Forensic Update

Reflections on information management within the legal and regulatory arena

Archive for February, 2011

Enterprise E-mail Management…Why it Matters So Much

Posted by Johnny Lee on February 21, 2011


Let’s face it, the thought of enterprise email management simply is not topping the list of sexy, self-evident corporate priorities these days.  Of course, there’s nothing like the negative treatment of genuinely embarrassing news coverage or court sanctions (or worse) to get organizations to revisit the necessity of this vital portion of data governance.

Simply put, it’s hard to fund (much less carry to fruition) an enterprise program that focuses on data management.  While litigation and prosecutions may make headlines, email management is not merely about avoiding culpability and other pitfalls in those arenas.  Properly done, enterprise email management can reduce IT spend, make business processes more efficient, and save hundreds of thousands (if not millions) of dollars annually for companies facing any sort of regulatory scrutiny or civil litigation.

Indeed, companies in every industry and geography are seeing an increase in the rate of litigation and regulatory scrutiny.  This increase is changing not just the way organizations handle such matters but the way in which they do business generally.

According to the latest installment of the annual Corporate Litigation Trends survey from international law firm Fulbright & Jaworski, not only are many organizations anticipating an increase in litigation and regulatory activity, but half believe that the “legal industry” will permanently change the way their business is conducted.  The survey also highlights the belief that legal and regulatory changes related to corruption and bribery investigations, data privacy, and social media will force organizations to think more proactively about their data governance initiatives.

Of course, there is no shortage of literature detailing why data governance is a good idea.  Despite this, few organizations get this right.  The profound disconnect between stakeholders within IT, Legal, HR, and Finance seems to be the principal explanation for why more organizations are not successful in these programs.  Historically, most companies launched an earnest (though myopic and frequently doomed) effort from the IT group.  When this effort failed for lack of consensus or effectiveness, organizations would effectively shelve the effort for another year, chalking it up to insurmountable obstacles.  For a long time, this “charmed life” syndrome was permitted because companies so rarely faced a bet-the-company proposition that hinged on something as mundane as records management.  Today’s legal and regulatory arena makes this attitude a substantial gamble, and fewer executives, boards of directors, and audit committees are willing to tolerate it any longer.

More and more organizations are taking a proactive stance, and they seem to start with what is typically the most substantial data repository: electronic mail.  This is probably a wise gambit, though it should be tackled circumspectly.  While it is true that corporate users exchanged over 60 billion e-mails daily in 2009, it is sheer folly to consider this issue as strictly a technological headache.

The failure to integrate policy, training, monitoring, and PROCESS is the chief reason cited by courts and regulators for sanctions—not the breakdown of a given technology.  Accordingly, if you are in an organization that is finally seeing the light and embracing data governance, learn from the missteps of your colleagues: treat the enterprise initiative of data governance like…well, an enterprise initiative.  Lead with the notion of a “program” (not a project) and manage change from the top down (i.e., establish policy stances that extend to everyone; design process that aligns with policy; then select technology that aligns with these processes).  Finally, don’t forget about training, custodian acknowledgements, and monitoring controls.

Posted in Data Governance, ECM, eDiscovery, Litigation Hold, Privacy, Records Retention

Trade Secrets and Departing Employees…A Cautionary Tale

Posted by Johnny Lee on February 14, 2011

Employers would be wise to review the fact pattern from a Columbus manufacturing company that was involved in a federal investigation related to the theft of trade secrets by a departing employee.  The former employee, Kevin Crow, admitted to stealing highly confidential information from Turbine Engines Components Technologies Corporation (“TECT”) in violation of the Economic Espionage Act.

Crow’s plea deal with the government resulted in a three-year jail sentence, another three years of “supervised release,” and a $10,000 fine.  The deal details Crow’s misbehavior from 1979 until 2007 (when he was laid off), at which time Crow joined a competitor.

Crow admits to walking out the door with close to one hundred (100!) compact discs containing top secret information, including blueprints as well as cost and pricing information.  Both TECT and Crow’s newest employer are in the business of “manufacturing and selling engine blades for military aircrafts.”

According to a press release from the United States Attorney’s Office in the Middle District of Georgia, “As an employee of TECT, Crow continually provided policy statements with explicit direction on identifying trade secrets within the company and how to protect those trade secrets. During Crow’s exit interview he signed a document stating that he had returned all documents containing any trade secret information to TECT, when in fact, he had taken approximately 100 computer discs containing multiple pieces of information considered trade secrets from TECT.

Crow was later employed by Precision Components International (PCI) in Columbus, Georgia, a competitor of TECT…After being employed with PCI, Crow made numerous contacts with employees of TECT requesting forging price sheets containing vendor and customer information. He also requested copies of TECT’s 2007 and 2008 contract reviews that contained trade secret information.  Crow admitted in a conversation with a TECT employee that he took computer discs, blueprints, and cost and pricing information belonging to TECT, and admitted that providing the information could be considered industrial espionage.”

United States Attorney Michael Moore said, “This type of industrial espionage is a serious matter, especially when it involves the production of parts for our military aircraft.  The damages alone to TECT and its employees might be calculated in dollars, but the potential harm to our military equipment readiness is still unknown.”  The parties involved in the plea agreement stipulated that TECT suffered losses of up to $14 million.

So, how can companies protect themselves from employees as unscrupulous as Crow?  The above fact pattern makes it clear that this is no easy proposition, but a robust data governance program seems like the most reasonable first step.  When considering the nature and sensitivity of the information used and protected by TECT (and similar firms), it strikes this editor as quite odd that more advanced data leakage and information security protocols were not employed at TECT.

The FBI employs highly competent investigators, and I have little doubt that Crow might have evaded detection for quite some time but for this fact.  Likewise, Crow might not have been caught if he were less overt in his attempts to obtain sensitive information (not to mention his rather myopic and incriminating admissions to former co-workers).  The take-away here is that the technology exists to send up flares long before a problem surfaces, as it did here, “procedurally” (as opposed to tripping a wire via one or more monitoring controls).  But for Crow’s brazen missteps, this theft of information might have gone undetected for a long, long time.

See also: Microsoft accuses former manager of stealing 600MB of confidential docs

Posted in Computer Forensics, Data Governance, ECM, eDiscovery, Fraud, Information Security, Investigations, Privacy, Records Retention

Can’t you hear the whistle blowing?

Posted by Johnny Lee on February 8, 2011

Dodd-Frank Act creates new record-keeping requirements for Commodities Traders…

On July 21, President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act.  This law creates significant financial industry changes as well as an “incentive program” that provides monetary rewards to individuals who report securities violations (so long as those reports lead to the government’s recovery of sanctions exceeding $1 million in criminal and civil proceedings).  The law also establishes record-keeping and reporting requirements for swap dealers and major swap participants, and it requires the Commodity Futures Trading Commission (“CFTC”) to adopt rules that prescribe which records must be maintained by swap dealers and major swap participants.

Obviously, there are immediate and impactful changes to companies put on notice about potential whistleblower reports.  The new “bounties” will arguably increase the number of whistleblower allegations, while the language of the new Act will make the careful steps taken by companies and their legal counsel even more important, as they embark upon independent internal investigations “as quickly and accurately as possible to determine the overall scope of the allegations and level of misconduct committed.”

Companies subject to the Act would be required under the proposed CFTC rules to maintain full and complete transaction and position information for all swap activities.  Further, these records must be maintained in a “manner that is identifiable and searchable by transaction and by counterparty.”  Likewise, the proposed rules would require the retention of basic business records, including corporate governance minutes, organizational charts, and audit/compliance documentation.  The Act’s data retention requirements even extend to certain financial records (such as information related to cash positions or forward transactions used to hedge), records of complaints against personnel, and marketing materials.  The good news in all of this is that those entities already compliant with existing CFTC records rules would see no changes to at least the retention periods.

For an excellent write-up of the broader impacts of the Dodd-Frank Act, click here.  Check dodd-frank.com for a general overview of the Act and for updates on this Act and other important securities laws.

Posted in Computer Forensics, eDiscovery, Forensic Accounting, Fraud, Investigations, Litigation Hold, Records Retention

 