Category Archives: Records Management

How important is keeping records?

In September 2010, a pipeline exploded in San Bruno, California, killing eight.  PG&E, the pipeline’s owner, couldn’t find records of pipeline inspections required by regulation.  Lots of fines and civil damages.

As part of the resolution, or as part of their post-crisis communications plan, PG&E placed a full-page ad in The Wall Street Journal on March 21.

Here’s a pdf of the ad.  TheWallStreetJournal_20170321_B005

Doubt if the corporation has that ad in Lucite paperweights.

Does your corporation adhere to regulatory record-keeping requirements?

Filed under Board, Compliance, Compliance, Corporation, Directors, Duty, Employees, Governance, Legal, Oversight, Records Management, Requirements

Classification

For years, you have tracked information based on 14,000 categories.  Sort of like record retention categories.  But then they go and change from 14,000 categories to 70,000.  How do you manage the transition?

“70,000 Ways to Classify Ailments,” The Wall Street Journal, September 28, 2015 B1.

Maybe not a big deal for you, but your doctor and nurse and hospital have been spending big bucks to get ready.

Filed under Collect, Definition, Governance, Information, Management, Oversight, Protect assets, Records Management, Use

San Bruno, continued

In 2010, a gas pipeline ruptured in San Bruno, setting fire to a neighborhood and killing 8 people.  In the aftermath, PG&E, the utility responsible for the pipeline, couldn’t locate the required documents showing that 170+ miles of the 200+ miles of  pipelines had been properly inspected.  I’ve followed this for years.

“Utility’s Fine for Explosions: $1.6 Billion,” Wall Street Journal, April 10, 2015 B1. After imposing the fine, the utility commission “want[s] to open a new investigation into the safety culture … after finding that [the utility] neglected its vast network of pipelines for decades.”

What was the fine for, then?  Or the lawsuits?  How many times can you dip?


Filed under Business Case, Collect, Compliance, Compliance, Controls, Culture, Duty of Care, Governance, Internal controls, Management, Oversight, Protect, Protect assets, Records Management, Risk, Use

Teaching example

There’s a lot of furor over Hillary’s decision to set up a server at home to handle all her Secretary of State email.  See “Clinton Urged to Break Silence on Email,” Wall Street Journal, March 5, 2015 A4.

How many lessons here?

  • What limits do laws place on your behavior?  Pesky little things like the Federal Records Act and the National Archivist.
  • How important is it to segregate personal emails from work emails; your employer owns the latter, but can look at the former if you put it on the employer’s equipment? What if you commingle, even a little?
  • Don’t forget about backups.  Were there backups?  What happened to them?
  • Who handles security? Physical (the server itself) and Internet?
  • If you delete it, is it really gone?  Maybe, if you control the server and the backup tapes.
  • What information is in the possession, custody, or control of the State Department?  Does this storage location qualify?  Is it therefore subject to subpoenas to the Department of State?  FOIA requests?
  • What about the application of 18 USC Sec. 1519, which the Supremes tell us does not apply to fish?  If something is deleted or modified to influence the administration of an agency of the US government, is there a felony?
  • Who “governs” the collection?  Does the Government make the decision of what’s personal and what’s work, or does the employee?
  • What culture does this behavior indicate?  How would subordinates view this behavior? What about the impact on all the others who saw this happening and did nothing?
  • How many email addresses can you use?  How do you prove who was typing at the time?

Too bad my class is over for the term.  This would have provided a lot of fodder for discussion and inquiry.  Or the perfect exam question.


Filed under Business Case, Compliance, Controls, Culture, Duty of Care, Governance, Information, IT, Legal, Oversight, Ownership, Ownership, Policy, Records Management, Requirements, Risk, Security

Beyond the firewall

Information governance focuses a lot of time and attention on internal compliance with law and company policy and the protection/security of corporate information.  One aspect of protecting/securing corporate information is to protect/secure it where it lives, which may not be just within the corporation.

“Firms Raise Hacking Defenses,” Wall Street Journal, October 27, 2014 B5. Banks are looking at how one group of vendors controls access to and use of the bank’s information: the outside lawyers.

Do your vendors follow your information policies and record retention and disposal processes?  If you have litigation or an investigation, you likely have a duty to preserve and produce relevant information in the hands of your vendors.  Do you audit them, too?


Filed under Board, Business Case, Compliance, Compliance, Compliance Verification, Controls, Governance, Information, Interconnections, Internal controls, IT, Management, Oversight, Privacy, Protect, Protect assets, Protect information assets, Records Management, Risk, Security, Third parties

Inferences

A longer post than usual.

While compliance with the applicable laws and ediscovery processes is a significant part of information governance, I normally leave strict records/discovery issues to discussion in topical fora dedicated to those topics.

But I’m struck by the comparison and contrast between how the IRS email issue is being handled and how a similar incident in a corporation facing litigation would be handled.

Setting the Stage

Coleman (2005) was an early ediscovery case, initially resulting in a court judgment against a defendant for more than $1 billion, largely due to failing to keep the court informed of the ediscovery process during the litigation and to find documents within the corporation’s control. Zubulake (2003) was another early ediscovery case (or cases) establishing (among other things) that the duty to preserve attaches when litigation becomes reasonably likely. Other cases have held that failure to follow a company’s internal processes, or the failure of a company to comply with its internal policies or applicable law, can lead to an inference of guilt. 18 USC § 1519 (added as a part of Sarbanes-Oxley (2002)) criminalizes hiding or destroying documents (including email) with the intent to influence a matter within the jurisdiction of an agency of the US government. The Federal Records Act of 1950 requires federal agencies to retain certain records and to notify the National Archives if records are destroyed.

Timeline

Imagine a corporation facing this timeline:

  • 2010. Supreme Court decision that permits unlimited private and corporate funding of your competitor
  • 2010. Your senior executive publicly chastises the Supreme Court for its decision
  • A division manager suggests applying pressure on people who invested in or did business with your competitors
  • Members of your governing Board demand you cause prosecutors to investigate investors in, and people who do business with, your competitors
  • Other division managers meet with your chief executive’s staff, with those meetings recorded in the building’s access logs
  • Non-employees, aligned with you, meet with chief executive’s staff
  • A division manager sends a bunch of emails to other division managers and the chief executive’s staff, and third parties outside your company urging them to act collectively to exclude people doing business with your competitors
  • Investigations are begun against potential investors in, and others who do business with, your competitors
  • Competitors and shareholders complain to courts about your organization’s activity to ensure the chief executive’s re-election and to interfere with your rights to invest where you want and to do business freely
  • No notice to recipients of emails from division manager of  the litigation
  • 2012. Your chief executive elected to another term
  • The hard drive of the key division manager fails, and her emails are unavailable there, but are on the backup tapes
  • No notice to the courts of the hard drive failure, nor to others who may have sent emails to, or received emails from, the division manager
  • No notice to the Archivist
  • Six months later, the last backup tape before the division manager’s hard drive failure is recycled
  • Company employees test the failed hard drive and determine nothing is recoverable; hard drive disposed of
  • Two years pass, during which time your company repeatedly assures the court that all the division manager’s emails are being kept
  • February 2014 your company “learns” of hard drive failure
  • June 13, 2014, you write your Board/the court telling them that the investigation is closed; you mention that the division manager’s hard drive failed and was unrecoverable
  • The next week, you advise the court that 6 other hard drives of people involved in the activity against competitors also failed
  • Later that week, you advise the court that the hard drives for 2 more people involved also failed

Queries

When did the duty to preserve attach?  Would you be prosecuted for obstruction of justice?  Would you be liable for spoliation, not only of the stuff you once had but no longer have, but also for the stuff your other divisions and correspondents once had but no longer have?  What’s the inference the jury is permitted to draw?

Filed under Board, Collect, Compliance, Compliance, Compliance Verification, Controls, Governance, Inform shareholders, Internal controls, IT, Management, Oversight, Protect, Protect information assets, Records Management, Risk, Security, Third parties

San Bruno cont’d

Following a gas pipeline explosion in San Bruno, California, in 2010, PG&E (the responsible utility) admitted that it couldn’t find inspection records for more than 60 miles of its pipeline.

On Tuesday, PG&E was indicted for criminal violations of the Pipeline Safety Act. Twelve separate charges of “knowingly and willfully” failing to keep required records.

“PG&E Utility Charged in Fatal Pipeline Explosion,” Wall Street Journal, April 2, 2014 B1 http://on.wsj.com/1pOWzbs

They made a lot of business decisions without the business records to support them. People died.

Certainly a compliance issue. But also one of culture. Who verified anything?


Filed under Board, Business Case, Collect, Compliance, Compliance, Compliance Verification, Controls, Definition, Governance, Information, Internal controls, Legal, Management, Operations, Oversight, Protect, Protect assets, Protect information assets, Records Management, Requirements, Risk, Use, Use, Value

Banking data

I was sorely tempted to pick the Dumb Starbucks story, and the scope of the parody/fair use exemption.  Can you use parody to sell an otherwise infringing product?  Good luck.  “‘Dumb Starbucks’ Creates a Stir in L.A.,” Wall Street Journal, February 10, 2014 B3 http://on.wsj.com/1jqGcBm

But no.  Instead I picked “Barclays Probes Alleged Leak of Customer Data,” Wall Street Journal, February 10, 2014 C3 http://on.wsj.com/1bjR6X7 Documents from a business Barclays closed in 2011 were given to a newspaper last week.  At issue, documents, such as passports and national insurance numbers, vintage 2008, on up to 27,000 people who asked for financial planning advice.

Lessons Learned:

  • Be careful what you keep.
  • Even if it’s no longer online, it’s still at risk.
  • Banks manage money better than information.
  • People love to spill the beans two days before your company is to release financial results.

Does someone have an ax to grind?


Filed under Business Case, Controls, Duty of Care, Governance, Internal controls, Privacy, Protect assets, Records Management, Risk

Compliance’s long tail

£2.3 million fine for Barclays for failing to properly preserve emails from 2002 – 2012. Didn’t take steps to laminate them, to prevent subsequent alterations. And other record-keeping stuff. FINRA.

“Barclays fined £2.3m over record-keeping,” the Guardian (online), http://www.theguardian.com/business/2013/dec/26/barclays-fine-emails

How long before people figure out what compliance requires?


Filed under Business Case, Controls, Internal controls, IT, Records Management, Requirements, Risk, Security

3 plus 1

Three blurbs, and a thought piece.

Cost of not getting information right the first time. “Errors Continue to Plague Health Site,” Wall Street Journal, December 14-15, A1 http://on.wsj.com/19JI6E5 (People may not know they need to refile until after they go to doctor).

Background checks on third party’s contractor matter. “Supposed Translator Said to Have Police Record,” Wall Street Journal, December 14-15, A11 http://on.wsj.com/18s8S8U (Translator standing a step from the President reportedly had a violent past).

Vital records debunk conventional wisdom (or “Who really built that?” or “It’s not what you don’t know that kills you; it’s what you do know that just ain’t so.”).  “Country Clubs Dig Up Their Histories,” Wall Street Journal, December 14-15, A16 http://on.wsj.com/1k1nRcB (Documents in safe establish who designed 100-year-old golf course – why do we keep stuff like that?).

How do we learn?  Yes, there’s teaching, but what if students don’t really listen?  What about a study of the mistakes of others?  Are they the second-most important learning tool?  Investors are asking more questions and demanding more data to confirm that they aren’t dealing with the next Bernie Madoff.  “Post-Madoff, Clients Ask Tough Questions,” Wall Street Journal, December 14-15, B9 http://on.wsj.com/1edyJnF  And how do you know what information will turn out to be important later? (see prior paragraph – what do you know that just ain’t so?)  The study of mistakes (yours and others’) is the essence of knowledge management.  Trust but verify.


Filed under Business Case, Controls, Definition, Information, Knowledge Management, Records Management, Risk, Third parties, Value