forbids work-related emails on personal accounts, companies should monitor outbound mail to see whether employees are sending work information to their personal addresses, for instance by reviewing mail-gateway logs for messages to consumer webmail domains. This should be done on a regular basis, as the worst time to realize the scope of your electronic data concerns is during a crisis.
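The monitoring in step 5 is the one part of the list that is a concrete technique, so here is an added example of what it looks like in practice. This is not code from the original article or from any of the companies it mentions; it is a small review script written for this page. The log format (one outbound message per tab-separated line), the corporate domain corp.example, the list of personal webmail domains, and every sample line are constructed assumptions for illustration; a real deployment would read an export from the mail gateway or DLP system instead.

```python
"""Flag outbound mail to personal webmail domains in a constructed message log.

Added illustration for the 'stress-test your program' step, not code from the
article. The log format, corp.example, PERSONAL_DOMAINS and the sample lines are
assumptions; adapt parse_log() to your gateway's real export.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log: timestamp, sender, recipient, subject, attachments, bytes.
SAMPLE_LOG = """\
2013-07-15T08:02:11Z\talice@corp.example\tbob@corp.example\tQ3 forecast\t1\t204800
2013-07-15T08:05:43Z\talice@corp.example\talice.w.1984@gmail.com\tFW: Q3 forecast\t1\t204800
2013-07-15T09:17:02Z\tcandy.chin@corp.example\tcandy_chin@hotmail.com\t(no subject)\t0\t1200
2013-07-15T09:20:55Z\tdave@corp.example\tbuyer@customer.example\tQuote\t1\t51200
2013-07-15T10:01:09Z\tcandy.chin@corp.example\tcandy_chin@hotmail.com\tdoctor list\t1\t98304
2013-07-15T10:44:30Z\terin@corp.example\terin@corp.example\tnote to self\t0\t800
2013-07-15T11:12:00Z\tcandy.chin@corp.example\tcandy_chin@hotmail.com\tvisits July\t2\t409600
"""

CORPORATE_DOMAIN = "corp.example"  # assumption: the company's own mail domain
# Assumption: consumer webmail providers that policy forbids for work mail.
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com", "icloud.com"}
PATTERN_THRESHOLD = 3  # repeat offender: this many flagged messages in the window


@dataclass
class Message:
    ts: str
    sender: str
    recipient: str
    subject: str
    attachments: int
    size: int


@dataclass
class Finding:
    msg: Message
    reasons: List[str]


def parse_log(text: str) -> List[Message]:
    """Parse the constructed tab-separated format; addresses are lower-cased."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subject, att, size = line.split("\t")
        msgs.append(Message(ts, sender.lower(), rcpt.lower(), subject, int(att), int(size)))
    return msgs


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0]


def looks_like_self_forward(msg: Message) -> bool:
    """Heuristic: sender and recipient local parts share a name token once
    dots, underscores and digits are stripped (alice -> alice.w.1984)."""
    s = re.sub(r"[^a-z]", "", local_part(msg.sender))
    r = re.sub(r"[^a-z]", "", local_part(msg.recipient))
    return bool(s) and bool(r) and (s in r or r in s)


def review_message(msg: Message) -> List[str]:
    """Return the policy reasons a message deserves review (empty list = clean)."""
    reasons: List[str] = []
    if domain(msg.sender) != CORPORATE_DOMAIN:
        return reasons  # not outbound corporate mail; out of scope here
    if domain(msg.recipient) in PERSONAL_DOMAINS:
        reasons.append("recipient at personal webmail domain")
        if looks_like_self_forward(msg):
            reasons.append("recipient name matches sender (self-forwarding)")
        if msg.attachments:
            reasons.append(f"{msg.attachments} attachment(s), {msg.size} bytes")
        if msg.subject.lower().startswith(("fw:", "fwd:")):
            reasons.append("forwarded internal thread")
    return reasons


def review_log(text: str) -> Tuple[List[Finding], dict, Counter]:
    """Per-message findings, repeat senders, and bytes sent per flagged sender."""
    findings = [Finding(m, r) for m in parse_log(text) if (r := review_message(m))]
    per_sender = Counter(f.msg.sender for f in findings)
    bytes_per_sender: Counter = Counter()
    for f in findings:
        bytes_per_sender[f.msg.sender] += f.msg.size
    patterns = {s: n for s, n in per_sender.items() if n >= PATTERN_THRESHOLD}
    return findings, patterns, bytes_per_sender


if __name__ == "__main__":
    findings, patterns, volume = review_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f.msg.ts} {f.msg.sender} -> {f.msg.recipient}: {'; '.join(f.reasons)}")
    for sender, n in patterns.items():
        print(f"PATTERN {sender}: {n} flagged messages, {volume[sender]} bytes")
```

On the constructed sample the script flags four messages and singles out one sender as a repeat pattern. Two caveats for anyone adapting it: the webmail-domain list and the name-matching are heuristics that will also catch legitimate personal mail (an employee forwarding their own payslip), so the output should feed a human review queue rather than automatic action; and monitoring employee mail is itself subject to the privacy obligations the compliance team is meant to track, so agree the scope with counsel before turning it on.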
Unfortunately, there will always be employees who find loopholes or ignore compliance procedures and abuse technology to perpetrate wrongdoing. As the Department of Justice and SEC have said in the past [PDF], “No compliance program can ever prevent all criminal activity by a corporation’s employees.” It is no excuse, however, to blame technology. Companies that haven’t thought through these issues and developed appropriate policies and procedures to prevent and detect misuse of technology place themselves in jeopardy of being found liable for their employees’ illegal behavior. On the other hand, companies that follow these five steps are well on their way to addressing future technology compliance risks, in whatever manner those risks may evolve.