Blog

A "Destroy All Data" Policy will not absolve You of Your Data Retention Responsibilities

Howard Haile on 30 Jun 2009

"If it really costs millions to do that [e-discovery], then you're going to drive out of the litigation system a lot of people who ought to be there." This quote by Supreme Court Justice Stephen Breyer cuts to the heart of current issues surrounding eDiscovery. A recent DCIG blog highlighted how out of control litigation costs have become and have left companies with hard decisions on whether it is best to settle cases based solely on the cost of eDiscoveryattempt to litigate or . But as companies face unprecedented economic pressure, a key question comes to mind, "Are these costs driving risky data retention strategies such as destroying all of your data?"

A December 2008 poll at Law.com showed that immature processes are the rule across corporate America when it comes to eDiscovery. The survey found that 30% of the companies polled lacked even basic policies for preserving evidence for litigation discovery. Based on these statistics, it is reasonable to assume that this lack of eDiscovery knowledge, coupled with immature processes, leads companies to take on higher risks.

But a question I regularly hear is, "Why not set a policy that mandates the quick destruction of data and delete everything quickly?" The thought process behind this is simple. If an eDiscovery event occurs, simply point to the policy, show a routine and good faith destruction of data, and avoid the associated costs. While it is tempting to adopt such a policy in order to avoid the costs of eDiscovery, it is a flawed approach and could do your company more harm than good.

The "Safe Harbor" eDiscovery provision, otherwise known as Rule 37(f), provides a means for companies to limits sanctions if (and I quote): "Absent exceptional circumstances, sanctions cannot be imposed for loss of ESI resulting from a routine, good faith operation of an electronic information system." Under this rule, a court may not impose sanctions on a party for failing to provide electronically stored information lost as a result of the routine, good faith operation of an electronic information system.

Based on this wording, it is easy to see why companies might take a risk and attempt to limit their legal exposure by quickly and routinely deleting documents such as email. But there are several areas of concern for businesses that rely on routine data destruction processes as their eDiscovery strategy, such as:

  • eDiscovery is still evolving and the rules can be a moving target. Even when safe harbor would appear to extend to your company, the courts can add a new wrinkle and suddenly your company could be facing a huge sanction. For example, the court in the recent case Phillip M. Adams and Associates, LLC v. Dell, Inc. sanctioned ASUS for not preserving e-mails dating back to 1999, even though the plaintiff did not bring a claim against ASUS until 2005. This has cast serious doubt on the future of Rule 37(e).
  • What you view as routine destruction could in fact be spoliation. The case cited above is a good example of a company thinking it would be covered by safe harbor; what it viewed as reasonable destruction of data through routine maintenance of its information system, the court viewed as spoliation of data that should have been held for litigation.
  • Legal hold of data is open to interpretation. A legal hold is the process of preserving all relevant information pertaining to a case once litigation is reasonably anticipated. What counts as "reasonably anticipated" is open to interpretation by the courts, and court interpretation is rarely predictable.
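The difference between routine destruction and spoliation comes down to whether the deletion job defers to legal holds. The following is an added illustration, not Estorian code and not LookingGlass behaviour: a naive "delete everything older than N days" sweep beside one that suspends deletion for any message a legal hold covers and records every decision. The custodian names, matter numbers and messages are constructed for the example.

```python
"""Retention sweep that honors legal holds.

Added example, not Estorian code: a naive "delete everything older than
N days" job next to a sweep that suspends deletion for any message a
legal hold covers and records every decision. Custodians, matters and
messages below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str   # mailbox owner
    sent: date
    subject: str


@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset           # mailboxes in scope
    start: date                     # earliest message date in scope
    end: Optional[date] = None      # None means open-ended
    keywords: Tuple[str, ...] = ()  # empty tuple means every subject

    def covers(self, m: Message) -> bool:
        """True if this hold suspends deletion of message m."""
        if m.custodian not in self.custodians:
            return False
        if m.sent < self.start or (self.end is not None and m.sent > self.end):
            return False
        if self.keywords and not any(k.lower() in m.subject.lower() for k in self.keywords):
            return False
        return True


def naive_sweep(messages: Iterable[Message], today: date, retention_days: int) -> List[str]:
    """The 'destroy all data' policy: age is the only criterion."""
    cutoff = today - timedelta(days=retention_days)
    return sorted(m.msg_id for m in messages if m.sent < cutoff)


def hold_aware_sweep(messages, holds, today, retention_days):
    """Age-based sweep that defers to legal holds.

    Returns (deleted_ids, preserved_ids, audit_log); the audit log is what
    you would produce to show the deletion was routine and in good faith.
    """
    cutoff = today - timedelta(days=retention_days)
    deleted, preserved, audit = [], [], []
    for m in sorted(messages, key=lambda x: x.msg_id):
        if m.sent >= cutoff:
            preserved.append(m.msg_id)
            audit.append((m.msg_id, "retain", "inside retention window"))
            continue
        matters = [h.matter for h in holds if h.covers(m)]
        if matters:
            preserved.append(m.msg_id)
            audit.append((m.msg_id, "hold", "legal hold " + ", ".join(matters)))
        else:
            deleted.append(m.msg_id)
            audit.append((m.msg_id, "delete", f"older than {retention_days} days, no hold"))
    return deleted, preserved, audit


# Constructed sample data (hypothetical custodians and matter numbers).
TODAY = date(2009, 6, 30)
SAMPLE_MESSAGES = [
    Message("m1", "alice", date(2009, 1, 15), "Q1 forecast"),
    Message("m2", "bob", date(2009, 2, 10), "lunch on Friday"),
    Message("m3", "alice", date(2009, 6, 20), "status update"),
    Message("m4", "bob", date(2008, 12, 1), "contract draft v3"),
    Message("m5", "bob", date(2008, 12, 5), "holiday party"),
]
SAMPLE_HOLDS = [
    # Matter 1: everything alice sent from 1 Jan 2009 onward, open-ended.
    LegalHold("matter-1", frozenset({"alice"}), date(2009, 1, 1)),
    # Matter 2: bob's messages about the contract, Nov 2008 through Mar 2009.
    LegalHold("matter-2", frozenset({"bob"}), date(2008, 11, 1), date(2009, 3, 31), ("contract",)),
]

if __name__ == "__main__":
    print("naive sweep deletes:", naive_sweep(SAMPLE_MESSAGES, TODAY, 90))
    deleted, preserved, audit = hold_aware_sweep(SAMPLE_MESSAGES, SAMPLE_HOLDS, TODAY, 90)
    print("hold-aware sweep deletes:", deleted, "preserves:", preserved)
    for entry in audit:
        print(*entry)
```

With a 90-day retention window measured from 30 June 2009, the naive sweep deletes four of the five messages; the hold-aware sweep deletes only the two that no matter covers and writes a per-message reason for each outcome. The audit log, together with the hold definitions themselves, is the evidence that what was deleted was deleted routinely and in good faith.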

The sheer volume of e-mail and its impact on eDiscovery continues to be a pain point for companies searching for answers to costs. Products such as Estorian's LookingGlass provide an answer for companies looking to control the costs and complexities of e-mail in litigation. LookingGlass provides structure to historically unstructured data as well as providing search functionality for answering eDiscovery requests which becomes a valuable resource in controlling e-mail review costs.

In today's economic climate it is understandable why companies are tempted to try and avert costs through risky data retention strategies. But, this high risk strategy will fail and the costs and consequences could financially ruin your company. Proper preparation and deploying technologies such as LookingGlass provide a vastly lower risk point than attempting to rely on policy and pray for safe harbor.

Blog Services by DCIG, Inc.

The Cost of eDiscovery is Bringing the American System of Justice to the Brink of Destruction

Jerome M. Wendt on 15 Jun 2009
"There is no truth if you cannot find relevant evidence and, unless companies get their eDiscovery act together, eDiscovery is about to destroy the American System of Justice as we know it." That statement summarizes the opening remarks that Ralph Losey, the noted eDiscovery attorney of FloridaLawFirm.com, made during a recent presentation. From there, he went on to explain why he believes most organizations - public or private, large or small - have no viable strategy for eDiscovery and why a reactive approach to eDiscovery is putting the viability of the American System of Justice as we know it at risk.

In early June, I had the opportunity to hear Losey speak at an archiving and content management writer's conference hosted by EMC Documentum at the Hotel Gansevoort in New York City, NY. Losey began his presentation with some insightful observations and supporting statistics as to how much eDiscovery is already costing American organizations and why these costs pose such a threat to the current American System of Justice:

  • The cost of eDiscovery for Microsoft is between $10 million and $20 million for each and every lawsuit.
  • Losey recently wrote in his blog about a case where the Washington D.C. Appeals Court affirmed an order requiring that the Office of Federal Housing Enterprise Oversight (OFHEO) spend $6 million, or 9% of its annual budget, to comply with an eDiscovery subpoena request.
  • Litigation is becoming too expensive so organizations are opting not to go to court and instead just settle.
  • The American system of justice is very different than Europe's. Europe permits the voluntary disclosure of information so European companies may only choose to disclose information that helps them in a court case. The American System of Justice requires organizations to turn over all relevant information whether it hurts or helps them in a case.
  • The written word has evolved over the centuries to become considered the best form of evidence. Since lawsuits involve events that occur in the past (often years ago), organizations need to be prepared to go back years to produce written documentation. The written word today now almost exclusively exists in the form of electronic communication.
  • In 2006, Networkworld cited a study conducted by the Butler Group that employees now spend as much as 25% of their day searching for the right information to complete a given task. Losey now believes that the percentage of time employees spend looking for stuff is closer to 40%.
  • The best estimates available are that during an eDiscovery organizations can only retrieve about 22% of the writings that are relevant to a case.
It is this last statistic that specifically gives Losey concern about the future of the American System of Justice. Technology has evolved tremendously over the last 20 to 30 years and it has become a real struggle for the law to keep up with this level of change. In 30 years, organizations have essentially switched from storing all of their written communications on paper to storing all of them electronically. Unfortunately, they have not adequately changed their internal processes to manage this information.

To respond to this change in information management, Losey recommends that organizations take two steps now to prevent the costs of litigation and eDiscovery from crippling or even bankrupting them in the future:

  • Be proactive, not reactive, about information management.  The first step in the Electronic Discovery Reference Model (EDRM) is "Information Management" and yet most organizations start managing their information only after they receive an eDiscovery request and then are forced to start with some step in the middle of the process - such as the collection stage.
That is what gets companies into trouble. Starting with the collection of data as a means to do eDiscovery in a chaotic environment becomes very expensive. As a result, much of the money that organizations spend on an eDiscovery is wasted since so little relevant information is retrieved during the process.
 
A better way for organizations to start is by managing and archiving their email using software like Estorian LookingGlass. Software like this gives them a means to capture and manage the flow of information in and out of their organization while making it accessible and searchable if and when an eDiscovery occurs.

  • Prepare for a future where random sampling of electronically stored information (ESI) becomes the norm. It is unlikely organizations ever retrieved 100% of relevant information when it was stored on paper, and achieving that level is even less likely now that it is stored electronically. To adapt to this new environment, organizations need to prepare to employ random statistical sampling of their ESI, and then prepare to defend this method of eDiscovery in court, to keep eDiscovery costs from spiraling out of control. Losey says, "Common sense dictates that sampling and other quality assurance techniques must be employed to meet requirements of completeness."
If an organization is not already employing some means to archive and manage its ESI, it is going to lose in some way - the only question is how much are they willing to lose? Even winning a court battle may only be a Pyrrhic victory as it may be cheaper for an organization to settle out of court than defend itself.
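What "random statistical sampling" looks like in practice, as an added example rather than Losey's method or any Estorian tooling: pick a sample size for a target margin of error, draw a seeded random sample of documents for review, and report a confidence interval for the fraction that are relevant. The corpus, the relevance rule and the Z-score table are constructed for the example; the Wilson score interval is a standard binomial interval and is an editorial choice here.

```python
"""Random statistical sampling of electronically stored information (ESI).

Added example, not Losey's or Estorian's method: choose a sample size for a
target margin of error, draw a seeded random sample from a constructed
document set, and report a Wilson score interval for the fraction of
relevant documents. The corpus and relevance rule are constructed.
"""
import math
import random
from typing import Callable, Dict, Sequence, Tuple

# Two-sided standard normal quantiles for common confidence levels.
Z_SCORES = {0.90: 1.6449, 0.95: 1.9600, 0.99: 2.5758}


def sample_size(confidence: float = 0.95, margin: float = 0.05, p_guess: float = 0.5) -> int:
    """Documents to review so the estimate is within +/- margin at the given confidence.

    p_guess = 0.5 is the conservative (largest) choice when the relevant fraction is unknown.
    """
    z = Z_SCORES[confidence]
    return math.ceil(z * z * p_guess * (1 - p_guess) / (margin * margin))


def wilson_interval(hits: int, n: int, confidence: float = 0.95) -> Tuple[float, float]:
    """Wilson score interval for a binomial proportion (better behaved than the
    plain normal approximation when hits is small, as relevance rates usually are)."""
    z = Z_SCORES[confidence]
    p = hits / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, center - half), min(1.0, center + half)


def estimate_relevant_fraction(doc_ids: Sequence[str], is_relevant: Callable[[str], bool],
                               n: int, confidence: float = 0.95, seed: int = 0) -> Dict[str, float]:
    """Draw a simple random sample without replacement and estimate the relevant fraction.

    Record the seed and the sampled ids alongside the result: being able to reproduce
    the sample is part of defending the method in court.
    """
    rng = random.Random(seed)
    sample = rng.sample(list(doc_ids), n)
    hits = sum(1 for d in sample if is_relevant(d))
    low, high = wilson_interval(hits, n, confidence)
    return {"n": n, "hits": hits, "estimate": hits / n, "low": low, "high": high}


# Constructed corpus: 5,000 document ids, every fifth one relevant (true rate 20%).
CORPUS = [f"doc-{i:05d}" for i in range(5000)]


def is_relevant_doc(doc_id: str) -> bool:
    """Stand-in for a reviewer's relevance call on the constructed corpus."""
    return int(doc_id.split("-")[1]) % 5 == 0


if __name__ == "__main__":
    n = sample_size(0.95, 0.05)  # 385 documents for +/- 5% at 95% confidence
    result = estimate_relevant_fraction(CORPUS, is_relevant_doc, n)
    print(f"reviewed {result['n']} of {len(CORPUS)} documents, {result['hits']} relevant")
    print(f"estimate {result['estimate']:.3f}, 95% interval "
          f"[{result['low']:.3f}, {result['high']:.3f}] (true rate 0.200)")
```

Reviewing 385 documents out of 5,000 bounds the relevant fraction to roughly plus or minus five points at 95% confidence; tightening the margin to three points raises the sample to 1,068. The same machinery applied to the documents a search did not return (the "elusion" set) is how one would test Losey's 22% retrieval figure against a particular collection.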

Yet the greater danger that the American population faces is more than the destruction of the current American System of Justice. It begins to change who we are and what we are as a nation, creating an environment where only the rich can afford to litigate and ultimately exonerate themselves of any wrongdoing. As for the rest of us, we may be looking at a future where we are forced to settle out of court because we cannot afford to uncover the truth, and justice is never fully measured out.

Condemning Emails, Revived SEC Probe Contribute to Decision to Voluntarily Shut Down Pequot Capital

Howard Haile on 3 Jun 2009

DCIG has posted several blogs discussing the economic downturn, the banking crisis and the role that hedge funds played in the seemingly endless stream of bad news and frauds that have graced the headlines. So, when it was announced that the prominent hedge fund Pequot Capital was shutting down because the SEC had reopened an insider trading probe, it was another sign that the largely unregulated hedge fund industry is once again in the SEC's crosshairs.

When I started looking into the alleged insider trading scandal I found not only interesting facts on Pequot, but also some interesting insight into how the SEC investigated the allegations of insider trading. Pequot was founded by Arthur Samberg and has been a respected hedge fund since 1998. The fund reportedly manages $3 billion in assets but at one time reportedly managed $15 billion. But, with investors already highly suspect of any bad news based on previous scandals, Samberg decided it was in everybody's best interest to close the fund.

With that recent history aside, insider trading allegations regarding Pequot were actually discussed in front of the U.S. Senate Committee on the Judiciary in December 2006. According to testimony by Linda Chatman Thomsen, Director of the SEC's Division of Enforcement, there were 10 transactions occurring between February 2002 and April 2005 that were forwarded to investigators working on the Pequot investigation. Investigating attorney Gary Aguirre claims he was fired for his requests to interview persons relevant to the case, but after all of the investigative work was done, Pequot Capital was found not to have executed transactions based on insider knowledge.

What really caught my attention was that the "Case Closing Recommendation" documents describe several specific instances involving Pequot and insider trading allegations. From these investigations it became clear that the SEC is very conscious of email communications and looks closely at email in any investigation regarding insider trading. Email communications involving Arthur Samberg are highlighted throughout to show either a link to possible wrongdoing or, more importantly, where email rebuts an allegation of wrongdoing.

A specific example is in the investigation of Pequot accumulating Heller stock and shorting GE stock before a GE acquisition announcement of Heller was made public. Within the documentation the SEC specifically states it "reviewed the emails obtained from Pequot to identify other potential tippers. The staff then compiled information about each person identified, including searching for relevant documents in the database of emails provided by Pequot."

Pequot was also closely scrutinized in a trade involving Microsoft stock after Pequot hired former Microsoft employee David Zilkha in April of 2001. Before starting work for Pequot, David Zilkha started providing information about Microsoft by email to Samberg.

There were two emails that were particularly scrutinized by the SEC that preceded an earnings announcement by Microsoft. Pequot had a net positive result of over $2 million dollars in profit based on two trades in Microsoft that were theorized by the SEC to be the result of the email information received from Zilkha.

There were also several other examples of possible insider trades that the SEC investigated involving Pequot Capital and through these investigations Pequot provided 19.8 million pages of electronic mail to the SEC.

Based on the sheer volume of email presented by Pequot the SEC asserted on page three of Linda Chatman's presentation to the Senate that "our staff has become particularly adept at sifting through all available forms of evidence, including...emails."

Although originally Pequot Capital was cleared of insider trading, it now appears that the SEC is coming back and taking another look at this hedge fund but instead of facing the mounting investor scrutiny, Arthur Samberg has decided to scuttle the fund altogether. Yet what interested me most was the sheer volume of emails given to the SEC as well as the SEC's focus on email to not only look for evidence of wrong doing of Arthur Samberg but also to develop leads on other "tippers" of inside information.

This case is a good example of why companies need email management technology such as Estorian LookingGlass. As the SEC has shown, it is very adept at reviewing email documentation, and the ability to rapidly produce email that clearly shows a company followed the rules pays huge dividends in any investigation or information gathering exercise. That kind of transparency in an investigation or eDiscovery exercise can exonerate a business even when a government agency such as the SEC comes back for a second look, and can help avoid measures as drastic as shutting down the business, as Samberg evidently felt obligated to do.


The Credit Card Act of 2009 Brings Email Opt-out Front and Center

Howard Haile on 27 May 2009
It isn't often that bipartisanship wins the day among politicians, but when an issue arises that stirs the ire of the public such as the credit card industry has done there is a sudden ability to get things done. This was evident in the recently passed Senate Bill 414, more commonly referred to as the "Credit Card Act of 2009." In an amazingly bipartisan vote of 90-5 the bill passed. One of the main departures from the norm with this is the fact that the regulation does not take place for nine (9) months. Part of the reasoning behind this delay was a need to implement technology changes to meet the mandates of the bill.

Another area of interest within this bill is the inclusion of the wording "each appropriate Federal banking agency" which extends this bill to Banks, Savings and Loans, and Credit Unions. So, it would appear the Federal government fully intends to ensure that all credit lending institutions will fall under this complete overhaul of the "Consumer Credit Protection Act."

Now that all banking agencies fall under this act, what technology issues in the bill should they be aware of? One main area of concern is highlighted in Sec. 103, Limits on Fees and Interest Charges, under the Opt-Out piece of the legislation. This gives consumers the right to opt out of over-the-limit transactions if fees are imposed. Under paragraph (2)(A) and (B), titled Notification by Consumer, there is an interesting piece of language that refers to technology:

(A) "through the notification system maintained by the creditor under paragraph (4); or

(B) "by submitting to the creditor a signed notice of election, by mail or electronic communication, on a form issued by the creditor for purposes of this subparagraph."

What this bill lays out in paragraph 4 is there are several defined notification system options such as a toll free number, Internet address, and website. So, in addition to these specific areas defined, there is also the ability for banks to use electronic communication such as e-mail, in addition to those specific areas noted in paragraph 4, to submit and receive a signed notice of election to opt-out of those transactions.

Now that e-mail could very well be one of the opt-out vehicles used by a banking institution that falls under this act, it makes more sense than ever for banks to archive in order to have a strict accounting of e-mail transactions. By using products such as Estorian's LookingGlass, banks have the ability to use their existing e-mail infrastructure as a communication vehicle to transmit and/or receive signed notices of election. Without the ability to give a strict accounting of those notices banks limit their customer's options in providing signed notices of election.

Although it might be debatable whether this type of legislation actually helps consumers, it does demonstrate how consumer outrage toward a specific business sector can stoke a bipartisan fire. It also shows how the Federal government views technology as a way to ensure consumers can effectively and efficiently communicate their desired approach as it pertains to the services mandated within regulation.

As the Federal government continues its accelerated regulatory path, it stands to reason that there will be continuing emphasis on technology as the preferred means of communication between businesses and consumers. By using products such as LookingGlass, companies can continue to leverage their existing infrastructure to deliver services, as well as continue to meet current and future regulatory requirements.


New EU Directive May Go Too Far in Electronic Surveillance

Howard Haile on 11 May 2009

On March 15th, 2009, a new law went into effect in the European Union (EU) that set in motion a controversial new course for government access to digital information. The EU Data Retention Directive was derived from the perceived need of the EU's member states to protect national security and public safety. Its goal is to give law enforcement access to the information it needs to protect public and national interests, but it may go too far by capturing information that the public may not view as so public.

Most individuals will generally welcome more protection in their lives from hostile terrorist attacks but it is unclear how much they are willing to accept government intrusion into their electronic communications.  Therefore a delicate balancing act is needed and this law may just go too far in the eyes of many as the mandates set forth in this EU directive are abundant, complicated to meet, require the capture of a plethora of electronic information and give governments the authority to access this information for a lengthy period of time. 

A review of the directive highlights the following areas:

  • Article 6, titled "Periods of retention," states that Member States shall ensure the data categories listed in Article 5 are retained for no less than six months and no longer than two years. Note that the Directive covers traffic and location data (who communicated with whom, when and from where), not the content of the communications.

Article 5 of the Directive spells out the categories of data that must be stored. Among the areas of concern are:

  • Fixed network telephony and mobile telephony: the calling telephone number, plus the name and address of the subscriber.
  • Internet access, Internet e-mail and Internet telephony: the user ID, telephone number, name, address and IP address allocated to the user.
  • Data necessary to identify the date, time and duration of each communication.
  • For Internet access and e-mail: the date and time of log-in and log-off from the ISP, the IP address (static or dynamic) and the user ID of the subscriber or registered user.

Article 8 of the Directive goes into the storage requirements for retained data by specifying that "data must be retained in a way that can be transmitted upon request to competent authorities without undue delay."  This is a key provision in that it not only requires the need for ISPs to store mountains of data but also puts a burden on them to search the data as well as determine if data meets any previously set criteria and then forward data that meets that criteria to the appropriate authorities without delay. 

Article 3 goes further and specifically calls out providers of public communications networks within the jurisdiction of the member state as the parties responsible for retaining the communication information noted in Article 5. 

Although this is an EU directive, organizations here in the United States need to be mindful of this regulation for a few reasons. First, we are talking about Internet communications that span the entire globe: the providers in EU Member States that are charged with collecting data will capture traffic involving parties outside the EU, not just EU citizens, though it is unclear how any of this would be enforced in the US.

Second, if a government regulation such as this can pass muster in the EU, it stands to reason that the US may follow suit at some point with legislation of this scale, especially given the heightened role the US government has assumed in private industry. Finally, Internet Service Providers (ISPs) may have to bear the costs of complying with this regulation, so Internet access costs may increase. Equally unclear, as ISPs begin to act as cloud storage providers for businesses, is how much of this private data will be stored as "public" information in these repositories simply because it traverses the Internet and is captured by these ISPs.

Organizations now need to begin to ask, "How does this law affect the data we send outside the organization over the public Internet?" Although there are written safeguards on who can have access to the information and what information needs to be stored, history is replete with examples showing that such safeguards are not always followed, as a recent example here in the US demonstrates.

Email is a prime example of where confidential corporate information could easily end up outside of corporate firewalls and inside one of these "public" data repositories. How or whether it may ever be accessed is anyone's guess, but an advisable approach for organizations is to make sure it never ends up there in the first place. Blocking the e-mail before it is ever sent, using products such as Estorian's LookingGlass, ensures that it never lands in some data repository at an EU ISP that may come back to haunt you unexpectedly at some later point in time.

On the surface, this EU directive appears rooted with well meaning but poorly informed legislators who are looking to better protect their constituents. However, given the growing propensity of government to delve into the affairs of private business, organizations are advised that the less confidential and potentially incriminating data that they make accessible to the government, the safer they are. Technologies such as Estorian LookingGlass can help companies put in place email policies that ensure email communications that never should go outside corporate fire walls never do.


Court Rejects Argument that Companies Can Transfer Responsibility to Employees for Email Management and Retention

Howard Haile on 29 Apr 2009
A current patent infringement lawsuit has provided a great reminder of why email retention policies and procedures as well as archiving technology are invaluable in today's eDiscovery environment.  While discussing policies and procedures can be a mind numbingly boring exercise, this case provided some great reminders as to why they are important in setting the groundwork for a robust and defensible eDiscovery process.

The case in question is Phillip M. Adams and Associates v. Asus Computer International. It is important to note that ASUS is only one of many well known industry heavyweights named in this lawsuit, but this ruling singled out ASUS and how it responded to the eDiscovery request. The lawsuit revolves around a patent granted in 1992 to Dr. Phillip Adams for software that identified defects in floppy disk controllers. It is alleged that ASUS gained access to his software, reverse engineered it to illegally test its motherboards, and then required chip manufacturer Winbond to modify the chips sold to ASUS using Dr. Adams' technology.

Although ASUS stated that no documents pertaining to the case had been destroyed since 2005, ASUS produced very few documents in response to the eDiscovery request. This raised numerous questions about the reasons for the lack of documentation and, more specifically, why so few emails pertaining to the case were released. Based on the lack of produced documents, the plaintiff asked for sanctions for spoliation. ASUS gave an interesting response to the allegation of missing documents:

  • Its email servers were not designed for archival purposes, and employees were instructed to assume responsibility for preserving any emails of long term value.
  • It is its routine practice that its employees download to their individual computer those emails the employee deems important or necessary to perform his or her job function or comply with legal or statutory obligations. 
  • Any information not saved by the employee was erased.
  • Determination of "long term value" was determined by the employee.

From that explanation came the following quote from the court:

"An organization should have reasonable policies and procedures for managing its information and records."  [Citation omitted.]  'The absence of a coherent document retention policy' is a pertinent factor to consider when evaluating sanctions."

In short, if an organization does not have a document retention policy guiding its approach to electronically stored information (ESI) such as e-mail, then it will be a pertinent factor in deciding sanctions against your company.  The court also stated, "It is clear that ASUS' lack of a retention policy and irresponsible data retention practices are responsible for the loss of significant data." 

This plainly lays the blame on ASUS and could very well lead to a large sanction against it. These are powerful statements from the court and show just how seriously the courts take policies, procedures and the retention of e-mails pertinent to an eDiscovery request. Relying on employees to retain and produce relevant e-mails in line with the Federal Rules of Civil Procedure (FRCP) just cannot work in today's legal environment.

Only through the use of technologies such as Estorian's LookingGlass can companies answer email eDiscovery requests in a complete and timely fashion, and without worry of whether emails pertinent to the case are either missed or destroyed. Although ASUS' email servers may not be designed for archival purposes, using LookingGlass fills this void by ensuring emails are archived, preserved, and searchable. 

This case serves as a good lesson to those companies who continue to debate the necessity of technologies such as LookingGlass, as well as whether they need policies and procedures guiding document retention. Not only are they needed, they are mandatory when faced with litigation involving eDiscovery. As this case demonstrates, relying on your employees' judgment is not an acceptable document management and retention policy, and failing to take the necessary steps to define and protect documents from spoliation will certainly lead to costly sanctions.


Predatory Lending Practices are Back As Banks Bite the Hands That Feed Them

Howard Haile on 22 Apr 2009
If you are like me, trying to comprehend the logic behind the current bank bailouts and the billions of taxpayer dollars being infused into the financial sector is becoming harder, not easier, to understand. For instance, Bank of America (BofA) just reported receiving $20 billion dollars in bailout money as well as loan loss commitments of another $97 billion from the federal government. Yet with BofA taking billions of unearned dollars, what can their customers expect in return? Not a thank you, as one might expect, but instead a slap in the face.

This became more evident on March 10th, 2009, when Vikram Pandit, CEO of fellow bailout recipient Citigroup, said he expected Citigroup to turn a profit in Q1 2009. Again, you can count me among the ranks of the confused, as turning a profit this quickly just doesn't seem to fit into the equation considering these banks were bailed out just a few months before. Rather it looks like the banks are taking out a cash advance using government money as a Visa card and then telling their shareholders they just received a pay raise.

This is only one of the interesting and questionable uses of bailout funds by banks. Another involves JPMorgan Chase admitting in October 2008 that it would not use the bailout funds to make loans as anticipated but would instead use the money to purchase other banks. BofA has already used part of its bailout to increase its stake in a bank in China while at the same time cutting off funding for companies.

So what else can customers expect? 10 percent of BofA customers can expect their credit card rates to rise, though BofA isn't the only bailout recipient to announce such confiscation of their customers' income. Citigroup and JPMorgan Chase have also made such rate increase announcements. Other banks have announced other forms of fee increases as well, with Wells Fargo announcing increases in late and cash advance fees while Chase is introducing a $120 yearly charge on low interest credit cards.

These mounting fees and rates have caught the eye of the federal government. Already a federal committee that oversees the bank bailout program has announced it is investigating rising rates, fees and continued predatory lending practices of those banks that have received bailout funds.

As the government probes these financial institutions and consumers continue to raise their voice in opposition to government funding both sides of banks' bottom lines through bailouts and fee increases, it stands to reason that government intervention will continue to rise for all organizations. But as is the case with any investigation, in order for companies to exonerate themselves, it is best to have supporting evidence ready.

When civil litigation is anticipated, presenting documentation such as e-mails in accordance with the Federal Rules of Civil Procedure (FRCP) is now a key factor to ensuring success during litigation. Using technologies such as Estorian's LookingGlass to retain, search and present e-mails needed in an investigation allows a company to properly respond to allegations of misconduct such as those faced by the banks.

As recent history shows, banks continue to act as though they have learned nothing from the current crisis. Select banks continue to press for public money and guarantees for assets on which they have speculated, all the while using taxpayer bailout dollars for ventures that have nothing to do with lending. Worse yet, taxpayers have to worry about expanded predatory lending practices from the same banks that their tax dollars are helping to keep afloat.

Banks such as BofA, JPMorgan Chase, Citigroup, and Wells Fargo are now literally biting the hand that feeds them by rapidly and aggressively expanding the fees and rates charged to the customers who are expected to foot the bill for their bailouts. The bailout oversight committee is rightly taking steps to investigate these practices, but, for the foreseeable future, taxpayers will continue to fund multiple revenue streams to banks even as they claim gimmicky profits such as Bank of America is doing.


Email--Not Just Communication But a Legal Document of Record

James F. Koopmann on 15 Apr 2009
The Internet has become so ingrained in everyday business that I'd venture to say not many of us even think about communicating or conducting everyday business with hardcopy anymore. Tracking documents through the standard U.S. postal service mailing options (registered or return receipt) has given way to a variety of sending and receiving options for email. Senders of emails will often attach documents, carbon and blind copy themselves, and include large distribution lists, leaving emails scattered within inboxes, outboxes, or personal folders on local, network, and backup media.

Recipients on the other hand can receive messages in their inbox or have filters enabled that automatically detect junk or spam, move messages to alternative folders, or delete messages altogether. The paper trails of yesterday have given way to electronic bread crumbs that must be followed for locating email and attachments to prepare for impending litigation.

While we may think of email applications as a communication tool, the formal definition of what constitutes an individual email is changing. Regardless of an email's folder location, intent, or status, email is a vital piece of corporate electronic information and no different from any other document. Email is now much more than just a communication mechanism; it is a legal document of record that can be used to an organization's advantage. Consider these recent court cases:
  • In Kasten v. Doral Dental USA, LLC, 2007 Wisc. LEXIS 405 (Wis. June 22, 2007), the Wisconsin Supreme Court reversed and rejected the trial court's conclusion that email was a communication rather than a document. It concluded that "Company documents" in the company's operating agreement was, in fact, a broader term than "records" and included drafts and emails that were not private communications.
  • In Roth v. AON Corporation (N.D. Ill. January 8, 2009), Magistrate Judge Morton Denlow held that an e-mail and attached draft of disclosure language circulated for comment among corporate employees and in-house counsel was protected from eDiscovery by plaintiffs in a pending securities fraud action.
While these two favorable rulings begin to formally define email as a corporate document, they more than ever reinforce the importance of the proper use of corporate email. In viewing just a few recent cases at Kroll Ontrack, one could make the argument that courts are extending the definition of corporate email to include areas that many emailers now consider safe. If anything, the courts are getting more tech savvy about where email is sent from, how it is received, where it is stored, and how it is hidden, reinforcing the importance and status of email as a corporate document.

Email documents are vital to the life of an organization and must be handled just as any other legal document would be to safeguard corporate information. But courts are becoming savvier at sniffing out fraudulent activity, so eDiscovery tools need to be selected to help protect corporate assets. Estorian LookingGlass is one such product that is not only able to search all inbound and outbound messages but also able to search the inbox, outbox, Sent, deleted, draft, and personal folders. Features such as its spherical indexing and tracking of emails (even unsent emails) allow companies to see email activity regardless of where an email originated from or ends up, so they can sniff out and head off potentially damaging activities.


2009 Stimulus Bill Provides Needed Funding For New State and Local Government eDiscovery Initiatives

Howard Haile on 31 Mar 2009
It isn't just businesses that are hurting in this down economy. As companies cut back, the repercussions are felt everywhere, and local, state and federal government are not exempt from these cutbacks even as their requirements also increase. Case in point: a recent decision determined that the SEC must comply with the Federal Rules of Civil Procedure (FRCP) just like "any other litigant," which puts the same burdens of eDiscovery and legal holds on governmental agencies that previously only affected private organizations.

This case revealed how woefully unprepared the SEC was to properly present electronically stored information in line with FRCP rules and, as a result of this ruling, will most likely reveal that Federal, state and local government is equally unprepared to respond to these requests. The American Reinvestment and Recovery Act of 2009 (ARRA) (or 2009 Stimulus package) set aside money for numerous projects, but one particular area of funding found in the ARRA is the Edward Byrne Justice Assistance Grant (JAG) program.

Byrne Grants have traditionally been one of the main sources of federal grant money that state and local governments have used to deploy and improve technology. This grant opportunity provides money to support what is described as a "broad range of activities to prevent and control crime and improve the criminal justice system." As part of ARRA, $2 billion for the Edward Byrne JAG program was set aside, which became available on March 6th, 2009. There are several areas in which these grant funds apply, but some areas that speak directly to improving state and local government's ability to meet the challenges posed by email and eDiscovery are:

  • Prosecution and court programs
  • Planning, evaluating, and improving technology programs
Much has already been learned from private business in the area of eDiscovery and the technology needed for a successful eDiscovery process. One area that is consistently problematic for private business is providing a robust search function for email and an ability to structure traditionally unstructured email data. Therefore it is logical to assume that government will have to meet these same challenges, and only by deploying email archiving and management technologies such as Estorian's LookingGlass will government improve its technology programs as they pertain to meeting its eDiscovery responsibilities and requirements.

As state and local governments have looked for justice system technology improvements, they have historically looked to Byrne Grant and Local Law Enforcement Block Grants (LLEBG) funding opportunities. However, ARRA has resulted in the merger of the Byrne Grant and LLEBG programs, so they now gain some distinct advantages from the JAG grant initiative:

  • JAG grant awards are distributed up front. This eliminates the need for government agencies to first spend budgeted funds and then rely on a reimbursement of those funds at a later date.
  • Projects can be funded beyond the traditional 4 year time period, thus allowing funding to expand agencies' technology efforts.
  • Set-asides were eliminated. This change encourages the expenditure of funds where they are needed most.

The removal of key funding hurdles through the JAG grants greatly increases the ability of state and local governments to receive needed funding without the budgetary hurdles and lengthy justifications which otherwise might be needed in the face of these new eDiscovery obligations.

Government faces numerous technical difficulties regarding eDiscovery, and the $2 billion set aside in JAG grant funds through ARRA will provide a much needed source of funds for government to meet the FRCP challenge that the justice system has now made applicable to it. So while these governmental agencies are advised to take advantage of these funds, they are reminded to learn from the examples that private businesses provide. By deploying technology that eases and reduces the costs of eDiscovery, they do not need to face the expensive and harsh reality that failing to meet an eDiscovery obligation in a court proceeding presents.

Landmark Ruling Brings SEC under the Microscope; Establishes Government is not immune from the FRCP

Howard Haile on 19 Mar 2009

On January 13th, 2009, a ruling in the S.E.C. v. Collins & Aikman Corp was handed down in what is sure to become a landmark ruling. What makes this an important ruling?  Judge Shira A. Scheindlin ruled that the SEC had to abide by the Federal Rules of Civil Procedure (FRCP) just "like any other litigant." This could have ramifications across government entities as the FRCP increasingly touches federal, state and local governments. It is already a well documented fact that the FRCP is changing how private industry manages its data but this ruling sets out numerous areas in which the SEC failed in its internal eDiscovery processes and rightly was held accountable.

The case originated from a claim of securities fraud by the SEC and called into question the SEC's obligations in producing documents, and how the SEC failed to perform sufficient searches for the requested information. The defendants made document requests in 54 separate categories, and the SEC produced 10.6 million pages. The defendants objected and stated "the SEC failed to identify documents...supporting particular factual allegations and instead preferred to dump a huge volume of documents."

During the court proceedings the SEC contended it had fulfilled its discovery obligations by producing the millions of pages of documents as maintained in the usual course of business. The court explained that when records do not result from "routine and repetitive" activity there is no incentive to organize them into a predictable system, and stated that the purpose of Rule 34 is to "facilitate production in a useful manner...thus it is reasonable to require litigants who do not create and/or maintain records in a routine and repetitive manner to organize the records in a usable fashion prior to producing them." The SEC had to produce 175 file folders, which very well might affect its case strategy, due to its original unorganized document dump.

Another very interesting part of this case is that the SEC initially did not produce any email or attachments generated or received by the SEC. This was due to the SEC's failure to do an appropriate search. The SEC argued that nearly all responsive emails would be privileged or subject to the court's non-disclosure order and that the search would be a costly and time consuming effort. The court rejected the SEC's blanket refusal to produce email without an attempt to negotiate search terms to eliminate privileged or irrelevant emails. The parties were ordered to meet and attempt to negotiate search terms.

What the government learned is what private companies have known for some time: the FRCP is time consuming and expensive, and the failure to properly manage the process can be devastating to a case. But automating the email eDiscovery process through products such as Estorian's LookingGlass can eliminate problems such as those the SEC is facing. As this case showed, it is not acceptable to claim the process is too expensive or too time consuming. Automating the process of producing only the relevant email needed in an eDiscovery request through the use of LookingGlass can lower both the time and cost, as well as avoid a negative inference from inadvertent or malicious destruction of vital documents.

All too often government writes laws or regulations that increase cost and time burdens upon companies without thought as to how they will affect those outside government. But the explosion of electronically stored information (ESI) crosses all boundaries, whether private company or government. Now this ruling declares that the government must act like any ordinary litigant and comply with the FRCP, but it appears the government is woefully unprepared to respond to litigation requests originating from the FRCP.

Now, whether the agency is Federal, State, or Local Government, this ruling has shown they must be prepared to comply with eDiscovery standards or possibly face the same problems currently encountered by the SEC. Government can learn much from the private sector's struggles with the FRCP, but it appears these hard lessons will be learned in the court and at taxpayers' expense.

SEC Investigation into Options Fraud of Former RIM Executives Illustrates Need for Robust Email Management

Howard Haile on 4 Mar 2009

If the market needed any further reason to feel investor angst, Research In Motion (RIM) (NASDAQ: RIMM) seemed more than happy to step in and fill the gap. Already there are plenty of headlines to feed the pessimism in the economy, ranging from the Madoff Hedge Fund scandal a month or so ago to the more recent Stanford Group scandal. But when the SEC announced on February 17, 2009, that several current and former executives at RIM had reached a settlement involving an options fraud scheme, it is beginning to feel like greed and fraud know no bounds.

RIM is not an unregulated hedge fund or a too good-to-be-true return on a certificate of deposit as was the case with Madoff Hedge Fund and Stanford Group. No, this was a well known and well respected tech company that helped to revolutionize and is still revolutionizing the mobile market. But when details about this scandal emerged and the SEC released details of the settlement, it showed a systematic fraud perpetrated at the expense of the company and its shareholders.

In the press release issued by the SEC, it alleged that Dennis Kavelman, RIM's former CFO, Angelo Loberto, RIM's former VP of Finance, and James Balsillie and Mike Lazaridis, RIM's co-CEOs, "illegally granted undisclosed, in-the-money options to RIM executives and employees by backdating millions of stock options over an eight year period from 1998 through 2006."

The SEC release also stated "RIM and its highest level executives engaged in widespread backdating of options which provided them and other employees with millions of dollars of undisclosed compensation." All of the executives agreed to settle the matter without admitting or denying the allegations, with several terms attached as well as fines levied for the fraud. The SEC contended this misconduct caused RIM to make false disclosures in its annual reports and to file false and misleading financial statements. Balsillie and Lazaridis prepared, reviewed, signed and/or certified RIM's filings with the SEC.

As the SEC put this case together, it appears that email played a large role in uncovering this fraud. Several examples emerged from the SEC complaint:

  • Kavelman (former RIM CFO) asked a manager not to document improper pricing in email.
  • On page 14 of the complaint was another example that showed in May 2001 an employee complained that her exercise price for her stock options was too high so her supervisor asked that the options agreement be changed. This was captured in e-mail as Kavelman acknowledged that the SEC reports had already been prepared but the employee was given a lower backdated exercise price.
  • Page 15 showed Loberto copying Kavelman in an e-mail stating the reports had been completed and their attorney had advised them to use the start date for pricing of the options, as was the company's policy. Even with this advice, Loberto granted the backdated price that preceded the employee's hire date and agreed to fix the agreements.
  • Page 19 showed Balsillie e-mailed Loberto (copying Kavelman) asking to process another 10,000 options for a RIM Vice President, and for them to pick a low point in the past 30-60 days.

The examples are all over the report, and the emails show top executives were well aware of and actively participated in this fraudulent activity.

When top level executives are involved in this type of activity, who are the shareholders, employees, and board of directors to trust? Well, as these documents illustrate, one thing the SEC is trusting and putting its faith in is the email these individuals are sending. Email is the preferred communications medium in corporations and shareholders should insist a robust accounting of email communications from all levels of management be kept in accordance with federal standards. Products such as Estorian's LookingGlass are examples of third party products that directors, employees, and shareholders can look at to protect their interests to ensure executives act in the best interests of the organization.

If there is still reluctance by organizations to deploy this type of technology, RIM management's breach of trust should help to alleviate these concerns. Today more than ever, protecting a company's interests from fraud at all levels should be a top priority for governance. Products like LookingGlass enable companies to cooperate with any audit and compliance requirement, whether internal or external, and provide organizations the transparency that they need if faced with a situation such as this.

This SEC investigation shows that email will continue to play a huge role in ensuring corporate transparency. The continuing frauds being uncovered by the SEC, such as the one perpetrated by RIM executives, have the ability to shake companies to their core and, in the current economic environment, this can be devastating to a company.

There is much to learn from this, since it is now apparent that expecting RIM's executives to operate within the bounds of ethics and laws was too much to ask, though, through its use of email records, the SEC was able to shine a light on RIM's fraudulent activities. However, all organizations should expect, if they are investigated for similar purposes, to be put under the same type of scrutiny of their email to which RIM was subjected and ultimately found guilty, whether through negative inference during litigation proceedings or through documented wrongdoings in their email archives.

Transparency Requirements of New Electronic Health Records Present a Huge Challenge to Health Care Industry

Jerome M Wendt and Howard Haile on 26 Feb 2009
Over the past year there has been a lot of talk and speculation about Electronic Health Records (EHR). The topic started making headlines last year as President Obama and Senator McCain sparred over how to best fix health care with EHR touted as the single best way to control the ever increasing costs of medical treatment. Although it remains to be seen if this is actually the case, the recent stimulus bill passed by Congress on February 13th, 2009, has ensured EHR projects will be funded.

Approximately $20 billion of stimulus money has been allocated for the purpose of moving health care towards the use of electronic health records for patients, which signals a large amount of growth in the health care IT sector for the foreseeable future. Along with the funding of EHR comes the inevitable regulation that seems to permeate spending bills coming out of Washington D.C. The inclusion of these EHR provisions could turn into a boon for IT, but what is not being talked about is what should be of concern to IT.

If you dive into the details of the stimulus bill you will find areas that will challenge health care providers and EHR software vendors as they start down the long and complicated road of electronic health records. One area of concern is based on providing transparency for privacy concerns as the wording in the bill states "an individual shall have a right to receive an accounting of disclosures described in such paragraph of such information made by such covered entity only three years prior to the date on which the accounting is requested".  

This language basically states that a patient will have the right to receive an audit trail of all disclosures of their EHR made through an electronic record. This paragraph stunned us as we immediately thought of the many facets of IT this would touch. But it also made me realize how many avenues for disclosure of EHR there are. Although this doesn't take effect immediately after the bill is signed, it does signal what must be accomplished over the coming years to make this happen.

Health care has been making a private push into the electronic medical record arena for some time but there is much to be done to meet a mandate for disclosing a three year audit trail of all accountings of a medical record. Current EHR implementations would have to achieve an auditable work flow, as well as audit trails showing who accessed what information, all while retaining the records for a lengthy period. Storage requirements alone for this type of undertaking will be staggering. But, that doesn't answer the auditable avenue that will also be front and center: How to control and monitor email distribution of EHR.

Email has been and will continue to be an avenue in the distribution of EHR and understanding the role email plays in health care will be vital in ensuring an accurate auditable record can be provided to those patients requesting such information. Only through the use of products such as Estorian's LookingGlass will entities covered by this regulation be able to accurately track and audit EHR through email disclosure in their environment.

While the final wording in the stimulus bill is only now being released on a wide scale, all indications are that a wide reaching EHR funding push has begun with more privacy regulations to surround EHR. As is usually the case with government bills, the devil is in the details, and the details are slowly making their way to the public. Mandates such as the patient accounting of their EHR are well intentioned to protect patient privacy rights but ensuring this can be accomplished underscores the magnitude of issues that will face health care IT in the coming years.

Federal Stimulus Bill Clarifies Regulation Of Health Care Industry

Howard Haile on 20 Feb 2009

If you have followed the news lately, it would appear that the media and President Obama feel the economy is firmly entrenched somewhere between disaster and Armageddon, which has framed much of the debate surrounding the stimulus bills that are in both houses of Congress. When the Senate passed its version of the bill on February 9th, it promised $838 billion for spending projects designed to jump start the economy. But like most things in government, there is a lot more in the details than in the headlines. Now that the stimulus bill is out in the open, DCIG has a clearer view of where health care regulation is going and how IT will be affected.

It is no secret that President Obama is making a huge push into the Electronic Medical Record, so it is important to understand what the government deems an Electronic Health Record (EHR). The government defines this term as an "electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual."

Until now it has not been known for sure how the government will regulate this Electronic Medical Record initiative, but recently released documents provide some clarity as to where we are headed with regulation in the near-term and a road map to future regulation. There are several areas that can be pointed to for guidance:

  • The Creation of a National Coordinator for Health Information Technology. This post will monitor electronic health records for the federal government and ensure treatments are within what the government approves.
  • Business Associates working on behalf of a Covered Entity. A Business Associate is anybody who isn't an employee who, on behalf of the covered entity, participates in a function or activity involving the use or disclosure of individually identifiable health information. A Covered Entity is defined as a health care provider who transmits health information in electronic form. Both of these will now be subject to the same privacy and security rules and regulations that previously covered only entities such as hospitals and health care providers. An example of this is online personal health records, which did not exist when the original regulation was written. This bill closes that gap.
  • Provides Transparency. Patients can request an audit trail showing all disclosures of their information made through an electronic record. This will be a huge undertaking for health care as auditing, logging and work flow will need to become much more robust than it is now to ensure that this can occur. 
  • National Data Breach Notification Law. Data breach laws have expanded greatly on a state level since California's SB1386. The Federal government will now mandate disclosure to patients that have had their Protected Health Information (PHI) breached. The only safe harbor from disclosure is encryption of the breached data. 

This stimulus bill does some other things as well. It increases penalties for non-compliance, State Attorneys General can pursue investigations as well as federal investigators, and a major overhaul of HIPAA privacy legislation is assured to pass (think HIPAA II) now that electronic medical records and their funding are cemented into the nation's economic recovery plan.

These electronic records become protected health information based on HIPAA and the identifiers set out by the HIPAA statute.  Needless to say, these are broad and far reaching descriptions and identifiers that ensure most everything pertaining to health records falls under this classification and is thus subject to disclosure if a breach occurs. 

Although healthcare has been making a private push into Electronic Health Records for some time, it is now a certainty EHR will become a central focus for healthcare across the United States. The details of the stimulus bill give us a more definitive look into where healthcare regulation is going, and it will clearly have a profound effect on healthcare IT going forward. Specifically, IT will now need products such as Estorian's LookingGlass that can detect and prevent the inappropriate or illegal distribution of healthcare data to ensure EHR is protected in all phases as the distribution of health records gathers momentum.

Death Instructions Decree Brings Almost Certain Guarantee of Litigation Loss

Howard Haile on 9 Feb 2009

Before entering healthcare technology, I spent numerous years in government and as a private consultant helping both public and private attorneys with technology purchasing decisions.  Although I never expected my attorney clients to be well versed in technology, the explosion of digital data, changing state eDiscovery laws, and the Federal Rules of Civil Procedure (FRCP) have markedly changed attorneys' view of technology.  Now when I talk to attorneys there is a measurable difference in how they perceive technology and how it can affect litigation. 

Recently, I had a passing conversation with an attorney about FRCP and as we were talking, he kept bringing up areas that concerned him. So I asked him, "What is your biggest eDiscovery concern?" Without hesitation he replied, "Having a judge issue 'Death Instructions'."

As he expanded on the dreaded "Death Instruction" decree, it became clear why this was such an area of concern. If a judge issues the "Death Instructions" to a jury, you most likely have lost your case and a large judgment against your company is almost a guarantee. So as companies continue to develop an eDiscovery strategy, it is important to understand what they need to do to avoid the dreaded "Death Instructions" decree.

The "Death Instructions" decree is commonly referred to as "negative inference," or simply a judge telling a jury that they can negatively infer that your failure to act in good faith in providing electronic evidence during eDiscovery can be held against you. In other words, a jury can assume you are hiding something damaging to the case and assume the worst. There are numerous examples like the following:

  • Doe v. Norwalk Community College, 2007 U.S. Dist. LEXIS 51084 (D. Conn. Jul. 16, 2007). After Defendant was informed that a sexual assault claim might be filed, they failed to halt the destruction of relevant electronic information. The court found that Defendant was not entitled to the Fed. R. Civ. P. 37(f) good faith exception to sanctions for routine destruction of data and held that Plaintiff was entitled to an adverse inference sanction regarding such data.
  • Hawaiian Airlines, Inc. v. Mesa Air Group, Inc. (In re Hawaiian Airlines, Inc., Debtor), 2007 Bankr. LEXIS 3679 (Bankr. D. Haw. Oct. 30, 2007). The airline's Executive Vice President and CFO used a wiping program on his company computers after being informed of a litigation hold. As the company had not made copies of the hard drives to preserve relevant data prior to these computer systems being wiped, the court issued adverse inference sanctions against them. 

Judgments of this type have been levied repeatedly, and avoiding them takes an understanding of what spoliation is and how to avoid it. In Hawaiian Airlines v. Mesa Air Group, the spoliation and the resulting adverse inference led to an $80 million judgment.

Spoliation is the intentional destruction of a document, or an alteration of it that destroys its value as evidence. It also covers acts a judge interprets as willful disobedience of a court order, such as not preserving digital evidence demanded in a discovery order, or failing to preserve digital evidence that reasonably should have been considered relevant to the case. In either scenario, failing to produce evidence material to a case is damning, and severe sanctions are the likely result.

With email central to business processes and often the preferred means of both internal and external correspondence, it stands to reason that protecting these communications is central to any eDiscovery strategy. The difficulty lies in knowing where important email is located within a corporate network, retrieving only the email relevant to the case, preserving an unaltered copy of a conversation, and tracking who sent and received each message. Each of these can be problematic when trying to provide a clear and accurate answer to an eDiscovery request.

Estorian LookingGlass provides answers to problems faced by corporations in establishing an eDiscovery strategy as it pertains to email communications by:

  • Centralizing email and eliminating the need for mail distributed across PST files. Companies can confidently search all email for case relevance without worrying about missing something material because nobody knows where an email resides on the network.
  • Accelerating the review process by reducing email down to only the relevant messages. After email is indexed into a structured format, costs can be reduced by sending only relevant information to external providers or outside counsel.
  • Keeping the integrity and authenticity of email intact by preserving headers and metadata. This supports the accuracy of the communication and makes it possible to track an email's recipients.

Any time a case goes before a jury there is a risk the result will not favor your side. But not taking the proper steps to preserve digital information can make that risk a certainty. With judges having wide discretion in levying large penalties for spoliation of evidence, it makes sense that avoiding this situation would be a top priority for attorneys. Products such as Estorian's LookingGlass give companies the ability to properly answer eDiscovery requests and avoid a judge issuing the sinister-sounding death instructions.

Blog Services by DCIG, Inc.

Regulatory Best Practice Lessons from the Past Provide a Roadmap for Technology in the Future

Howard Haile on 30 Jan 2009
This is the third and final installment of a series on the current financial crisis and what role technology might play in helping organizations adhere to forthcoming federal regulations.
 
As we have moved through this series of blogs investigating the current financial crisis and subsequent economic woes of the United States, we have hit upon several areas that are not at the forefront in today's debate.

  • In part 1, I looked at the impact of the elimination of the "up-tick" rule and the role hedge funds have played in this current financial crisis.
  • In part 2, I highlighted the efforts by Senator Grassley (R-IA) to bring hedge funds under the purview of the SEC, and Rep. Kanjorski's after-the-fact hearings on the Bernie Madoff scandal in the 111th Congress. In part 2 I also brought out how the SEC tried to rein in the hedge funds and how a ruling from the U.S. Court of Appeals for the D.C. Circuit negated its ability to regulate the hedge fund industry.
All of these areas have had a large impact in leading up to the current crisis and will almost certainly result in new regulations, but what role will technology play in complying with and/or enforcing these new rules?

At this time, that is still a difficult question to answer, as the 111th Congress is providing little insight into what new rules it will pass. So often the best thing to do in times like this is to take a step back and look at the recent past in order to gain some insight as to what the near future may hold.

The largest scandal in recent history was the Enron scandal in 2001. Out of that debacle, the Sarbanes-Oxley Act of 2002 (SOX) emerged as a regulatory remedy to give the government greater visibility into a corporation's debts and losses, and it also increased criminal sanctions for corporate executives. SOX itself did not mandate any particular technologies, but it is hard to imagine corporations complying with SOX's terms without technology to ensure the proper internal controls.
 
So as this particular regulatory saga continues to unfold over the coming months it is a good idea to review best practices that not only helped organizations comply with SOX but should help them prepare to address the challenges that are bound to emerge out of this new Congressional session:

  • Create an IT infrastructure that provides the ability to rapidly assess and report on critical events. Examples of events would be those that may materially affect a company's operations or financial reporting.
  • Put in place a robust records management program. Organizations need to rapidly respond to regulatory demands and legal disputes. Knowing what data you have, where it is located and how long to retain data is a necessity as it pertains to regulation and legal requests. Understanding the content of data and not just the type of data are keys to best managing regulatory data requirements and answering legal challenges.
  • Converge, simplify and centralize data to ease regulatory compliance burdens. It is important to understand how convergence in areas such as data security and compliance, as well as simplified reporting, and centralization of data, can help organizations meet  the internal requirements for checks and balances and mitigate the risk that forthcoming regulations pose.     
  • Deploy content management solutions that focus on email retention. Whether administrative, fiscal, or general operational email correspondence, information in these categories can have a material effect on a company as it pertains to both compliance and legal proceedings.
  • Understand thresholds as they pertain to document retention. A solid understanding of legal retention thresholds as defined by federal or state law is necessary to guide an organization so it knows when data such as email can be destroyed and can justify why specific data was removed. Improper destruction of documents can be at best a weakness in a case, or worse, criminal negligence.
When examining these best practices it makes sense that organizations deploy technologies such as Estorian's LookingGlass to meet both current and emerging regulatory demands.  LookingGlass provides the ability to support these best practices by providing companies the ability to:

  • Set policies and be alerted in real time when company standards regarding content have been breached. Alerts can be set based on company specific criteria such as regulatory compliance, control of intellectual property, or offensive material. Policies then decide if the e-mail should be blocked, quarantined for review, or allowed.  LookingGlass provides the ability to report on activities through the use of standardized or customizable reports.  
  • Centralize email communications by providing a central repository for all e-mail. This centralization eliminates the need to access and search individual PST file repositories through its real-time capture and indexing of all e-mails, which are centrally stored for future reference. The indexing makes emails quickly searchable and also brings email under the umbrella of an organizational records management policy. Organizations can then set data retention policies that prevent users from deleting materially necessary information needed for regulatory compliance or to answer a legal eDiscovery notice.
When there is regulatory uncertainty, as is the case today, there can be a tendency to overreact. But understanding how organizations responded to past regulations such as SOX is still relevant in today's environment, and the technology choices organizations have today are far more numerous and mature than when SOX was passed a few years ago. Organizations face a great deal of uncertainty in 2009, but they can take some assurance that products such as LookingGlass will give them the ability to take control of their unstructured email data stores so they do not accidentally find themselves in a compromised position from a compliance and regulatory viewpoint, regardless of what new regulations the current Congress passes.

The Underground History of the Current Financial Crisis

Howard Haile on 22 Jan 2009

This blog is the second in a series that will examine the current economic crisis and the role technology might play in future regulation. 

In the first blog entry of this series, Congressman Paul Kanjorski (D-PA), Chairman of the Subcommittee on Capital Markets, Insurance, and Government Sponsored Enterprises, confirmed that 2009 is shaping up as a year of regulation. But as Congress looks for answers as to how and why this financial crisis occurred, more hearings will most assuredly convene, and squarely in their focus are the SEC, hedge funds and the financial industry. But how did we get in this predicament in the first place, and why did the SEC exercise so little control over the hedge funds that have contributed so heavily to today's economic crisis?

A hedge fund is a private pool of investment money that uses sophisticated stock trading techniques such as short selling to make a return for its investors and is traditionally a closed fund that is limited only to wealthy investors. Most people are familiar with mutual funds which are similar to hedge funds as they both invest a collective pool of money. But the big difference between the two is how they are regulated. Hedge funds are largely allowed to function without regulation whereas mutual funds are heavily regulated.

That began to change in February 2005, when hedge fund advisers were required to register under the Investment Advisers Act of 1940; up until this time, hedge funds had avoided this type of regulation. The SEC made the rule change because it perceived hedge funds as being engaged primarily in the business of investing, reinvesting, or trading in securities. The SEC also noted that "hedge funds typically remain secretive about their positions and strategies, even to their own investors."

This SEC action was designed to effectively bring hedge funds under the purview of the SEC so as to maintain communication and make them subject to reviews for fraud by giving the SEC the freedom and power to walk in and say at any time, "Let me take a look at your business practices."

But here is where it gets interesting. In 2006, when the rule requiring hedge funds to register was to take effect, the U.S. Court of Appeals for the D.C. Circuit overturned it. In short, the court said the SEC overstepped its bounds, and on June 23rd, 2006 the hedge fund rule was vacated and remanded. The basis of the court's opinion was heavily vested in the definition of a "client." The court found that the SEC's decision to count each investor in a hedge fund as a "client" of the fund's adviser, which brought advisers with fifteen or more such clients under the Advisers Act, was arbitrary. The downside to this ruling was that it once again left hedge funds unregulated.

In May 2007 Senator Charles Grassley (R-IA) recognized this loophole and introduced a bill titled the "Hedge Fund Registration Act of 2007." This bill was designed to amend the Investment Advisers Act of 1940 and require hedge funds to register with the SEC. It also strove to bring transparency to the hedge fund industry. Senator Grassley said at the time, "This bill will allow the SEC to oversee these advisers and prevent them from operating in secret."

He also said that this type of oversight was important because hedge funds affect not just wealthy investors but regular investors and the market overall. However the Hedge Fund Registration Act bill he proposed did not become law so hedge funds once again continued to operate without any outside regulatory oversight.

In Q2 2008, hedge funds had total assets of $2.973 trillion. As we now know, the collective assets of these hedge funds had the ability to produce substantial stock market moves that had a negative effect on all investors as well as our overall economy.

But more disconcerting, this lack of transparency and oversight by the SEC has led to scandals such as the recent Bernie Madoff Ponzi scheme. Even more significant, incidents like this have added further shock to the psyche and confidence of a market already shaken by out-of-control hedge funds.

Right now it is in vogue to put some of the blame for the current financial crisis at the feet of the SEC. Granted, they did not do everything right. However, there is clear evidence, based on the D.C. Circuit's ruling, that the SEC had no prior authority to regulate the hedge funds, so even when the SEC or government officials like Senator Grassley sought to make these needed changes, they were stopped in their tracks.

As the 111th Congress convenes and President Obama assumes office, they will surely debate the economy and what regulations they need to pass to avoid this scenario in the future. But in order for new regulations to have any effect, and for regulators to use new technologies such as Estorian's LookingGlass to gain insight into what is going on, courts cannot continue to undermine existing laws and Congress cannot sit on its hands until the crisis is already at a peak.


Deter the Use of Flash Drives to Avoid Corporate Espionage

James F. Koopmann on 14 Jan 2009
The portability and high capacity of flash drives are creating headaches for many companies. The Net is swarming with stories of misuse, illegal activities, and security concerns as more and more of these devices are lost, stolen, or used to steal sensitive information. There are two basic categories of threats to information when corporations allow unrestricted use of flash drives within an organization: the introduction of viruses, and the potential for lost or stolen data.

Viruses - While we think of viruses as obnoxious annoyances, malware is now being used to shut down security controls and let outsiders infiltrate networks and steal information, and a simple, unthreatening flash drive is an ideal way to carry such Trojans between a home computer and the office network. While I'm sure the Pentagon, one of America's hot-beds for sensitive information, is just as concerned about lost or stolen data, it recently suffered a virus attack that, it seems, was caused by the misuse of flash drives. While no details of the attack have been released, the Pentagon has banned the use of external flash drives.

Lost Flash Drives - Amazingly, these little flash drives get lost quite frequently. I've even heard of small surveys, under 500 participants, where it was reported that a flash drive was lost just about once every week. A quick search on The Breach Blog for lost or stolen data on flash drives clearly shows this category as being quite active, with the potential for severe ramifications.

Stolen Information - There are also cases where employees intentionally steal information through the use of flash drives. This category is reported much less than the others, as organizations clearly do not want to admit they have allowed their employees to walk off with sensitive information.

Much of the information stolen behind corporate walls is not necessarily reported. Internal trade secrets, code, or application data typically goes unnoticed. A recent quote in The Wall Street Journal by Steven Fink, president of Lexicon Communications Corp., in relation to the recent Federal investigation on whether Chinese companies were involved in attempts to steal commercial technologies from Silicon Valley companies, further solidifies the ease in which corporate data can be stolen. Mr. Fink states: "From a bottom-line perspective, economic espionage makes great sense--it's relatively easy, and there's little chance of getting caught or punished".

As a transport mechanism, much of an organization's information assets move through the company in the form of email, constantly being shared, copied, and forwarded. This information is clearly at high risk. While many companies monitor outgoing email traffic, copying data to external media such as a flash drive can go unnoticed. In a recent Seattle Times article, "Software can lock and unlock e-mail", Gary Tidd, CEO of Estorian, said "employees who want to harm the company will do so one way or another, and can steal data with flash drives." Tidd went on to say that Estorian's software can act as a deterrent or virtual padlock to help detect and protect data usage. "Our software is like a lock on the door," Tidd said. "It keeps honest people honest."

With the use of flash drives, organizations will continue to wonder where all corporate data resides and if it is being transported offsite. It really doesn't matter how data gets on flash drives, what matters is the fact that once on a flash drive information is easily transported outside the jurisdiction and security of a company.  Solutions such as Estorian's LookingGlass allow companies to set policies, enable alerting, and prevent individuals from moving email to external storage devices. Effective content monitoring of email not only safeguards corporate assets and intellectual property but ensures compliance and identifies potential security risks.

A Substantial Rewrite of the Laws Governing US Financial Markets Looms in 2009

Howard Haile on 5 Jan 2009

This blog is the first in a series of blogs that will examine the current economic crisis and the role technology might play in future regulations.

Warren Buffett has a saying about business that goes "In the business world the rear view mirror is always clearer than the windshield." So in today's business environment, that quote just begs the question, "Just how dirty was the business world's windshield leading up to this current economic crisis?" With uncertainty around every corner and bad news being topped by even worse news on an almost daily basis, it would seem 2009 could very well be the year of regulation, as President-Elect Obama and the Democratic majorities that control both houses of Congress appear to have a clear-cut mandate from the US population to take a hard look in the rear view mirror.

If there was ever any doubt that Congress will delve deeper into how this crisis transpired and take steps to prevent it from occurring again, a recent statement that DCIG obtained from Congressman Paul E. Kanjorski (D-PA), Chairman of the Subcommittee on Capital Markets, Insurance, and Government Sponsored Enterprises, should remove it. Congressman Kanjorski shared with DCIG that beginning on January 5th, 2009, he will convene hearings into the Madoff case and stated, "The hearing will help guide the work of the Financial Services Committee in the 111th Congress as it begins to undertake the most substantial rewrite of the laws governing the U.S. financial markets since the Great Depression."

The motivation behind these new regulations is to start to restore the confidence of investors who have seen the Dow Jones Industrial Average fall from its all-time record high of 14,164.53 on October 9th, 2007 to its recent close of 8,668.39 on December 30th, 2008. Furthermore, illegal and questionable activities such as the recent $50 billion Ponzi scheme carried out by Bernard Madoff and out-of-control hedge funds have everybody up in arms calling for further government oversight of this industry. In fact, it has gotten so bad that even hedge fund managers acknowledge that stricter oversight of their industry is warranted. But what becomes more interesting as we start to look in the rear view mirror is the timeline of events that have led up to the situation we find ourselves in now.

To understand where this all begins, we actually need to go all the way back to the 1920's. At that time, short selling raids played a significant role in the 1929 stock market crash which resulted in the creation of a rule in the 1930's called the "up-tick rule". This simply required a buyer to be willing to purchase a stock for more than the amount of the last sale before a stock could be shorted. This was done to prevent the short selling bear raids on stocks which contributed greatly to the rampant selling in 1929.

The SEC eliminated the up-tick rule in 2007 after a pilot test of its removal. But what the SEC failed to take into account when it ran that test was that the Dow Jones was in the middle of a bull market, so it did not fully understand what the impact of removing the rule would be in a bear market. So essentially what happened in 2008 was the same thing that occurred in the 1920's: bear raids on financial stocks. When bear raids hit the stocks of large financial companies, firms such as Bear Stearns, Lehman Brothers and others bore the brunt of the panicked selling. As a result the credit markets froze, which helped contribute to a deep and protracted worldwide recession.

The SEC has been taking enforcement action, and numerous examples of this enforcement are available on its web site. A recent example is the announced emergency court order stopping "investment clubs" that had defrauded Haitian-Americans of over $23 million. But Rep. Kanjorski plans on bringing the SEC into the spotlight in the upcoming hearings regarding the Bernie Madoff case. As part of Rep. Kanjorski's statement to DCIG, he also communicated, "These proceedings will help us to discern whether or not the Securities and Exchange Commission had the resources needed to get the job done; how such a sizeable scheme (Madoff's Ponzi scheme) could have evaded detection for so long; and, what new safeguards we need to put in place to protect investors."

As these proceedings convene, it appears that the SEC and hedge funds will be front and center in determining how best to regulate and protect the markets and investors. If history is any indicator, technology will play a large role in enforcing these sweeping new changes. Protecting communications, ensuring data is archived and retrievable, and being able to provide that information in a timely manner will most assuredly be part of this equation, and software such as Estorian LookingGlass will clearly be needed to meet the demands of these forthcoming regulations. In my next blog entry I will expand upon the hedge fund timeline and dive deeper into this issue.


Preparation is the Best Defense When Litigation Emerges and Getting it Wrong Costs Plenty

Howard Haile on 18 Dec 2008

Recently I had an opportunity to attend an interesting presentation by John Mallery of BKD, LLP that was given to a group of IT industry professionals regarding how to protect trade secrets and the use of forensics to identify wrongdoing. A large part of his speech focused on eDiscovery and FRCP and how companies must understand the importance of having an eDiscovery strategy. But the part that really struck home with me was when the presenter asked the crowd of around 60 or so participants who knew what eDiscovery and FRCP were. Stunningly, only three people, including myself, raised their hands. Now this is by no means a scientific measurement of companies and their knowledge of eDiscovery, but it was surprising to me nonetheless and, unfortunately, it is probably closer to reality than most of us would like to admit.

As companies are faced with lawsuits involving eDiscovery, one thing they quickly discover is that a lawsuit today is much different than in the past. With the advent of electronic records and the mass quantity of records being generated, material that could be helpful or, conversely, detrimental to a case can be identified. In either scenario costs are involved, and only through understanding how to approach mass volumes of electronic documents and how to retrieve the proper information can informed decisions be made that best protect a company. Using this information to build a proper defense is vital, and there is no substitute for being prepared and understanding the evidence against you.

Parsing through large amounts of ESI (electronically stored information) is only part of the cost companies face; legal fees, lost time and productivity, and damage to a company's reputation should also be considered. Because of these factors, a look at the totality of the circumstances is warranted when considering whether to go to trial. Some areas to consider are:

  • How much is the lawsuit worth?
  • How long of a trial is the company facing?
  • After an honest assessment of the evidence what are the chances of winning a trial?
  • Could there be unfavorable publicity?

Once these questions are answered, and as hard as it might be to face, sometimes a more cost-effective strategy is to settle the lawsuit. A recent study of civil lawsuits showed the cost of getting the trial-or-settle decision wrong was $1.1 million for defendants. This cost was directly attributable to a mistake or miscalculation on when to go to trial versus when to settle. Understanding the risks associated with going to trial is key to making the right decision, and evidence contained in electronic information such as e-mail plays a huge role in this decision-making process.

Products such as LookingGlass by Estorian provide the information you need to make an informed eDiscovery decision. LookingGlass gives you the ability to:

  • Provide necessary legal retention and management of e-mail - By managing e-mail archives with LookingGlass, companies are better able to search, retrieve and examine all e-mails relevant to an eDiscovery request.
  • Reduce pre-case assessment and review costs - LookingGlass reduces large volumes of e-mail to the relevant information based on a company's search criteria. This gives counsel relevant information in a timely manner so as to better facilitate decision making. By sending only relevant data to outside counsel or providers, an accelerated review process is possible and costs are reduced.
  • Preserve the integrity and authenticity of discoverable data - LookingGlass archives all e-mail data, including all metadata. Capturing header information and metadata supports the authenticity of the communication and documents who sent and received it.
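The bullets above, like the similar bullet in the "Death Instructions" post earlier on this page, say that preserving headers and metadata keeps email integrity and authenticity intact. Preserved headers by themselves cannot show that a message was not altered after capture; that takes a fingerprint of the unaltered raw bytes, recorded at capture time alongside the metadata. The Python below is an added example written for this page, not Estorian or LookingGlass code, and shows the minimum a preservation record needs: the SHA-256 of the raw message, the Message-ID, sender, recipients, Date and Received chain, plus the custodian and capture time. The message, addresses and domains are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone
from email import policy
from email.parser import BytesParser

# Constructed sample message for this example (not a real email).
SAMPLE_EML = (
    b"Received: from mail.example.com (mail.example.com [192.0.2.10])\r\n"
    b"  by mx.example.net with ESMTP id abc123\r\n"
    b"  for <counsel@example.net>; Tue, 03 Feb 2009 09:15:02 -0600\r\n"
    b"From: \"A. Executive\" <exec@example.com>\r\n"
    b"To: counsel@example.net\r\n"
    b"Cc: cfo@example.com\r\n"
    b"Date: Tue, 03 Feb 2009 09:14:55 -0600\r\n"
    b"Message-ID: <20090203151455.1234@example.com>\r\n"
    b"Subject: Q4 numbers\r\n"
    b"\r\n"
    b"Attached are the revised figures we discussed.\r\n"
)


def _addr_specs(msg, name):
    """Return bare addresses (local@domain) for every header called `name`."""
    return [a.addr_spec for hdr in msg.get_all(name, []) for a in hdr.addresses]


def preserve(raw: bytes, custodian: str) -> dict:
    """Build a preservation record for one message.

    The SHA-256 is computed over the raw bytes exactly as captured, so any
    later change to headers or body (even whitespace) is detectable. The
    metadata fields are what an eDiscovery request usually asks for: who
    sent it, who received it, when, and which servers relayed it.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "size": len(raw),
        "custodian": custodian,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "message_id": str(msg["Message-ID"]),
        "sender": _addr_specs(msg, "From")[0],
        "recipients": _addr_specs(msg, "To") + _addr_specs(msg, "Cc"),
        "date": str(msg["Date"]),
        # Received headers in the order they appear (most recent hop first),
        # unfolded but otherwise unaltered.
        "received": [str(h) for h in msg.get_all("Received", [])],
    }


def verify(raw: bytes, record: dict) -> bool:
    """True only if `raw` is byte-for-byte what was hashed at capture time."""
    return hashlib.sha256(raw).hexdigest() == record["sha256"]


if __name__ == "__main__":
    record = preserve(SAMPLE_EML, custodian="exec@example.com")
    print(record["sha256"], record["recipients"])
    assert verify(SAMPLE_EML, record)
    # Changing a single word in the body breaks verification.
    assert not verify(SAMPLE_EML.replace(b"revised", b"original"), record)
```

The hash proves integrity from the moment of capture onward, which is what an adverse-inference fight is about; it says nothing about whether the headers were truthful when the message was first sent, since Received and From headers can be forged upstream. The record itself should be written to storage the custodian cannot modify, or the hash is only as trustworthy as whoever holds it.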

After reviewing the evidence and information in an eDiscovery request the reality is something wrong might have occurred and at that point a company has a decision to make as to whether to settle or defend the case. Without having the ability to retrieve and review documents such as e-mail, companies are putting themselves at a severe disadvantage in terms of making an informed decision. 

It makes sense that companies position themselves to reduce risks by enabling the archiving and searching of electronic information such as e-mail.  Providing counsel the ability to make informed decisions, and, if necessary, settle a lawsuit is necessary to protecting a company's assets. Without a clear picture of the evidence, companies run the risk of making the wrong decision and thus incurring a much larger cost than if they had the right information and could make the right decision at the outset. 


PCI-DSS v1.2 Brings Cardholder Data Contained in Emails under the Purview of Corporate Auditors

Jerome M Wendt and Howard Haile on 9 Dec 2008

The risks inherent to the payment card industry (PCI) and to consumers using credit cards are well documented. High-profile data breaches such as the TJX breach are a painful reminder of the importance of securing consumer information and the need for security standards such as the Payment Card Industry Data Security Standard (PCI-DSS). Originally created when Visa, MasterCard, Discover and American Express aligned their individual data security programs, PCI-DSS version 1.2, released in October 2008, provided clarifications and updates to meet today's payment card security challenges. One example is that anti-virus software is required on all systems commonly affected by malware, regardless of operating system.

PCI-DSS compliance levels are dependent upon the number of card transactions a company processes during a 12-month period. The number of transactions determines the Level (1-4) that the company falls within and, in turn, the steps it needs to take to ensure compliance. Using the PCI-DSS framework to aid in the risk assessment process provides 12 specific requirements organized into six categories, one of which calls for the creation and enforcement of an information security policy for cardholder data.

Compliance within this specific category calls for companies to:

  • Securely collect and store cardholder data. Companies need to ensure all collected data logs are secure and available for audit review and analysis. This includes a log management policy that addresses how the data logs will be stored and reviewed, separation of log review duties, how long logs will be kept, and proper access controls over the data logs. Cardholder data at rest should be kept in encrypted form, with proper encryption key controls in place. Any logs relating to key management should be reviewed for compliance with key change policies.
  • Report on the status of the archived cardholder data. Companies must prove to the auditor that they are in compliance by providing evidence that proper security controls are in place and protecting cardholder data. Some of the events an auditor will be looking for are: all individual user accesses to cardholder data; which individuals have access to audit trails; use of authentication and identification technology; and creation and deletion of objects.
  • Monitor and alert companies as to how archived cardholder data is accessed. Monitoring and alerting are crucial to compliance with PCI-DSS. Some of the areas auditors will look at are: access controls to cardholder data; how access is monitored; physical controls over areas that contain cardholder data; what technologies are in place to alert when cardholder data has been accessed; what policies and procedures guide the security of cardholder data; what processes defined in policy are in place to ensure compliance; and whether those processes are being followed.

The focus of the PCI-DSS standard is to ensure that companies are locating and securing cardholder data, and to provide a means to justify the penalties imposed on companies that fail to comply with the standard and then suffer breaches of their cardholder data. Penalties for these breaches can include fines that reach half a million dollars, cardholder legal action and the possible loss of the privilege to accept credit card transactions.

As part of enforcing compliance with the PCI-DSS standard, companies are required to "Protect Cardholder Data", as set out in PCI-DSS requirements 3 and 4. A large part of this requirement is ensuring that cardholder data in e-mail is protected through encryption as it is transmitted across untrusted networks, as well as protecting stored cardholder data in places such as PST files. It is a given that cardholder data is finding its way into corporate e-mail, so companies need a way to detect when and if cardholder data is accessed and to prevent it from being sent to unauthorized parties.
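As an added illustration (not Estorian's or LookingGlass's code), here is how a mail gateway or archive might detect cardholder data in message text: a loose pattern finds digit runs, the Luhn checksum filters out order numbers and other digit strings that are not card numbers, and each hit is reported masked to first six/last four so the alert itself never stores a full PAN. The sample message and the test card numbers are constructed.

```python
"""Constructed example: find and mask primary account numbers (PANs) in
e-mail text so an archive can alert on cardholder data without storing it
in full. Illustrative only; not Estorian/LookingGlass code."""
import re
from dataclasses import dataclass
from typing import List

# Loose candidate pattern: 13-19 digits, optionally separated by spaces or
# dashes. Deliberately broad; the Luhn check below does the real filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


@dataclass
class PanHit:
    masked: str   # first six and last four digits, the most PCI-DSS allows on display
    length: int   # number of digits in the PAN
    offset: int   # where the candidate starts in the scanned text


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum shared by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _valid_candidate(match) -> str:
    """Bare digits of a regex candidate if it passes Luhn, else an empty string."""
    digits = SEPARATORS.sub("", match.group(0))
    return digits if luhn_valid(digits) else ""


def find_pans(text: str) -> List[PanHit]:
    """Every Luhn-valid PAN in text, reported only in masked form."""
    hits: List[PanHit] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _valid_candidate(m)
        if digits:
            hits.append(PanHit(mask_pan(digits), len(digits), m.start()))
    return hits


def redact(text: str) -> str:
    """Replace each valid PAN with its masked form; other numbers are left alone."""
    def _sub(m):
        digits = _valid_candidate(m)
        return mask_pan(digits) if digits else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: two well-known test card numbers plus a 13-digit order
# number that fails Luhn and therefore must not be flagged.
SAMPLE_EMAIL = ("Order 1234567890123 was paid with 4111 1111 1111 1111; "
                "backup card 5500-0000-0000-0004.")

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EMAIL):
        print(f"PAN ({hit.length} digits) at offset {hit.offset}: {hit.masked}")
    print(redact(SAMPLE_EMAIL))
```

The masked form is what should go into the alert or the audit log; a policy engine would quarantine or encrypt the original message rather than copy it.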

Estorian's LookingGlass provides a solution to these problems by:

  • Providing unlimited indexing capability so companies can track emails as they are sent and received. This creates an audit trail for any email that could contain cardholder information and shows whether or not security is being compromised.
  • Real-time alerts and policy enforcement. Companies can use LookingGlass to establish policies in line with PCI-DSS standards and then generate real-time alerts for those responsible for compliance when emails containing cardholder data are sent and/or received.
  • Transparent handling of encrypted email. If cardholder data is contained in email, encryption goes beyond encrypting that data in transit and needs to follow the cardholder data to the mailbox, PST file or archive. LookingGlass provides visibility into the encryption process during its archiving of encrypted email. With the mandate that cardholder data be encrypted across untrusted networks, LookingGlass gives companies the ability to follow the encrypted cardholder data even in its archived state.

PCI-DSS version 1.2 provides a needed upgrade to companies' ability to mitigate the security risks that pertain to cardholder data. The standard is designed to protect consumers and shift the financial risk back to the offender, providing a more proactive and easier-to-understand set of rules to follow. But it is important for companies to understand how their current information security policy addresses the risks covered by PCI-DSS and how their current e-mail system fits within this standard.

When identifying and protecting cardholder data in email, products such as Estorian's LookingGlass provide the ability to track cardholder data over email as well as alerting and policy enforcement for cardholder data in e-mail. LookingGlass also handles email encryption and allows encrypted email to be securely archived by preserving the e-mail's encrypted status. All of these areas are crucial in ensuring that cardholder data within e-mail meets the "Protecting Cardholder Data" standard within PCI-DSS. Without the proper controls in place, the risks associated with non-compliance with these standards can put the ability to accept credit card transactions in jeopardy and thus eliminate a vital revenue stream.

Blog Services by DCIG, Inc.

Don't Look now but the SEC is Coming and it is your Data that it Wants

Jerome M Wendt and James Koopmann on 25 Nov 2008

There is no question that the current economic uncertainty will continue to impact organizations on a global scale for some time to come, and every organization is taking a much harder look at its IT budget for 2009. Gartner now projects that IT budgets in 2009 will increase a meager 2.3 percent, down from its earlier projection of 5.8 percent, while IDC has cut its forecast for US IT budget growth in 2009 to below 1%. But just because IT budgets for 2009 are getting cut does not mean the government is going to cut companies any slack in meeting new compliance requests or give them more time to satisfy them.

If anything is going up at this time, it is the number of enforcement actions that the SEC is carrying out. While it seems the SEC is always involved in high-profile cases, the number of them is at an all-time high. A quick look at the SEC's activity in 2008 reveals how hard it is cracking down on offenders, seemingly working around the clock to investigate, enforce and punish any wrongdoing. Just last month the SEC announced its Fiscal 2008 Enforcement Results, which showed a general uptrend in litigation that it forecasts will extend well into 2009 and beyond. For example:

  • 2008 is the second year in a row that the SEC returned more than $1 billion back to investors, not including the $50 billion earmarked as preliminary settlements with six of the largest firms in the auction rate securities market
  • The SEC brought 671 enforcement actions during the just-completed fiscal year
  • Insider trading cases were up more than 25%
  • Market manipulation cases were up more than 45%
  • There are more than 50 ongoing investigations relating to the subprime market
  • It brought a record number of enforcement actions against market manipulators
  • It is now working its highest case load ever of insider trading

While on one hand everyone is probably grateful that the SEC is doing its job, on the other hand everyone is also probably wondering how long it will be before the SEC (or some other government agency) is knocking on their door. This is not as far-fetched as it may sound, especially when one considers that Congress is promising to pass even more regulations in 2009 that may well extend beyond financial institutions to encompass businesses in other verticals. Taking a look at the SEC website under 'Taking Swift Action to Stabilize Financial Markets' and 'Enhancing Transparency in Financial Disclosure', one can easily see that the SEC is already taking steps to increase its effectiveness in 2009 by producing regulations that will require companies to:

  • Expose more of the internal, day-to-day details of corporate business. Proposed SEC regulations will mandate still higher levels of accounting and reporting that will force companies to "stay clean", as irregularities will be detected much earlier and faster in the litigation process
  • Expedite reporting by having standardized reports available at any time during investigation and litigation periods. Just as the assembly line helped Ford produce more cars, quicker and standardized reporting will help the SEC get to the bottom of investigations faster

In addition to these two points, it is widely accepted that companies will need to disclose much more information than ever before. And since more corporate data is kept in the form of electronically stored information (ESI), and especially in the form of email, these new regulations will place an overwhelming burden on IT to effectively store and quickly discover information during litigation proceedings.

But to respond to this, companies will need to obtain the appropriate expertise and tools through some combination of hiring talented personnel, contracting with experts or equipping IT staff with the tools needed to respond to these eDiscovery requests. In this last regard, emerging, innovative technologies such as Estorian's LookingGlass enable companies to collect, save, review and produce the material they need to quickly and effectively comply with current and emerging eDiscovery obligations.

The SEC realizes that within the corporate setting email has become the prevalent means of business communication and that most information within a business is disseminated using inline email text and email attachments. Estorian's LookingGlass puts companies in a position to dramatically accelerate the review process by reducing millions of messages to a subset of accurate and relevant information.

Analyst firms like Gartner and IDC are cutting IT spending forecasts for 2009 but that does not mean companies plan to stop IT spending, it just means that they plan to spend less even as government agencies such as the SEC step up their enforcement efforts. As these changes occur, companies need to get more value for their IT dollar while still responding to these new legal eDiscovery requests. Estorian LookingGlass gives companies the means to quickly implement and change policies while creating the type of agile infrastructure that companies need to respond to current and future litigation demands.


Federal Rule 502 Corrects Gap in FRCP 26(b) but Companies Still Need to Deliver on Reasonable eDiscovery Standards

Howard Haile on 19 Nov 2008

When President Bush signed S.2550 into law on September 19, 2008, Federal Rule of Evidence (FRE) 502 went into immediate effect. This law brought much needed clarity to Rule 26(b)(5)(B) of the Federal Rules of Civil Procedure (FRCP). When the FRCP was amended in 2006, the addition of 26(b)(5)(B) was a recognition that the sheer volume of documents in an eDiscovery request would lend itself to accidental disclosures of data that could jeopardize the attorney-client privilege. Attorney-client privilege is quite simply a court-recognized protection of communications between a client and their attorney. This protection is designed to allow open and honest communication between clients and attorneys so as to aid in the legal process.

A recent example was a May 2008 ruling in Maryland that an accidental disclosure of 165 documents during the eDiscovery process had waived attorney-client privilege for a company embroiled in an intellectual property infringement case. Although 26(b)(5)(B) was a welcome attempt to bring a standard response to the issue of accidental disclosure, it has not held up in court, and so FRE 502 was born.

FRE 502 speaks specifically to a standardization of the procedure on privilege waiver where an inadvertent disclosure of information protected by attorney-client privilege or work-product protection occurs as a result of a legal eDiscovery request. This is an important clarification of when attorney-client privilege is lost through accidental disclosure of documents. If the courts rule that a disclosure of documents has waived this privilege, it can have a devastating effect on the defense of a case. FRE 502 provides that inadvertent disclosure in a federal proceeding does not waive attorney-client privilege provided:

  • The disclosure was indeed inadvertent
  • The holder of the privilege took reasonable steps to prevent the disclosure
  • The holder promptly took steps to rectify the error

eDiscovery is extremely difficult to discuss without talking about the associated costs and the staggering amounts of data that can be subject to review. Even though FRE 502 attempts to reduce the costs associated with eDiscovery, it does not reduce the vast amounts of data that companies need to cull in response to these legal eDiscovery requests, especially in the arena of email.

The challenge is managing these growing email data stores while ensuring a reasonable standard can be applied to any accidental disclosure so as to not jeopardize attorney-client privilege. Applying this standard to large amounts of data such as email is paramount to ensuring companies control their eDiscovery processes while mitigating the associated risks.

Estorian's LookingGlass introduces these desired controls over email data stores and helps ensure a reasonable standard is present in this very important part of the eDiscovery process. It helps prevent accidental disclosure of confidential emails by allowing companies to proactively index, track and search email communications when responding to eDiscovery requests.

Estorian's LookingGlass addresses the issues defined in FRE 502 and helps safeguard attorney-client privilege through several features, such as:

  • A proactive approach to email archive management. Email archives greatly improve a company's ability to search, retrieve and examine all emails in an organization without needing to access and search end-user .pst files.
  • Legal retention of email with active monitoring. Companies no longer need to employ an after-the-fact fire drill to produce important email documentation. LookingGlass stores and indexes all email and permits legal holds and searches of emails for eDiscovery purposes.
  • Email can be flagged and forwarded based on user-defined parameters that match your eDiscovery needs. E-mail can be automatically monitored in real time and reported against for adherence to policies based on internal and external requirements.

The federal government's acknowledgment of the volume of data and the cost of eDiscovery is a welcome and needed change to the FRCP, but FRE 502 still does not completely eliminate the risks of disclosure. It does, however, introduce a reasonable standard to a part of the eDiscovery process that could otherwise inadvertently waive attorney-client privilege, and implementing LookingGlass goes a long way towards demonstrating that a company has put in place reasonable steps to prevent such accidental disclosures.

Whether or not FRE 502 does anything to reduce the costs of eDiscovery remains to be seen, but companies can be guaranteed that email volumes will continue to mount. It is only by adopting a proactive approach to managing this data that companies can minimize the risks associated with accidental disclosure and ensure they do not inadvertently waive their attorney-client privilege now or in the future.


Stock Market Crashes Bring the Inevitable New Compliance Concerns

Jerome M Wendt and James Koopmann on 7 Nov 2008

Today's financial crisis is not the first one to occur and likely will not be the last. However, as with previous stock market crashes, such as the one in 1929, we can expect to see new legislation take effect. Out of the crash of 1929 came the passage of the Securities Act in 1933 and the Securities Exchange Act in 1934, which ultimately resulted in the establishment of the Securities and Exchange Commission (SEC) in 1934. Since then, the SEC has been actively involved in making changes to the financial regulatory system whenever a financial crisis occurs, and it is safe to say this one will be no exception.

For proof of this, one need only look at the web page the SEC has dedicated to tracking its actions during this crisis, which illustrates the flurry of activity currently going on.

  • The SEC is undertaking sweeping enforcement measures against market manipulation and aggressively combating fraud that has contributed to the subprime crisis and the loss of confidence in credit markets. More than 50 pending SEC investigations are in the subprime area.
  • The Enforcement Division announced what will be the largest settlements in the history of the SEC for investors who bought auction rate securities from Citigroup, UBS, Wachovia, Merrill Lynch, RBS Capital Markets Corp. and Bank of America.
  • The SEC brought a landmark enforcement action against a trader who spread false rumors designed to drive down the price of stock.
  • The SEC charged two Bear Stearns hedge fund managers with fraudulently misleading investors about the financial state of the firm's two largest hedge funds and their exposure to subprime mortgage-backed securities.
  • The SEC charged two Wall Street brokers with defrauding their customers when making more than $1 billion in unauthorized purchases of subprime-related auction rate securities.

Notice the severity of the pending investigations, the dollar figures and the use of words such as "largest" and "landmark" when describing these actions. These actions are just the tip of the iceberg and give rise to questions as to what the true extent of the regulatory fallout from this financial crisis will be. But rest assured, history shows that what happens in the financial industry will most assuredly be imposed upon all public companies, and non-compliance will not be an option.

Regardless, companies must be ready for the fallout. Ensuring your company is compliant and ready to meet emerging compliance requirements means you will have to do more than just store electronic information and then go through corporate fire drills to perform eDiscovery. A better solution is to act now and put in place solutions that automate the monitoring and management of ESI before auditors and/or regulators show up and force you to run through the drill.

Estorian LookingGlass puts companies in a position to create the policies and procedures they need to change eDiscovery from a fire drill into an orderly process. With the LookingGlass solution, IT can offer interactive intelligence on electronically stored information and place the power of policy building, searching and retrieval in the hands of the stakeholders who need access to ESI, whether that is Legal, HR, Security, Risk Management or Compliance. Stakeholders can then use LookingGlass to build the enforcement or controls needed to maintain current compliance and to perform discoveries for future litigation as the need arises.


White House Snubs Records Management Laws with Faulty Adherence to Federal Records Act

Jerome M Wendt and James Koopmann on 30 Oct 2008

Under the Federal Records Act, each federal agency, with help from the National Archives and Records Administration (NARA), is required to maintain records that document its organization, functions, policies and activities. It is explicitly noted that federal records should not be destroyed except in accordance with the procedures described in Chapter 33 of Title 44, United States Code. A recent Washington Post report reveals that not only does the White House lack a comprehensive email archiving solution, but past solutions have been riddled with record-keeping problems:

  • Several years of electronic communications have been lost that might have documented administrative happenings around the Iraq war
  • The White House has recently admitted that they have problems with archiving and finding emails
  • The National Security Archive, along with the Citizens for Responsibility and Ethics in Washington, has accused the White House in lawsuits of violating the Federal Records Act.
  • The House Oversight and Government Reform Committee released details in a 2005 White House study that identified 473 separate days in which no emails were stored for multiple offices

Losing email or recorded communication is not a new occurrence in the White House. Similar issues were raised around the Clinton administration when congressional probes found that hundreds of thousands of White House emails had been lost. The Government Accountability Office (GAO) might take the stance that certain administrative offices did not implement adequate record management practices. Frankly, we would go one step further and say they implemented just enough that it still gave them the freedom to tweak and manipulate record management practices. After all, how could so many electronic pieces of information get "lost" during such important times in American history when government agencies traditionally have access to the best technology that money can buy?

The Washington Post report also makes the point that even though the White House records management system was finally fixed by the end of the Clinton administration, the current Bush administration decided to phase out the system. This makes no sense in light of what technologies are available for the email system used by the White House. It has moved to Microsoft Exchange (used by over 60% of American businesses and for which reliable email archiving software is readily available) and, according to a recent White House affidavit, utilizes two systems to store electronic messages:

  • Backup tapes that could be used in a DR scenario
  • An archive that is part of its e-mail software (we are assuming this archive is Microsoft Exchange's native archiving solution but not positive)

The fact that the White House has decided to implement email retention with both tape backup and Microsoft Exchange's options presents some interesting problems, especially considering its inability to adequately perform eDiscovery against either of these two email repositories. Backups are great for creating a point-in-time recovery of information but cannot recover to the point of failure: any deletions or newly created emails between the last backup and the failure are likely permanently lost. And storing data on tape using backup software is no guarantee it will be available for recovery (as we have seen during prior White House administrations, tapes are too easily and mysteriously overwritten), and data on tape is certainly not easy to retrieve and search.

All government agencies, including the White House irrespective of which party is in power, need to get in step with the times and comply with the federal records management laws that they impose upon those they govern. Centralized email archiving solutions such as Estorian LookingGlass offer these agencies such ample features and functionality (centralized email archives, enforcement of preset retention policies, data reduction and much more) that there is no reason the email stores of any government agency should be viewed as inaccessible, unrecoverable or unsearchable. The laws concerning email retention and protection are clear and the technologies are available to make it happen. The only problem, it seems, is finding people smart enough (or ethical enough) to administer these systems, and that is something no technology will unfortunately ever fix.


FTC Red Flag Rules Makes Identifying and Mitigating Phishing A Top Priority

Howard Haile on 23 Oct 2008

Phishing as a security risk has come a long way since its infancy, and while phishing has changed its style, one thing that hasn't changed is its effectiveness in attracting victims. By combining modern technology with social engineering to gain access to information such as credit card numbers or passwords, criminal activity is flourishing across the Internet. In the May 29, 2008 Quarterly Trends and Analysis Report by US-CERT (United States Computer Emergency Readiness Team), the top reported security incident was phishing. The risk documented by US-CERT is borne out in statistics tracked by organizations such as the Anti-Phishing Working Group (APWG), which reported a combined 81,215 unique phishing sites between January and March of 2008. These staggering numbers highlight the reasoning behind the FTC Red Flag Rules.

Armed with this type of information, it seems reasonable that the FTC would take the steps necessary to control the identity theft stemming from this type of security risk. Thus phishing prevention is a part of the FTC's Red Flag Rules, and detecting phishing attacks is critical to preventing personally identifiable information from being released. There are several telltale signs of phishing e-mails, such as:

  • Unsolicited requests for personal information. Legitimate companies understand today's security environment and will not ask for personal information out of the blue.
  • E-mails addressed to "Customer". If you are a customer of the organization sending the e-mail, chances are high that they will address you by name and spell it correctly.
  • E-mails that have you click on links to access your account. If an HTML-formatted e-mail is received, the e-mail can act like a web page with links and forms, but chances are high the link will take you to a phony web site.
  • IP velocity. If you receive numerous e-mails in rapid succession from the same IP address, chances are the e-mail is not legitimate. This type of activity is a big red flag (pardon the pun) that a targeted phishing attack might be in progress.

Compliance with the Red Flag Rules mandates that covered entities counteract phishing through an implemented program that detects, prevents and mitigates the risks that are prevalent in identity theft. When implementing your identity protection plan, products such as Estorian's LookingGlass provide the ability to take control over this activity through features that allow:

  • Validation of e-mail. LookingGlass looks at each individual email's header and metadata and indexes the email so it can be easily retrieved. This email metadata provides a detailed look at whether or not the emails are valid as well as an easy way to search for those emails to determine if phishing attempts have been sent to multiple users.
  • High-risk reporting requirements. Using Estorian's powerful reporting capabilities, companies can set thresholds that take advantage of LookingGlass's granular view into incoming emails and perform real-time reporting against those thresholds. Using these features, you can set thresholds against high-risk signs of phishing such as IP velocity and receive real-time notifications that a possible phishing attack is being launched against your organization. You can then report against those thresholds and take the internal steps necessary to mitigate this risk.
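To make the telltale signs listed above and the IP-velocity threshold concrete, here is an added example (not LookingGlass's code) that checks one inbound message for a generic greeting, an unsolicited request for credentials, and links whose visible text or host does not match where they actually point, and that counts messages per source IP in a sliding window. The threshold values, the sample message, its 203.0.113.10 address and the reserved example domains are all constructed; the body is assumed to be single-part HTML.

```python
"""Constructed example: content heuristics for the phishing tells listed above
plus a sliding-window "IP velocity" threshold that raises an alert.
Illustrative only; not Estorian/LookingGlass code."""
import re
from collections import defaultdict, deque
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Deque, Dict, List, Optional

VELOCITY_LIMIT = 5    # assumed threshold: more than 5 messages from one IP ...
VELOCITY_WINDOW = 60  # ... within 60 seconds is the "IP velocity" red flag

GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:valued\s+)?(?:customer|member|user|client)\b", re.I)
INFO_REQUEST = re.compile(
    r"\b(?:confirm|verify|update)\b[^.]{0,40}\b(?:password|account|card number|ssn)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="https?://([^/"]+)[^"]*"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_ip(msg: Message) -> Optional[str]:
    """Connecting IP from the topmost Received header (the one our own MTA added)."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(hdr)
        if m:
            return m.group(1)
    return None


def content_red_flags(msg: Message) -> List[str]:
    """Tells visible in one message. Assumes a single-part text/html body."""
    flags: List[str] = []
    body = msg.get_payload()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting instead of the customer's name")
    if INFO_REQUEST.search(body):
        flags.append("unsolicited request to confirm credentials or account data")
    for href_host, text in ANCHOR.findall(body):
        href_host = href_host.lower()
        # A hostname shown in the link text that differs from the real target.
        shown = HOST_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(0).lower() != href_host:
            flags.append(f"link shows {shown.group(0)} but points to {href_host}")
        # A link that leaves the domain the message claims to come from.
        in_domain = href_host == sender_domain or href_host.endswith("." + sender_domain)
        if sender_domain and not in_domain:
            flags.append(f"link host {href_host} is outside sender domain {sender_domain}")
    return flags


class IpVelocityTracker:
    """Sliding-window count of messages per source IP."""

    def __init__(self, limit: int = VELOCITY_LIMIT, window: int = VELOCITY_WINDOW):
        self.limit, self.window = limit, window
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, ip: str, ts: float) -> bool:
        """Record one message at time ts; True once ip exceeds limit within window."""
        q = self._seen[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.limit


def assess(raw: str, ts: float, tracker: IpVelocityTracker) -> List[str]:
    """All red flags for one raw RFC 822 message received at time ts."""
    msg = message_from_string(raw)
    flags = content_red_flags(msg)
    ip = sender_ip(msg)
    if ip and tracker.record(ip, ts):
        flags.append(f"IP velocity: more than {tracker.limit} messages "
                     f"from {ip} in {tracker.window}s")
    return flags


# Constructed sample: documentation-range IP and reserved example domains.
SAMPLE_PHISH = """\
Received: from mail.login-verify.example.net ([203.0.113.10]) by mx.corp.example
From: "Example Bank Security" <security@examplebank.example>
To: customer@corp.example
Subject: Urgent: verify your account
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Please <a href="http://login-verify.example.net/auth">www.examplebank.example/secure</a>
and confirm your account password within 24 hours.</p></body></html>
"""

if __name__ == "__main__":
    tracker = IpVelocityTracker()
    # Six copies in six seconds: the sixth one also trips the velocity threshold.
    for i in range(6):
        print(i, assess(SAMPLE_PHISH, 1000.0 + i, tracker))
```

In a real deployment the flag list would feed the threshold and notification step the text describes, and the sliding window would be sized from observed legitimate traffic rather than the assumed constants here.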

If you act as a creditor in any way, you are subject to the FTC Red Flag Rules and need to give serious attention to phishing in your risk assessment process. The continued success of these attacks has shown this is a tremendously popular and effective way to gain personally identifiable information on your customers and their accounts. Only by being proactive and implementing software such as Estorian LookingGlass can you mitigate these high risks while building an identity theft protection program that complies with the new FTC Red Flag Rules. Fail to do so and odds are that your company will become one of the statistics while unnecessarily exposing itself to the new financial penalties that these Rules introduce.

©2008 Estorian, Inc. All Rights Reserved.