Reviewing Your Email and Internet Usage Policies

Written by Sue Walsh on January 2, 2009

As the year comes to a close it’s good time to review your Email and Internet usage policies and insure that they are clear and comprehensive. The folks over at SmartBiz have published some helpful tips to assist you. Here’s an excerpt:

As the Internet and email have become a big part of our everyday lives, employers need to make clear the separation between work and non-work. What someone would consider appropriate with friends may be out of line in the workplace. Each practice needs to have a clear, written policy in place to eliminate confusion by the employees on what is and is not acceptable.

Such policies are critical in this day and age. It only takes one email or dubious website to cause your business a lot of trouble in the form of viruses, security or confidentiality breaches, even lawsuits. So keep your policy updated and easily available to all your employees!

SEC Files Settled Foreign Corrupt Practices Act Charges Against Siemens AG for Engaging in Worldwide Bribery With Total Disgorgement and Criminal Fines of Over $1.6 Billion

The Securities and Exchange Commission filed a settled enforcement action on December 12, 2008, in the U.S. District Court for the District of Columbia charging Siemens Aktiengesellschaft (“Siemens”), a Munich, Germany-based manufacturer of industrial and consumer products, with violations of the anti-bribery, books and records, and internal controls provisions of the Foreign Corrupt Practices Act (“FCPA”). Siemens has offered to pay a total of $1.6 billion in disgorgement and fines, which is the largest amount a company has ever paid to resolve corruption-related charges. Siemens has agreed to pay $350 million in disgorgement to the SEC. In related actions, Siemens will pay a $450 million criminal fine to the U.S. Department of Justice and a fine of €395 million (approximately $569 million) to the Office of the Prosecutor General in Munich, Germany. Siemens previously paid a fine of €201 million (approximately $285 million) to the Munich Prosecutor in October 2007.

The SEC’s complaint alleges that:

Between March 12, 2001 and September 30, 2007, Siemens violated the FCPA by engaging in a widespread and systematic practice of paying bribes to foreign government officials to obtain business. Siemens created elaborate payment schemes to conceal the nature of its corrupt payments, and the company’s inadequate internal controls allowed the conduct to flourish. The misconduct involved employees at all levels, including former senior management, and revealed a corporate culture long at odds with the FCPA.

For more see

Local Government Botches E-Discovery and Legal Hold — County Underestimates Value of Its Own E-mail Records

Some public agencies don’t realize that in ligation their own good records can be their best defense.

Commonly a defendant in a lawsuit is reluctant to search through its e-mails – and incredulous that a court would force it to dig deep for them. In Toussie v. County of Suffolk, 2007 WL 4565160 (E.D.N.Y. Dec. 21, 2007), a New York county made the process of e-discovery excessively difficult and expensive for itself.

Plaintiffs sued the county for allegedly barring them from participation in a real estate auction to which they were entitled. After the lawsuit started, the county did a poor job of preserving its e-mail records. Then, when the plaintiffs demanded – in the “discovery” phase of the lawsuit — that the county search for and disclose relevant e-mail, the county faltered. It initially turned over only two e-mail records.

For more see

Lack of policy adds to e-discovery cost and complexity — Large percentage of companies lack legal holds

IT and legal teams must work together to establish e-discovery policies. In fact, one-third of companies lack formal policies and procedures for legal holds, according to a recent poll of attorneys and executives conducted by Deloitte. A legal hold is the process by which companies preserve evidence subject to discovery for lawsuits and other legal and regulatory matters. In this increasingly litigious society, it’s likely IT will have to hand over e-mails and backup files.

“Given the relatively low cost of establishing a policy framework and processes to address legal hold issues, it is surprising to see such a large percentage of corporate America lacking in this area,” says Jeff Seymour, a principal with Deloitte Financial Advisory Services analytic and forensic technology practice.

Respondents indicated responding to discovery requests has become significantly more complicated and costly. And less than one-third indicated their companies are very or extremely effective in managing the readiness aspect of the discovery process. Worse, 5% said the guidance provided to IT on litigation hold polices was unclear and 35% said it was only somewhat clear.

For more see

Comply Or Die: Data Disposition Must Be A Priority

IT groups rethinking the “save everything forever” approach find deletion and retention policies and tools must be razor sharp to cut through a morass of regulations.


While the oil and gas refined by CVR Energy will someday run out, the company generates a seemingly inexhaustible supply of data: 3 to 5 TB of information in 2008 alone, says CIO and senior VP Mike Brooks. He expects that load to double every year for the foreseeable future. 

Though disk may still be cheap, Brooks says, it just doesn’t make financial sense for CVR to store every bit of electronic information indefinitely. Besides raising hardware, software, and utilities costs, outsized data stores make backups and enterprise search less efficient, and legal e-discovery more burdensome. When you’re paying lawyers hundreds of dollars an hour to review e-mail and documents, a smaller pile means a smaller bill.


That’s why CVR, a $3 billion-a-year refinery based in Sugar Land, Texas, is undertaking a massive data disposition project, hammering out policies that will govern how long the company stores its information and when it can be disposed. Between deletions based on the new rules and other technology approaches, such as deduplication, Brooks hopes to cut CVR Energy’s disk use in half.


He isn’t alone. More organizations are evaluating–if not yet implementing–data disposition strategies. By 2013, half of all Global 2000 companies will have formal records management systems to shepherd data through its life cycle, Gartner estimates.


But this is one area CIOs must approach with caution. There are significant technological, regulatory, and organizational hurdles to clear before organizations can eliminate data with confidence. At the top of the list are compliance and legal. Every industry has government-mandated retention requirements. On the legal side, general counsel and human resources may worry that critical pieces of information that could support their positions–in case of employment discrimination or harassment claims, for example–may be destroyed. 

Technological and organizational challenges are just as daunting. Before you can dispose of information, you must identify it and know every place it resides–not a simple task. And users aren’t quick to give up the mail and documents they produce. As with NRA members, you may have to pry PST files and PowerPoint decks from their cold, dead hands.

For more see

Financial Firms Still Coming to Grips With E-Discovery

Despite the penalties for inadequate e-discovery capabilities, many firms still are challenged to establish effective programs.

By Melanie Rodier 

A year and a half after amendments to the Federal Rules of Civil Procedure (FRCP) ushered in critical new e-discovery obligations for parties to lawsuits in federal court, Wall Street firms still are scrambling to come to grips with the e-discovery burden.

“I would have thought corporations would have recognized and responded much more quickly to the new amendments, get their papers in order and have a litigation plan ready,” relates Hope Haslam, director of consulting services at Epiq Systems, a provider of integrated technology products and services for legal proceedings. “But that’s not happening as often as I would have hoped.”

Legal counsel, Haslam adds, can be intimidated by the technology needed to recover documents in an e-discovery case, and as such may not encourage firms to engage in the process. “There’s a possibility that they don’t want to go to their fellow executives and say, ‘We need help,'” she contends.

Following the FRCP amendments, businesses must have clear policies on data retention so that they can easily identify what data is applicable to a discovery motion. They also must address e-discovery issues — including preserving discoverable data, developing a plan for producing the data within a reasonable amount of time and determining the format in which the data will be handed over — upon the filing of a case. When a company cannot produce data subject to discovery, regulators can slap them with huge fines — as Morgan Stanley and UBS, among others, have found out in what emerged as landmark e-discovery cases in the securities industry.

Nevertheless, Haslam asserts, with the exception of publicly traded companies, many corporations don’t have adequate e-discovery procedures in place and are playing Russian roulette — they’re just hoping they won’t get sued, she says. “This is because the e-discovery requirements talk about how you don’t have to be prepared until litigation is anticipated,” Haslam explains.

Some experts say firms underestimated the impact of e-discovery regulations. “When the rules came into effect, some wondered if it was going to be another Y2K issue and much ado about nothing without any tangible results,” says John Patzakis, chief strategy officer at e-discovery vendor Guidance Software. “But this proved not to be the case.”

One of the main e-discovery problems with which firms have been grappling is skyrocketing data volumes. According to a study by The Radicati Group, in 2007 a typical corporate e-mail account was expected to generate around 4.3 gigabytes (GB) of electronic data. The number is forecast to grow to 6.7 GB per year by 2011.

One executive at a top buy-side firm on Wall Street with expertise in the area, speaking on condition of anonymity, says things are only going to get worse as people find new messaging streams. “You can’t limit the data, but you can have technology to cull data and search through it,” he says.

According to Lisa Walkush, managing director at SMART Business Advisory and Consulting, increasing data volumes make it even more critical for firms to have strong records management policies in place. “Companies really need to understand where their data resides and have really good retention policies,” she adds. “And when the record-retention time frame is up, you want to get rid of it. So someone needs to be managing record policies.”

For more see

Datamaps Mitigate Risk under the Federal Rules of Civil Procedure and Meet Evolving Attestation Requirements under Section 404 of Sarbanes Oxley Act

Employees perform,collaborate and execute tasks more efficiently when able to find the information they need when they need it; there are legal discovery cost savings to consider as well.

The impetus for developing a so-called datamap comes from the Federal Rules of Civil Procedure, specifically the procedural requirements of Rule 26(f), which requires parties to discuss ESI (electronically stored information) at the outset of each case. The commentary to the new rule states in pertinent part that:

When a case involves discovery of electronically stored information, the issues to be addressed during the Rule 26(f) conference depend on the nature and extent of the contemplated discovery and of the parties’ information systems. It may be important for the parties to discuss those systems, and accordingly important for counsel to become familiar with those systems before the conference. With that information, the parties can develop a discovery plan that takes into account the capabilities of their computer systems. In appropriate cases identification of, and early discovery from, individuals with special knowledge of a party’s computer systems may be helpful.

It is easier said than done, but organizations need help with the design and development of a reliable process for understanding where information is stored there are broader organizational benefits to consider.

A reliable and defensible datamap could address potential deficiencies in internal technological controls and enable organizations to institute key processes in compliance with a series of evolving requirements under the Public Company Accounting Reform and Investor Protect Act of 2002 (“SOX”) as related to records and information management.  See J. Randel L. Kuhn, Jr., “Electronic Records Management and Sarbanes-Oxley Compliance: A Case Study of the COBIT Approach,” The Icfai Journal of Audit Practice, Vol. 4, No. 4 (Oct. 2007) (“Kuhn Study”).

The management and handling of ESI should be considered an entity level control examined as part of the SOX 404 attestation process. The Kuhn Study focused on utilizing the COBIT (Control Objectives for Information and related Technology) framework to comply with Sections 302 and 404 requirements, specifically as they relate to the retention and availability aspects of electronic document management. Id. The Study examines reported IT material weaknesses in internal controls over financial reporting specific to electronic records management and presents the findings of a case study where a global conglomerate applied the COBIT framework to successfully comply with SOX.

To comply with SOX attestation requirements, “global organizations face a daunting task of defining financial records, identifying and implementing appropriate records management procedures, and coordinating efforts across business units and geographic locations to ensure consistent application of prescribed policies and procedures.” Id. By putting in place a process for identifying the location of unstructured and structured information stored on network systems, organizations will be able to meet these evolving controls requirements under SOX.

When considering all the benefits of being able to find what you need when you need it, don’t loose sight of how a comprehensive datamap will improve internal controls and help satisfy evolving requirements under SOX 404.