A well-thought-out data retention and retrieval plan is crucial for effective Sarbanes-Oxley (SOX) compliance, according to one Canadian expert.
Without such a plan, a company may “lose” vital information amid the profusion of data it stores, said Sunny Handa, a partner with Blake, Cassels & Graydon LLP, a business law firm in Montreal, Que.
SOX requires public companies to keep important paper and electronic business documents for set periods and to produce them when ordered by a court or requested by a government regulator. SOX provisions affect all public U.S. companies as well as Canadian businesses listed on U.S. exchanges.
Handa said that when a request for information is made under SOX, whether for a specific document or a batch of e-mails, the information must be retrievable quickly and easily. If that doesn’t happen because no one knows where the information was stored and when, the company may open itself up to legal problems, he said.
While agreeing that there is need for effective data management and retrieval policies, another industry insider says prioritizing information is a vital prerequisite for implementing any such policy.
Companies must clearly determine what must be retained for regulatory compliance and what may be discarded, said John Relihan, a director of sales with Computer Associates (CA) in Mississauga, Ont. Not all information is equal and too many companies make the mistake of treating it as if it were, he noted.
For instance, an e-mail containing sensitive corporate or financial information will likely have to be retained much longer than an e-mail that says, ‘Hi Dear, Can you buy milk on the way home?’ “[Most] folk we deal with are just starting to understand that they need to put policies in place that assist them in managing the vast amounts of information they [keep],” the CA executive said.
These days, information policy management software that specifies how and where to retain documents is gaining interest among companies that face compliance difficulties with regulations such as SOX, as well as growing litigation-related document discovery obligations. Enterprise content management vendors, such as EMC, FileNet, IBM and Open Text, offer products with version control, records management, collaboration and workflow features.
Some vendors have recently launched software tools that help companies be selective about what they store and what they discard.
For instance, PSS Systems Inc., a Mountain View, Calif.-based company, has unveiled software designed to help businesses automate decisions about which documents to save and which to toss.
The company’s Atlas Information Policy Management (Atlas IPM) suite is intended to help companies create and manage policies for document retention, disposal, preservation and production. Once a company configures its policies, Atlas IPM enforces them across disparate data sources, including files stored on PCs, on file servers and in data repositories.
Atlas IPM can help companies reduce their document discovery and storage costs, and improve user productivity, says Deidre Paknad, president of PSS Systems, which was founded in 2001. It retains only a single instance of each document and disposes of unnecessary versions or records that have reached their end-of-life stage. On the legal front, the software is designed to help companies more easily find the documents they need to produce.
Companies often have retention policies, but they aren’t always uniformly enforced across distributed sites. At the same time, companies store massive amounts of information that don’t need to be preserved, which can complicate electronic discovery efforts, says Paknad, who founded CRM vendor CoVia Technologies in 1996 and most recently was a vice-president at regulatory compliance software maker Certus.
PSS Systems’ software complements the enterprise content management vendors’ suites, Paknad says. “There’s a whole diversity of information systems that keep certain kinds of business information, and generally those are unique to a business unit and department,” she says. For example, a company might keep financial information in an SAP system and legal contracts in a separate content management system. “Atlas IPM acts as an overlay across all of the disparate systems and stores where companies keep data.”
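The retention logic described above, classifying records by business value, keeping a single instance of each document, disposing of copies that have reached end-of-life and preserving anything under legal hold, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not PSS Systems’ code, and the retention classes, file paths, dates and record contents are constructed for the example. Real retention periods come from counsel and the records management schedule, not from a dictionary in a script.

```python
"""Toy retention and disposition engine (added example, not PSS Systems' code)."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Retention classes in days. Constructed for illustration: the actual schedule
# is set by legal and records-management staff, not hard-coded.
RETENTION_DAYS = {
    "financial": 7 * 365,   # books-and-records material kept for years
    "contract": 10 * 365,
    "personal": 0,          # the "buy milk" e-mail: no business retention value
}


@dataclass
class Record:
    path: str          # where the copy lives (PC, file server, repository)
    category: str      # retention class assigned at capture time
    created: date
    content: bytes
    legal_hold: bool = False  # preservation order in force for this record

    def digest(self) -> str:
        # Content hash identifies duplicates across disparate stores.
        return hashlib.sha256(self.content).hexdigest()


def disposition_date(record: Record) -> date:
    """Date on which the record leaves its retention period."""
    return record.created + timedelta(days=RETENTION_DAYS[record.category])


def apply_policy(records, today: date):
    """Return (keep, dispose).

    keep maps content digest -> the one path retained for that content.
    dispose lists (path, reason) for copies that may be deleted.
    A legal hold on any copy preserves that content regardless of schedule.
    """
    held = {r.digest() for r in records if r.legal_hold}
    keep = {}
    dispose = []
    # Oldest copy first, so the retained instance is the original, not a later copy.
    for rec in sorted(records, key=lambda r: (r.created, r.path)):
        d = rec.digest()
        if d in keep:
            dispose.append((rec.path, f"duplicate of {keep[d]}"))
        elif d in held:
            keep[d] = rec.path  # preservation overrides the retention schedule
        elif disposition_date(rec) <= today:
            dispose.append((rec.path, "end of retention period"))
        else:
            keep[d] = rec.path
    return keep, dispose


def produce(records, today: date, category: str):
    """Answer a production request: the retained, de-duplicated copies in a category."""
    keep, _ = apply_policy(records, today)
    by_path = {r.path: r for r in records}
    return sorted(p for p in keep.values() if by_path[p].category == category)


# Constructed sample corpus spread over a file server, a PC, a mail store and a CMS.
TODAY = date(2006, 1, 1)
SAMPLE = [
    Record("fileserver/q3-ledger.xls", "financial", date(2004, 10, 1), b"Q3 ledger rows"),
    Record("pc-42/My Documents/q3-ledger copy.xls", "financial", date(2005, 2, 3), b"Q3 ledger rows"),
    Record("mail/exec/2005-06-01-milk.eml", "personal", date(2005, 6, 1),
           b"Hi Dear, can you buy milk on the way home?"),
    Record("mail/exec/1997-03-12-audit.eml", "financial", date(1997, 3, 12), b"1997 audit memo"),
    Record("cms/contracts/vendor-x.pdf", "contract", date(1994, 5, 5), b"vendor X contract",
           legal_hold=True),
]

if __name__ == "__main__":
    keep, dispose = apply_policy(SAMPLE, TODAY)
    print("retain:", sorted(keep.values()))
    for path, reason in dispose:
        print("dispose:", path, "-", reason)
    print("produce financial:", produce(SAMPLE, TODAY, "financial"))
```

The 1994 contract is long past its ten-year schedule but survives because it is under hold; the 1997 audit memo is disposed of as expired; the ledger copy on the PC is disposed of as a duplicate of the file server original; and a production request for financial records returns exactly one path, which is the retrieval-speed point Handa makes. Note that the hold is keyed on content, not on a single path, so a copy elsewhere cannot be deleted while its twin is preserved.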
Both Handa and Relihan disagreed with the suggestion that legislation such as SOX may inadvertently create more opportunities for fraud. The argument was advanced by a senior executive of a leading privately held software company in an interview carried last month in a section of the IT press. The issue is whether a company could use the vast amounts of information stored in response to SOX to hide compromising information, in effect deliberately hiding the needle in the haystack and hoping no one finds it.
“That particular spin on SOX [is] not something I’ve discussed with anyone before,” said Relihan. “What we are seeing is many companies are just starting to learn what the compliance regulations mean to them.” Handa said the fraud argument does not really wash, as it would require a company to deliberately hide information, something that is not in its best interests.
With files from Ann Bednarz, Network World (US)