20 December 2007

FRE 502: Evidence & Digital Discovery...

What could the implications of this ruling be for employees in New York state? Scott v Beth Israel Med. Ctr. Inc.

The writing is on the wall with the attorney-client privilege and Federal Rules of Evidence 502. A review of current e-mail policy may also be in order at your institution if you plan on achieving "A Defensible Standard of Care."

On December 11, 2007, Senator Patrick Leahy, Chair of the Senate Judiciary Committee, introduced S. 2450, a bill adding new Evidence Rule 502 to the Federal Rules of Evidence. The legislation addresses waiver of the attorney-client privilege and work product protection and is identical to proposed Evidence Rule 502, which was approved by the Judicial Conference of the United States and transmitted to Congress for its consideration in September 2007.

Here are comments by the BLT:

If approved, the legislation would allow litigants to avoid waiving privilege on inadvertent disclosures if parties took reasonable efforts to vet the documents and asked for the return of any privileged information in a timely manner.

"The surging use of email and other electronic media has forced parties to spend billions of dollars and countless hours to guard against the unintentional release of such information," Leahy's office reported. Specter added that the new rule would help ensure that "the wheels of justice will not become bogged down in the mud of discovery."

Stephen D. Whetstone, Esq. of Stratify says this:


Given the increased risks and costs, it is no surprise that many companies are trying to wrest control over the discovery process. More companies are now directing their outside counsel to leverage technology to automatically organize huge data collections, help understand foreign languages and detect privilege and thereby drive down the costs and mistakes that result from fatigued human review. The rule-makers get it, too. The Advisory Committee Notes to proposed FRE 502 provide: "Depending on the circumstances, a party that uses advanced analytical software application and linguistic tools in screening for privilege and work product may be found to have taken 'reasonable steps' to prevent inadvertent disclosure."

In short, in the 12 months since adoption of the new discovery rules, the sky did not fall. But, for some, it grew darker and more expensive to prop up.

In case you haven't noticed your CIO in the General Counsel's office lately, you soon will. The automated tools for Electronic Content Management (ECM) have converged with the tools for Disaster Recovery Management (DRM). In the middle of the pile of documents, email and other electronically stored information (ESI) is something called effective Records Management.

The nexus here is managing discoverable information: email sent from Party A to Party B over the internal e-mail system provided by the employer, and on to third parties outside of the organization, including lawyers. How can an organization make sense of it all and keep the GC from pointing fingers at the CIO?

The answer begins with building awareness and education with all employees in the organization, not just the legal staff and IT. It begins the moment any employee opens a Word doc or Excel spreadsheet, or the second you reply to that IM or e-mail on your PDA. Only through effective education and policy management will the enterprise learn how to modify behavior, regardless of what tools and systems are put in place to organize, sort and query ESI.

"Whether building the castle walls or defending the crown jewels, knowing the right questions can make all of the difference."

The beginning of your educational journey starts here: CastleQuest

22 November 2007

The GC: The Truth Can Be Adjusted...

If you are a General Counsel (GC) today for an organization doing business on a global basis, your Blackberry must be "buzzing" every few minutes. The legal risk being encountered will always be a factor of the number of deals, the number of employees and the growing number of countries you do business in.

As a corporate GC of a global enterprise, you have a fiduciary responsibility to protect the enterprise from adversaries such as the rogue employee, the government regulator, competitors and plaintiff class actions. The Rule of Law in your organization is in your hands. How you transfer the "Talking Points" on ethics and legal messages to your employees, partners, suppliers and adversaries is critical. The effectiveness of your relationship with internal CSO, CISO and Internal Audit leadership could mean the survival of the company and your job.

In the latest Hollywood movie, Michael Clayton, George Clooney plays the role of a prominent law firm's "Fixer." He finds himself taking care of the messes corporate clients put themselves into, and even the internal firm problems with senior litigators who have decided to do secret battle with a prominent client's General Counsel. The GC in this film takes every precaution to ensure the settlement of a pending class action suit that has accumulated over 30,000 billable hours at Michael Clayton's law firm.

While this fictitious story displays the extremes of the world many GCs live in with their outside counsel, it sets the stage for gaining insight into the legal ethics and corporate challenges global institutions face on a continuous basis. The Yin / Yang of corporate compliance and governance is consistently wrestling with the pressure to save people from losing their reputations and the longing to do the right thing. The goal is to achieve a defensible standard of care and to have peace of mind: to be able to stand behind the fiduciary duty to uphold the law and enforce the rule of law in corporate business.

When was the last time a GC took the "Ethics" and "Rule of Law" program directly to the employees in face-to-face sessions, giving the employees, partners or suppliers a firsthand opportunity to meet, greet and engage with the General Counsel of the enterprise? By doing this you are directly engaging with the people on the front line to be the "eyes and ears" for the company, an early warning system for potential conflicts of interest, fraud and corruption. As an example, Scott Chaplin at Stanley Associates says this:

"I deal with a wide range of issues on any given day. I support not only our business operations but also corporate support. Our recurring issues include corporate governance and securities, and we're active in the mergers and acquisitions area -- we've done several deals recently. I handle labor and employment issues on a daily basis, along with government contracts issues, litigation, IP and compliance work. I'm also the ethics officer for the company, responsible for our ethics compliance program, as well as secretary of our board of directors, where I act as legal adviser to the board."

"I recently completed our annual ethics training at a number of our offices. After each training session, I would have a line of employees waiting to speak with me about various issues. That got me thinking that a lot of employees don't feel they have a direct line of communication to me at corporate. They might not feel that the issue is important enough to bring up with the GC. It made me realize that in-house lawyers need to get out of headquarters more often and go to the employees, instead of waiting for the employees to come to us. We have to get out to the field and foster the client relationship a little bit more."

Scott is absolutely correct, and what better time to emphasize SOX Section 806. Protecting the rights of corporate whistle-blowers is the GC's responsibility, in combination with an external ethics hot line for employees. While there have been plenty of other people calling for reform on other burdensome and expensive components of SOX, no one is going to touch Section 806. Employees don't understand the implications of the law, and corporate management can't underestimate the impact of this in terms of the potential litigation it may face.

Achieving a Defensible Standard of Care requires a General Counsel with the vision to address a spectrum of legal and ethical risks in the modern enterprise. When this is finally accomplished, the Michael Claytons in law firms around the globe will be looking for a new career.

01 November 2007

Red Flags: The Oracle of Omaha...

What do you do when you see a "Red Flag"? This was the question posed to Directors in a recent poll by Corporate Board Member Magazine in the November/December 2007 issue. C. Warren Neel, the Executive Director of the Corporate Governance Center at the University of Tennessee, could not have answered this any better:

I don't want to see it; I want to "hear" the red flag before I see it. I want to hear about it before it happens. And I don't want to just know it happened, I want a diagnostic as to why it happened. I want a postmortem. What led us down that track? How did it start? Was it personnel-based? Process-based? Because of a malfunctioning system? Did we have the wrong strategy? Or what?


Welcome to the world of Operational Risk Management, Mr. Neel. These are the scenarios that are played out on a continuous basis in the midst of the daily humming of business throughout the organization. These Ops Risk professionals are testing, exercising, stressing, and "Thinking of the Unthinkable" every day so you do hear it before it happens. It may not be weeks, or even days. It could be hours or minutes. And then what will the Board of Directors do next?

This is perhaps one of the largest worries these professionals have. They don't know you, the Board or the steps you may or may not take once you get the warning, the news or the prediction. As the Board of Directors, it's imperative that you learn all you can about who the Operational Risk experts are in the enterprise and get to know them personally. Otherwise, how are you ever going to have an early warning system that you can trust and that gets you the answers sooner rather than later?

What you need is an extension to the "Whistleblower" mechanism that tracks potential ethics violations and other breaches of corporate policy. It's a risk management method integrated with your current fraud management systems and combined with the ongoing behavioral analysis of "High" risk employees. Without this early warning process and supporting system in place, the Board is forever doomed to be on the "reactive" end of the spectrum, continuously wondering how to respond to an incident that has already occurred.

How did Warren Buffett get the "Red Flag" on Freddie Mac years before its implosion with senior management?

The charges against Brendsel were filed three years ago by the Office of Federal Housing Enterprise Oversight, which regulates Freddie Mac and its larger government-sponsored sibling Fannie Mae. OFHEO, which blames the accounting scandal on management misconduct, is seeking damages and penalties against Brendsel totaling nearly $1 billion, including $24 million in severance benefits and stock awards.

Buffett said he was uncomfortable, among other things, about an investment by Freddie Mac that was unrelated to its business as the nation's second-largest financer of home mortgages.

"I follow the old dictum: There's never just one cockroach in the kitchen," Buffett said.

Details of his testimony were reported in Wednesday's editions of The Washington Post. They were confirmed by people familiar with the proceeding, speaking on condition of anonymity because they weren't authorized to speak about the case publicly.

Regardless of the outcome of this proceeding, the point could be made that the board had a huge "Red Flag" in the fact that Warren was selling his stake in the company. Predictions are based upon a number of factors, and there must have been many pieces of information that added up to "something's not right" at Freddie Mac. Today, there are ten positions open at Freddie Mac for operational risk related jobs, and here is what they are seeking:

Position is part of a team supporting Operations as an operational risk management partner. Significant time will be spent as the face of the Audit Liaison function. Engages with the business areas to fully understand the operational process in order to coach and support the group in identifying and assessing operational risk and designing appropriate controls to mitigate the risk. Provides subject matter expertise on operational risk management systems and Freddie Mac operational processes.

Ensures all operational risk deliverables are completed within established timeframes with a high level of quality especially the mitigation of outstanding major/critical issues and monitoring of status on all outstanding issues. Deliverables include Operational Breakdown and Loss Event Reporting, Risk and Control Self-Assessments, SOX Assessments, Internal and External Audit Responses. Also supports Quality Assurance testing of SOX Key Controls and Root Cause Analysis.

Skills/Knowledge needed:

  • In-depth knowledge of operational risk management and controls with minimum 2 years experience.
  • Knowledge of key principles of auditing.
  • Knowledge of key principles of mortgage operations.
  • Knowledge of financial industry operations and/or accounting is preferred.
  • Ability to work independently with strong organizational skills to meet frequent deadlines.
  • Strong interpersonal skills with ability to build working relationships.
  • Flexibility and ability to multitask.
  • Strong analytical skills.

One might wonder why they are looking for someone with in-depth knowledge of operational risk management (ORM) with only two years of experience. Sadly, this is because the organization relied for too many years on their financial auditors and their armies of freshly minted MBAs from some of the best business schools in the nation. However, the main reason is that the science of ORM is new compared to other disciplines in the accounting profession.

As organizations evolve their ORM departments and combine the attributes of fraud management, systems testing, continuity of operations, records management and employee behavioral analysis, the Board of Directors will have a better opportunity to predict "Red Flags". They will ultimately become more preemptive in their actions and follow through to protect the shareholders' assets. Until that happens, keep your eyes and ears on the "Oracle of Omaha"...

19 October 2007

3rd Party Outsourcing: Compliance Management...

Hedge funds that require outsourcing products or services in conjunction with their broker-dealers and clearing banks are still under the regulators' microscope. The focus on "Red Flags" is a continuous challenge in addition to the latest operational risk mandates and due diligence on 3rd parties.

This was highlighted by Geofrey L. Master of Mayer Brown last May in one of his articles from Mondaq:

"Further, and even more significantly, hedge funds must deal with many compliance requirements that are applicable to other parties that are part of the fund’s operating environment. An example of such indirectly applicable requirements is the compliance obligations faced by the fund’s investment advisor, its broker-dealers, and its clearing banks. These parties face distinct, and often significant, legal and regulatory requirements that necessarily impact the fund’s operations. In addition, the demands of fund investors, as well as other business environment realities, result in a variety of self-imposed operational requirements that function effectively as (and in some cases may actually become — through fraud claims, for example) legal requirements."

"With regard to laws applicable to the service provider, compliance requirements range from licensing and authority-to-do-business issues to those directly impacting service performance, such as health and safety and environmental regulations and data safeguarding requirements."

The Governance, Regulatory, and Compliance (GRC) business process within the ranks of the hedge fund has a fundamental requirement to assure that outsourced entities are executing their responsibilities. Service providers are an extension of the hedge fund's supply chain of information services and financial intelligence, which investors have taken as a natural extension of the fund's operational infrastructure. The EU Market in Financial Instruments Directive (MiFID) takes effect on November 1, 2007 and directly intersects with outsourcing services to 3rd parties.

Mark A. Prinsley, also of Mayer Brown, sums up the impact of MiFID on firms and how they are currently managing the risk associated with outsourced services:

In substance, the rules should largely reflect no more than sound and prudent practice in any outsourcing relationships. However, in relation to the management of the outsourcing relationships, firms will be required to retain skills and exercise risk management not just for the services provided by the service provider, but also in relation to the way in which the firm manages its outsourced activities. Inevitably, this will lead to the need for more resources and skills in the areas of management and audit to be retained by firms in the financial services sector that outsource their activities.

It is also important to note that the new rules will apply retroactively. Thus, while firms will not be required to re-write their existing outsourcing arrangements, it will be prudent for them to confirm, particularly for arrangements that may not have been "material contracts" - and therefore not previously notified to the FSA - that the arrangements do meet the new rules in areas such as retention of appropriate skills and resources and management of risk.

Firms facing this increased scrutiny within the EU, and other firms looking to enhance their outsourcing resilience, need look no further than the BS 25999 standard for Business Continuity Management.

"Continued operations in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental requirement for any organization. BS 25999, the world’s first British standard for business continuity management (BCM), has been developed to help you minimize the risk of such disruptions.

By helping to put the fundamentals of a BCM system in place, the standard is designed to keep your business going during the most challenging and unexpected circumstances – protecting your staff, preserving your reputation and providing the ability to continue to operate and trade.

BS 25999 has been developed by a broad based group of world class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management.

It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to-customer dealings. It also contains a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle."

This new standard utilizes the same Plan-Do-Check-Act life cycle that many practitioners are already familiar with from previous implementation standards such as ISO 27001 for Information Security Management Systems. BS 25999 is suitable for any organization, large or small, from any sector. It is particularly relevant for organizations which operate in high risk environments such as finance, telecommunications, transport and the public sector, where the ability to continue operating is paramount for the organization itself and its customers and stakeholders.

20 September 2007

A Defensible Standard of Care: Six Million Reasons...

There are 6,000,000 reasons why Operational Risk at TD Ameritrade is in the Red Zone this week as a result of what seems to be a case of malicious code discovered last week, or over a year ago.

This author received a recent letter from TD Ameritrade regarding their so-called pseudo "breach". And we quote:

"While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain information stored in one of our databases, including email addresses, to be retrieved by an external source."


What is absolutely amazing is the request to visit www.amtd.com for more information, a list of Frequently Asked Questions (FAQs) and an additional message "from me" (the CEO, Joe Moglia). The link to this message requires you to run Windows Media Player for what must be a sincere apology. However, the PR department must not know how many malicious code exploits are associated with .wmv files, nor how many consumers still do not have broadband connections.

But that is not even the most fascinating aspect of this whole incident. The story gets even more disturbing if it is indeed true:

Scott Kamber of Kamber & Associates, a New York law firm that sued Sony BMG last year for its use of a rootkit, told InformationWeek on Monday that the lawsuit initially claimed that Ameritrade knew about the data breach last November. However, he says he now has information that the company knew about the ongoing breach a full year ago.

Kamber, who filed the suit this past May, had recently filed a preliminary injunction asking the court to compel Ameritrade to disclose the data breach and the compromised information to current and prospective customers. The company was given a two-week adjournment and made the public announcement during that recess.

"I am glad customers finally know of the compromise of their personal information," said Kamber. "I'm not pleased it took the company so long to do that."

Hillyer said she could not comment on ongoing litigation but said, "As soon as we discovered it, we stopped it. And as soon as we had gathered enough information, we notified our clients."

Ameritrade notified the FBI and the U.S. Securities and Exchange Commission last week, according to the spokeswoman.

It's apparent that the nexus of Information Security, Digital Forensics, eDiscovery, Legal Risk and Reputation Management has imploded in Bellevue, NE, yet this will not be the last place we hear about this kind of incident. If a Rootkit is on a server there, you can be sure that there are others at another broker or investment management firm near you.

Being vigilant about protecting privacy and doing the right thing with customers in the event of a breach has significant legal ramifications; that is for certain. What is less known at this point are the processes and corporate behavior that could be even more of a source of liability for TD Ameritrade. Who, what, how and why are now under investigation and will play out in a courtroom again soon.

The degree to which any firm in the industry is "Litigation Ready", or has adequately prepared for this particular nexus between the elements of Information Security and the Law, will determine the amount of Operational Risk it is potentially exposed to in incidents like this one. How can any firm prepare for an event similar to this?

1. Conduct a Litigation Readiness Audit of the firm.

2. Develop a strategic plan for achieving a "Defensible Standard of Care."

3. Train the stakeholders on Crisis, Command and Control.

4. Implement an early warning data analytics system to preempt potential threats.

Number four on this list pertains to something that is also in the author's letter: "As part of our effort to protect privacy, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft." Let's just hope these guys didn't load up a CD at their shop, handed over to them by TD Ameritrade, with 6,000,000 records of personally identifiable information on it.

14 September 2007

True or false: A large corporate private sector company hires an outside counsel to investigate an employee suspected of fraud. The outside counsel hires a fraud examiner to look into the facts. The fraud examiner's report to the outside counsel will assist in determining whether a crime has been committed. The report and the communications with the outside counsel are protected confidential work product and are privileged. If you don't know the answer, read on.

Organizations that realize internal investigations can pose a tremendous risk of litigation are ahead of the Operational Risk Management curve. Being proactive about a prudent strategy for addressing potential internal employee fraud is imperative, especially if you plan to pursue litigation to try to recover the stolen assets.

The two primary areas of emphasis here, for the purpose of determining what information is discoverable, are the attorney-client privilege and the work product doctrine. This Texas case from the Texas Bar Journal article by Derek Lisk illustrates the point:

In yet another case in which one party sought to protect documents from an investigation on privilege grounds, the U.S. District Court for the Eastern District of Texas took a more expansive view of the privilege. In-house counsel for Electronic Data Systems (EDS) hired outside attorneys, who in turn hired a consulting firm, to independently analyze and report on alleged misuse and misappropriation of assets by an EDS employee, Mr. Steingraber. In the ensuing litigation, EDS objected to producing documents from the investigation.

Steingraber, like Seibu Corp., argued that the documents were not privileged “because they were made to facilitate a business decision rather than the rendition of professional legal services.” This court, however, sided with the party seeking to protect the documents, finding Steingraber’s interpretation of the privilege “unduly narrow” and disagreeing with Seibu Corporation to the extent it held otherwise. Among other things, the court said, “The fact that the attorneys may have been hired to facilitate a business decision does not mean that such a decision was devoid of legal consequences.” Because EDS hired the outside lawyers to contribute legal expertise, including contract interpretation, risk evaluation, witness interviews, and evidence evaluation, the communications between them were “for the rendition of legal services.”

The status of H.R. 3013 in the US House of Representatives is unknown as it goes to be debated in committees:

7/12/2007--Introduced.

Attorney-Client Privilege Protection Act of 2007 - Amends the federal criminal code to prohibit any U.S. agent or attorney, in any federal investigation or criminal or civil enforcement matter, from demanding, requesting, or conditioning treatment on the disclosure by an organization (or affiliated person) of any communication protected by the attorney-client privilege or any attorney work product.

Prohibits a U.S. agent or attorney from conditioning a civil or criminal charging decision relating to an organization (or affiliated person) on one or more specified actions, or from using one or more such actions as a factor in determining whether an organization or affiliated person is cooperating with the government.

The question on the table here is how much you, as a corporation, want to cooperate to prosecute the employee. It may make sense as a corporation to waive some rights to help recover your losses. How you architect a process for engaging outside counsel, independent investigators and fraud examiners in order to mitigate Legal Risk is crucial. The information exchanged, obtained in the process and communicated between parties must be handled correctly, not only to protect the information under the new Federal Rules of Civil Procedure but to ensure the integrity and trust of the information itself.

A Board of Directors that oversees the governance of hundreds or thousands of employees is going to be continuously subjected to corporate malfeasance and white collar crime matters. The rule of law within the halls of the organization must be clear and precise. The mechanisms for the company to cooperate with investigators may mean the difference when an employee creates irreversible economic damage to the enterprise or, even worse, to our national security.

30 August 2007

BSA/AML: Testing the Channel...

Legal compliance with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) requirements is a complex and growing concern for regulators, enforcement and Operational Risk Executives. In the United States, the FFIEC (Federal Financial Institutions Examination Council) has published the latest Examination Manual to provide guidance:

Enterprise-Wide BSA/AML Risk Assessment

Holding companies or lead financial institutions that implement an enterprise-wide BSA/AML compliance program should assess risk both individually within business lines and on a consolidated basis across all activities and legal entities. Aggregating risks on an enterprise-wide basis for larger or more complex organizations may enable an organization to better identify risks and risk exposures within and across specific lines of business or product categories. Consolidated information also assists senior management and the board of directors in understanding and appropriately mitigating risks across the organization. To avoid having an outdated understanding of the BSA/AML risk exposures, the holding company or lead financial institution should continually reassess the organization’s BSA/AML risks and communicate with business units, functions, and legal entities. The identification of a BSA/AML risk or deficiency in one area of business may indicate concerns elsewhere in the organization, which management should identify and control.

When a financial institution utilizes a strategy for its channel or broker network, the goal is to build controls into the consumer application process. These controls help the parent financial institution with compliance issues and give the independent broker or registered investment advisor the tools and mechanisms for risk mitigation. However, to what degree do these independent brokers who interface with the consumer actually understand, implement and comply 100% with BSA/AML laws?

This question may haunt the minds of many Ops Risk professionals as they try to manage the mountain of data and documentation requirements at the home office or processing center. When there are dozens or hundreds of independent brokers in the client acquisition process, your risk exposure increases dramatically. When and how often do you need to audit these important entities in your member or client supply chain?

Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank. Banks that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested. The persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.

Those persons responsible for conducting an objective independent evaluation of the written BSA/AML compliance program should perform testing for specific compliance with the BSA, and evaluate pertinent management information systems (MIS).

This is no surprise to large banks and securities dealers, who have been working diligently on these compliance management problems for decades. Whenever an organization is deploying a distributed and indirect model for acquiring new consumers, high net worth individuals and other business entities for financial-based products and services, BSA/AML programs should be robust. The individuals who are planning to launder money that has been obtained illegally, or who are part of a fraud scheme, will prey on those unsuspecting and naive institutions first. In some cases, it could be an independent broker or business who is the target of a sophisticated and influential individual. They want to find a weak link in the institution's sales channel to gain access to a well-known brand to leverage their scheme with new victims.

The criminal trial of ex-Refco Inc. Chief Executive Phillip R. Bennett and two other former executives has been postponed until March 2008, according to court transcripts.

During a telephone conference last month, U.S. District Judge Naomi Reice Buchwald delayed the trial of Bennett; Robert C. Trosten, Refco's ex-chief financial officer; and Tone N. Grant, the commodities broker's former president, until March 17. A transcript of the call was released publicly earlier this week.

The case was originally scheduled to go to trial in October.

The men are facing a variety of charges including conspiracy, securities fraud, bank fraud, wire fraud and money laundering.

Late Wednesday, the litigation trusts representing Refco's creditors announced they had sued Thomas H. Lee Partners LP in federal court in Manhattan, alleging the buyout firm uncovered red flags about Refco and its executives before the buyout firm's 2004 purchase of a controlling stake in Refco, but failed to follow up in hopes of profiting from Refco's initial public offering the next year. Lee has denied the claims.

13 August 2007

ESI: Authenticity of Evidence...

Legal opinions on the admissibility of evidence and electronically stored information (ESI) are becoming more prevalent and increasingly relevant to Operational Risk Management:

In Lorraine v. Markel, authentication of information is a key issue in the ruling. Maryland Courts Watcher caught this ruling and our eye recently. "In its 101 page opinion, the court dedicated at least 90 pages to providing extensive and detailed analysis and guidance on the interrelated evidentiary issues governing the admissibility of electronically stored evidence (ESI), including: analysis under Rule 104, relevance under Rule 401, authentication as required by Rule 901(a), effect of hearsay as defined by Rule 801 and any applicable exceptions, consideration of the form of the ESI being offered under the original writing rule and the admissibility of any secondary evidence to prove its content, and the probative value of the ESI considering potential unfair prejudice or one of the other factors identified by Rule 403."

Whether ESI is admissible into evidence is determined by a collection of evidence rules that present themselves like a series of hurdles to be cleared by the proponent of the evidence. Failure to clear any of these evidentiary hurdles means that the evidence will not be admissible. Whenever ESI is offered as evidence, either at trial or in summary judgment, the following evidence rules must be considered: (1) is the ESI relevant as determined by Rule 401 (does it have any tendency to make some fact that is of consequence to the litigation more or less probable than it otherwise would be); (2) if relevant under 401, is it authentic as required by Rule 901(a) (can the proponent show that the ESI is what it purports to be); (3) if the ESI is offered for its substantive truth, is it hearsay as defined by Rule 801, and if so, is it covered by an applicable exception (Rules 803, 804 and 807); (4) is the form of the ESI that is being offered as evidence an original or duplicate under the original writing rule, or if not, is there admissible secondary evidence to prove the content of the ESI (Rules 1001-1008); and (5) is the probative value of the ESI substantially outweighed by the danger of unfair prejudice or one of the other factors identified by Rule 403, such that it should be excluded despite its relevance.

Authenticity and the chain of custody of ESI will continue to be a major challenge for the general counsels of major corporations in the years ahead. Creating and maintaining trusted information throughout the enterprise intersects policy, processes, people and technology. The legal risk associated with non-compliance and missed opportunities is a growing concern in executive management and Board of Directors meetings.

The explosion of information as early as 2001 started a process of discussions on the nexus of information security regarding data integrity and authenticity:

With the explosive growth of data exchange and the availability of access to services over the Web, the Trusted Information requirement is more and more an issue to providers and users of these services. Addressing this security issue, this volume is divided into eleven parts covering the essentials of information security technologies, including application-related topics, and issues relating to application development and deployment:

  • Security Protocols;
  • Smart Card;
  • Network Security and Intrusion Detection;
  • Trusted Platforms;
  • eSociety;
  • TTP Management and PKI;
  • Secure Workflow Environment;
  • Secure Group Communications;
  • Risk Management;
  • Security Policies;
  • Trusted System Design and Management.

Companies like IBM have been talking to clients about trusting their information for decades. However, when the discussions turn to litigation and admitting information stored on hard disks, DVDs, USB thumb drives and the data on your VoIP phone system, it all starts to become more complex than one could ever imagine. That complexity and the speed with which courts are asking for responsive answers put your legal risk in the center of the discussion.

Achieving a Defensible Standard of Care requires more than a savvy outside counsel. It demands an effective CIO, CSO and Records Manager working in combination with the hundreds of law firms you may have retained to address your ongoing litigation.

17 July 2007

4GW: Trusted Information Class Actions...

The SEC is in the middle of a Supreme Court battle and they have called in the "A" team to assist. Former SEC officials William H. Donaldson, Arthur Levitt and Harvey J. Goldschmid want to expand investors' abilities to sue in frauds:

The big-money issue has mobilized lawyers who bring class-action lawsuits and the companies and executives they target in one of the most important securities-law issues to reach the Supreme Court in years.

In cases in which fraud-ridden corporations have filed for Chapter 11 bankruptcy protection, investors may not be able to wrest money from the company itself. Lawsuits against business partners and advisers such as accountants and lawyers may present the only rich and viable option for shareholders and plaintiff lawyers, experts said.

What have we learned since Enron? Do we not have a more ethics-based atmosphere at the professional services firms? In the long run, will investors be better off with the ability to sue the advisors of the companies as accomplices to wrongdoing? You can bet that if the US Chamber of Commerce has its way, the SEC is in for a real fight on this one.

Some people are behind bars. Some companies are out of business. And the Dow is again at an all-time high nearing the 14,000 threshold. All of the legislation, class actions and fraud allegations are all about one thing. Information. Trusted Information.

A number of trends focused on corporate data continue to distract today's IT departments. Shareholders are clamoring for more transparency as a result of the financial scandals that have shaken confidence in corporate governance around the world. Compliance legislation such as the U.S. Sarbanes-Oxley Act (whose impact is reaching far beyond the U.S.) can result in jail sentences for executives who - even unintentionally - report erroneous information. New privacy laws around the world restrict the use of customer information. Increasing global competition has put pressure on organizations to use their expensive information assets more strategically.

All these issues can be summed up in a single concept: trusted information. Simply accessing data is no longer enough. Today's CEOs, CFOs and knowledge-workers must be able to reliably track the information they use for decisions back to the original source systems in order to ensure its timeliness, accuracy and credibility.

Over the last decade, organizations have invested millions of dollars in systems to collect, store and distribute information more effectively. Despite this, information users at all levels of the organization are often uncomfortable with the quality, reliability and transparency of the information they receive.

Today's organizations rarely have a "single view of the truth." Executives waste time in meetings debating whose figures are correct, rather than what to do about the company's issues. Additionally, they worry about the consequences of making strategic decisions using the wrong information, directly impacting the long-term survival of the organization.

This brief essay by Jeffrey Ritter discusses the compelling forces converging at the beginning of the 21st century that are shaping the need to consider trusted information as a vital asset that should be the priority of any organization:

As the 21st century accelerates, digital devices connected to the Net will continue to be indispensable to modern life. But those devices, and the services provided through them, remain vulnerable to human judgment—the 21st century winners will be those who earn and sustain the trust of those using the devices and the services—whether those are consumers, employees, shareholders, lenders or service providers.

When the law intersects with the validity of information, the corporate battle lines are drawn. Think about how much time and dollars are spent proving or disproving the integrity of information in a court of law. Those organizations who know that they are in the "4th Generation Warfare" (4GW) era will survive only if they can grasp this concept. Fourth Generation Warfare removes the front entirely. Attackers rely on a barrage of information salvos and coordinated incidents to paralyze or erode the adversary's political will, rather than seeking decisive hand-to-hand combat. Does this sound familiar to your General Counsel?

We are not talking about Al Qaeda now. We are talking about the class action "Army" that is forming the strategy and the means to wage unconventional battles against your trusted information. Or is it?

03 July 2007

ECM Security: Trusted Information...

When it comes to Enterprise Content Management (ECM), security is an issue that continues to challenge most vendors. John Newton is in search of topics at AIIM that address the security needs of the market place:
Content Log

  • Common identity. There needs to be a common way of addressing identity between different services whether those services are in the enterprise or outside.
  • Common Models for Rights Management. The big, looming problem in content is the fact that huge numbers of users are adding, accessing or updating an even larger number of pieces of content.
  • Distributed Directory Services. Identity is not sufficient for determining roles or entitlements.
  • Mashup Frameworks for Security. Mashups, the integration of different systems at the browser level, represent the fastest-growing and easiest mechanism to weld systems together. Almost all mashups have no notion of security and only work on public systems.
  • Search and Security. As search becomes increasingly federated, such as through the OpenSearch API, managing identity and entitlements on content becomes very problematic.

Whether John will find the answers is questionable. And that is exactly the issue when it comes to hosting or managing enterprise information. Almost a year ago, before Stellent (Sealed Media) was purchased by Oracle, their survey of 29 CIOs who had invested more than $1M in ECM had these as their top priorities:

The concerns were ranked on a scale of one to eight, eight being the most important.
  1. Guarantee ISO 17799 compliance: 6.03
  2. Protection of intellectual property during offshoring or outsourcing: 5.52
  3. Protection of high- and executive-level communications: 4.79
  4. Improvement of workflow-process automation: 4.41

So what?

If you are an ECM vendor and you only have so many bucks to spend on development of the next generation of your software, what are you going to add and what are you going to fix? So why are numbers one and two so important to CIOs who have invested so much money in their platforms?

Some of the answers can be found in the root cause of their concerns. We found some relevant discussion in a position paper entitled:

W3C Workshop on Transparency and Usability of Web Authentication by Jeffrey Ritter & Said Tabet

Statement of Issues: The conflict between the potential of Web Services and the inadequacy of web authentication is potentially best described as “a failure to communicate”. As enterprises extend and evolve into more dynamic, real-time facilities, central operations require the ability to express their security requirements in greater detail than can be currently enabled. Corporations must define and adhere to increasingly large directories of requirements in the management of their internal security controls; requiring compliance with those controls by participants in the extended enterprise is becoming essential.

Corporate operations increasingly distribute their computing and data processing requirements across a network of third party services, some of which are engaged and employed for controlled, finite sessions. But those third parties, for so long as they are processing data and functioning as part of the operating whole of the primary corporation, are being pressured to demonstrate their adherence to the security controls of their customers. This requirement is an expression of a requirement for trustworthiness—to be engaged as a part of the extended enterprise is to be trusted to perform in compliance with the applicable controls.

The enterprise that has exposure to continuous litigation is evaluating new ways to look at 3rd parties who manage its information, and this includes law firms. When you hand over management of critical and legally binding information to a 3rd party, trust is a key component of that decision. So how do you know if your law firm(s) and database marketing companies such as Merkle, Inc. or other outsourced service providers have the trustworthiness to be part of your extended enterprise? The fact is you don't, unless you require the new and existing parts of the information supply chain in your organization to operate as one seamless trusted entity.

The greatest economic risk companies face with electronic discovery is choosing the wrong law firm. Under the new Federal Rules of Civil Procedure, the amounts at stake are not just legal fees or settlement costs; searching for and recovering electronic business records causes productivity losses and threatens revenue. Bottom line, selecting a law firm that is ill-prepared to effectively manage electronic discovery can cost enormously - internal records preservation and production costs are considered one of the largest uncontrolled expenses in corporate America.
So how do you select the right firm?

For corporations, Evaluating the Electronic Discovery Capabilities of Outside Law Firms: A Model Request for Information and Analysis provides corporate law departments, records management and IT departments an invaluable tool to ensure that the legal risks of e-discovery are competently addressed by their outside law firms.

Here is a peek at the lineup so far this year by just one government regulator, the SEC.

30 June 2007

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the global answer to many of the Chief Security Officers (CSO) who have faced the troublesome battle of selling more "Fear and Doubt" to the CEO. When Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC last November 16th, 2006, her words were music to our ears:

It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change. The Council on Competitiveness is proud to offer this report, which promotes a strategy of resilience for both the public and private sectors, a strategy with clear benefits for our companies’ competitiveness and our nation’s homeland security.

Globalization, technological complexity, interdependence, and speed are fundamentally changing the kind of risks and competitive challenges that companies—and countries—face. Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies. Increasingly, disruptions can come from unforeseen directions with unanticipated effects. Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These new types of risk demand new methods of risk management.

Was this a way for the Chief Security Officers of the Fortune 500 to finally shift their thinking from protection to something less macho? How could "Resilience" become a platform for a mindset shift to justify new funding? After all, we are no longer trying to scare people with the low-probability, high-impact incidents; we are focusing on the high-probability incidents that may have enough impact to cause a significant business disruption. What are the incidents and areas of risk that insurance won't touch these days? If the insurance companies can write the policy to give you peace of mind, then is this necessarily an area that you can ignore because you have transferred the risk to someone else? Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt. And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to homeland security and critical infrastructure protection is operational risk management—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

Back in 2000, the Meta Group (now owned by Gartner) did a study on the cost of an hour of computer downtime by industry group. These numbers are now seven years old:

INDUSTRY SECTOR (cost per hour of downtime, $ millions)
  • Energy - $2.8
  • Telecommunications - $2.0
  • Manufacturing - $1.6
  • Financial Institutions - $1.4
  • Information Technology - $1.3
  • Insurance - $1.2
  • Retail - $1.1
  • Pharmaceuticals - $1.0
  • Banking - $0.996

We all know that it costs lots of money to have any systems downtime, which is why so many dollars have been invested in Disaster Recovery (DRP) and other Business Continuity Planning (BCP). Yet is this the kind of resilience that is going to make you more competitive to seize more opportunities? The economics of resilience are more than investing for the likely or unlikely information systems incident that will attack your organization tomorrow.

The threat of Tort Liability and the loss of reputation is top of mind these days with every major global company executive. The threat is real and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term Legal Risk new emphasis and meaning.

Once corporate management understands the need for a "resilience" mentality in place of a "protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive. It alleviates the fear of doom and gloom and inspires newfound innovation. Your organization's longevity and its adaptability can be achieved with a new perspective. Compete or die.

Enabling Global Enterprise Business Resilience is just the beginning...

26 June 2007

Insider Threat: Web 2.0 Wild West...

The Insider Threat is an Operational Risk that will never go away. It is without a doubt going to be a continuous issue for the Board of Directors, Corporate Management and shareholders for years to come. Fortunately, justice has recently sent a clear message about the implications of unleashing malicious code on a network.

The former systems administrator convicted this past summer of launching an attack on UBS PaineWebber four years ago was sentenced to 97 months in jail in U.S. District Court in Newark, N.J., on Wednesday.

Roger Duronio, 63, of Bogota, N.J., stood quietly and didn't react as Judge Joseph Greenaway Jr. handed down the sentence. "This is a sophisticated crime," said the judge. "This wasn't an instance when an individual argues that 'I had a bad day and I made a mistake.' It's undoubtedly that Mr. Duronio, having felt wronged, came up with an elaborate, sophisticated scheme to take down a company." Judge Greenaway added that he was struck by Duronio's attempt to not only disrupt the company but to derive financial benefit from it.

Duronio was found guilty of computer sabotage and securities fraud for writing, planting, and disseminating malicious code -- a so-called logic bomb -- that took down up to 2,000 servers in both UBS PaineWebber's central data center in Weehawken, N.J., and in branch offices around the country. The attack left the financial giant's traders unable to make trades, the lifeblood of the company, for a day in some offices and for several weeks in others.

Executives at UBS, which was renamed UBS Wealth Management USA in 2003, never reported the cost of lost business, but did say the attack cost the company more than $3.1 million to get the system back up and running.

"If it doesn't send a message, people aren't listening," said Assistant U.S. Attorney V. Grady O'Malley, a prosecutor on the case. "If giving the maximum for this crime doesn't send a message to people with the ability to commit a crime and to the people who employ them, they're not paying attention. The potential for the impact of an insider is uncalculable."


Whether you have an unknown system admin working against you because they didn't get a raise last year or the corporate espionage ring selling secrets or identities, the insider threat will continue to increase over time. This has to do with the new generation of employees who have grown up using the Internet and downloading intellectual property or open source software. It's the wild wild West, and the policies and ethics workshops are nothing more than a compliance officer's single strategy of justifying their existence.

Web 2.0 is changing these employees' attitudes about sharing everything. Many of them come to the organization with a profile on Facebook and don't have any qualms about sharing their own private information. The leaks to the press on major M&A deals should be enough evidence that good old-fashioned ethics are in jeopardy.

The Insider Threat in a Web 2.0 world is not only here to stay. It is just getting started.

20 June 2007

White Collar Crime: Enduring Truth...

In the 19th century a famous sleuth by the name of Al Pinkerton was quoted:

"A professional should possess the qualifications of prudence, secrecy, inventiveness, persistency, personal courage, and above all, honesty."

Inside the walls of global enterprises are the ticking time bombs waiting for the next opportunity to rationalize their malicious acts upon the organization. Individuals with advanced degrees, outstanding performance and continuous community service are operating just like Al Pinkerton has described, with one exception. Honesty.

White collar criminals are taking the corporate beaches by storm. Backdating, once a common practice, now has more than 100 companies under investigation. Yet good old-fashioned theft of corporate assets is running at an all-time high, and internal fraud is now, with more tips and leaks, a much easier crime to detect, prosecute and punish. Why do so many companies look the other way and just fire an employee when company wrongdoing is uncovered? Reputation.

The phrase "white-collar crime" was coined in 1939 during a speech given by Edwin Sutherland to the American Sociological Society. Sutherland defined the term as "crime committed by a person of respectability and high social status in the course of his occupation." Although there has been some debate as to what qualifies as a white-collar crime, the term today generally encompasses a variety of nonviolent crimes usually committed in commercial situations for financial gain. Many white-collar crimes are especially difficult to prosecute because the perpetrators are sophisticated criminals who have attempted to conceal their activities through a series of complex transactions.

The most common white-collar offenses include: antitrust violations, computer and internet fraud, credit card fraud, phone and telemarketing fraud, bankruptcy fraud, healthcare fraud, environmental law violations, insurance fraud, mail fraud, government fraud, tax evasion, financial fraud, securities fraud, insider trading, bribery, kickbacks, counterfeiting, public corruption, money laundering, embezzlement, economic espionage and trade secret theft. According to the Federal Bureau of Investigation, white-collar crime is estimated to cost the United States more than $300 billion annually.


A true Operational Risk Management professional has to operate as Al Pinkerton described and with even more capabilities than in his day. They have competencies and subject matter expertise to address:

* Identification
* Assessment
* Design
* Implementation
* Audit
* Supervision

You have to ID the corporate assets to protect and the threats to those assets. You then have to determine the likelihood of occurrence. What is the impact to the organization from a loss? One must also have knowledge and expertise in accounting, auditing, interviewing, investigation, legal elements, digital forensics, reporting, testifying and communicating. The OPS Risk professional today requires not only honesty but also much more.


Hiring good people is the constant headache of every manager in every industry in every part of the world, and bankers have probably complained about the situation the loudest. But if a bank makes a bad hire, the pain will only be felt years later when it comes out in the newspapers that both the employee and several million dollars have gone missing.

The situation should be avoidable, but the fact is that nobody can really know who it is that they are hiring. Consider the case of one senior banker, who was ready to hire a new personal assistant. Besides being the best candidate for the job, he had once known the applicant when he had worked at her previous company. Through a chance meeting with one of his old co-workers at that bank, he found out that his applicant had been fired for embezzlement, although the information had not been made public.

Actual levels of internal fraud across the industry are a closely guarded secret, although each banker will have a good idea how much it costs his or her own bank. While it is commonly agreed that the cost of internal fraud greatly exceeds that lost on credit card and other fraud, expensive systems required by regulators to manage fraud throw a monkey wrench into the works.

Whether you are in search of the facts or are rendering an opinion, the way you operate and behave within your organization and in front of those individuals you are in pursuit of remains the same. You are a "Citizen Soldier". This means that you are influenced by neither the politics nor the power of those who may try to persuade you to see it their way. You see it as it is, and your mission is to uncover the real truth and only the truth. Reputations are at stake. Lives will be changed forever. But the truth will endure.

19 June 2007

FACTA: The Writing is on the Wall...

Now that the financial community is wiping their brow with a sigh of relief on this latest Supreme Court ruling, what can a General Counsel or Chief Risk Officer expect? Will the adversarial train of plaintiff suits slow down and come to a halt? Not likely.

The U.S. Supreme Court's ruling that blocks investors from suing Wall Street investment banks under antitrust laws could save Wall Street firms a bundle by limiting investors to smaller recoveries.

In a case dating back to the dot-com bubble, the high court ruled Monday that antitrust suits would pose a "substantial risk" to the securities market. Damages in antitrust cases are tripled, in contrast to penalties under the securities laws.

The ruling struck down a lower court decision that would have allowed investors to go after Wall Street firms that they say engaged in anticompetitive practices by conspiring to drive up prices on about 900 newly issued stocks in the late 1990s.

Because the well-documented implosion of names like Enron Corp. swallowed any serious money that investors might hope to recover from that and other flame-outs, some investors have turned to the banks and other Wall Street regulars such as accounting firms that did work for such companies.

Wall Street institutions in the case before the Supreme Court were Credit Suisse Securities (USA) LLC, formerly Credit Suisse First Boston LLC; Bear, Stearns & Co. Inc.; Citigroup Global Markets Inc.; Comerica Inc.; Deutsche Bank Securities Inc.; Fidelity Distributors Corp.; Fidelity Brokerage Services LLC; Fidelity Investments Institutional Services Co. Inc.; Goldman, Sachs & Co.; The Goldman Sachs Group Inc.; Janus Capital Management LLC; Lehman Brothers Inc.; Merrill Lynch, Pierce, Fenner & Smith Inc.; Morgan Stanley & Co. Inc.; Robertson Stephens Inc.; Van Wagoner Capital Management Inc.; and Van Wagoner Funds, Inc.

These institutions may not have "Anti-Trust" anxiety from the Supreme Court any longer, yet there are plenty of other Operational Risks on their minds. Namely International Fraud.

In an era of data warehousing, metadata management, business process management and the looming Basel II Accord, there are plenty of conversations about what to do about fraud and other regulatory compliance. Multi-factor authentication for online banking systems is not a trivial matter when it comes to Enterprise Risk Management. Is the customer service organization ready for the upgrade? Is the consumer going to be confused about what questions they are being asked to get access to their latest online credit card statement? What is my customer "churn" factor? In other words, how many of my customers are jumping ship as a result of the operational risks that have turned their loyalty into consumer-driven class action fraud litigation?

An International Banking Fusion Center is on the horizon and it's not too far from the same justification that addresses Know Your Customer (KYC) and the financing of terrorism.

According to one study respondent, "Organizations are secretive of fraud losses and that inhibits our ability to work together."

"The sharing of intelligence is key to being able to take advantage of the predictability of fraud," First Data's Barwell continues. "Banks are sitting on valuable data that, if analyzed innovatively, could provide fraud intelligence worth sharing. One major bank has shown that if their internal client databases across business lines and geographies are analyzed using sophisticated link analysis tools, spurious networks of accounts can be uncovered and, when fully investigated, could uncover organized networks of first-party fraud accounts."

Barwell adds that several U.S. banks have expressed interest in taking the "quantum leap" to true data sharing.

The International Language of Fraud

"In the last eight to 10 years, fraud has really gone international," says Steve Baker, director of the Midwest region of the Federal Trade Commission (FTC). The FTC maintains a Consumer Sentinel database that includes more than 3.5 million consumer fraud complaints and is accessible to more than 3,000 law enforcement agencies internationally. In 2006, 22 percent of the reported fraud was cross border.

So what? What does information sharing have in common with International Fraud, Identity Theft and the risk of litigation within the banking or credit card industry?

Now the bankers want to sue the retailers and recover losses for the lack of privacy and security controls at the retailers. Since December 2006, plaintiffs’ class action firms in California and elsewhere have filed over 200 nationwide class actions in federal court against a broad spectrum of retailers and restaurants alleging violations of the Fair and Accurate Credit Transactions Act ("FACTA"). In addition to California federal courts, FACTA cases have been filed recently in federal courts in Pennsylvania, Illinois, New Jersey, Nevada, Maryland and Kansas.

16 June 2007

General Counsel: Information Security Nexus...

A "Defensible Standard of Care" is a hot topic these days around the Board of Directors Audit Committee conference table. Information Security standards are consistently being discussed by the CIO and CSO in the context of compliance. So where is the nexus? Why is it so critical to enabling the enterprise business resilience of a global institution?

The answers lie in the fundamental understanding that the Board of Directors and the "C" Suite are both working towards the same focal point. Their motive is almost identical: to be able to provide the evidence and the testimony that keeps their integrity and reputation intact. The ISO 27001 controls address this directly:

Clause A.15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

15 June 2007

Making the Business Case for Enterprise Content Management...

Making the Business Case for Enterprise Content Management: A Webinar

On July 24, 2007, from 11:00 a.m. to noon EDT, KM World will present a national webinar on how ECM champions can make a more successful business case for new ECM solutions. The webinar will feature Jeffrey Ritter and Walt Whalen of Waters Edge Consulting in a discussion of Waters Edge's work in this area. For further information, please contact info@wec-llc.com.

Welcome...

This blog will explore trusted information and the nexus of information security and the law.