The other big issue is spoliation. Most companies have a data destruction policy, but with EDD (electronic data discovery), there is a concept of duty to preserve data. So how do you balance those two things? IT will be brought in to help resolve this. If there is reasonable knowledge in the company that you are going to be served, you can’t destroy data. But it still happens. It’s a very gray area.
TCN: So you can get in trouble with the law if you destroy data, even if you didn’t know about a pending case?
MR: That’s right.
TCN: What can a CIO do to help protect a business in this regard?
MR: It comes to showing best effort and when you should reasonably have known about a case. If you have a "quick destroy, don’t keep anything" policy, that’s not going to sit well with the judge if there is no evidence. In terms of managing costs, sometimes there is cost-sharing between the requester and the one being served.
TCN: What are we talking about in terms of discovery costs?
MR: I have seen cases where it runs into hundreds of thousands of dollars. You may have to take three full-time IT people and legal counsel out of their roles for a few months. For a smaller company, something like this could put you out of business.
TCN: Anything else a CIO can do to prepare for being served?
MR: The Sedona Working Group [www.thesedonaconference.org/wgs] has some guidelines. But basically, you need a policy outlining duties and responsibilities if you are served. You need retention and destruction policies. And when it comes to technology, I recommend a complete image of all your laptops and workstations, and also advanced searching tools.
TCN: How concerned should CIOs be about other regulations?
MR: A lot of these regulations have lost their teeth. There has been no enforcement mechanism in many cases. For instance, there was recently a major credit card processing company [Heartland Payment Systems] that was hacked, but the SEC hasn’t looked at them.
TCN: How can the government pass these regulations and then ignore violations?
MR: Sometime after these regulations were passed, the government changed course and decided that the SEC wouldn’t after all be more proactive with businesses on enforcement. They also don’t have the manpower to investigate and enforce. This is the same for HIPAA, even though HIPAA still scares a lot of people because there haven’t been any cases that have made the headlines yet.
TCN: Does this suggest that CIOs might not have to make as much of an effort to comply with these regulations?
MR: With the Obama [administration], you will see more tightening of regulations due to the economy, and there will be more oversight. CIOs should continue to be vigilant. It’s part of your fiduciary responsibility. You have to know what is coming in and what is going out. It saves money in the long term, even though it costs money to be compliant. What’s going to start happening is that as companies start to go downhill financially, they will try to sue others to stay afloat. For instance, suing other companies over employee poaching, if suddenly a bunch of workers at a company that is not doing well go across the street to the competitor.
TCN: Yet it’s tough to keep spending money on compliance right now, when many companies are just trying to keep the lights on.
MR: That’s true—compliance is costly so it’s hard to support it in tough times. But think of it like insurance protection. You can get in far more trouble by not being compliant, as with a shareholder lawsuit. Due diligence is important regardless of the financial climate.