Managing regulatory compliance


Stephen Mason, Barrister

Director, Data Protection Research & Policy Group

Outline

1. Overview

2. The business - legal interaction

3. Governance

4. Records management

1. Overview

The business perspective

• Dependence on IT infrastructure in running the business of the organization across jurisdictions

• Virtually all correspondence, papers, contracts and such like are now created by computers

• Varying degrees of confidentiality and privacy attributed to documents means they must be protected

• Data must remain available

• The integrity of documents should be considered

• Balance the costs of security and storage against the value of information and the risks

The liability

• Vicarious liability

• Falls at the highest levels

• There is a need to take appropriate measures to

– Manage the infrastructure safely and securely

– Prevent or detect improper or illegal activities taking place

– Comply with legal and regulatory requirements

• The issue is how we adapt to and control the use of the technology

2. The business - legal interaction

Control of data

Value of e-mail correspondence: contract

Employees

Data protection

Retention of documents

Evidence

Litigation

Controlling access to data

• Basis of control

– The organization owns and controls the communications infrastructure

– Various legal duties are imposed by judges, politicians and regulatory authorities

• Private use increases the risk to the organization

• Where private use is not permitted, the prohibition must still be enforced by the organization

Contracts and e-signatures

England and Wales

• Hall v Cognos Limited

• Pretty Pictures Sarl v Quixote Films Ltd

United States of America

• Roger Edwards LLC v Fiddes & Son Ltd

Singapore

• SM Integrated Transware Pte Ltd v Schenker Singapore (Pte) Ltd

E-mail and employees

• Defamation

– Western Provident v Norwich Union

• Sexual discrimination (e.g. of retaining e-mails for defensive reasons)

– Carina Coleman v Lansdowne Capital Limited & Alan Dargan

• Forwarding inappropriate images

– Sangster v Lehman Brothers Limited

• Criminal offences

– Miseroy v Barclays Bank plc

Data protection: EU

• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (23.11.95 OJ L 281/31)

• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (12.1.2001 OJ L 8/1)

General global guidance

• Protection of workers’ personal data (International Labour Office, Geneva, 1997)

• Code of Practice for e-Work across Borders (Ethical Guidelines for World Wide Work, 2000 http://www.unomondo.org)

Human rights: comparisons

United Kingdom

• Halford v United Kingdom (1977) EHRR 523

France

• Onof v Nikon France Decision no 4164, October 2, 2001 (99-42.942)

United States of America

• Fraser v Nationwide Mutual Assurance 135 F Supp 2d 623 (E D Pa 2001) [amongst others] - no interception

Retention of documents

• Organizations need to keep certain types of document or record for both commercial and legal reasons

• There is no need to retain every document for ever

• Document retention periods are set against different criteria:

– Retention periods prescribed by law

– Rules issued by regulatory bodies

– Best practice

• IT may be the custodians of the documents, but must be advised by legal, company secretary, compliance, HR, data protection

• The policy should:

– Provide for the extension of time limits and the suspension of the disposal of documents where legal action is anticipated or has begun

– Be reasonable, measured and appropriate

Evidence

• Digital documents are adduced in evidence in all types of forum

• There is a practical problem: many digital documents remain in an unstructured medium

• The content determines the nature of the document

• Some digital documents must be retained, whilst others can be legitimately deleted

E-documents in litigation

• Litigation is expensive (legal fees, court fees, directors' time, IT time, media interest, reputation issues)

• The Fulbright & Jaworski 2nd annual ‘Litigation Trends Survey’ (2005) illustrated an increasing problem:

– Electronic disclosure is a serious issue

– Most numerous types of dispute: employment, contract, product liability, IPR, personal injury

• What documents have you got to prove your case? How do you find them?

• All documents are admissible in legal proceedings, although judges have the discretion to exclude evidence

• Once a document is admissible, the next question is the weight of the evidence

• In deciding weight, the question is: how reliable is the evidence?

3. Governance

The law and governance interweave

United States of America

Legislation

• Sarbanes-Oxley Act of 2002 (Public Law 107-204 of the 107th Congress)

Regulation

• US Securities and Exchange Commission

• Financial Accounting Standards Board (http://www.fasb.org/)

European Union

• Report of the high level group of company law experts on a modern regulatory framework for company law in Europe (2002)

• Commission Recommendation of 16 May 2002 Statutory Auditors’ Independence in the EU: A Set of Fundamental Principles (OJ 19.7.2002 L 191/22)

• Communication from the Commission to the Council and the European Parliament reinforcing the statutory audit in the EU (OJ 2.10.2003 C 236/02)

• Report on European Governance (2003 - 2004)

• Modernising company law and enhancing corporate governance in the EU (http://europa.eu.int/comm/internal_market/smn/smn32/a17_en.htm)

• Proposal for a Directive of the European Parliament and of the Council on Statutory Audit of Annual and Consolidated Accounts

United Kingdom: legislation

• Companies Act 1985 (International Accounting Standards & other Accounting Amendments) Regulations 2004 SI 2004/2947

• Companies Act 1985 (Operating & Financial Review and Directors’ Report etc) Regulations 2005 SI 2005/1011

• Companies (Audit Investigations and Community Enterprise) Act 2004

United Kingdom: guidance

• Cadbury Report on the Financial Aspects of Corporate Governance (1992)

• Greenbury Recommendations for best practice in determining and accounting for Directors’ remuneration (1995)

• Turnbull Report on Internal Control Guidance for Directors on the Combined Code (1999) (Reviewed by Douglas Flint, 2004)

• Combined Code on Corporate Governance (2003) [supersedes and replaces the Combined Code issued by the Hampel Committee on Corporate Governance in 1998]

• Higgs Review of the role and effectiveness of non-executive directors (2003)

• Tyson Report on the Recruitment and Development of Non-Executive Directors (2003)

Global and regional

• OECD

– Principles of Corporate Governance (1999)

• Commonwealth Association for Corporate Governance

– Guidelines (1999)

4. Records management

Some issues to consider

Some considerations

• Litigation

• Freedom of Information requests

• Protection of data (personal and corporate)

– Internally

– From outside attacks

– Legal privilege

• Issues of confidentiality as between jurisdictions

• Balancing:

– Internal audit and risk

– Ease of use of IT system

– Development of the technical architecture

– Limitations of the technology

– Human behaviour

The response

• Priorities need to be agreed:

– IT needs to be higher on the agenda

– Revenue and growth are not incompatible with security and privacy

– In the commercial field, the Logica-CMG (2004) survey demonstrated that shareholders rate IT security as a high priority

• The pressure to do something to take control of digital data is coming from the need to comply with laws and the regulatory framework

• The balancing act:

– the cost of retaining documents + security + storage + retrieval + business continuity + disaster recovery

against

– the value of information and the risks: especially regulatory and legal

Concluding remarks

A networked world

• Business processes and the law are inextricably intertwined

• Whatever your business, your data is central

– Employees' data

– Customers' data

– Intellectual property

• End user security is sloppy

• Data and communications tend to be handled recklessly

• Attitudes must change

• IT are only the custodians of the data

The eternal triangle

1. Politicians pass laws

2. Best practice and good governance

3. Judges interpret laws

These closely interrelate: somebody has to balance them

Stephen Mason

Director, Digital Evidence Research Programme

British Institute of International and Comparative Law

Charles Clore House

17 Russell Square

LONDON WC1B 5JP

Direct telephone number: + 44 (0)20 7862 5436

Telephone number: + 44 (0)20 7862 5159

Facsimile number: + 44 (0)20 7862 5152

http://www.biicl.org

Main publications:

Electronic Signatures in Law (LexisNexis Butterworths, 2003)

Networked communications and compliance with the law (xpl publishing, 5th edn, 2005)

General Editor of the e-Signature Law Journal

www.e-signaturelawjournal.co.uk
