Keeping Up With Keeping Up

By Stanley P. Jaskiewicz
September 01, 2005

Compliance — dotting all the i's and crossing all the t's in a regulated business — has always been difficult. The slightest error can lead to fines, a business shutdown or even jail time for executives.

And the compliance burden is ever-growing, as legislators create new laws that a business must obey. At times it seems that a compliance officer or general counsel almost needs an entire law firm simply to keep up with which laws to keep up with.

In fact, purely from an administrative perspective, each new regulatory program often requires licensing of software that must be installed and maintained. Filing all of the required reports on time can require additional full-time employees.

Consider, for example, just the most recent additions to the compliance checklist. Today, businesses must satisfy such diverse rules as Sarbanes-Oxley and Patriot Act edicts, and consider the effect of the war on terror on existing financial-services regulations.

With implications for personal and national security, privacy issues have also exploded from a technology sidelight to a financial-services and operational floodlight glare. On top of those burdens, businesses have constantly faced new interpretations of complex employment and immigration rules, intricate Environmental Protection Agency (EPA) and Occupational Safety and Health Administration (OSHA) duties, and more. And the legislation (and regulation) keeps coming. To paraphrase a euphemism: “No one's compliance plan is done while Congress is in session.”

Even worse than new compliance laws burdening business, however, is the impact of constantly improving workplace technology on compliance programs. Constant improvements in technology have transformed the already difficult goal of corporate compliance into a moving target.

Good compliance planning in a technology-driven world, therefore, cannot stop with specific responses to known risks. Instead, compliance officers must build into compliance plans the ability to adjust to new technologies as they develop “on the fly.”

With Darwinian certainty, entrepreneurial employees will rush to adopt the newest innovations if they think they can provide a competitive edge. In their competitive zeal, they will “install first, ask questions later.” As a result, new technology will enter the workplace and business practices whether or not compliance officers know about it, much less have analyzed it for regulatory-compliance implications.

Who's Minding the Store?

Ideally, someone in the back office will monitor such developments, learn how they work and analyze the regulatory impact. In practice, however, compliance is often overlooked. When technology is so new or different that it doesn't fit existing regulatory pigeonholes, many compliance officers will do nothing, rather than risk doing the wrong thing.

Consider how compliance programs handled e-mail because of its nearly universal adoption by business. Originally, it created many uncertainties for compliance programs, from recordkeeping to employment practices to antitrust to litigation discovery. The proper handling — or mishandling — of e-mail challenged Main Street businesses far beyond the high-powered Enron and Arthur Andersen debacles.

For example, when employees began using Internet e-mail widely, many companies either didn't log it, or kept only paper records that employees happened to print out. Corporate networks may not have yet existed, and many managers did not yet perceive that e-mail was a “real” communication that had to be treated the same as traditional paper or faxed messages under existing compliance policies.

As a result, businesses may have critical recordkeeping gaps beginning in the 1980s — some may even still have one. But missing e-mail can affect everything from employment disputes to discovery in ongoing litigation. The fact that many firms suffer those gaps may not matter to compliance regulators or juries.

But old gaps can't be fixed. Compliance planners today should instead ask what new technologies they aren't tracking or monitoring — and the risks those oversights will create for the future. E-mail was certainly not the only business avenue where compliance was slow to catch up – privacy rights, information security and intellectual property rights also fall into that category. Technology has also expanded the number of locations where compliance policies must apply. Those regulatory recordkeeping gaps could include missing data when employees began using personal laptops or home computers. Today, wireless phones with e-mail capabilities and Blackberries are all just new versions of the same problem.

The popularity of instant-messaging programs with clients worsens the problem, because that software doesn't make it easy to retain required copies of messages. Not only do IM programs not archive messages, absent special preparation, but they frequently can be accessed from any computer, anywhere.

The technical archiving dilemmas raised by instant messaging point to another struggle with the changing nature of compliance: Because the pace of innovation introduces new technologies into the workplace so rapidly and broadly, the compliance office must evaluate which ones will survive long enough to justify an investment in what are ascertained to be the proper compliance systems. It must, for example, ferret out the next big advance early enough to put compliance systems in place when employees begin to use it — as well as distinguish it from the next Zap Mail or Newton. No one wants to champion an expensive initiative to support a technology that is withdrawn from the market even before its compliance program is rolled out.

On the other hand, doing nothing until regulators catch up to the latest advances, or waiting until the market picks a winning technology, creates its own risks. Compliance rules regulate behavior, not technology. The fact that no one anticipated that existing rules might cover a new method won't suspend or relax the regulation of the underlying conduct – or the rules for reporting it.

Inventions: The Parents of New Information

Of course, no one can predict which of today's innovations will achieve success in the marketplace. Even such recent inventions as cell-phone cameras, thumb drives and Blackberries are now “old hat,” and appear to be easy to fit into current regulations.

Inventions that break the mold, however, that create new product categories, will always challenge compliance efforts – such as business e-mail did a decade ago. Therefore, those who first understand how business can use – and abuse – the latest developments will be best able to profit from firms eager to pay for advice to avoid massive compliance penalties.

Fortunately, technology can assist in “keeping up with keeping up” to satisfy the compliance burden. Diligent compliance officers can use Internet tools and various software options to update themselves on the latest risks. For example, many government agencies now offer e-mail newsletters reporting on regulatory changes, or providing reminders of key compliance dates. Google's Alerts feature (www.google.com/alerts) provides automatic, free notices of online reports of specified information. Alerts can be set to monitor regulatory changes and trends, as well as to track information about a client.

RSS feeds are another automatic way of receiving notice of regulatory changes. An article on our sibling Web site, Law.com, for instance, features a discussion of many legal RSS applications. See it at www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1122627913641. Industry Web sites can also provide notice of regulatory developments in real time. However, be careful of bias, because they are often sponsored, or even produced, by firms selling compliance products or services.

Online discussion groups can provide extremely detailed and practical assistance with compliance problems, as well as a window on industry compliance trends, but one never knows who may be reading a posting — a competitor, a regulator or even an opposing counsel may all get unintended information from a request for assistance that is a bit too detailed. Depending on the industry and the question, moreover, online conversations among competitors can raise antitrust concerns.

Expertise is Available

But not everyone is willing to “bet the house” on do-it-yourself compliance. Fee-based compliance-management services offer the hope of keeping your firm up-to-date, and the potential for greater reliability than a firm's own attempts. Unfortunately, even paying an outsider to keep your firm up-to-date won't protect against all liabilities. An error by a compliance contractor won't absolve your firm's compliance responsibility. And in the uncertain compliance environment created by technological change, even a skilled consultant may not predict the correct compliance strategy. Also, whatever theoretical comfort may be derived from turning compliance over to an “expert” won't survive a reading of the typical liability-limitation provisions of most consulting contracts: most cap monetary liability, usually at no more than the amount received under the contract. Under a typical contract boilerplate, a firm generally won't be compensated for many indirect losses suffered as a result of a missed compliance burden.

For example, sales and profit may be lost during the period of reduced or shut-down production while fixing the source of the regulatory problem. Productivity may plummet as employee morale declines during the fallout from a compliance problem. Worse yet, a firm's reputation with the regulators it must work with daily may be harmed by a regulatory violation, particularly if caused by a contractor who doesn't have that firm's level of familiarity with those officials. And because courts have given regulators great discretion in interpreting rules, an unhappy court or regulator could make life miserable by never giving an apparently non-compliant business the benefit of the doubt on close questions.

Business compliance has never been easy. But technological changes have increased the burden, by taking away the relative certainty of static rules. Instead, compliance officers must always look beyond the printed rules, to assess what is actually happening in a business, and what changes to compliance duties the happenings may trigger. As a result, firms that don't keep up with technology don't just risk falling behind competitors — competitors that exist and those they never dreamed of; indeed, until they realize that even the most well done compliance program will never be complete, they could also become regulatory targets before they even know that an issue exists.



Stanley P. Jaskiewicz, e-Commerce Law & Strategy, Spector Gadon & Rosen