Practice Tip: Avoiding E-mail Compliance Traps

By Alexandra Wrage
January 31, 2014

According to an article in The Wall Street Journal, a marketing manager at British drug maker GlaxoSmithKline specifically instructed her sales team members to use their personal e-mail accounts, rather than their work accounts, to conduct some of their business. Portions of the e-mail were made public in light of allegations that the company had bribed doctors in China in order to encourage them to prescribe its drugs. Although GSK had been embroiled in allegations of bribery in China since 2010, the company received renewed attention when it was disclosed that Chinese authorities had recently detained several former GSK employees, and that those employees had since admitted to making payments to doctors.

Technology Challenge

Whether or not the allegations are true, the story illustrates the challenge that technology as simple as e-mail can pose for compliance officers. In May, the Securities and Exchange Commission (SEC) settled charges against Institutional Shareholder Services Inc. involving allegations that a senior account manager there used his personal e-mail to leak sensitive client information on shareholder voting in exchange for expensive meals, airline tickets, and other perks.

And with persistent advancements in technology, it is a problem that is not likely to resolve itself anytime soon. For companies wanting to get a handle on the compliance risks they face through e-mail (mis)uses and other forms of technology, here are five tips to follow:

1. Encourage Communication Between Compliance and IT Departments

A robust program to manage e-mail usage and other electronically stored data starts and ends with a good working relationship between compliance officers, in-house counsel, and IT teams. Everyone tends to approach this area from a different perspective: IT departments usually focus on disaster recovery and security concerns, while compliance departments are often more concerned with preservation of data, privacy, and other legal obligations.

2. Map Out Your Universe of Data

With employees increasingly using their mobile devices for work, storing company data in the cloud, and taking their work home with them to do on their personal computers, one of the biggest challenges companies face is understanding where all of their data resides. Before developing any policies or procedures to address e-mail usage, companies should spend time understanding how their employees are using technology to conduct their work.

Are employees in the field using personal devices to do their work remotely? Are employees working from home sending e-mails from their personal accounts? Are others using Google Docs and similar web-based apps to store information in the cloud? Whenever possible, compliance procedures should aim to match how technology is already being used, not define it.

3. Know Your Obligations ...

... then develop an established set of policies and procedures around them. All companies are generally required to retain relevant e-mails in the context of litigation or a government investigation. If a compliance team already has a good sense for how the company's employees use technology, it should be well positioned to identify its risks and craft corresponding policies and procedures.

4. Train Employees to Speak Up

No matter what policies are written down, technology should ultimately be viewed as a moving target. Who can predict what new app or device might be developed that employees will find useful in their day-to-day work? With training and a strong compliance culture, employees can learn to judge for themselves whether such new uses in technology raise compliance red flags (yes, they do).

5. Stress-Test Your Program

Periodically, compliance teams should send out questionnaires, audit their business processes, and perform internal monitoring to keep abreast of any changes in the ways employees are using e-mail and technology to do their work. If company policy forbids work-related e-mails on personal accounts, companies should monitor to see whether employees are sending out work information to their personal addresses. This should be done on a regular basis, as the worst time to realize the scope of your electronic data concerns is during a crisis.


Alexandra Wrage is the president of TRACE, an antibribery compliance organization. This article also appeared in Corporate Counsel, an ALM sister publication of this newsletter.
