Information Governance as part of the Due Diligence Process

  BY ALLISON WALTON ON JULY 24TH, 2013


The recent $7.5 million fine imposed by the Financial Industry Regulatory Authority (FINRA) on the investment firm LPL, LLC (LPL) illustrates three points that all organizations, regulated or not, need to address as a matter of best practice.


Those three considerations have both chronological and operational implications. In chronological order they are: information governance as a necessary part of the due diligence process (for every merger or acquisition), content v. technical control (iterative analysis as new data sources and systems are integrated), and finally the need for a compliance department (one that not only develops policy around compliance, but can subsequently measure it).


Organizations must realize that improper information governance exposes them in multiple ways. In the case of LPL we initially see this in the form of the largest fine in FINRA history for an email case. In addition to the fine, LPL was also required to set aside a $1.5 million fund to compensate brokerage customers potentially affected by its failure to produce email. What is unclear is whether LPL will also be subject to sanctions for spoliation and/or failure to issue proper litigation holds in future lawsuits, given its lack of information governance compliance.
 
Information Governance and the Due Diligence Process
 
The LPL case is a prime example of disparate business structures and IT systems. Because many LPL independent contractors were not added to the internal email archiving systems when they joined the organization, yet were conducting business via email, many email accounts and transactions went unmonitored.
 
This is a classic case of putting the cart before the horse. The independent contractors generating revenue were allowed to conduct business as independent operators on behalf of LPL. While from an employment law standpoint they may not have been employees, if they were operating in a regulated business the onus is on the organization to ensure compliance.

Organizations must plan for information integration at the outset of a merger or acquisition in order to avoid inconsistencies that are expensive and damage an organization’s brand. All leaders should be looking at how deals are booked, and how their representatives are corresponding, in addition to focusing on revenue. In today’s environment, all these information pieces are linked and it is up to the stakeholders of the organizations to treat information just like any other asset or liability that needs to be managed.
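The failure mode described above, representatives transacting by email before anyone enrolled their mailbox in the archive, is one a compliance team can test for directly. The following is an added example, not code from the original post or from any vendor product it mentions; it assumes two exports that most firms can produce (a roster of everyone authorised to transact on the firm's behalf with their start dates, and the archive's enrolment list with the date journaling began for each address), and all names, addresses and dates in it are constructed. It flags people who were never enrolled, people enrolled only after they had started doing business, and archived mailboxes that no longer match anyone on the roster.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Person:
    email: str
    role: str        # "employee" or "contractor"
    start: date      # first day they could transact on the firm's behalf


@dataclass(frozen=True)
class Gap:
    email: str
    role: str
    reason: str
    uncovered_days: int


def find_archive_gaps(roster, enrolled, as_of):
    """Return the people whose mail is not fully archived.

    roster   - iterable of Person
    enrolled - dict mapping lower-cased mailbox address -> date archiving began
    as_of    - the date of the check, used to size the gap for the unenrolled
    """
    gaps = []
    for person in roster:
        key = person.email.strip().lower()   # HR and archive exports often differ in case
        since = enrolled.get(key)
        if since is None:
            gaps.append(Gap(person.email, person.role, "not enrolled in archive",
                            (as_of - person.start).days))
        elif since > person.start:
            gaps.append(Gap(person.email, person.role, "enrolled after start date",
                            (since - person.start).days))
    # Longest uncovered period first: that is where the exposure is largest.
    return sorted(gaps, key=lambda g: g.uncovered_days, reverse=True)


def orphaned_mailboxes(roster, enrolled):
    """Archived addresses that match nobody on the roster (leavers, renames)."""
    known = {p.email.strip().lower() for p in roster}
    return sorted(addr for addr in enrolled if addr not in known)


def coverage_summary(roster, enrolled, as_of):
    """Headline numbers a compliance department can track from run to run."""
    roster = list(roster)
    gaps = find_archive_gaps(roster, enrolled, as_of)
    return {
        "people": len(roster),
        "gaps": len(gaps),
        "coverage": round(1 - len(gaps) / len(roster), 3) if roster else 1.0,
        "gap_contractors": sum(1 for g in gaps if g.role == "contractor"),
        "orphans": orphaned_mailboxes(roster, enrolled),
    }


# Constructed sample data (hypothetical firm and accounts): a roster export
# and an archive-enrolment export as they stood on the day of the check.
AS_OF = date(2013, 7, 24)
ROSTER = [
    Person("alice@firm.example", "employee",   date(2011, 1, 10)),
    Person("bob@firm.example",   "contractor", date(2012, 3, 1)),   # never enrolled
    Person("carol@firm.example", "contractor", date(2013, 1, 15)),  # enrolled late
    Person("Dan@Firm.example",   "employee",   date(2013, 6, 1)),   # case differs from archive
]
ENROLLED = {
    "alice@firm.example": date(2011, 1, 10),
    "carol@firm.example": date(2013, 4, 15),
    "dan@firm.example":   date(2013, 6, 1),
    "erin@firm.example":  date(2010, 5, 3),   # left the firm; mailbox still archived
}

if __name__ == "__main__":
    for g in find_archive_gaps(ROSTER, ENROLLED, AS_OF):
        print(f"{g.email:22} {g.role:10} {g.reason:26} {g.uncovered_days:4d} days")
    print(coverage_summary(ROSTER, ENROLLED, AS_OF))
```

Run against the sample data this reports Bob (510 days never archived) and Carol (90 days of business before enrolment), a coverage figure of 0.5, and Erin's mailbox as an orphan. The useful part of the check is the second branch: a mailbox that is enrolled today still leaves a gap for every day between the person's start date and the date journaling began, which is exactly the window in which unmonitored transactions occur when a new representative is onboarded before the archive is.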
 
 
Content v. Technical Control
 
Another common area of failure in the realm of information governance is the disconnect between the content of a policy and whether or not the IT systems can actually execute that policy. For example, Symantec has a product called Compliance Control Suite (CCS); this product can take regulations from any regulatory body and set compliance policies from an IT perspective. While this type of testing is crucial to achieving compliance, it does not replace the work an organization must do to develop records and information management and classification policies for both document retention and data loss prevention. Organizations are unique and so is their information, which is why this aspect of compliance takes planning and people to implement.
 
What many organizations miss is the coordination of content control with technical control. One cannot exist without the other if compliance is to be achieved. This means organizations must work on their content classification and workflows in addition to implementing the IT compliance aspect, and both the content and IT controls need to match the most recent form of regulation or legislation. This iterative, multi-step process is not impossible to achieve, but one must also remember it is not a game of perfection. It is an ongoing obligation.
 
Compliance Departments
 
The compliance department is now quite large at LPL, LLC. They state they have added 137 compliance professionals to the department in the past two years. These individuals not only have the task of ensuring that the correct policies have been constructed, but must subsequently measure whether a) the policies have been understood by the employees and b) (in conjunction with IT) the firm has the technological capabilities to truly implement what the policies mandate.
 
One of the key issues for any organization to grapple with is that standards bodies issue regulations without any mention of a specific technology or vendor. This is understandable, as technologies change so quickly and promoting one vendor's capabilities over another is not the role these standards bodies should play. There is, however, a gap between the regulations and what physically needs to happen in an organization's policy and IT capability to effect compliance. This results in an ongoing requirement for compliance departments to continually stay abreast of what technologies are available and how they fit with current IT environments, to provide training to employees with meaningful testing, and to work with regulators and internal information stakeholders alike for holistic information governance.
 
LPL’s alarming fine from FINRA is a reminder that information governance is a serious requirement for all organizations. LPL is not alone in addressing this challenge; this is an issue we all face. Information is the backbone of an organization’s activities and, without a properly deployed archive, fines and sanctions for spoliation will likely follow. Analyzing the way information is classified, collected and monitored in an environment is important to day-to-day operations, in the event of investigations, and also to comply with the law. Organizations should also want their IT policies and systems to be compliant so that they are able to sufficiently monitor and investigate for their own internal purposes.
 
 

Fortis Quay, Inc.