You Can't Manage What You Don't Measure™

Information Governance as part of the Due Diligence Process

 Information Governance as part of the Due Diligence Process



The recent $7.5 million fine imposed by the Financial Industry Regulatory Authority (FINRA) on investment firm LPL, LLC (LPL) is evidence of three main points all organizations, regulated or not, need to follow for best practices.

Those three considerations have chronological and operational implications. In chronological order they are: information governance as a necessary part of the due diligence process (for every merger or acquisition), content v. technical control (iterative analysis as new data sources and systems are integrated), and finally the need for a compliance department (that not only develops policy around compliance, but can subsequently measure it).

Organizations must realize that there are multiple areas of vulnerability for improper information governance. In the case of LPL we initially see this is in the
form of the largest fine in FINRA history for an email case.  In addition to the fine, LPL was also required to set aside a $1.5 million fund to compensate brokerage customers potentially affected by their failure to produce email. What is unclear is whether LPL will also be subject to sanctions for spoliation and/or failure to issue proper litigation holds in future lawsuits given their lack of information governance compliance.
Information Governance and the Due Diligence Process
The LPL case is a prime example of disparate business structures and IT systems. Because many LPL independent contractors were not archived on the internal systems when they joined the organization, yet they were conducting business via email, many email accounts and transactions went unmonitored.
This is a classic case of putting the cart before the horse. The independent contractors generating revenue were allowed to conduct business as independent operators on behalf of LPL. While from an employment law standpoint they may not have been employees, if they were operating in a regulated business the onus is on the organization to ensure compliance.

Organizations must plan for information integration at the outset of a merger or acquisition in order to avoid inconsistencies that are expensive and damage an organization’s brand. All leaders should be looking at how deals are booked, and how their representatives are corresponding, in addition to focusing on revenue. In today’s environment, all these information pieces are linked and it is up to the stakeholders of the organizations to treat information just like any other asset or liability that needs to be managed.
Content v. Technical Control
Another common area of failure in the realm of information governance is the disconnect between the content of the policy and whether or not IT systems can execute the policy. For example, Symantec has a product called Compliance Control Suite (CCS); this product can take regulations from any regulatory body and set compliance policies from an IT perspective. While this type of testing is crucial to achieve compliance, it does not replace the work an organization must do to develop records information management and classification policies for both document retention and data loss prevention. Organizations are unique and so is their information, which is why this aspect of compliance takes planning and humans to implement.
What many organizations miss is the coordination of content control with technical control. One cannot exist without the other in order to achieve maximum compliance. This means organizations must work on their content classification and workflows in addition to implementing the IT compliance aspect. Both the content and IT control need to match up to the most recent form of regulation or legislation. This iterative multi-stop process is not impossible to achieve, but one must also remember it is not a game of perfection.  It is an ongoing obligation.
Compliance Departments
The compliance department is now quite large at LPL, LLC. They state they have added 137 compliance professionals to the department in the past two years. These individuals not only have the task of ensuring that the correct policies have been constructed, but they must subsequently measure if compliance has a) been understood by the employees and b) (in conjunction with IT) the technological capabilities within the firm to truly implement what the policies mandate.
One of the key issues for any organization to grapple with is that standard bodies issue regulations, without any mention of specific technology or a vendor. This is understandable as technologies change so quickly and promoting one vendor’s capabilities over another is not the role these standard bodies should play. There is however, a gap created between the regulations, and what physically needs to happen in an organization’s policy and IT capability to effectuate compliance. This results in an ongoing requirement for compliance departments to continually stay abreast of what technologies are available and how they interplay with current IT environments, provide training to employees with meaningful testing, and to work with regulators and internal information stakeholders alike for holistic information governance.
LPL’s alarming fine from FINRA is a reminder that information governance is a serious requirement for all organizations. LPL is not alone in addressing this challenge; this is an issue we all face. Information is the backbone of an organization’s activities and, without a properly deployed archive, fines and sanctions for spoliation will likely follow. Analyzing the way information is classified, collected and monitored in an environment is important to day-to-day operations, in the event of investigations, and also to comply with the law. Organizations should also want their IT policies and systems to be compliant so that they are able to sufficiently monitor and investigate for their own internal purposes.

Smoking gun in ‘Fabulous Fab’ case spotlights perils of loose email banter

By: Robert Hilson
Date: Thursday, July 18, 2013
When Fabrice Tourre, the embattled former Goldman Sachs executive whose trial began this week, referred to himself as the “Fabulous Fab” in a 2007 email to his girlfriend, he couldn’t have known that flippant remark would become a smoking gun in a suit by the US government against him.
The US Securities and Exchange Commission has accused Tourre in a Manhattan federal court of misleading a Goldman investor, ACA Management, into believing his firm would invest in a mortgage-backed security that it later bet against. The crucial pieces of evidence, which US district Judge Katherine Forest last week said could be shown to the jury, are the results of a few clicks of “send” Tourre wishes he could retrieve.
The pivotal email, sent in January 2007 as global financial markets neared meltdown, read:
More and more leverage in the system. The whole building is about to collapse anytime now. Only potential survivor, the fabulous Fab, standing in the middle of all these complex, highly levered, exotic trades… created without… understanding all the implications of those monstruosities (sic)!!!
It continues:
Anyway, not feeling to guilty about this, the real purpose of my job is to make capital markets more efficient and… provide the US consumer with more efficient ways to leverage and finance himself, so there is a humble, noble, and ethical reason for my job
; )  amazing how good I am in convincing myself!!!
In other emails, Tourre called the derivative investment he was selling “a product of pure intellectual masturbation” and described it as “a little Frankenstein turning against his own inventor.”
“These emails were personal emails that I deeply regret,” Tourre told a congressional committee in 2010. Goldman is paying for his defense costs.
Despite warnings, sending of candid emails persists
Those communications have taken on new life due to their potential importance in the SEC’s fraud case. Matthew Martens, the head SEC lawyer, read the “Fabulous Fab” passage to jurors as opening arguments began Monday.
Tourre is not the first executive to send a compromising email, nor will he be the last. Six years after that fateful click, and many warnings later, email etiquette among business and legal professionals shows few signs of improving. This year alone has afforded a goldmine of material to those seeking a juicy scandal.
In March, emails by DLA Piper lawyers appearing to make light of over-billing of then-client Adam Victor surfaced in a New York state court suit by Victor accusing the firm of fee-churning. “That bill shall show no limits!” one DLA attorney wrote to another. The firm settled in April.
“I don’t know what [DLA Piper] was thinking. But whatever they were thinking, they were wrong,” Larry Hutcher, attorney for Victor at Davidoff Hutcher & Citron, in New York, told ACEDS.
That firestorm came on the heels of the revelation in January that Morgan Stanley executives, selling derivative investments to a Taiwanese bank, referred to those toxic instruments as the “Nuclear Holocaust,” “Subprime Meltdown” and “Mike Tyson’s Punchout” in internal exchanges. Those emails surfaced in a civil suit by China Development Industrial Bank seeking $240 million in damages, and are thought to play a decisive role in showing Morgan Stanley knowingly misrepresented the investments it sold the plaintiff.
Historical examples are numerous. It was internal emails that laid a trail for prosecutors and civil plaintiffs from convicted fraudster Scott Rothstein to his alleged abettors at TD Bank. In 1999, American Home Products Corp. settled for nearly $4 billion with consumers of a diet pill it sold shown to cause fatal lung disease after an employee email calling the plaintiffs “fat people” with “a silly lung” problem surfaced.
The list goes on.
Language, not method, cause for concern
Taken together, the cases show the perils of engaging in uninhibited electronic messaging in professional settings, where each send leaves behind a potentially compromising record for an adversary’s e-discovery team to excavate. Emails sent under the guise of privacy have wreaked havoc on the careers and reputations of many lawyers and executives. In many instances, the long tail of embarrassment and media scrutiny lasts long after email providers purge their archives.
“The issue is not the sending of the emails,” says attorney Jacob Frenkel, partner at Shulman Rogers in Potomac, Maryland, and head of the firm’s Security Enforcement and White-Collar Criminal practices. “The issue is the thought and wording.”
“Email is useful to lawyers and business people because it confirms a record of communication,” he tells ACEDS. “Nevertheless, the source of regret in litigation is the language.”
Email can be a different animal for lawyers than for other professionals, Frenkel suggests, given its usefulness as a time-keeping device. Attorneys may rely on emails to help calculate time spent with clients and keep a record of attorney-client interactions. Sending an email can also be more convenient than calling.
But the consequences for lawyers can also be starkly different, as evidenced by the DLA Piper debacle. Given their knowledge of the discovery process, there are few excuses for poor email etiquette, one expert says.
“One would think that fear of landing on the front page of the newspaper, or seeing their own clients make poor email choices, would be enough to stop lawyers from memorializing some of their thoughts and actions in writing,” says attorney Allison Walton, CEO of Fortis Quay, an e-risk consulting company in Los Angeles.
“Business executives get more of a pass considering they may not have had exposure to the discovery process and may be unfamiliar with e-discovery altogether,” she tells ACEDS.
Many lessons, few lessons learned 
For prosecutors, plaintiffs attorneys and others, the regrettable email send is a valuable gift that won’t stop giving. Emails can show state of mind and can be used to great effect in front of a jury. Social media and text messaging, to which much of this unrestrained behavior has gravitated, have shown to be equally lucrative sources of ESI. The improvement in search tools and advanced analytics has only made “smoking guns” easier to identify.
“They almost always exist and locating them has become easier with technology,” Walton says.
To be sure, most mature organizations train employees on email etiquette as part of compliance and education initiatives. Walton says doing so should be a mandatory best practice for storage, work process and discovery reasons.
But, in the end, organizations must trust the judgment of the person who is communicating. And that’s often a shaky proposition.
“The reality is that we are dealing with human nature and behaviors that are difficult to change,” Walton says.
Adds Frenkel, “These [executives and lawyers] haven’t learned their lesson, and they will never learn their lesson.”

Link to original article...

The UC Hastings Webcast

In May 2013, thought leaders from the information governance and eDiscovery industry got together to talk about some of the hottest topics facing organizations today. Please listen to the recorded panel and send us any questions or comments through our contact submission box. Enjoy! 

Click to Listen - Part 1 speaker

Click to Listen - Part 2

Click to Listen - Part 3

Click to Listen - Part 4

Click to Listen - Demo Part 1

Click to Listen - Demo Part 2

Click to Listen - Demo Part 3

Legal Hold Demo

Ensure that employees understand their obligations for legal hold and reduce risk for the organization


Watch the Demo

eDiscovery Best Practices

This module is an indispensable tool for organizations that want to reduce the costs and risks associated with litigation.


Watch the Demo

Want to be a Quay Partner?

If your organization would like to explore these opportunities, please contact us with your ideas.


Inquire Now

Contact Us

(877) 463-QUAY
Fortis Quay, Inc.

Definition: Fortis Quay

Fortis Quay/ fȯr-təs kē / 

: Your safe harbor from the digital storm

: Measureable results for better information management

: Best practices for eRisk reduction and defensible eDiscovery

: Remember, You Can’t Manage What You Don’t Measure™