Wall Street crisis brings lax e-discovery law enforcement to light

IT managers expect U.S. to add new regulations, boost enforcement

The financial crisis on Wall Street has prompted numerous investigations into the lending practices of financial services firms, all with a similar focus: Who knew what, and when did they know it?

Strong electronic records retention plans could help users quickly answer such questions. However, industry observers note, few of the records-retention regulations enacted over the past decade have been strongly enforced, and most companies have done little to comply with them.

Analysts warn that the fallout from the Wall Street meltdown will lead quickly to stronger enforcement of existing laws -- including the Sarbanes-Oxley Act, the Electronic Signatures in Global and National Commerce Act, the U.S. Securities and Exchange Commission's Rule 17A-4, and the Gramm-Leach-Bliley Act -- and perhaps some new ones targeting the financial services industry.

At the same time, the health care industry faces more scrutiny as it hastens to move to a national e-health system.

Today, only 10% to 15% of U.S. corporations have electronic records retention systems in place, according to Gartner Inc. "In terms of a good electronic records system, I would say it's closer to zero," said Debra Logan, an analyst at the consulting firm.

"There will be an increase in regulations," predicted Hugo Torres, IT director at Coral Gables, Fla.-based Great Florida Bank. "We've gotten wind of it. We'll be more heavily regulated than before."

Until two years ago, Torres said, it was common for four bank examiners to audit Great Florida Bank annually. Last year, as the crisis grew, 12 examiners inspected its records. Torres said he's bracing for even more auditors in 2009, as state and federal agencies scour every commercial and consumer loan to make sure that banks performed adequate due diligence to determine the borrowers' ability to pay.

Logan said that stronger retention systems will also help companies to better defend themselves against legal action by disgruntled customers or employees.

"The amount of litigation that's going to be generated out of this Wall Street meltdown is going to be unbelievable. The regulators will be asking the banks what happened," she said. Lawsuits stemming from problems at government-backed mortgage finance companies "Freddie Mac and Fannie Mae will result in systemic change," Logan added.

Bill Savarino, a partner at Washington-based law firm Cohen, Mohr LLP and an expert in e-mail retention and other regulatory issues, said he expects that Congress will overreact to the Wall Street crisis and enact new legislation.

"I don't know if it's necessary," he said. "If they enforce the stuff they've got, we should be fine."

Savarino, who has been advising IT managers on data retention issues for the past seven years, said that companies that are implementing retention systems today often do little more than keep data for 30, 60 or 90 days and then hit the delete button. In such cases, legacy documents are unavailable, and it isn't possible to show trends over time, he noted.

"I do not subscribe to the 30-, 60-, 90-day policy. I think they are woefully inadequate, and I don't think they comply with most rules and regulations," Savarino said. "When regulators audit regularly and investigate regularly, that's when they're going to start discerning who's keeping e-mail and who's not. They just haven't been doing that on a regular basis."

Savarino said IT managers and corporate legal departments should take the following three steps to prepare for the coming oversight onslaught:

  • Learn what the data retention laws require specific industries to do.
  • Install packaged archival and retrieval tools because it's too difficult to handle those tasks manually.
  • Utilize outside legal counsel.

"I know that sounds self-serving," Savarino acknowledged, "but outside lawyers can help companies figure out what the laws are and establish retention schedules and determine how to set up electronic archive 'buckets' to hold on to e-mail and documents."

Lawyers can also help set policies, procedures and parameters to deal with litigation holds, which require firms that have been notified about a potential lawsuit or government investigation to retain all potentially-relevant electronic documents. Two years ago, Congress approved the Federal Rules of Civil Procedure, which set a baseline for which electronic documents must be retained and retrievable by corporate litigants in a court case.

After completing an initial public offering two years ago, Great Florida Bank installed a complete electronic-documents archive and e-discovery system to deal with the additional regulatory oversight facing publicly-held financial institutions.

The e-discovery system, from Santa Clara, Calif.-based Mimosa Systems Inc. -- along with two Hitachi storage-area networks (SANs), and an Exchange and a SQL Server cluster upgrade -- cost $500,000, and it was worth every penny, Torres said.

Now all of the bank's e-mail and electronic documents are automatically indexed and stored on the two SANs, which replicate the data for disaster recovery.

Torres said the system is very helpful in the auditing process and will likely help the bank deal with any lawsuits filed against it by ex-employees or customers.

Great Florida Bank, which employs 275 people and has 26 branch offices in three counties, maintains 32 servers in its data center.

Many health care firms are turning to such systems as the federal government increases emphasis on electronic health records systems, setting up systems and enforcing the Health Insurance Portability and Accountability Act.

In addition, an increase in the number of lawsuits against health care providers has forced them to implement measures to better protect patient data and store it for set periods of time.

Wyoming Valley Health Care System Inc. turned to CommVault Systems Inc.'s Simpana e-discovery software last March after a lawsuit was filed against one of its hospitals.

Howard Dowell, a network analyst at the Wilkes-Barre, Pa.-based health care provider, said the software automatically indexed four years' worth of e-mail over a weekend and provides a Google-like search engine for retrieving documents.

"Our system is giving us results in seconds," Dowell said, noting that it can be used to search by keyword, date, the name of the sender or a phrase. "Basically, I get it back like a Google search page with all the hits, I can save it as a PFT or .Zip file and examine it later," he added.

Wyoming Valley Health Care's data center runs 200 servers, 90% of which are Wintel boxes, and it has 1,200 e-mail users. Electronic documents are indexed on two servers and then stored on an EMC Clariion SAN.

However, Logan said, most companies "are standing there like deer in the headlights."

"We have to have a more disciplined process for working with electronic records regulations," she said. "We need to have people in charge of managing information for the entire company. Today, everyone's expected to manage their own data."

As e-discovery pressures grow, companies and regulators must work together to determine which business documents are truly critical, Logan added. "People have to start throwing stuff away. It's not all precious," she said. "There needs to be some change to separate the wheat from the chaff."

Copyright © 2009 IDG Communications, Inc.
