October 27, 2014
With #ARMA14 now underway, it is a good time to address some of the key forces that are leading organizations to re-examine their records and information governance initiatives.
Driving force #1: Regulatory
I'll give this the top spot, as numerous recent surveys indicate that increasing regulatory complexity is a top concern. Multiple CIO-focused surveys (e.g. CIO Magazine, Gartner, Forrester) note this, but here are a few other C-level examples:
- CEO: Gartner's 2014 CEO and Senior Executive Survey: "'Risk-On' Attitudes Will Accelerate Digital Business" lists regulatory change as the #2 external trend shaping business strategies (following macroeconomic growth)(1)
- GC/CLO: Norton Fulbright's 10th Annual Survey of Litigation trends cites regulatory/investigations as a top concern for 41% of corporate litigators surveyed (up from 23% in 2013)(2)
- CFO: Deloitte & Touche LLP's 2014 CFO Signals Survey notes, “Concerns about additional regulations, lack of clarity, costs of compliance and unintended consequences made regulatory concerns the most consistently voiced” (http://deloitte.wsj.com/riskandcompliance/files/2014/07/signals_Q2_2014_high_level.pdf)(3)
These concerns are not without merit. In fact:
- In the recently released SEC FY2014 Report (http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370543184660#.VEQkuxYx5i_), the SEC reported a record 755 enforcement actions, with penalties and sanctions totaling $4.16B, up from $3.1B in 2013. This included charging 135 parties with violating reporting and disclosure requirements
- FINRA reported that fines related to email supervision increased 132% in 2013, while the broader category of books and records (i.e. retention management) increased by 20% (http://www.finra.org/Industry/Enforcement/DisciplinaryActions/MonthlyActions/2014/)
- The US Department of Health & Human Services (HHS) reported that the number of HIPAA-related corrective actions increased to 3,470 within a record number of investigations of 4,463 in 2013 (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/indexnumbers.html)
So, what key InfoGov preventative actions can be extracted from this data? Here are the top 4:
- Automate Policies: the importance of automated policy definition and, just as importantly, enforcement has never been higher given the continuing explosion of data growth and the increasingly complex regulatory environment. Regulatory risk calls not only for the remediation of junk but, more importantly, for the classification of data that is potentially sensitive to regulators
- Robust Systems: several of the noteworthy cases within the sanctions totals above were directly related to dependence on systems that were not designed to deal with the volume and variety of data in use by organizations today. How current systems will address an environment where data is expected to double again in the next 18 months is worth examining before your next support renewal arrives
- Extended Control: clearly, regulatory risk lives beyond managed repositories, as illustrated by cases such as the "Tweeting Broker" and the Regulation FD mishap of Netflix. Social, cloud and BYOD will only continue to press the need to expand compliance control into the wild
- Enhance Reporting: as simple as it sounds, reporting systems must be nimble and flexible, enabling fast response to the increased frequency and unpredictable arrival rate of regulatory inquiries. FINRA, SEC, FFIEC, HIPAA, FDA and other regulators are all stepping up their game, and improvement of reporting rigor and inquiry response time should be key requirements in the evaluation of any new information governance project
How Proofpoint Can Help
Proofpoint’s Information Governance portfolio helps regulated organizations address compliance complexity with solutions to manage information according to policy, enabling more efficient discovery and supervision, with unsurpassed data privacy and information security protection. This includes Proofpoint Enterprise Archive to securely manage email, IM, and social media; Enterprise Governance to track and control files and documents in place; and the Social Platform for Archiving to capture and control leading social media channels including Twitter, LinkedIn, Facebook, Salesforce Chatter, and Microsoft Yammer.
Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.