The Need for e-Policy... or how to avoid jail time

Presentation on the need for e-Policy, using The e-Policy Handbook by Nancy Flynn (2009) as a reference.
by

Greg DiGiorgio

on 4 December 2011


Transcript of The Need for e-Policy... or how to avoid jail time

ESI, FRCP, HIPAA, SOX, ERISA

ESI (Electronically Stored Information): any data that is posted, downloaded, entered, transmitted, uploaded, stored, or backed up via IM, texting, email, voice, blog, social network, etc.; not limited to just business records!

FRCP (Federal Rules of Civil Procedure, 2006/2010): all ESI is subject to discovery in federal litigation.

The alphabet soup of federal regulations and regulatory bodies forces requirements for e-Policy.

What is a business record?
"It's the content that counts, not the tool used to create it." An electronic or paper document that provides evidence of business-related activities, events, transactions, negotiations, purchases, sales, hiring, firing, etc.

Compliance Tips
Know ESI retention rules and their source in your organization.
Clearly define “business record” and communicate it in a consistent manner to employees.
Establish and enforce written procedures on the retention/disposition of ESI.
Employ technology to help enforce procedures and ensure compliance.

Policy? What policy?
“Litigation hold” policy: suspend destruction of documents that would otherwise be purged if you know or even suspect that a claim or lawsuit will be filed. Must be applied consistently.
“Routine, good-faith operation”: the product of documented procedures and adherence to organizational standards. Requires a combination of policy, consistent practice, training, and technology.
Spoliation: accidental or intentional destruction or alteration of evidence; viewed negatively by courts; must be avoided.

e-Policy is an effective deterrent against spoliation!

How about ERISA (Employee Retirement Income Security Act)?
Email related to benefits plans is to be kept indefinitely.

Destructive retention policy?
Purge policies vary from days to years to never, depending on retention requirements.
Employees keep email locally and copy others, pushing data deeper into the Internet.
Getting rid of email prematurely could leave you as the only party in a courtroom that cannot produce copies of your email.
Some companies now opt to keep email forever. Is this a good or bad idea?
Personal email can transmit business records!
Tip: Disallow “underground archiving”, the storage of email in electronic or printed form in any location other than an email archiver.

What should e-Policy address?
Define “business record”.
Define ESI as proprietary organizational property.

Establish an "Acceptable Use Policy" (AUP):
No expectation of privacy.
Theft, misuse, or distribution of ESI via unofficial methods could result in termination and/or criminal/civil charges.
Explain the Internet as a business system intended primarily for business-related commerce, communication, research, etc.
Explain unauthorized use of computer resources: uploading, downloading, printing, viewing, copying, or transmitting objectionable or harmful materials, or materials that otherwise violate organizational or departmental policies.

Get the word out on e-Policy...
Identify a champion with appropriate authority to lead the e-Policy charge.
Get your legal department involved from the outset. This is not an IT issue. This is not a Finance issue. This is an organizational issue!
e-Policy must be enforceable policy, not a guideline.
Institutionalize e-Policy: incorporate it into organizational policies and into new employee or position training.
Make training and documentation readily available.
Explain copyright law, confidentiality, privacy, ESI, and personal use.
Explain what constitutes misuse.
Explain consequences to employees.
Have employees sign acknowledgement forms.

Specific topics to address
Password policy: expiration time? Who has the right to request a password change, and how do we identify that person?
Who should authorize OU administrators?
What is the retention policy, and who has final authority?
What is the stand on e-Discovery?
Need a mobile device policy for BBs, laptops, netbooks, etc.
How about WiFi hotspots and accessibility by the public?
Require AV at home to tie into work?
What sites and/or data stream types should be blocked?
Is the organization willing to make it “policy”? If not, is it worth doing, as it will likely provide no legal protection?

e-Policy: Making the case
Let's start with this initial premise as the impetus for this presentation...
Local governments are reluctant to adopt e-Policy due to perceived costs, political obstacles, budgetary constraints, lack of resources, or a lack of management wherewithal, even though the consequences of not adopting e-Policy may outweigh the costs of doing so.

e-Policy? What the heck is that?
1. A set of policies and procedures adopted by public or private organizations to govern the lifecycle management of ESI (electronically stored information).
2. A category of organizational policy and procedures governing e-Procurement, e-Discovery, e-Mail, e-Government, etc.
Note: This definition is beyond the scope of this presentation, but is included to indicate the breadth of e-Policy as a study area.

Lifecycle Management? e-Discovery? ESI?

Lifecycle Management: the policies, methods and technology that govern how ESI is managed from the time it's created, used, stored, touched, modified, copied, or displayed until the time it is passed on, archived or deleted.

It gets worse! Ignore e-Policy and... Why's that? NLRB, EEOC, EPA, ?

Useful Links

Did U Know?

21% of companies have had employee e-mail subpoenaed by courts and regulators.
13% of companies have battled lawsuits triggered by employee e-mail.
65% of companies lack e-mail retention policies.
94% of companies fail to retain and archive IM.
46% of companies offer employees NO e-mail policy training.
50% of workplace IM users send/receive risky content, including attachments, jokes, gossip, confidential info, porn.

Source: E-Policy Handbook http://i.bnet.com/logos/whitepapers/ePolicy_Handbook_Final.pdf

http://www.epolicyinstitute.com/training/index.asp

http://www.epolicyinstitute.com/

http://www.epolicyinstitute.com/survey2006Summary.pdf

http://www.pewtrusts.org/our_work_detail.aspx?id=66

http://www.cpt.unc.edu/documents/ediscovery09.pdf

Sample e-Policy: http://doit.sfsu.edu/aup.html
Address communication methods:
Personal email/IM accounts.
Blogging - use a disclaimer.
IM, e-Mail, and Social networking.
Cell phones, texting, phone cameras; official use; while driving.
Address software copying and piracy.
Address netiquette best practices.
Address personal web surfing/”video snacking”.

Don't forget copyright violations, which include product slogans and logos, images used in presentations, lyrics from songs, potentially any printed material, graphical or otherwise.

What else? Anything Else?
Training, training, training! If you have the world's greatest policy and your employees don't know a thing about it, you may be better off with no policy.

And don't forget...
Guidelines are not policy. Best practices are not policy. Only policy is policy. It must be enforceable, institutionalized, and consistently practiced for the courts to accept it as policy. Your HR department may be able to help in this area, considering their expertise with organizational policy.

Enforcement?
e-Policy can be enforced in a number of ways:
Human Resources disciplinary action for egregious acts like producing hate speech.
Procedures that produce an audit trail, like signed paperwork or the use of documented workflow.
Embedding e-Policy rules in technology like Active Directory, McAfee ePolicy Orchestrator, LANDesk desktop management, web filtering and so on.

And the Cloud?
Just because data does not reside on your site doesn't make you any less liable for producing it. So, all the same rules apply: backups, ability to retrieve data, ability to archive/freeze it in the case of a litigation hold.

Do you know where your data is?
Do you know where all the data in your organization is? Do you know what cloud providers are used? Do you know how data is distributed? Do any departments use vendor hosting? Is any data stored by a state agency? Do you know what data stores you would have to touch to comply with a litigation hold or a court-ordered discovery?

Giving credit where credit is due...

Sources
"E-Policy Handbook" by Nancy Flynn (a primary source for this presentation).
Various issues of Public Administration Review dealing with policy, social networking, and silo IT models.
LexisNexis, used to research court cases, though court cases are not cited in this presentation.
"E-Discovery in North Carolina" by K.A. Millonzi.
"The Federal Rules of Civil Procedure" (2006 and 2010 updates).

Disclaimer: While proper academic citations and quotes were not used, credit is given to the sources above for the content of this presentation. This presentation was not intended to stand alone, but rather as a summary of properly cited research papers.

FRCP "Safe Haven" Clause: “Routine, good-faith operation”
A locality's safe haven against e-Discovery issues in federal lawsuits results from a combination of e-Policy, enforcement, consistent business practices, and employee education.

Greg DiGiorgio
oasysco@cox.net