e-Commerce Best Practices

Not If, But When

In today's business climate, litigation and investigation is not a question of if but when. Companies of all sizes are facing greater litigation risks and higher costs than ever before.

According to a recent survey, the average number of lawsuits for companies that generate more than $1 billion a year in revenue has increased to more than 500 cases each year. At the same time, government investigations continue to grow. The U.S. Department of Justice investigated 490 corporate-fraud cases in 2007 alone, resulting in 171 indictments and 124 convictions.

The electronic discovery process is a critical part of these challenges. Legal teams want to keep their organization out of the media spotlight by ensuring that government fines, court sanctions and negative verdicts do not occur because of internal failures in managing the e-discovery process. They also want to make better, faster decisions on legal strategy and tactics based on real-time information about the documents and e-mail in their enterprise systems. In addition, every organization needs to contain costs by finding better methods to improve the predictability of electronic discovery while reducing its cost.

“Reactive” e-discovery means waiting until you face a legal matter and then scrambling to find what you need scattered around the organization. “Proactive” e-discovery means putting processes in place in advance that can be used to classify, organize and manage (retain/delete) information so that when faced with a discovery request, the parties concerned can respond quickly, easily and at a much reduced cost. A crucial component, one that significantly reduces a company's risk and cost, is to dispose of old and obsolete data that the company is no longer required to retain.

Information Management

Good information management requires the ability to classify and index all data, especially unstructured ESI. The goal is to quickly identify and retrieve relevant information.

The first part of smart records management is to establish retention and deletion policies in line with corporate or industry-specific compliance mandates as part of an intelligent information-management technology strategy for the entire company. The ideal next step is to leverage that technology to establish data-topology reports and to automate policy enforcement across all data sources, enterprise-wide. This might be something as simple as a policy about when to delete records so that they no longer become a corporate liability and incur costs downstream.

Companies need good records-management policies that systematically expire and purge obsolete documents. Reducing the overall storage content not only reduces storage cost, but it has a direct cost-savings impact on e-discovery tasks that arise later.

Some of the key issues an organization should consider include:

• How to identify, classify and store information;
• The types of systems and tools that can be used to manage and archive information; and
• What data should be targeted for protection, retention-policy development and how/when to trigger a hold on information if/when a legal matter arises.

Knowing What You Have and Where It Is

Every organization should prepare an auditable data map of active ESI, including IT architecture and an examination of how information flows throughout the company. Network servers, e-mail servers, content management systems, storage systems and PCs are all key elements of a data map, and help IT and legal departments understand what information exists, how it flows through the organization and which custodians are implicated in these information conduits.

A data map is a visual reproduction of the ways that ESI moves throughout an organization, from the point it is created to its ultimate destruction as part of the company's document-retention program. At its heart, a data map addresses how people within the organization communicate with one another, and with others outside the organization.

A comprehensive data map provides the legal and IT departments with a guide to the employees, processes, technology, types of data and business areas, along with physical and virtual locations of data throughout a company. It includes information about data-retention policies and enterprise content-management programs, as well as identifying servers that contain data for various departments or functional areas within the organization. This highly effective form of information organization also takes into account high-risk issues such as the type of litigation a company is facing or is likely to face. e-Commerce companies, more so than many others, need a clear picture of how data from transactions moves through the system and where it resides once the transaction or contract is completed, in case a dispute arises from that transaction and/or contract.

Data maps can help organizations better prepare for legal-discovery conferences, which will improve their ability to negotiate with opposing counsel. Organizations can also control litigation costs through the ability to plan strategies based on accurate, timely information. Equally important, organizations can protect sensitive business information to help ensure the support of regulatory-compliance and corporate-information governance policies.

Optimized Records Management And Destruction

Faced with possible liabilities, many organizations fall back on a “save everything” approach, resulting in soaring storage costs and increased difficulties in accessing the right information at the right time.

In order to proactively prepare while still maintaining cost control, record storage needs to be optimized according to corporate, legal and regulatory requirements. Organizations can properly discover, classify and retain all information according to business value and risk. ESI is culled to the minimum subset of potentially responsive data, reducing costs, from review-tool loading through legal review. Information should be retained only as required by retention rules and schedules, and old records should automatically be deleted, based on records-management policies.

Solutions for Protecting Information

Keep sensitive data where people who need it want it to be ' within the enterprise to support information-protection and compliance requirements. This will mean that the number of data hand-offs will be reduced, which will minimize potential chain-of-custody issues. Organizations also need an audit trail of all actions performed during collection, preservation, culling and production.

Developing Retention Policies

All too often, businesses discover the need for a document-retention policy only when it is least convenient to implement. Particularly in today's litigious society, when any and all document types can be used in litigation, being proactive in this regard can save an organization from headaches and excessive costs. A document-retention policy provides for the systematic review, retention and destruction of documents received or created in the course of business. A policy should identify those documents that must be maintained and contain guidelines for how long certain documents should be kept, and how they should be destroyed after the keep date has passed.

Steps in Developing Retention Policy

1. Identify information assets. Identify types of information assets (especially ESI) that the organization holds (i.e., e-mail, client contracts, vendor service agreements, compliance documentation, product/service logs and similar salient information assets).

2. Identify Legal/Regulatory/Compliance issues. Identify any particular regulatory agencies or statutes that may govern the industry in which the organization is operating. Identify any past/anticipated issues from a litigation, regulatory or compliance perspective.

3. Establish a response team. Identify key decision-makers within the organization in IT, legal, human resources and compliance, as well as C-level executives, and lay out appropriate times for retention or categories of organizational information.

4. Prepare an IT infrastructure roadmap. Companies should map existing IT architecture, including disaster-recovery, storage-infrastructure and backup-media/environments procedures and processes for implementing them, including when to do so and who should implement these steps. Prepare an organizational chart to identify key functional areas within the company or reporting relationships that may have an impact on retention policies. Identify any specific areas that need to be carved out from the general policy (i.e., financial records may need to be kept for seven years, regardless of how the organization's retention policy treats general data).

5. Implement policy. Implement the new policy, monitor enforcement and review policy periodically to ensure any new issues are addressed.

Organizations that have never undertaken the task of developing and implementing an effective data-retention policy often feel overwhelmed with the initiative, which is among the reasons the project gets put off. Working with a qualified external resource such as a data-management solutions provider may prove worth the investment.

Understanding the Data Privacy Landscape

Account for Existing Laws and Regulations on Data Privacy

No one law or regulation governs the whole realm of data privacy and information security. The federal government has taken a sectoral approach to the protection of personal information; laws such as the Health Insurance Portability and Accountability Act (“HIPAA”), and the Graham-Leach-Bliley and Fair Credit Reporting Acts regulate how certain industries protect information.

Many states are enacting breach-notification laws, as well as establishing minimum safeguards for the protection of personal information, including Social Security number protection laws and data-disposal statutes. e-Commerce companies must be aware of this patchwork of laws and regulations, and understand how it applies to their business operations.

Prepare for New Federal, and State, Laws and Regulations

As the data-security legal landscape changes rapidly, e-commerce vendors must stay on top of new and proposed laws that may affect their businesses. Many new laws have wide-ranging impact and require significant preparation for an e-commerce company to be in compliance when the laws and regulations become effective. Recent noteworthy regulations and laws include:

• The HITECH Act. Part of the stimulus bill signed into law by President Obama on Feb. 17, the law imposes notice obligations on entities covered by HIPAA when they suffer a breach affecting protected health information. It requires notice of any breach to affected individuals and to the U.S. Department of Health and Human Services. If more than 500 consumers in a state or jurisdiction are affected, then notice to the media is also required. A breach of some specific electronic health records requires notice to the Federal Trade Commission (“FTC”), in addition to notification of affected individuals.
• Massachusetts data security regulations are set to take effect on Jan. 1, 2010, and they will apply to any company that collects or maintains information on a Massachusetts resident. Among other things, these regulations mandate that companies adopt a comprehensive written security program, encrypt personal information stored on laptops and portable electronic devices, and document actions taken in response to breaches.
• Federal data breach notification legislation (H.R. 2221, the Data Accountability and Trust Act) is moving through the U.S. House of Representatives. The bill would require entities possessing personal information to establish and implement certain data-security measures, and mandate notice to the FTC in the event of a breach. The legislation, as written and drafted as of mid-October, would preempt state breach-notice laws, be enforceable by the FTC and state attorneys general, and would permit civil penalties of up to $5 million for violations.

Managing Organizational Risk

Managing organizational risk in tough times means taking a holistic view. This requires an integrated cross-departmental framework of controls, checks and balances. Key examples of issues facing organizations that have an impact on corporate risk include fraud, new-technology implementation and the advent of global markets.

Fraud

Fraud continues to be a problem for numerous organizations. Oversight and quality-control managers within organizations must be aware of this issue, and develop consistent policies and procedures to address fraud prevention.

New Technology Implementation

In the current business market, organizations are always looking for the latest and greatest innovation to help improve workflows, increase efficiencies and reduce costs. New technologies, however, introduce new organizational risks, and businesses must recognize and prepare for this during the implementation process.

Careless Strategic Decisions

In the current business environment, careless decisions can have a ripple effect across continents and into the global marketplace. The cost of strategic errors and the speed of their consequences on the company are increased, enhancing the overall risk profile of every major decision.

Management Information

Management information also can represent a risk when the information serving for decision-making is incomplete, out-of-date, erroneous, late, irrelevant or in some other way flawed or inapplicable. Organizations can no longer afford to treat risk in silos, or as separate department-level initiatives. Risk management needs to be an integrated, enterprise-wide approach, keeping focus on multiple key indicators that show early warning signs of potential business problems, with preplanned strategies to address potential risks.

Ongoing board-level attention is also required because risk management is no longer tenable as purely a compliance issue, as recent market events have amply highlighted. Globally, organizations are facing uncertain times, and management of risks at the highest level is critical. Only with a systematic but strategically led approach to risk management can organizations today be more assured of avoiding, or better managing, the pitfalls of difficult market conditions.

Conclusion

The rise of e-commerce is uniquely tied to the explosion of electronic data in the last 15-20 years. Without the constraints of physical filing cabinets or the need for storage rooms devoted to documents, there has been a nearly unchecked proliferation of electronically created and stored information. With this growth, organizations must acknowledge the increased risks, not only from the cost of finding and accessing information, but also the increased involvement of these electronic records in legal, regulatory and compliance matters.

In order to survive and thrive in today's economy, e-commerce organizations must be lean, eliminate as much risk as possible, and be able to quickly address requests for information internally and externally. Strategies on information management, retention/destruction of electronic data, data privacy, and risk management are critical to success in the ever-evolving world of e-commerce.

When lawsuits hit, many organizations find themselves scrambling to identify key business records and potentially relevant information.

Organizations must take active steps to help prepare for response and for navigating the rough waters of legal discovery.

Information-management strategies provide companies with the means to quickly zero in on the right custodians and the right data, saving time and reducing expenses in legal matters.

Constant evaluation and careful planning of company information assets allow these organizations to reduce risk to an acceptable minimum, to maintain data privacy and to manage the overwhelming mountains of electronic information generated through day-to-day e-commerce business activities.

All companies today need a plan to manage the massive amounts of electronically stored information (“ESI”) created in the course of ongoing business ' and e-commerce activities, all of which rely heavily on technology, are certainly no exception.

In fact, organizations that operate in an electronic environment need these plans perhaps more than any other type of enterprise due to the significant volumes of electronic records being produced by every transaction.

This article addresses how e-commerce companies can get a handle on managing organizational information, and outlines processes for retaining and managing key business information that could be salient in legal proceedings, regulatory matters or compliance issues. Additional discussion examines the evolving data-privacy and information-security landscapes, as well as general organizational risk factors that tech-heavy e-commerce companies need to consider in managing business operations.

Not If, But When

In today's business climate, litigation and investigation is not a question of if but when. Companies of all sizes are facing greater litigation risks and higher costs than ever before.

According to a recent survey, the average number of lawsuits for companies that generate more than $1 billion a year in revenue has increased to more than 500 cases each year. At the same time, government investigations continue to grow. The U.S. Department of Justice investigated 490 corporate-fraud cases in 2007 alone, resulting in 171 indictments and 124 convictions.

The electronic discovery process is a critical part of these challenges. Legal teams want to keep their organization out of the media spotlight by ensuring that government fines, court sanctions and negative verdicts do not occur because of internal failures in managing the e-discovery process. They also want to make better, faster decisions on legal strategy and tactics based on real-time information about the documents and e-mail in their enterprise systems. In addition, every organization needs to contain costs by finding better methods to improve the predictability of electronic discovery while reducing its cost.

“Reactive” e-discovery means waiting until you face a legal matter and then scrambling to find what you need scattered around the organization. “Proactive” e-discovery means putting processes in place in advance that can be used to classify, organize and manage (retain/delete) information so that when faced with a discovery request, the parties concerned can respond quickly, easily and at a much reduced cost. A crucial component, one that significantly reduces a company's risk and cost, is to dispose of old and obsolete data that the company is no longer required to retain.

Information Management

Good information management requires the ability to classify and index all data, especially unstructured ESI. The goal is to quickly identify and retrieve relevant information.

The first part of smart records management is to establish retention and deletion policies in line with corporate or industry-specific compliance mandates as part of an intelligent information-management technology strategy for the entire company. The ideal next step is to leverage that technology to establish data-topology reports and to automate policy enforcement across all data sources, enterprise-wide. This might be something as simple as a policy about when to delete records so that they no longer become a corporate liability and incur costs downstream.

Companies need good records-management policies that systematically expire and purge obsolete documents. Reducing the overall storage content not only reduces storage cost, but it has a direct cost-savings impact on e-discovery tasks that arise later.

Some of the key issues an organization should consider include:

• How to identify, classify and store information;
• The types of systems and tools that can be used to manage and archive information; and
• What data should be targeted for protection, retention-policy development and how/when to trigger a hold on information if/when a legal matter arises.

Knowing What You Have and Where It Is

Every organization should prepare an auditable data map of active ESI, including IT architecture and an examination of how information flows throughout the company. Network servers, e-mail servers, content management systems, storage systems and PCs are all key elements of a data map, and help IT and legal departments understand what information exists, how it flows through the organization and which custodians are implicated in these information conduits.

A data map is a visual reproduction of the ways that ESI moves throughout an organization, from the point it is created to its ultimate destruction as part of the company's document-retention program. At its heart, a data map addresses how people within the organization communicate with one another, and with others outside the organization.

A comprehensive data map provides the legal and IT departments with a guide to the employees, processes, technology, types of data and business areas, along with physical and virtual locations of data throughout a company. It includes information about data-retention policies and enterprise content-management programs, as well as identifying servers that contain data for various departments or functional areas within the organization. This highly effective form of information organization also takes into account high-risk issues such as the type of litigation a company is facing or is likely to face. e-Commerce companies, more so than many others, need a clear picture of how data from transactions moves through the system and where it resides once the transaction or contract is completed, in case a dispute arises from that transaction and/or contract.

Data maps can help organizations better prepare for legal-discovery conferences, which will improve their ability to negotiate with opposing counsel. Organizations can also control litigation costs through the ability to plan strategies based on accurate, timely information. Equally important, organizations can protect sensitive business information to help ensure the support of regulatory-compliance and corporate-information governance policies.

Optimized Records Management And Destruction

Faced with possible liabilities, many organizations fall back on a “save everything” approach, resulting in soaring storage costs and increased difficulties in accessing the right information at the right time.

In order to proactively prepare while still maintaining cost control, record storage needs to be optimized according to corporate, legal and regulatory requirements. Organizations can properly discover, classify and retain all information according to business value and risk. ESI is culled to the minimum subset of potentially responsive data, reducing costs, from review-tool loading through legal review. Information should be retained only as required by retention rules and schedules, and old records should automatically be deleted, based on records-management policies.

Solutions for Protecting Information

Keep sensitive data where people who need it want it to be ' within the enterprise to support information-protection and compliance requirements. This will mean that the number of data hand-offs will be reduced, which will minimize potential chain-of-custody issues. Organizations also need an audit trail of all actions performed during collection, preservation, culling and production.

Developing Retention Policies

All too often, businesses discover the need for a document-retention policy only when it is least convenient to implement. Particularly in today's litigious society, when any and all document types can be used in litigation, being proactive in this regard can save an organization from headaches and excessive costs. A document-retention policy provides for the systematic review, retention and destruction of documents received or created in the course of business. A policy should identify those documents that must be maintained and contain guidelines for how long certain documents should be kept, and how they should be destroyed after the keep date has passed.

Steps in Developing Retention Policy

1. Identify information assets. Identify types of information assets (especially ESI) that the organization holds (i.e., e-mail, client contracts, vendor service agreements, compliance documentation, product/service logs and similar salient information assets).

2. Identify Legal/Regulatory/Compliance issues. Identify any particular regulatory agencies or statutes that may govern the industry in which the organization is operating. Identify any past/anticipated issues from a litigation, regulatory or compliance perspective.

3. Establish a response team. Identify key decision-makers within the organization in IT, legal, human resources and compliance, as well as C-level executives, and lay out appropriate times for retention or categories of organizational information.

4. Prepare an IT infrastructure roadmap. Companies should map existing IT architecture, including disaster-recovery, storage-infrastructure and backup-media/environments procedures and processes for implementing them, including when to do so and who should implement these steps. Prepare an organizational chart to identify key functional areas within the company or reporting relationships that may have an impact on retention policies. Identify any specific areas that need to be carved out from the general policy (i.e., financial records may need to be kept for seven years, regardless of how the organization's retention policy treats general data).

5. Implement policy. Implement the new policy, monitor enforcement and review policy periodically to ensure any new issues are addressed.

Organizations that have never undertaken the task of developing and implementing an effective data-retention policy often feel overwhelmed with the initiative, which is among the reasons the project gets put off. Working with a qualified external resource such as a data-management solutions provider may prove worth the investment.

Understanding the Data Privacy Landscape

Account for Existing Laws and Regulations on Data Privacy

No one law or regulation governs the whole realm of data privacy and information security. The federal government has taken a sectoral approach to the protection of personal information; laws such as the Health Insurance Portability and Accountability Act (“HIPAA”), and the Graham-Leach-Bliley and Fair Credit Reporting Acts regulate how certain industries protect information.

Many states are enacting breach-notification laws, as well as establishing minimum safeguards for the protection of personal information, including Social Security number protection laws and data-disposal statutes. e-Commerce companies must be aware of this patchwork of laws and regulations, and understand how it applies to their business operations.

Prepare for New Federal, and State, Laws and Regulations

As the data-security legal landscape changes rapidly, e-commerce vendors must stay on top of new and proposed laws that may affect their businesses. Many new laws have wide-ranging impact and require significant preparation for an e-commerce company to be in compliance when the laws and regulations become effective. Recent noteworthy regulations and laws include:

• The HITECH Act. Part of the stimulus bill signed into law by President Obama on Feb. 17, the law imposes notice obligations on entities covered by HIPAA when they suffer a breach affecting protected health information. It requires notice of any breach to affected individuals and to the U.S. Department of Health and Human Services. If more than 500 consumers in a state or jurisdiction are affected, then notice to the media is also required. A breach of some specific electronic health records requires notice to the Federal Trade Commission (“FTC”), in addition to notification of affected individuals.
• Massachusetts data security regulations are set to take effect on Jan. 1, 2010, and they will apply to any company that collects or maintains information on a Massachusetts resident. Among other things, these regulations mandate that companies adopt a comprehensive written security program, encrypt personal information stored on laptops and portable electronic devices, and document actions taken in response to breaches.
• Federal data breach notification legislation (H.R. 2221, the Data Accountability and Trust Act) is moving through the U.S. House of Representatives. The bill would require entities possessing personal information to establish and implement certain data-security measures, and mandate notice to the FTC in the event of a breach. The legislation, as written and drafted as of mid-October, would preempt state breach-notice laws, be enforceable by the FTC and state attorneys general, and would permit civil penalties of up to $5 million for violations.

Managing Organizational Risk

Managing organizational risk in tough times means taking a holistic view. This requires an integrated cross-departmental framework of controls, checks and balances. Key examples of issues facing organizations that have an impact on corporate risk include fraud, new-technology implementation and the advent of global markets.

Fraud

Fraud continues to be a problem for numerous organizations. Oversight and quality-control managers within organizations must be aware of this issue, and develop consistent policies and procedures to address fraud prevention.

New Technology Implementation

In the current business market, organizations are always looking for the latest and greatest innovation to help improve workflows, increase efficiencies and reduce costs. New technologies, however, introduce new organizational risks, and businesses must recognize and prepare for this during the implementation process.

Careless Strategic Decisions

In the current business environment, careless decisions can have a ripple effect across continents and into the global marketplace. The cost of strategic errors and the speed of their consequences on the company are increased, enhancing the overall risk profile of every major decision.

Management Information

Management information also can represent a risk when the information serving for decision-making is incomplete, out-of-date, erroneous, late, irrelevant or in some other way flawed or inapplicable. Organizations can no longer afford to treat risk in silos, or as separate department-level initiatives. Risk management needs to be an integrated, enterprise-wide approach, keeping focus on multiple key indicators that show early warning signs of potential business problems, with preplanned strategies to address potential risks.

Ongoing board-level attention is also required because risk management is no longer tenable as purely a compliance issue, as recent market events have amply highlighted. Globally, organizations are facing uncertain times, and management of risks at the highest level is critical. Only with a systematic but strategically led approach to risk management can organizations today be more assured of avoiding, or better managing, the pitfalls of difficult market conditions.

Conclusion

The rise of e-commerce is uniquely tied to the explosion of electronic data in the last 15-20 years. Without the constraints of physical filing cabinets or the need for storage rooms devoted to documents, there has been a nearly unchecked proliferation of electronically created and stored information. With this growth, organizations must acknowledge the increased risks, not only from the cost of finding and accessing information, but also the increased involvement of these electronic records in legal, regulatory and compliance matters.

In order to survive and thrive in today's economy, e-commerce organizations must be lean, eliminate as much risk as possible, and be able to quickly address requests for information internally and externally. Strategies on information management, retention/destruction of electronic data, data privacy, and risk management are critical to success in the ever-evolving world of e-commerce.

When lawsuits hit, many organizations find themselves scrambling to identify key business records and potentially relevant information.

Organizations must take active steps to help prepare for response and for navigating the rough waters of legal discovery.

Information-management strategies provide companies with the means to quickly zero in on the right custodians and the right data, saving time and reducing expenses in legal matters.

Constant evaluation and careful planning of company information assets allow these organizations to reduce risk to an acceptable minimum, to maintain data privacy and to manage the overwhelming mountains of electronic information generated through day-to-day e-commerce business activities.