By Kim S. Nash | Posted 2006-08-02
When encountering legal or regulatory action, technology managers who fail to get corporate data fast or vouch for its completeness can cost their companies millions of dollars. Learn what happened to WestLB, an investment bank, when it had to exhume 650,
How Not to Get Paralyzed
WestLB continues to try to right itself financially. It regained profitability last year, making $490 million. Parker has moved on, and is now chief executive of the New York office of Global Investment Holdings, an investment bank in Turkey. Quinby is looking for work as her suit approaches its second anniversary next month.
Still unresolved is an argument over whether Quinby should pay any of WestLB's expenses for retrieving and producing its own data.
Quinby, WestLB argued in a letter to the judge, "was highly compensated during her career and, thus, is able to share costs for a production upon which she insisted." According to court documents, Quinby had a base salary of $175,000 with a guaranteed bonus of $475,000 for 1999. In 2000, she received a $575,000 bonus. In 2001, her bonus dropped to $100,000. She did not receive a bonus for 2002 and was terminated, for the first time, in 2003.
Peratis counters in an interview that when Quinby first complained to HR of discrimination in 2002, or when she filed a complaint with the EEOC in 2003, WestLB could have reasonably anticipated litigation and kept pertinent e-mail and other documents at the ready by stopping transfers to backup tapes and leaving the documents on the live Lotus Notes servers. "All the money they've spent producing it was due to things that were their fault, not ours," she says.
The situation was avoidable, experts say, with a combination of policy and technology.
Dangerous are the gaps at many companies between the technology, legal and compliance departments, says Cyndy Launchbaugh, director of marketing at ARMA International, the information managers' group.
The Sarbanes-Oxley Act for financial data, HIPAA for health care, and other federal and state regulations that govern specific industries are forcing these departments to work together. But historically, the different groups grew up separately, with different priorities, Launchbaugh says: "All of them hold a certain piece of the puzzle, yet no one of those has it all covered."
The CIO may, for example, install instant messaging to speed communication among different divisions. But corporate lawyers such as Herrmann at Morris, James, warn against it. When choosing new technologies, a CIO must consider potential litigation risks, Herrmann says. His advice on instant messaging: Ban it. The quick conversation IM was built for could cause damage. "People really don't think on IM," he says.
Bawdy talk among WestLB salesmen over instant messaging about "shagging the cleaning lady" and other more explicit activities described in court papers now resides in the public record, thanks to the Quinby lawsuit.
If an outright ban of instant messaging won't work, Herrmann says, don't install a server-based version of IM because you will be liable for saving, storing and producing those messages in a lawsuit. Instead, employees can download individual-use copies of instant messaging applications on their personal computers. "A CIO cannot ignore potential litigation," he points out.
Whatever technology a company adopts, it should create, and stick to, one consistent policy for archiving and purging data, Herrmann says. A company may decide, for example, to archive e-mail and instant messages daily and purge them after one year. If, during an audit or lawsuit, the company is unable to produce data that its policy says it should have on hand, it risks repercussions. They range from admonishments from a judge or regulatory body to multimillion-dollar fines, as happened to Banc of America Securities and Philip Morris USA.
"The smartest thing a company can do is have a program for managing electronic information so it is destroyed when it should be and not warehoused indefinitely," Herrmann says.
Indeed, before a court battle or regulatory investigation ever arises, companies should assemble an electronic discovery team, advises Jonathan Sachs, a legal consultant at Kroll. Include a mid-level systems staffer who is involved in daily technology work, along with internal and external lawyers, a senior management executive and, perhaps, an outside discovery expert, Sachs says.
Together, the team can devise a plan for collecting, reviewing and presenting data to the other side. Items would include who will be assigned to find and restore backup tapes, procedures for lawyer review and formats for conveying the data, such as Microsoft Word documents, .TIF image files on CDs, or boxes of printouts, stapled and collated.
Specialized software can help companies manage and get at archived data, says Bob Best, CIO of UnumProvident in Chattanooga, Tenn. Producing electronic documents "was a big issue for us two to three years ago," Best says.
UnumProvident, a $10.4 billion insurance company, faced several class-action suits in state and federal courts in 2002 and 2003, by customers who accused the company of illegally denying their claims. In one case, a U.S. District Court judge in New York, Denise Cote, found that pertinent e-mail wasn't preserved, in part because UnumProvident failed to tell its outsourcer, IBM, to keep the messages until two weeks after the court ordered the insurer to save the e-mail, according to her August 2003 opinion. The insurer wasn't fined or punished, but the judge reprimanded the company: "If UnumProvident had been as diligent as it should have been in complying promptly with the [court] order, maybe fewer tapes would have been inadvertently overwritten," Judge Cote wrote.
UnumProvident now uses KVS, an e-mail archiving system sold by Symantec. The software runs about $15,000 for 500 users, and Best says it's necessary so the company can comply with regulations and respond quickly to urgent data requests. "It's just something you have to do as part of the business," he says. "We've worked hard at that."
Finally, create a retention and disposal policy for e-mail, and enforce it. Many companies have policies written in employee handbooks that employees never actually follow, says Flynn of The ePolicy Institute. Companies should comply with laws and regulations that dictate saving e-mails, but otherwise e-mail should be deleted regularly, Herrmann adds: "The more information available at the time of litigation, the more difficult it is to manage."
CIO Bigelow is now on to the more traditional technology work of overseeing his outsourcer. Court papers don't say whether WestLB has changed any technology practices, and the company would not discuss them with Baseline. But the case that WestLB lawyer Groman Darringer told the judge last summer was "extremely burdensome" is still open. The issues of sex discrimination and retaliation that triggered the suit have yet to be argued.
At presstime, Judge Pauley hadn't yet decided whether to send the case to trial or award a summary judgment to one side or the other, based on the 650,000 pages of evidence that have surfaced so far.
With reporting by Todd Spangler