02 Mar CIOs could keep companies out of hot water in court
Madison, Wis. — CIOs need to check whether they’re adequately handling security and regulatory challenges far beyond passwords and firewalls – including insider theft, lost data, and poor document retention, said panelists at the Fusion2006 CEO-CIO Symposium on Thursday.
Morgan Stanley’s $1.4 billion example in 2005 of how not to produce documents in a court case has put a chill in the hearts of many company officers.
The case was a relatively ordinary one, said Paul Benson, a corporate lawyer with Michael Best & Friedrich. That is, until Morgan Stanley found, several times over, that it had failed to produce all available data, such as thousands of e-mails that an IT staffer discovered after the initial round of documents had been handed over.
The failures added up – to $850 million in punitive damages, on top of the $604 million compensation that Morgan Stanley had to pay.
Saying that IT challenges made information hard to find doesn’t cut it in court, Benson said, even when the challenges are real.
“Judges don’t get it,” Benson said. And the excuses work even less often for organizations that have the most data to collect and organize: “The bigger your company, the more the court thinks you’ve got your act together.”
The solution is written policies. And that’s on two sides of the issue: not just for how to store and retain documents, but on how those documents should be created in the first place. For Benson, that means following the Dragnet rule – just the facts, ma’am – and the grandmother rule – put nothing in an e-mail that you wouldn’t want blown up on a poster board in a courtroom with your grandmother in the front row.
E-mail at work, he said, should not be considered private. And before deleting it, or letting employees delete it, companies need to work out a reasonable standard for doing so.
“If you don’t have a written document retention and destruction policy, you need to create one immediately,” Benson said. “And you don’t have a choice.”
Educate or restrict?
When it comes to document retention, keeping documents in the right hands, or security in general, companies are faced with a choice. Educate employees about good security practices and give them responsibility for keeping their own work secure, or take control away and implement automatic security systems, possibly at the expense of employees’ ability to be flexible.
It’s not an easy decision, but CIOs are doing their best to take a balanced approach in the face of sometimes large and diverse user bases.
“We allow our people to click on links to pictures of Britney Spears, and suddenly we’ve bypassed all our security,” said Mike Lettman, chief information security officer of Wisconsin.
Bernard Gay, vice president of IT for Royal Caribbean International, and Ed Meachen, CIO of the University of Wisconsin System, both run organizations with widely distributed users who don’t necessarily have the security of the network on their minds. For the university, it’s students; for a cruise line, it might be travelers who want to use a computer to send pictures from their camera to their families.
And even when all of an IT system’s users are employees, the problems don’t end there. Employees can bring in personal devices that accidentally cause problems, or could even be stealing information from their employers.
“Know your enemy,” said Paul Congdon, CTO of ProCurve by HP. He said securing the outside entry points to a network is of great importance, but the inside of the network is often also vulnerable. “We think that as long as we’ve got the walls up, everything inside is fine,” he said.
Another approach, where possible, is to make security systems so transparent that employees don’t have to worry about them. It’s not always possible, but when it is, the simplicity is compelling.
“When you make a cell phone call you don’t have to realize that’s encrypted,” Congdon said. “You don’t have to do anything.”
In any case, John Thomure, a lawyer with Michael Best & Friedrich who specializes in white-collar crime, said that to make sure employees don’t cause legal problems around proprietary information, companies need to have policies that “make sure they’re coming with nothing and leaving with nothing of yours.”