24h-payday

Posts Tagged ‘regulatory compliance’

Music piracy the least of your audio worries; Dodd–Frank forces a closer listen

Wednesday, December 11th, 2013

We’re quickly approaching another milestone in the epic implementation of the Commodity Futures Trading Commission (CFTC) rules associated with the Dodd Frank Wall Street Reform and Consumer Protection Act (DFA); the expiration of a very contentious exemptive order that provided relief to cross border swap dealers (SD) and major swap participants (MSP) and foreign groups of US SDs and MSPs. If you follow the heated debate between Wall Street and the CFTC it is quite fitting that the order happens to expire on the winter solstice, December 21st 2013. Let’s hope the day at which the sun comes to a standstill in the sky before reversing direction doesn’t forebode a similar experience in the cross border free markets.

The 848 pages of Dodd-Frank legislation has resulted in (at current count) 67 new rules, exemptive orders, guidance and five ‘other’ actions from the CFTC – the regulatory body tasked with enforcing Title VII of the DFA. Prior to the DFA, the CFTC averaged about four rules per year. eDiscovery nerds will appreciate the fact that the complexity and length of the rules issued by the CFTC requires a website that offers Proximity and Boolean search options to navigate. Within these 67 rules are critical adjustments to the way that organizations, subject to the CFTC’s scope, need to capture, store, manage, search and produce information related to the many flavors of swaps – basically derivatives by which counterparties exchange cash flows of one financial instrument for another. That information includes all data concerning the swap, and communications leading up to the execution of the swap, including any voicemail or phone conversations with relevant information.

While audio discovery is nothing new, especially in regards to criminal investigations, these new regulations, rules and guidance have anointed audio data into the critical content sources category for many enterprises. Let’s discuss what that means for the eDiscovery technology world.

1. Audio search is now must-have eDiscovery functionality

If your organization is categorized as a swap data repository, derivatives clearing organization, designated contract market, swap execution facility, swap dealer, major swap participant and non-MSP counterparty (where most organizations outside financial services will be categorized) you are now subject to new rules for swap record keeping.

First, covered organizations must retain the following:

“…all oral and written communications provided or received concerning quotes, solicitations, bids, offers, instructions, trading, and prices, that lead to the conclusion of a related cash or forward transaction, whether communicated by telephone, voicemail, facsimile, instant messaging, chat rooms, electronic mail, mobile device, or other digital or electronic media.” 77 Fed. Reg. 17 CFR Part 45 (December 8 2010)

Secondly, this data has specific retention and retrieval requirements. At Symantec, we’re keeping track by categorizing them into the 5 & 5, 5 & 3 and 1 & 5 rules:

  • All the data above, except audio files, must be retained for a period of 5 years post termination of the underlying swap.
  • For SDs and MSPs it must be retrievable and producible within 3 days
  • For non-MSP counterparties it must be retrievable and producible within 5 days
  • Audio files, they must be kept for a period of 1-year post termination of the swap and also retrievable and producible within 5 days.

2. A turnkey ‘Dodd – Frank’ solution is unlikely, so a repeatable eDiscovery process is critical

As the CFTC rules were being finalized over the past two years, Symantec invited our customers to discuss the impact of the DFA on their eDiscovery workflows. A primary concern was the belief that the rules required organizations to have a system in place to store and eventually reproduce a trade and associated communications in their entirety. The many lobbyists and organizations that submitted grievances and clarification requests to the CFTC shared this concern. In response, the CFTC adjusted its rules to state that an organization’s swap data need not be categorized and retained in what amounts to a single-swap file, provided that all related information could be retrieved and produced from wherever it resides within the required timeframe.

Although the CFTC isn’t forcing organizations into the implementation of a magical swap data captor, data growth, diversification and dispersion across the organization could still present major challenges to collecting, searching and producing requested swap information on an ad hoc basis. For example, sales and marketing data, research information on commodity markets, email and instant message communications and voice data, would very often be found in multiple systems.

In order to comply, organizations should evaluate whether they have the ability to collect audio files and other information in a timely manner from multiple data repositories. If not retained in a per-swap manner, organizations will need to be able to consolidate all relevant communications and data into a single system so that the review is complete and audit-able for requesting regulatory bodies. But pulling from these various sources is likely to collect a large amount of non-swap data. The ability to confidently exclude the large amount of non-swap related information will help organizations curtail the potential time and costs associated with identifying the proper swap data. Finally, this process should be duplicable for each search, retrieval and production to the CFTC or Swap Data Repositories.

Side note; I’m writing with an eDiscovery-only lens, but the retention and management angle of this particular challenge lends itself to a proactive information governance discussion, one that our friends at eDiscovery Journal have touched upon already.

3. eDiscovery search capabilities must satisfy the unique nature of swap data

The DFA record keeping requirements as it pertains to swaps are unique in that they require the combination of both static, database-like structured data (trade value, time, etc.) and un-structured communications (email, Bloomberg messages, voice mail, etc.) These communications will often bridge multiple systems, for instance, multiple emails and Bloomberg IM’s prior to a phone call confirming the trade. Teams reviewing data prior to production to the CFTC or Swap Data Repositories will be challenged to make sense of the entire communication thread especially under a five-day deadline. This review process is not one to be taken lightly either. Teams need to be extra careful with the search and review of all audio content as they risk mistakenly producing spoken information, not as easily identified as written, that is not related to the trade.

Organizations should consider how quickly they could get the necessary information in a searchable form. Five days to retrieve and produce is slim at best, so even audio processing advantages, like phonetic based audio indexing as opposed to speech to text to transcription could be critical. They should also consider how they can organize swap communications into a coherent form – functionality like discussion threading and topic clustering can help teams quickly understand and identify communication related to a specific swap.

The Symantec eDiscovery team considered the Dodd Frank Act and CFTC rules as we developed our latest release of the Clearwell eDiscovery Platform, from Symantec, now enabling advanced audio processing, search, and review capabilities to drastically accelerate audio discovery efforts. In addition to supporting over 400 file types for electronic discovery, these new capabilities leverage a powerful phonetic engine that can index up to 20,000 hours of recorded audio per day. Whether you are investigating voicemails, call-center recordings, or financial transactions, Symantec makes it easy to find what you are looking for.

 

Twitter Contempt Sanctions Increase Need for Social Media Governance Plan

Thursday, September 13th, 2012

The headline-grabbing news this week regarding Twitter facing possible contempt sanctions is an important reminder that organizations should consider developing a strategy for addressing social media governance. In criminal proceedings against protesters involved in the Occupy Wall Street movement, a New York state court ordered Twitter several weeks ago to turn over various tweets that a protester deleted from his twitter feed relating to the movement’s blocking of the Brooklyn Bridge last year. Twitter has delayed compliance with that order, which has invited the court’s wrath: “I can’t put Twitter or the little blue bird in jail, so the only way to punish is monetarily.” The court is now threatening Twitter with a monetary contempt sanction based on “the company’s earnings statements for the past two quarters.”

At first blush, the proceeding involving Twitter may not seem paradigmatic for organizations. While most organizations do not engage in civil disobedience and typically stay clear of potential criminal actions, the conduct of the protester in unilaterally deleting his tweets raises the question of whether organizations have developed an effective policy to retain and properly supervise communications made through social networking sites.

Organizations in various industry verticals need to ensure that certain messages communicated through social media sites are maintained for legal or regulatory purposes. For example, financial services companies must retain communications with investors and other records that relate to their “business as such” – including those made through social networking sites – for at least three years under section 17a-4(b) of the Securities Exchange Act of 1934. Though this provision is fairly straightforward, it has troubled regulated companies for years. Indeed, almost two-thirds of surveyed asset managers reported that “regulatory recordkeeping” remains their greatest challenge with respect to social media.

Supervision is another troubling issue. With the proliferation of smartphones, burgeoning “bring your own device” (BYOD) policies and the demands of a 24-hour workday, supervision cannot be boiled down to a simple protocol of “I’ll review your messages before you hit send.” Yet supervision is necessary, particularly given the consequences for rogue communications including litigation costs, lost revenues, reduced stock price and damage to the company brand.

Though there are no silver bullets to ensure perfection regarding these governance challenges, organizations can follow some best practices to develop an effective social media governance policy. The first is that companies should prepare a global plan for how they will engage in social media marketing. This initial step is particularly important for groups that are just now exploring the use of social media to communicate with third parties. Having a plan in place that maps out a contact and communication strategy, provides for supervision of company representatives and accounts for compliance with regulatory requirements is essential.

The next step involves educating and training employees regarding the company’s social media policy. This should include instructions regarding what content may be posted to social networking sites and the internal process for doing so. Policies that describe the consequences for deviating from the social media plan should also be clearly delineated. Those policies should detail the legal repercussions – civil and criminal – for both the employee and the organization for social media missteps.

Third, organizations can employ technology to ensure compliance with their social media plan. This may include archiving software and other technology that both retains and enables a cost-effective supervisory review of content. Electronic discovery tools that enable legal holds and efficiently retrieve archived social media content are also useful in developing an efficient and cost-effective response to legal and regulatory requests.

By following these steps and other best practices, organizations will likely be on the way to establishing the foundation of an effective social media governance plan.

APAC eDiscovery Passports: Litigation Basics for the Asia-Pacific Region

Wednesday, June 13th, 2012

Global economic indicators point to increased trade with and outsourcing to emerging markets around the world, specifically the Asia Pacific (APAC) region. Typical U.S. sectors transacting with the East include: manufacturing, business process outsourcing (BPO)/legal process outsourcing (LPO), call centers, and other industries. The Asian Development Bank stated last year that Asia will account for half of all global economic output by 2050 if their collective GDP stays on pace.  The next 10 years will likely bring BRICS (Brazil, Russia, India, China and Japan) and The Four Asian Tigers (Hong Kong, Singapore, South Korea and Taiwan) into the forefront of the global economy. Combining this projected economic growth with the data explosion makes knowledge about the APAC legal system a necessity for litigators and international business people alike.

The convergence of the global economy across different privacy and data protection regimes has increased the complexity of addressing electronically stored information (ESI). Money and data in large volumes cross borders daily in order to conduct international business. This is true not only for Asian countries transacting with each other, but increasingly with Europe and the United States. Moreover, because technology continues to decrease the reliance on data in paper format, data will need to be produced and analyzed in the form in which it was created. This is important from a forensic standpoint, as well as an information management perspective.  This technical push is reason alone that organizations will need to shift their processes and technologies to focus more on ESI – not in only in how data is created, but in how those organizations store, search, retrieve, review and produce data.

Discovery Equals eDiscovery

The world of eDiscovery for the purposes of regulation and litigation is no longer a U.S. anomaly. This is not only because organizations may be subject to the federal and state rules of civil procedure governing pre-trial discovery in U.S. civil litigation, but because under existing Asian laws and regulatory schemes, the ability to search and retrieve data may be necessary.

Regardless of whether the process of searching, retrieving, reviewing and producing data (eDiscovery) is called discovery or disclosure or whether these processes occur before trial or during, the reality in litigation, especially for multinational corporations, is that eDiscovery may be required around the world. The best approach is to not only equip your organization with the best technology available for legal defensibility and cost-savings from the litigator’s tool belt, but to know the rules by which one must play.

The Passports

The knowledge level for many lawyers about how to approach a discovery request in APAC jurisdictions is often minimal, but there are resources that provide straightforward answers at no cost to the end-user. For example, Symantec has just released a series of “eDiscovery Passports™” for APAC that focus on discovery in civil litigation, the collision of data privacy laws, questions about the cross-border transfer of data, and the threat of U.S. litigation as businesses globalize.  The Passports are a basic guide that frame key components about a country including the legal system, discovery/disclosure, privacy, international considerations and data protection regulations. The Passports are useful tools to begin the process of exploring what considerations need to be made when litigating in the APAC region.

While the rules governing discovery in common law countries like Australia (UPC) and New Zealand (HCR) may be less comprehensive and require slightly different timing than that of the U.S. and U.K., they do exist under the UPC and HCR.  Countries like Hong Kong and Singapore, that also follow a traditional common law system, contain several procedural nuances that are unique to their jurisdictions.  The Philippines, for example, is a hybrid of both civil and common law legal systems, embodying similarities to California law due to history and proximity.  Below are some examples of cases that evidence trends in Asian jurisdictions that lean toward the U.S. Federal Rules of Civil Procedure (FRCP), Sedona Principles and that support the idea that eDiscovery is going global.

  • Hong Kong. In Moulin Global Eyecare Holdings Ltd. v. KPMG (2010), the court held the discovery of relevant documents must apply to both paper and ESI. The court did, however, reject the argument by plaintiffs that overly broad discovery be ordered as this would be ‘tantamount to requiring the defendants to turn over the contents of their filing cabinets for the plaintiffs to rummage through.’ Takeaway: Relevance and proportionality are the key factors in determining discovery orders, not format.
  • Singapore. In Deutsche Bank AG v. Chang Tse Wen (2010), the court acknowledged eDiscovery as particularly useful when the relevant data to be discovered is voluminous.  Because the parties failed to meet and confer in this case, the court ordered parties to take note of the March 2012 Practice Direction which sets out eDiscovery protocols and guidance. Takeaway: Parties must meet and confer to discuss considerations regarding ESI and be prepared to explain why the discovery sought is relevant to the case.
  • U.S. In E.I. du Pont de Nemours v. Kolon Industries (E.D. Va. July 21, 2011), the court held that defendants failed to issue a timely litigation hold.  The resulting eDiscovery sanctions culminated in a $919 million dollar verdict against the defendant South Korean company. While exposure to the FRCP for a company doing business with the U.S. should not be the only factor in determining what eDiscovery processes and technologies are implemented, it is an important consideration in light of sanctions. Takeaway:  Although discovery requirements are not currently as expansive in Asia as they are in the U.S., if conducting business with the U.S., companies may be availed to U.S. law. U.S. law requires legal hold be deployed in when litigation is reasonably anticipated.

Asia eDiscovery Exchange

On June 6-7 at the Excelsior Hotel in Hong Kong, industry experts from the legal, corporate and technology industries gathered for the Asia eDiscovery Exchange.  Jeffrey Toh of innoXcell, the organizer of the event in conjunction with the American eDJ Group, says “this is still a very new initiative in Asia, nevertheless, regulators in Asia have taken steps to implement practice directions for electronic evidence.” Exchanges like these indicate the market is ready for comprehensive solutions for proactive information governance, as well as reactive eDiscovery.  The three themes the conference touched on were information governance, eDiscovery and forensics.  Key sessions included “Social Media is surpassing email as a means of communication; What does this mean for data collection and your Information Governance Strategy” with Barry Murphy, co-founder and principal analyst, eDiscovery Journal and Chris Dale, founder, e-Disclosure Information Project, as well as “Proactive Legal Management” (with Rebecca Grant, CEO of iCourts in Australia and Philip Rohlik, Debevoise & Plimpton in Hong Kong).

The Asian market is ripe for new technologies, and the Asia eDiscovery Exchange should yield tremendous insight into the unique drivers for the APAC region and how vendors and lawyers alike are adapting to market with their offerings.  The eDiscovery Passports™ are also timely as they coincide with a marked increase in Asian business and the proposal of new data protection laws in the region.  Because the regional differences are distinct with regard to discovery, resources like this can help litigators in Asia interregionally, as well as lawyers around the world.  Thought leaders in the APAC region have come together to discuss these differences and how technology can best address the unique requirements in each jurisdiction.  The conference has made clear that information governance, archiving and eDiscovery tools are necessary in the region, even if those needs are not necessarily motivated by litigation as in the U.S. 

Take Two and Call me in the Morning: U.S. Hospitals Need an Information Governance Remedy

Wednesday, April 11th, 2012

Given the vast amount of sensitive information and legal exposure faced by hospitals today it’s a mystery why these organizations aren’t taking advantage of enabling technologies to minimize risk. Both HIPPA and the HITECH Act are often achieved by manual, ad hoc methods, which are hazardous at best. In the past, state and federal auditing environments have not been very aggressive in ensuring compliance, but that is changing. While many hospitals have invested in high tech records management systems (EMR/EHR), those systems do not encompass the entire information and data environment within a hospital. Sensitive information often finds its way into and onto systems outside the reach of EMR/EHR systems, bringing with it increased exposure to security breach and legal liability.

This information overload often metastasizes into email (both hospital and personal), attachments, portable storage devices, file, web and development servers, desktops and laptops, home or affiliated practice’s computers and mobile devices such as iPads and smart phones. These avenues for the dissemination and receipt of information expand the information governance challenge and data security risks. Surprisingly, the feedback from the healthcare sector suggests that hospitals rarely get sued in federal court.

One place hospitals do not want to be is the “Wall of Shame,” otherwise known as the HHS website that has detailed 281 Health Insurance Portability and Accountability Act (HIPAA) security violations that have affected more than 500 individuals as of June 9, 2011. Overall, physical theft and loss accounted for about 63% of the reported breaches. Unauthorized access / disclosure accounted for another 16%, while hacking was only 6%. While Software Advice reasons these statistics seem to indicate that physical theft has been the reason for the majority of breaches, it should also be considered that due to the lack of data loss prevention technology, many hospitals are unaware of breaches that have occurred and therefore cannot report on them.

There are a myriad of reasons hospitals aren’t landing on the front page of the newspaper with the same frequency as other businesses and government agencies when it comes to security breach, and document retention and eDiscovery blunders. But, the underlying contagion is not contained and it certainly is not benign. Feedback from the field reveals some alarming symptoms of the unhealthy state of healthcare information governance, including:

  • uncontrolled .pst files
  • exploding storage growth
  • missing or incomplete data retention rules
  • doctors/nurses storing and sending sensitive data via their personal email, iPads and smartphones
  • encryption rules that rely on individuals to determine what to encrypt
  • data backup policies that differ from data retention and information governance rules
  • little to no compliance training
  • and many times non-existent data loss prevention efforts.

This results in the need for more storage, while creating larger legal liability, an indefensible eDiscovery posture, and the risk of breach.

The reason this problem remains latent in most hospitals is because they are not yet feeling the pain of the problem from massive and multiple lawsuits, large invoices from outside law firms or the operational challenges/costs incurred from searching through many mountains of dispersed data.  The symptoms are observable, the pathology is present, the problem is real and the pain is about to acutely present itself as more states begin to deeply embrace eDiscovery requirements and government regulators increase audit frequency and fine amounts. Another less talked about reason hospitals have not had the same pressure to search and produce their data pursuant to litigation is due to cases being settled before they even get to the discovery stage. The lack of well-developed information governance practices leads to cases being settled too soon, for too much money when they otherwise may not have needed to settle at all.

The Patient’s Symptoms Were Treated, but the Patient’s Data Still Needs Medicine

What is still unclear is why hospitals, given their compliance requirements and tightening IT budgets, aren’t archiving, classifying, and protecting their data with the same type of innovation they are demonstrating in their cutting edge patient care technology. In this realm, two opposite ends of the IT innovation spectrum seem to co-exist in the hospital’s data environment. This dichotomy leaves much of a hospital’s data unprotected, unorganized and uncontrolled. Hospitals are experiencing increasing data security breaches and often are not aware that a breach or data loss has occurred. As more patient data is created and copied in electronic format, used in and exposed by an increasing number of systems and delivered on emerging mobile platforms, the legal and audit risks are compounding on top of a faulty or missing information governance foundation.

Many hospitals have no retention schedules or data classification rules applied to existing information, which often results in a checkbox compliance mentality and a keep-everything-forever practice. Additionally, many hospitals have no ability to apply a comprehensive legal hold across different data sources and lack technology to stop or alert them when there has been a breach.

Information Governance and Data Health in Hospitals

With the mandated push for paper to be converted to digital records, many hospitals are now evaluating the interplay of their various information management and distribution systems. They must consider the newly scanned legacy data (or soon to be scanned), and if they have been operating without an archive, they must now look to implement a searchable repository where they can collectively apply document retention and records management while decreasing the amount of storage needed to retain the data.  We are beginning to see internal counsel leading the way to make this initiative happen across business units. Different departments are coming together to pool resources in tight economic and high regulation times that require collaboration.  We are at the beginning of a widespread movement in the healthcare industry for archiving, data classification and data loss prevention as hospitals link their increasing compliance and data loss requirements with the need to optimize and minimize storage costs. Finally, it comes as no surprise that the amount of data hospitals are generating is crippling their infrastructures, breaking budgets and serving as the primary motivator for change absent lawsuits and audits.

These factors are bringing together various stakeholders into the information governance conversation, helping to paint a very clear picture that putting in place a comprehensive information governance solution is in the entire hospital’s best interest. The symptoms are clear, the problem is treatable, the prescription for information governance is well proven. Hospitals can begin this process by calling an information governance meeting with key stakeholders and pursuing an agenda set around examining their data map and assessing areas of security vulnerability, as well as auditing the present state of compliance with regulations for the healthcare industry.

Editor’s note: This post was co-authored with Eric Heck, Healthcare Account Manager at Symantec.  Eric has over 25 years of experience in applying technology to emerging business challenges, and currently works with healthcare providers and hospitals to manage the evolving threat landscape of compliance, security, data loss and information governance within operational, regulatory and budgetary constraints.

The eDiscovery “Passport”: The First Step to Succeeding in International Legal Disputes

Monday, April 2nd, 2012

The increase in globalization continues to erase borders throughout the world economy. Organizations now routinely conduct business in countries that were previously unknown to their industry vertical.  The trend of global integration is certain to increase, with reports such as the Ernst & Young 2011 Global Economic Survey confirming that 74% of companies believe that globalization, particularly in emerging markets, is essential to their continued vitality.

Not surprisingly, this trend of global integration has also led to a corresponding increase in cross-border litigation. For example, parties to U.S. litigation are increasingly seeking discovery of electronically stored information (ESI) from other litigants and third parties located in Continental Europe and the United Kingdom. Since traditional methods under the Federal Rules of Civil Procedure (FRCP) may be unacceptable for discovering ESI in those forums, the question then becomes how such information can be obtained.

At this point, many clients and their counsel are unaware how to safely navigate these international waters. The short answer for how to address these issues for much of Europe would be to resort to the Hague Convention of March 18, 1970 on the Taking of Evidence Abroad in Civil or Commercial Matters (Hague Convention). Simply referring to the Hague Convention, however, would ignore the complexities of electronic discovery in Europe. Worse, it would sidestep the glaring knowledge gap that exists in the United States regarding the cultural differences distinguishing European litigation from American proceedings.

The ability to bridge this gap with an awareness of the discovery processes in Europe is essential. Understanding that process is similar to holding a valid passport for international travel. Just as a passport is required for travelers to successfully cross into foreign lands, an “eDiscovery Passport™” is likewise necessary for organizations to effectively conduct cross-border discovery.

The Playing Field for eDiscovery in Continental Europe

Litigation in Continental Europe and is culturally distinct from American court proceedings. “Discovery,” as it is known in the United States, does not exist in Europe. Interrogatories, categorical document requests and requests for admissions are simply unavailable as European discovery devices. Instead, European countries generally allow only a limited exchange of documents, with parties typically disclosing only that information that supports their claims.

The U.S. Court of Appeals for the Seventh Circuit recently commented on this key distinction between European and American discovery when it observed that “the German legal system . . . does not authorize discovery in the sense of Rule 26 of the Federal Rules of Civil Procedure.” The court went on to explain that “[a] party to a German lawsuit cannot demand categories of documents from his opponent. All he can demand are documents that he is able to identify specifically—individually, not by category.” Heraeus Kulzer GmbH v. Biomet, Inc., 633 F.3d 591, 596 (7th Cir. 2011).

Another key distinction to discovery in Continental Europe is the lack of rules or case law requiring the preservation of ESI or paper documents. This stands in sharp contrast to American jurisprudence, which typically requires organizations to preserve information as soon as they reasonably anticipate litigation. See, e.g., Micron Technology, Inc. v. Rambus Inc., 645 F.3d 1311, 1320 (Fed.Cir. 2011). In Europe, while an implied preservation duty could arise if a court ordered the disclosure of certain materials, the penalties for European non-compliance are typically not as severe as those issued by American courts.

Only the nations of the United Kingdom, from which American notions of litigation are derived, have discovery obligations that are more similar to those in the United States. For example, in the combined legal system of England and Wales, a party must disclose to the other side information adverse to its claims. Moreover, England and Wales also suggest that parties should take affirmative steps to prepare for disclosure. According to the High Court in Earles v Barclays Bank Plc [2009] EWHC 2500 (Mercantile) (08 October 2009), this includes having “an efficient and effective information management system in place to provide identification, preservation, collection, processing, review analysis and production of its ESI in the disclosure process in litigation and regulation.” For organizations looking to better address these issues, a strategic and intelligent information governance plan offers perhaps the best chance to do so.

Hostility to International Discovery Requests

Despite some similarities between the U.S. and the U.K., Europe as a whole retains a certain amount of cultural hostility to pre-trial discovery. Given this fact, it should come as no surprise that international eDiscovery requests made pursuant to the Hague Convention are frequently denied. Requests are often rejected because they are overly broad.  In addition, some countries such as Italy simply refuse to honor requests for pre-trial discovery from common law countries like the United States. Moreover, other countries like Austria are not signatories to the Hague Convention and will not accept requests made pursuant to that treaty. To obtain ESI from those countries, litigants must take their chances with the cumbersome and time-consuming process of submitting letters rogatory through the U.S. State Department. Finally, requests for information that seek email or other “personal information” (i.e., information that could be used to identify a person) must additionally satisfy a patchwork of strict European data protection rules.

Obtaining an eDiscovery Passport

This backdrop of complexity underscores the need for both lawyers and laymen to understand the basic principles governing eDisclosure in Europe. Such a task should not be seen as daunting. There are resources that provide straightforward answers to these issues at no cost to the end-user. For example, Symantec has just released a series of eDiscovery Passports™ that touch on the basic issues underlying disclosure and data privacy in the United Kingdom, France, Germany, Holland, Belgium, Austria, Switzerland, Italy and Spain. Organizations such as The Sedona Conference have also made available materials that provide significant detail on these issues, including its recently released International Principles on Discovery, Disclosure and Data Protection.

These resources can provide valuable information to clients and counsel alike and better prepare litigants for the challenges of pursuing legal rights across international boundaries. By so doing, organizations can moderate the effects of legal risk and more confidently pursue their globalization objectives.

Policy vs. Privacy: Striking the Right Balance Between Organization Interests and Employee Privacy

Friday, March 9th, 2012

The lines between professional and personal lives are being further blurred every day. With the proliferation of smart phones, the growth of the virtual workplace and the demands of business extending into all hours of the day, employees now routinely mix business with pleasure by commingling such matters on their work and personal devices. This trend is sure to increase, particularly with “bring your own device” policies now finding their way into companies.

This sometimes awkward marriage of personal and professional issues raises the critical question of how organizations can respect the privacy rights of their employees while also protecting their trade secrets and other confidential/proprietary information. The ability to properly navigate these murky waters under the broader umbrella of information governance may be the difference between a successful business and a litigation-riddled enterprise.

Take, for instance, a recent lawsuit that claimed the Food and Drug Administration (FDA) unlawfully spied on the personal email accounts of nine of its employee scientists and doctors. In that litigation, the FDA is alleged to have monitored email messages those employees sent to Congress and the Office of Inspector of General for the Department of Health & Human Services. In the emails at issue, the scientists and doctors scrutinized the effectiveness of certain medical devices the FDA was about to approve for use on patients.

While the FDA’s email policy clearly delineates that employee communications made from government devices may be monitored or recorded, the FDA may have intercepted employees’ user IDs and passwords and accessed messages they sent from their home computers and personal smart phones. Not only would such conduct potentially violate the Electronic Communications Privacy Act (ECPA), it might also conceivably run afoul of the Whistleblower Protection Act.

The FDA spying allegations have also resulted in a congressional inquiry into the email monitoring policies of all federal agencies throughout the executive branch. Congress is now requesting that the Office of Management and Budget (OMB) produce the following information about agency email monitoring policies:

  • Whether a policy distinguishes between work and personal email
  • Whether user IDs and passwords can be obtained for personal email accounts and, if so, whether safeguards are deployed to prevent misappropriation
  • Whether a policy defines what constitutes protected whistleblower communications

The congressional inquiry surrounding agency email practices provides a valuable measuring stick for how private sector organizations are addressing related issues. For example, does an organization have an acceptable use policy that addresses employee privacy rights? Having such a policy in place is particularly critical given that employees use company-issued smart phones to send out work emails, take photographs and post content to personal social networking pages. If such a policy exists now, query whether it is enforced, what the mechanisms exist for doing so and whether or not such enforcement is transparent to the employees.  Compliance is just as important as issuing the policy in the first place.

Another critical inquiry is whether an organization has an audit/oversight process to prevent the type of abuses that allegedly occurred at the FDA. Such a process is essential for organizations on multiple levels. First, as Congress made clear in its letter to the OMB, monitoring communications that employees make from their personal devices violates the ECPA. It could also interfere with internal company whistleblower processes. And to the extent adverse employment action is taken against an employee-turned-whistleblower, the organization could be liable for violations of the False Claims Act or the Dodd-Frank Wall Street Reform and Consumer Protection Act.

A related aspect to these issues concerns whether an organization can obtain work communications sent from employee personal devices. For example, financial services companies must typically retain communications with investors for at least three years. Has the organization addressed this document retention issue while respecting employee privacy rights in their own smart phones and tablet computers?

If an organization does not have such policies or protections in place, it should not panic and rush off to get policies drafted without thinking ahead. Instead, it should address these issues through an intelligent information governance plan. Such a plan will typically address issues surrounding information security, employee privacy, data retention and eDiscovery within the larger context of industry regulations, business demands and employee productivity. That plan will also include budget allocations to support the acquisition and deployment of technology tools to support written policies on these and other issues.  Addressed in this context, organizations will more likely strike the right balance between their interests and their employees’ privacy and thereby avoid a host of unpleasant outcomes.

Big Data Decisions Ahead: Government-Sponsored Town Hall Meeting for eDiscovery Industry Coincides With Federal Agency Deadline

Wednesday, February 29th, 2012

Update For Report Submission By Agencies

We are fast approaching the March 27, 2012 deadline for federal agencies to submit their reports to the Office of Management and Budget and the National Archives and Records Administration (NARA) to comply with the Presidential Mandate on records management. We are only at the inception, as we look to a very exciting public town hall meeting in Washington, D.C. – also scheduled for March 27, 2012. This meeting is primarily focused on gathering input from the public sector community, the vendor/IT community, and members of the public at large. Ultimately, NARA will issue a directive that will outline a centralized approach for the federal government for managing records and eDiscovery.

Agencies have been tight lipped about how far along they are in the process of evaluating their workflows and tools for managing their information (both electronic and paper). There is, however, some empirical data from an InformationWeek Survey conducted last year that takes the temperature on where the top IT professionals within the government have their sights set, and the Presidential Mandate should bring some of these concerns to the forefront of the reports. For example, the #1 business driver for migrating to the cloud – cited by 62% of respondents – was cost, while 77% of respondents said their biggest concern was security. Nonetheless, 46% were still highly likely to migrate to a private cloud.

Additionally, as part of the Federal Data Center Consolidation Initiative, agencies are looking to eliminate 800 data centers. While the cost savings are clear, from an information governance viewpoint, it’s hard not to ask what the government plans to do with all of those records?  Clearly, this shift, should it happen, will force the government into a more service-based management approach, as opposed to the traditional asset-based management approach. Some agencies have already migrated to the cloud. This is squarely in line with the Opex over Capex approach emerging for efficiency and cost savings.

Political Climate Unknown

Another major concern that will affect any decisions or policy implementation within the government is, not surprisingly, politics. Luckily, regardless of political party affiliation, it seems to be broadly agreed that the combination of IT spend in Washington, D.C. and the government’s slow move to properly manage electronic records is a problem. Two of the many examples of the problem are manifested in the inability to issue effective litigation holds or respond to Freedom of Information Act (FOIA) requests in a timely and complete manner. Even still, the political agenda of the Republican party may affect the prioritization of the Democratic President’s mandate and efforts could be derailed with a potential change in administration.

Given the election year and the heavy analysis required to produce the report, there is a sentiment in Washington that all of this work may be for naught if the appropriate resources cannot be secured then allocated to effectuate the recommendations. The reality is that data is growing at an unprecedented rate, and the need for the intelligent management of information is no longer deniable. The long term effects of putting this overhaul on the back burner could be disastrous. The government needs a modular plan and a solid budget to address the problem now, as they are already behind.

VanRoekel’s Information Governance

One issue that will likely not be agreed upon between Democrats and Republicans to accomplish the mandate is the almighty budget, and the technology the government must purchase in order to accomplish the necessary technological changes are going to cost a pretty penny.  Steven VanRoekel, the Federal CIO, stated upon the release of the FY 2013 $78.8 billion dollar IT budget:

“We are also making cyber security a cross-agency, cross-government priority goal this year. We have done a good job in ramping up on cyber capabilities agency-by-agency, and as we come together around this goal, we will hold the whole of government accountable for cyber capabilities and examine threats in a holistic way.”

His quote indicates the priority from the top down of evaluating IT holistically, which dovetails nicely with the presidential mandate since security and records management are only two parts of the entire information governance picture. Each agency still has their own work cut out for them across the EDRM. One of the most pressing issues in the upcoming reports will be what each agency decides to bring in-house or to continue outsourcing. This decision will in part depend on whether the inefficiencies identified lead agencies to conclude that they can perform those functions for less money and more efficiently than their contractors.  In evaluating their present capabilities, each agency will need to look at what workflows and technologies they currently have deployed across divisions, what they presently outsource,  and what the marketplace potentially offers them today to address their challenges.

The reason this question is central is because it begs an all-important question about information governance itself.  Information governance inherently implies that an organization or government control most or all aspects of the EDRM model in order to derive the benefits of security, storage, records management and eDiscovery capabilities. Presently, the government is outsourcing many of their litigation services to third party companies that have essentially become de facto government agencies.  This is partly due to scalability issues, and partly because the resources and technologies that are deployed in-house within these agencies are inadequate to properly execute a robust information governance plan.

Conclusion

The ideal scenario for each government agency to comply with the mandate would be that they deploy automated classification for their records management, archiving with expiration appropriately implemented for more than just email, and finally, some level of eDiscovery capability in order to conduct early case assessment and easily produce data for FOIA.  The level of early case assessment needed by each agency will vary, but the general idea would be that before contacting a third party to conduct data collection, the scope of an investigation or matter would be able to be determined in-house.  All things considered, the question remains if the Obama administration will foot this bill or if we will have to wait for a bigger price tag later down the road.  Either way, the government will have to come up to speed and make these changes eventually and the town hall meeting should be an accurate thermometer on where the government stands.

Information Governance Gets Presidential Attention: Banking Bailout Cost $4.76 Trillion, Technology Revamp Approaches $240 Billion

Tuesday, January 10th, 2012

On November 28, 2011, The White House issued a Presidential Memorandum that outlines what is expected of the 480 federal agencies of the government’s three branches in the next 240 days.  Up until now, Washington, D.C. has been the Wild West with regard to information governance as each agency has often unilaterally adopted its own arbitrary policies and systems.  Moreover, some agencies have recently purchased differing technologies.  Unfortunately,  with the President’s ultimate goal of uniformity, this centralization will be difficult to accomplish with a range of disparate technological approaches.

Particular pain points for the government traditionally include retention, search, collection, review and production of vast amounts of data and records.  Specifically, these pain points include examples of: FOIA requests gone awry, the issuance of legal holds across different agencies leading to spoliation, and the ever present problem of decentralization.

Why is the government different?

Old Practices. First, in some instances the government is technologically behind (its corporate counterparts) and is failing to meet the judiciary’s expectation that organizations effectively store, manage and discover their information.  This failing is self-evident via  the directive coming from the President mandating that these agencies start to get a plan to attack this problem.  Though different than other corporate entities, the government is nevertheless held to the same standards of eDiscovery under the Federal Rules of Civil Procedure (FRCP).  In practice, the government has been given more leniency until recently, and while equal expectations have not always been the case, the gap between the private and public sectors in no longer possible to ignore.

FOIA.  The government’s arduous obligation to produce information under the Freedom of Information Act (FOIA) has no corresponding analog for private organizations, who are responding to more traditional civil discovery requests.  Because the government is so large with many disparate IT systems, it is cumbersome to work efficiently through the information governance process across agencies and many times still difficult inside one individual agency with multiple divisions.  Executing this production process is even more difficult if not impossible to do manually without properly deployed technology.  Additionally, many of the investigatory agencies that issue requests to the private sector need more efficient ways to manage and review data they are requesting.  To compound problems, within the US government there are two opposing interests are at play; both screaming for a resolution, and that solution needs to be centralized.  On the one hand, the government needs to retain more than a corporation may need to in order to satisfy a FOIA request.

Titan Pulled at Both Ends. On the other hand, without classification of the records that are to be kept, technology to organize this vast amount of data and some amount of expiry, every agency will essentially become their own massive repository.  The “retain everything mentality” coupled with the inefficient search and retrieval of data and records is where they stand today.  Corporations are experiencing this on a smaller scale today and many are collectively further along than the government in this process, without the FOIA complications.

What are agencies doing to address these mandates?

In their plans, agencies must describe how they will improve or maintain their records management programs, particularly with regard to email, social media and other electronic communications.  They must also move away from such a paper-centric existence.  eDiscovery consultants and software companies are helping agencies through this process, essentially writing their plans to match the President’s directive.  The cloud conversation has been revisited, and agencies also have to explain how they will use cloud-based services and storage solutions, as well as identify gaps in existing laws or regulations that presently prevent improved management.  Small innovations are taking place.  In fact, just recently the DOJ added a new search feature on their website to make it easier for the public to find documents that have been posted by agencies on their websites.

The Office of Management and Budget (OMB), National Archives and Records Administration (NARA), and Justice Department will use those reports to come up with a government-wide records management framework that is more efficient, maintains accountability by documenting agency actions and promotes “appropriate” public access to records.  Hopefully, the framework they come up with will be centralized and workable on a realistic timeframe with resources sufficiently allocated to the initiative.

How much will this cost?

The President’s mandate is a great initiative and very necessary, but one cannot help but think about the costs in terms of money, time and resources when considering these crucial changes.  The most recent version of a financial services and general government appropriations bill in the Senate extends $378.8 million to NARA for this initiative.  President Obama appointed Steven VanRoekel as the United States CIO in August 2011 to succeed Vivek Kundra.  After VanRoekel’s speech at the Churchill Club in October of 2011, an audience member asked him what the most surprising aspect of his new job was.  VanRoekel said that it was managing the huge and sometimes unwieldy resources of his $80 billion budget.  It is going to take even more than this to do the job right, however.

Using conservative estimates, assume for an agency to implement archiving and eDiscovery capabilities as an initial investment would be $100 million.  That approximates $480 billion for all 480 agencies.  Assume a uniform information governance platform gets adopted by all agencies at a 50% discount due to the large contracts and also factoring in smaller sums for agencies with lesser needs.  The total now comes to $240 billion.  For context, that figure is 5% of what was spent by Federal Government ($4.76 trillion) on the biggest bailout in history in 2008. That leaves a need for $160 billion more to get the job done. VanRoekel also commented at the same meeting that he wants to break down massive multi-year information technology projects into smaller, more modular projects in the hopes of saving the government from getting mired in multi-million dollar failures.   His solution to this, he says, is modular and incremental deployment.

While Rome was not built in a day, this initiative is long overdue, yet feasible, as technology exists to address these challenges rather quickly.  After these 240 days are complete and a plan is drawn the real question is, how are we going to pay now for technology the government needed yesterday?  In a perfect world, the government would select a platform for archiving and eDiscovery, break the project into incremental milestones and roll out a uniform combination of solutions that are best of breed in their expertise.

New Utah Rule 26: A Blueprint for Proportionality in eDiscovery

Tuesday, December 20th, 2011

The eDiscovery frenzy that has gripped the American legal system over the past decade has become increasingly expensive.  Particularly costly to both clients and courts is the process of preserving, collecting and producing documents.  This was supposed to change after the Federal Rules of Civil Procedure (FRCP) were amended in 2006.  After all, weren’t the amended rules designed to streamline discovery, allowing parties to focus on the merits while making discovery costs more reasonable?  Instead, it seems the rules have spawned more collateral discovery disputes than ever before about preservation, collection and production issues.

As a solution to these costs, the eDiscovery cognoscenti are emphasizing the concept of “proportionality.”  Proportionality typically requires that the benefits of discovery be commensurate with its corresponding burdens.  Under the Federal Rules of Civil Procedure, the directive that discovery be proportional is found in Rules 26(c), 26(b)(2)(C) and Rule 26(b)(2)(B).  Under Rule 26(c), courts may generally issue protective orders that limit or even proscribe discovery that causes “annoyance, embarrassment, oppression, or undue burden or expense.”  More specifics are set forth in Rule 26(b)(2)(C), which enables courts to restrict discovery if the requests are unreasonably cumulative or duplicative, the discovery can be obtained from an alternative source that is less expensive or burdensome, or the burden or expense of the discovery outweighs its benefit.  In the specific context of electronic discovery, Rule 26(b)(2)(B) restricts the discovery of backup tapes and other electronically stored information that are “not reasonably accessible” due to “undue burden or cost.”

Despite the existence of these provisions, they are often bypassed.  The most recent and notable example of this trend is found in Pippins v. KPMG (S.D.N.Y. Oct. 7, 2011).  In Pippins, the court ordered the defendant accounting firm to continue preserving thousands of employee hard drives.  In so doing, the court sidestepped the firm’s proportionality argument, citing Orbit One v. Numerex (S.D.N.Y. 2010) for the premise that such a standard is “too amorphous” and therefore unworkable.  Regardless of cost or burden, the court reasoned that “prudence” required preservation of all relevant materials “until a more precise definition [of proportionality] is created by rule.”

The Pippins order and its associated costs for the firm – potentially into the millions of dollars – has given new fuel to the argument that an amended federal rule should be implemented to include a more express mandate regarding proportionality.  Surprisingly enough, a blueprint for such an amended rule is already in place in the State of Utah.  Effective November 1, 2011, Utah implemented sweeping changes to civil discovery practice through amended Civil Procedure Rule 26.  The new rule makes proportionality the standard now governing eDiscovery in Utah.

Proportionality Dictates the Scope of Permissible Discovery

Utah Rule 26 has changed the permissible scope of discovery to expressly condition that all discovery meet the standards of proportionality.  That means parties may seek discovery of relevant, non-privileged materials “if the discovery satisfies the standards of proportionality.”  This effectively shifts the burden of proof on proportionality from the responding party to the requesting party.  Indeed, Utah Rule 26(b)(3) specifically codifies this stunning change:  “The party seeking discovery always has the burden of showing proportionality and relevance.”  This stands in sharp contrast to Federal Rules 26(b)(2) and 26(c), which require the responding party to show the discovery is not proportional.

The “standards of proportionality” that have been read into Utah Rule 26 incorporate those found in Federal Rule 26(b)(2)(C).  In addition, Utah Rule 26 requires that discovery be “reasonable.”  Reasonableness is to be determined on the needs of a given case such as the amount in controversy, the parties’ resources, the complexity and importance of the issues, and the role of the discovery in addressing such issues.  Last but not least, discovery must expressly comply with the cost cutting mandate of Rule 1 and thereby “further the just, speedy and inexpensive determination of the case.”

Proportionality Limits the Amount of Discovery

To further address the burdens and costs of disproportionate discovery, Utah Rule 26(c) limits the amount of discovery that parties may conduct as a matter of right based on the specific amounts in controversy.  For those matters involving damages of $300,000 or more, parties may propound 20 interrogatories, document requests and requests for admissions.  Total fact deposition time is restricted to a mere 30 hours.  For matters between $50,000 and $300,000, those figures are halved.  And for matters under $50,000, only five document requests and requests for admissions are allotted to the parties.  Fact depositions are curtailed to three hours total per side, while interrogatories are eliminated.

If these limits are too restrictive, parties may request “extraordinary discovery” under Rule 26(c)(6).  However, any such request must demonstrate that the sought after discovery is “necessary and proportional” under the rules.  The parties must also certify that a budget for the discovery has been “reviewed and approved.”

A Potential Model for Federal Discovery Rule Amendments

Utah Rule 26 could perhaps serve as a model for amending the scope of permissible discovery under the Federal Rules.  Like Utah Rule 26, Federal Rule 26 could be amended to expressly condition discovery on meeting the principles of proportionality.  The Federal Rules could also be modified to ensure the propounding party always has the burden of demonstrating the fact specific good cause for its discovery.  Doing so would undoubtedly force counsel and client to be more precise with their requests and do away with the current regime of “promiscuous discovery.”  Calcor Space Facility, Inc. v. Superior Court, 53 Cal.App.4th 216, 223 (1997) (urging courts to “aggressively” curb discovery abuses which, “like a cancerous growth, can destroy a meritorious cause or defense”).

Tiering the amounts of permitted discovery based on alleged damages could also reduce the costs of discovery.  With limited deposition time and fewer document requests, discovery of necessity would likely focus on the merits instead of eDiscovery sideshows.  Coupling this with an “extraordinary discovery” provision would enable courts to exercise greater control over the process and ensure that genuinely complex matters are litigated efficiently.

If all of this seems like a radical departure from established discovery practice, consider that the new Model Order on E-Discovery in Patent Cases has also incorporated tiered and extraordinary discovery provisions.  See DCG Systems v. Checkpoint Technologies (N.D. Ca. Nov. 2, 2011) (adopting the model order and explaining the benefits of limiting eDiscovery in patent cases).

For those who are seeking a vision of how proportionality might be incorporated into the Federal Rules, new Utah Rule 26 could be a blueprint for doing so.

Watchdog (SEC) v. Watchdog (FINRA): Destruction, Doctoring and Deflection

Monday, November 14th, 2011

In the first settlement of its kind, FINRA settled with the SEC on October 27, 2011 due to allegations over a 2008 incident where a regional Kansas City office of FINRA doctored documents.  The alleged doctored documents were from three internal staff meetings, where information was either edited or deleted and then provided to the SEC with the “inaccurate and incomplete” changes. Mary Shapiro, currently the Chairman of the SEC, is in an interesting spot as she was Chief Executive of FINRA at the time of the alleged wrongdoing.  She apparently had no direct involvement with the decision to take action against FINRA.

The motives for doctoring the documents are unclear, and so is whether or not the alterations of the documents led to any material damage other than FINRA’s diminished credibility.  Ironically, the SEC has had its own struggles in recent months with a slew of articles published in various newspapers highlighting their own challenges with document retention and the improper destruction of documents. Both of these scenarios have been called to light by whistleblowers within their respective agencies.

These antics certainly pose the question: Is it a good use of taxpayer money to have regulatory agencies fighting each other over document retention and record keeping practices? The answer is probably no. But the first question begs the second: If they don’t do it, who will?  While information management is not the sexiest part of the SEC and FINRA’s responsibilities, it certainly is an important one and the foundation of their information intelligence.  Without proper document retention and information governance, the probability of connecting the dots to discover insider trading or other malfeasance is low.  Moreover, in order for agencies to retain credibility they need to be able to locate documents with ease and speed and those documents must be truthful and accurate.

Because FINRA is a self-regulatory firm for securities and is overseen by the SEC, it seems appropriate that they investigate matters like the one at hand.  According to the SEC, the 2008 incident is the third instance in the past eight years where an employee of FINRA, or its predecessor, the National Association of Security Dealers, has provided altered or misleading documents to the SEC.  It remains to be seen if this is intentional on the part of FINRA to conceal undesirable facts or to promote an item on their agenda, or if in fact they are simply negligent with regard to their record keeping policies.  Either way, it is a problem for the SEC and the government in general as it undermines agency credibility and compromises the ability to intelligently leverage information.   This settlement also does no favors for FINRA at a time when they aim to expand their 4,600 base of supervisory authority to include 10,000 more investment advisory firms.

So, what can be done about this behavior and the risks it poses? Corporations and governments are facing the same issues that information governance poses due to the data explosion and the growing complexity of data sources today.  At a minimum, there needs to be a policy in place that governs how data, regardless of form, is handled and disposed of in the information lifecycle.  It also makes sense to form an audit committee within the government that can inspect and assess the information management practices of each agency, as well as serve as a  third party mediator between agencies when these challenges arise.  This is a good idea for two reasons.  One, agencies can focus on their responsibilities instead of getting sidetracked with issues they are not expert in, like document retention or record management.  Next, this problem has reached a point that it’s necessary to appoint an independent group to audit the government due to the data explosion and pace of technology today.  We have the SEC and FINRA to watch the financial industry and provide us with assurance that business is being conducted in a lawful manner.  We don’t need the SEC or FINRA to take up document retention as another responsibility, as there are other professionals that can do that more effectively and independently.

While expansion of government is not the goal of forming yet another committee, this committee could potentially free up agencies to do more of the work they are charged with.  This would also promote standardization across agencies and regulatory bodies, which would be a giant step in the right direction as data volumes grow.  The actions that resulted in this settlement were remedial in nature.  FINRA took decisive action to air a podcast about document integrity and scheduled an agency-wide town hall meeting addressing the same for all current and new employees.  They also hired an independent outside consultant to provide additional staff training on document retention and integrity.  This will be a continual educational process for the private and public sector, and employee training and auditing the process will be the lynchpins for success.  The element of deflection is also at work here, as the SEC is not a model example of best practices for document retention and the moment.

The SEC is working through allegations of document destruction, FINRA is accused of document doctoring, but all these assertions circle back to the central theme of having a document retention policy and compliance with that policy.  This naturally leads to the need for education and training, and the ultimate auditing of the process for compliance.  In this rare case of watchdog bites watchdog, three points become clear: 1) The SEC has a higher and best use other than policing these issues; 2) information management has reached a point that it requires a separate and independent body to monitor and regulate allegations of misconduct; and 3) sometimes it takes a dog biting a dog to truly illustrate the magnitude of a problem.