Mwlug Compliance And E Discovery Policies

Post on 11-May-2015


description

Tips and Best Practices for building and enforcing email retention policies.


MWLUG Conference 2009

IBM Center, Chicago, IL, August 27-28, 2009

Empowering the Lotus Community

Creating Effective Compliance and E-Discovery Policies – Best Practices and Procedures

Denny Russell is a Technical Support Specialist for the Domino products at Sherpa Software. He is a contributor to Sherpa’s Domino Blog, Administrator for the Lotus Notes/Domino environment (including Domino 8x, Sametime, Quickr and BlackBerry Enterprise Server for Notes) and webmaster for Sherpa's corporate website.

Session: In this session, we will discuss the challenges of developing, implementing and enforcing a corporate retention policy that balances storage demands and those of your Legal and Compliance Teams. Learn about the Do’s and Don’ts of policy design as well as discover potential stumbling blocks and how to address exceptions. Examine how regulatory requirements and e-discovery requests could impact your policy and what to expect in the event of litigation. Lastly, determine if you have the right tools in place to support your policy initiatives and find out what additional tools can help.

Agenda

● Introduction
● Compliance: What is it?
● Policies & What You Need to Know
● E-Discovery & What You Need to Know
● What's Available in Domino
● What to look for in a Solution
● Questions

Compliance: What is it?

Laws, regulations and policies that drive your business and the way you handle your data.

● Space Needs vs. Legal/Industry Regulations

● Corporate Governance

● Federal Regulations

● Legal Restrictions

Compliance: What is it?

Corporate Governance

● Storage Practices

● Internal Procedures

Compliance: What is it?

Federal Regulations

● Sarbanes-Oxley Act (SOX)

● Health Insurance Portability and Accountability Act (HIPAA)

● Gramm-Leach-Bliley Act (GLBA)

● FDA

Compliance: What is it?

Legal Restrictions

● Federal Rules of Civil Procedure (FRCP)

● Litigation Holds

Compliance: What is it?

Policies

● Hiring/Termination Procedures
● Acceptable Use Policies
● Email Retention Periods
● Instant Messaging Policies
● Preservation Policies
● Electronic Discovery Procedures

Policy Enforcement: Best Practices

● Clearly define the purpose for the policy

● Gather support from Legal, Management and IT

● Establish practical rules for effective conduct of business

● Find a solution that fits your infrastructure and budget

● Handle exceptions, e.g. Litigation Holds

● Enforceable, Auditable

What to Include in your Policies

Without a policy in place, legal liability increases.

● The length of time documents are kept before they can be destroyed
● Email, Files, IM, Hard Copies, etc.
● Where will data be stored?
● What format will the data be in?
● Who will have access and what can they do with the data?
● Will there be exceptions to data or employees that are part of it?

Policy Enforcement Challenges

● Competing interests (corporate retention policy vs. individual and business needs)

● Requirements vs. Resources

● Buy-in & adherence from relevant personnel

● ‘Smoking Gun’ Emails

● Discovery Requirements

● ‘Reduce risk while meeting a business need’

● Lack of well defined rules

● No ‘one size fits all’ policy

Resources for Building a Policy

● http://www.epolicyinstitute.com/
● http://www.soxlaw.com/
● http://www.hhs.gov/ocr/privacy/index.html
● http://www.law.cornell.edu/rules/frcp/
● http://www.sherpasoftware.com/blogs/SherpaBlog.nsf/
● http://www.aiim.com

E-Discovery and What you Need to Know

The process of collecting data when you become involved in legal issues.

• Placing documents/Users on Legal Hold

• How will you get the data?

• Where will you find the data?

• Who will be included?

E-Discovery: Common Risks

Common risks organizations face with electronic data:

● Not retaining information that should be retained

● Retaining data that has outlived its usefulness

● Not having a defensible process for data management

● Inability to discover and retrieve relevant information, when requested

E-Discovery: Relevant Questions

Questions compliance officers should be asking their IT departments:

● Where is corporate data (corporate documents, emails, contracts, etc.) being stored - network shares, databases, local desktops, in PST files, etc.?

● Does the IT department have the ability to reach all of this data and search it?

● Can we retrieve unadulterated copies of this data?

● Is there a process to maintain chain of custody?

● Can we enforce a legal hold and prevent the purging of relevant data, if necessary?

● If we have policies, how are they being implemented? Is the enforcement process validated?

EDRM Model

● Know which processes affect you
● How you will meet those steps

What's Available in Domino

Domino provides many tools to help you with this process.

• Journaling

• Archiving

• Searching

Domino Journaling

Journaling

● Capture sent and received messages

● Process based on:
    ● Content within the subject or body fields
    ● Recipients or senders
    ● Roll-over based on age or size

Domino Archiving

Archiving

● Policies allow you to control
● Server or Local Archiving

● Local Archives are a legal/E-Discovery nightmare

Domino Searching

Individual mail files would need to be searched manually.

What to Look for in a Solution

● Flexibility
    ● Configuration
    ● Exclusions/Legal Hold

● Friendly to End-Users
    ● Ease of use for the users
    ● Searchable – Can they easily find their data

● Friendly to E-Discovery Needs

Q & A

● Questions

Contact Information

● Denny Russell

● drussell@sherpasoftware.com

● http://www.sherpasoftware.com/blogs/SherpaBlog.nsf/

● Twitter: http://www.twitter.com/DennyRussell

● LinkedIn: http://www.linkedin.com/in/dennyrussell
