Shop Talk: Compliance Risks in New Data Technologies
By Jaclyn Jaeger — July 7, 2010
THE PANELISTS
The following executives participated in the June 22 roundtable on e-discovery and social media.
Benton Armstrong,
Principal, Analytic & Forensic Technology Consulting,
Deloitte
Caryl Athanasiu,
EVP, Chief Risk Officer,
Wells Fargo & Company
Kristin Chambers,
Esq., Vice President, Compliance & Privacy,
Kaiser Permanente Northern California
Mark Gosling,
VP, Internal Audit,
VeriSign, Inc.
Harvey Jang,
Corporate Compliance Counsel,
Hewlett-Packard Company
David Karas,
Senior Director, Ethics & Business Conduct,
Hitachi Data Systems
Compliance Week can be found at http://www.complianceweek.com. Call (888) 519-9200 for more information.
Brian Martin,
SVP, GC, & Corporate Secretary,
KLA-Tencor Corporation
Charmaine Mesina,
VP Corp. Legal Affairs & Ombudsman,
Applied Materials
Tom Moyer,
Chief Compliance Officer,
Apple, Inc.
William Sailer,
Senior VP & Legal Counsel,
Qualcomm, Inc.
Lewis Segall,
Senior Ethics & Compliance Counsel,
Google
Jeff Seymour,
Principal,
Financial Advisory Services
Petrie Terblanche,
Director, Internal Audit, Compliance,
Brocade Communications
Amyn Thawer,
Senior Director, Global Compliance,
eBay, Inc.
Matt Tuchow,
VP, Global Compliance & Ethics,
McKesson Corp.
Jay White,
Manager, IT Compliance,
Chevron – Global Downstream
Jeremy Wilson,
Senior Manager, Ethics Program,
Cisco Systems, Inc.
Marianne Wisner,
Principal Compliance Officer,
Activision Blizzard, Inc.
Forward-thinking companies know that the next generation of data technology—online
social media services, cloud computing, shared data storage centers, and the like—can be
valuable business tools if used wisely.
Encouraging employees to use them wisely, however, and preparing for the compliance
and litigation risks that come when they don’t, is the hard part.
That was the central concern expressed by 16 compliance, risk, and legal executives
during an editorial roundtable in San Francisco last month hosted by Compliance Week
and Deloitte. Few complained about the technologies per se; most even praised social
media as a great way to interact with employees and customers, and cloud computing as a
useful way to cut IT costs. But all were acutely aware that encouraging the unchecked use
of those technologies is a recipe for disaster.
“It’s all about teaching people how to effectively communicate, while protecting the
organization,” said Benton Armstrong, Deloitte’s global leader of analytic and forensic
technology consulting, and co-host of the roundtable.
Almost immediately, the discussion veered to social media: Facebook, Twitter, LinkedIn,
and many other sites that allow users to amass large groups of online followers and share
thoughts and opinions—not all of them well formed. But most attendees still embraced
the fundamental concept. Charmaine Mesina, vice president of corporate legal affairs for
Applied Materials, noted that her CEO writes a blog that anyone can view. “It’s been a
very good tool for communicating to employees,” she said.
Cisco Systems’ chief executive does the same but takes it one step further, according to
Jeremy Wilson, senior manager of Cisco’s ethics office. The company recently purchased
Flip Video—the maker of low-cost portable video cameras—and now CEO John
Chambers uses one to communicate with employees by shooting quick video clips and
posting them to his blog.
Wilson also stressed that social media can be an excellent way for employees to
communicate among themselves. For example, he said, Cisco previously had an ethics
hotline where workers could call and get advice. Now the company has expanded that to
ethics discussion forums, to make conversations about ethics much more interactive and
instructive to a wider audience.
The challenge, however, is “how to be sensible and prudent in managing the risks,” said
Lewis Segall, senior corporate counsel for Google.
Those challenges can be formidable. The Federal Rules of Civil Procedure were last
amended in 2006, when social media was in its infancy. They essentially force
corporations to apply retention policies developed for e-mail to the much more diffuse
world of social media, where data might change over time or be owned by another party.
As one attendee said, “We’re kind of in an unknown world now, where the demands of e-discovery are there, and yet we can’t retain [data] according to the old rules.”
Caryl Athanasiu, head of compliance and enterprise risk at Wells Fargo, said the
fundamental problem is that current laws and regulations were established to oversee
formal records, rather than conversations. But social media activities “are really a
conversation that leaves a permanent record,” she said, which raises additional issues of
legal discovery and liability.
For example, an employee who “likes” a comment or product on Facebook or LinkedIn
could be construed as giving a formal endorsement of a third party—which can run afoul
of the Financial Industry Regulatory Authority. That distinction between internal and
external communications “in some cases is very clear,” said Jeff Seymour, Deloitte’s
Northeast leader of analytics and forensic consulting. “In other cases, I think the social
media dynamic is starting to blur that in certain ways.”
The more mundane, back-office technologies such as cloud computing (keeping
corporate data on storage space leased from a third party) endured their share of criticism
too. Seymour noted that “cloud providers” can occasionally prove unreliable or unsecure,
which leaves the corporate customer with compliance worries. “You don’t always know
how these arrangements are back-ended by providers, so it also involves the dual
challenge of dealing with sub-contractors,” he said.
Armstrong predicted that e-discovery questions related to cloud computing and social
media have only just begun to appear, let alone be answered by courts. “Clearly, the
requirements and expectations around preservation and production of data from social
media sites is still very much emerging” and will continue to develop in years to come.
Information Management Strategies
To combat that proliferation of new data technologies, most roundtable participants said
companies must strive to develop one strong policy about information management
regardless of any specific technology. Otherwise, compliance departments will end up
cranking out a new policy every time a new data tool comes along, overwhelming
employees and compliance officers alike.
“It’s a matter of translating similar principles,” one attendee said. “It’s really technology
agnostic because the issues are identical, and it’s just a different way of communicating.”
Wilson agreed, and cited Cisco’s policy about social media as an example. The
company’s policy blandly states: “Do not post confidential or copyrighted information.”
But a policy that simple, he said, can apply to all manner of social media technologies out
there. Moreover, “when it’s that simple, the employees self-enforce a lot of it,” he said.
“A simple and straightforward policy actually helps to shape the culture, too,” Wilson
added. “This way, employees can’t say, ‘How was I supposed to know?’”
Others echoed that theme of driving the corporate culture to be more aware of the risks in
social media and similar technologies. Harvey Jang, chief privacy counsel for Hewlett-Packard, said that education alone can reduce some of the risks. “We need to help people
understand that what they post on blogs or chat rooms can live on in perpetuity,” he said.
“Often times, people don’t fully appreciate the permanence and potential discoverability
of their communications or the fact they are sharing this information with the world.”
Jay White, manager of IT compliance for Chevron, said inculcating that culture of
understanding is critical, “because inevitably, we can’t control how that message is
broadcasted.”
Hence many roundtable participants said they find a principles- or values-based approach
to compliance—as opposed to a risk-based approach—to be the most effective way to
achieve a strong compliance program. And the policies and procedures developed along
those lines should reflect the culture of the company.
Still, that’s not to say risk is disregarded altogether in forming compliance policies. eBay,
for example, “looks at the company’s highest concentrations of risk,” said Amyn Thawer,
senior director and counsel of global compliance at the online auction site. “If we
pinpoint the risk areas, I think it becomes a little more digestible.”
The company also targets various groups within its operations for special attention,
Thawer added. For example, eBay has a corporate blogger who tweets about the
company’s earnings calls—definitely an activity that carries regulatory risk—and that
person has been given a specific set of guidelines about how to behave.
As for winning over boards of directors, attendees generally agreed that boards aren’t
necessarily looking for a specific metric about the risks or usage of social media. Rather,
“they want to make sure they see that all risks are identified and covered,” and remain so
even as new technologies come along, said Brian Martin, general counsel of KLA-Tencor
Corp. “Boards want to know that there is some type of enterprise risk management
process in place, that there are people on the major risks.”
Armstrong’s advice was that regardless of a company’s specific ideas about social media,
cloud computing, or anything else, “All of this needs to fit in with your information
management strategy. So the first question is, do you have an information management
strategy?”
If not, a compliance officer would do well to gather his or her fellow executives and hash
one out—because employees are going to use social media regardless, and rival
companies will find ways to use it to a competitive advantage.
“I think in the future we’re going to see a lot more of it in the workplace,” Wilson of
Cisco said. “It will be something we’ll be using more of.”
Amyn Thawer, senior director of global compliance at eBay, said some policies are based on risk.
Benton Armstrong of Deloitte, co-host of the discussion, center. At right is Brian Martin, general counsel of KLA-Tencor.
Charmaine Mesina, vice president for legal affairs at Applied Materials, argued that social media can serve many corporate purposes.
Compliance Week provides general information only and does not constitute legal or
financial guidance or advice.