TRANSCRIPT
At the Crossroads – Privacy and Information Security
20th Annual National Training Conference
Fiduciary and Investment Risk Management Association Inc. ™
Julia Kirby, Senior Manager
Deloitte & Touche, LLP
Regulatory Consulting Group
April 11, 2006
Copyright © 2006 Deloitte Development LLC. All rights reserved.
Agenda
The purpose of this presentation is to briefly describe regulatory developments related to privacy and information security. Deloitte & Touche LLP is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte & Touche LLP shall not be responsible for any loss sustained by any person who relies on this presentation. For complete regulatory requirements, please refer to the text of the rules themselves.
Overview
Driving Forces
The Challenges
Critical Success Factors
Questions and Answers
Overview – At the Crossroads
The Balancing Act – Privacy & Information Security
Expectations:
- Customer privacy
- Information security
- Convenience of electronic services
- Ethical behavior
Compliance:
- Local/state laws
- Federal regulations
- Regulatory agency guidelines
- Investigations and litigation
Financial institutions must balance growing expectations while complying with the current legal environment.
A Tool to Help Along the Way
Records management is a risk-focused tool that can help manage expectations and maintain compliance.
Factor – How Records Management Can Help
Expectations:
- Centrally-managed security facilitates changes in procedures and technology
- Records management provides consistent standards for managing customer and corporate information
- Conforming to records management policy guidelines promotes ethical corporate behavior throughout the organization
Compliance:
- Retention is no longer sufficient – retention, retrieval, destruction, and security are now considered in regulatory examinations
- Legal environment is constantly changing – a flexible framework is needed to adapt to new retention periods and record types
- Records management aids document discovery in investigations and lawsuits
Objective
The goal of records management is to control and mitigate an organization’s exposure to risk.
Risk areas: Compliance, Litigation, Reputation
- Retention Requirements
- Customer Privacy
- Sufficient vs. Excessive Recordkeeping
- Government Investigations
- Regulatory Sanctions
- Media Headlines
Compliance Risk
Recent compliance failures have placed greater public scrutiny on corporate records management practices.
Company | Failure | Fine | Sanctioning Body
Banc of America Securities | Violations of “the recordkeeping and access requirements of various securities laws” (March 2002) | $10 million | SEC
J.P. Morgan | “Failed to preserve for three years…all electronic mail communications” (February 2005) | $2.1 million | NASD, NYSE, SEC
Brokerage Firms (4) | Violations of “recordkeeping requirements concerning business-related internal e-mail communications” (August 2004) | $3.1 million | SEC
Brokerage Firms (5) | Violations of “record-keeping requirements concerning e-mail communications” (December 2002) | $8.25 million | SEC
Litigation Risk
The risk of incurring litigation or failing to meet legal responsibilities can also have financial impact for an organization.
Company | Event | Monetary Impact ($)
UBS Warburg LLC | In Zubulake v. UBS Warburg LLC, UBS was ordered to search and retrieve relevant e-mails from its archives (July 2004) | $300,000
Merrill Lynch | Conflicts of interest “revealed in internal e-mail communications” during an investigation by Eliot Spitzer (May 2002) | $100 million
Bear, Stearns & Co., Inc. | Failed to respond in a timely and effective manner to a subpoena by the State of Illinois Securities Department (June 2005) | $10,000
PAZ Securities, Inc. | Failed to effectively respond to NASD subpoena of various records (October 2005) | Expelled from NASD
Reputational Risk
Investigations and/or negative media headlines can result in dramatic changes in the market value of a company.
Company | Event | Change in Market Value | Timeframe
Merrill Lynch | Announcement of investigation by NY AG Eliot Spitzer (April 2002) | $11 billion | 1 month
AIG | Investigation by NY AG Eliot Spitzer and the SEC led to the resignation of AIG's CEO and Chairman Hank Greenberg (January 2006) | $59 billion | 11 months
Insurance Firms (4) | NY AG Eliot Spitzer files civil complaint against Marsh & McLennan, ACE, The Hartford, Munich American Risk Partners (October 2004) | $26 billion | 4 trading days
Driving Forces
Driving Forces in Records Management
The growing importance of records management has led to changes in the marketplace, government, and industry.
Force | Impact
Consumer Needs | Convenience and cost are forcing new information delivery strategies that paper-based systems cannot deliver
Technology | Increasing reliability and decreasing costs lead to limitless applications of technology
Market | Traditional records management firms are hungry for new revenues and view electronic services as a logical next step
Records Retention Costs | Unit prices of traditional vs. electronic records retention (at scale) are incomparable
Regulation | Government and industry are aligned to implement laws that encourage the elimination or reduction of paper
Legal Discovery | Electronic discovery is becoming more common as electronic records management increases
Vast and Complex Environment
The universe of retention requirements applicable to an organization’s activities has grown to several thousand and is continually evolving.
Universe of Record Retention Requirements for International Financial Institutions*:
- Court Decisions
- State Law
- Internal Revenue Code
- Bank Records
- Federal Laws
- Federal Regulations
- Foreign Jurisdictions
- Banking Regulations
- International Supervisory Body Requirements
- Securities Laws
- Evolving Technology
*These are provided as an example. Seek counsel’s advice regarding requirements applicable to your organization.
Implementation Issues
Implementation Issues
Each of the major components of records management presents different implementation issues.
Key Components of a Records Management Program:
- Policy
- Retention Schedule
- Governance Structure
- E-Mail/Electronic Management
- Warehouse
- Processes/Procedures
Policy
Issue – Description
- Approval – Approval may be required from all business units, a lengthy process which can significantly delay implementation
- Training – Logistical obstacles must be overcome in training all employees and new hires
- Consistency – Records management must be consistent with existing bank policies, e.g. ethics, data security, e-mail
- Enforcement – Enforcement of the policy must be incorporated into the self-assessment or audit processes
A comprehensive policy is critical to communicating and implementing a records management program.
Retention Schedule
Issue – Description
- Scope – Applicable requirements are dependent upon the structure of the organization, e.g. bank holding company, financial company, non-bank subsidiaries
- Ease of Use – Business users must be able to easily look up a record and determine its retention period
- Complexity – Requirements originate from a number of sources, e.g. legal statutes (federal, state, local), regulatory guidance, industry guidelines, foreign jurisdictions
- Maintenance – Organizations must be able to easily update the retention schedule to account for new requirements
The retention schedule must capture all applicable requirements while remaining user-friendly for the business units.
Governance
Issue – Description
- Resources – Records management responsibilities must be added without overburdening existing roles
- Communication – Communication is key to establishing a culture where records management is emphasized
- Accountability – Every employee impacts records management, from the CEO to the new hire
- Management Support – Consistent commitment from the top facilitates compliance throughout the organization
Commitment and communication are vital to successful program governance.
Processes/Procedures
Issue – Description
- Retrieval – Legal and regulatory inquiries demand that records be retrieved in a timely manner by content, date, or creator
- Security – Retrieval, storage, and destruction processes must be invulnerable to unauthorized access of data
- Storage – Storage of off-site items must be documented and transported consistently
- Destruction – Complicated destruction procedures are needed to offset advances in forensic recovery analysis
Secure processes are required to ensure effective storage, retrieval, and destruction of bank records.
Warehouse
Issue – Description
- Logging – A consistent logging procedure is necessary to ensure storage, retrieval and destruction
- Contract – Third-party vendor requirements must be applied
- Vendor Reputation – The reputation of the vendor will directly correlate with the reputational risk to the bank
- Business Continuity – Warehouses must be integrated with business continuity plans to recover from disaster
Third-party warehousing has far reaching consequences beyond records management.
E-Mail and Electronic Records
Issue – Description
- System Functionality – Management of electronic records is dependent on system search, backup, and restoration capabilities
- Misconceptions – All e-mails are business records, regardless of the content
- Volume – System storage capacity is finite and average industry volume is excessive
- Desktop Archiving – E-mail records on personal workstations are accessible as part of a legal or regulatory inquiry
Effective e-mail management mandates changes in systems as well as corporate behavior.
Critical Success Factors
Initial Approach
Evaluating the current state and envisioning the ideal state are the first steps to be taken.
1. Review Policies and Procedures
Assess existing:
- Documentation types
- Retention processes
- Security procedures
- Staffing commitment
- Storage opportunities and capabilities
2. Identify Existing Records
Conduct an inventory of existing records to determine:
- Record types
- Storage media
- Security classification
- Record location
- Volume
3. Organize a Team
Forming a team requires:
- Cross-functional leadership
- Commitment from senior management
- Defined roles and responsibilities
4. Develop a Vision
A records management program must consider:
- Corporate culture
- Infrastructure
- Timing
Critical Success Factors
Factors: Commitment, Practicality, Infrastructure, Expertise, Long-Term Vision
- True organizational commitment and effort
- Training and communication
- Effective warehouse management
- System solutions
- Understanding of support infrastructure
- Access to legal and regulatory expertise
- Focus on practical and implementable policy
- Anticipate long-term needs and trends
Questions and Answers
Contact information:
Julia Kirby
Deloitte & Touche LLP
555 12th Street N.W., Suite 500
Washington, D.C.
[email protected]