Moderator: Donald Griffith, Senior Counsel, Foley & Lardner LLP
Panelists: Gregory Lawler, Senior Vice President and CIO, SWBC; Tim Talbot, Senior Vice President and CIO, PHH Arval; John von Stein, Executive Vice President and CIO, The Options Clearing Corp.
The afternoon panel, billed as “Avoiding Bad Press and Staying Out of Jail,” was all about regulatory compliance, and for the most part managed not to turn into a Sarbanes-Oxley-bashing fest, which is no small accomplishment. The fact that the session turned into a lively back-and-forth with the audience – the panel only got through the first three slides of its presentation – was even better.
Most of the conversation focused on what to do about e-mail or other data that a company may need during litigation. There were some easy answers. First, everyone agreed that companies need to have a policy that states how they treat e-mails and other communications. Second, everyone agreed that it was not the CIO’s job to come up with the policy – although the CIO can play an important advisory role. That’s about where the easy answers ended, however. The CIO’s role in applying the policy varied between enforcement and monitoring. At one point, the panel asked the audience who had an instant messaging policy. Most of the audience raised their hands. Only about half knew whether that policy was being followed, and even fewer had a way to detect whether it was being followed. (More fun unscientific findings from the audience: only a little over half the audience knew if their company had a litigation hold policy, which prompted Don Griffith to say “you better find out.” Also, more than half the audience had been subpoenaed for e-mail records.)
There were a few questions that no one knew the answer to — do you need to save e-mails from low-level employees, and what do you do about employees who save e-mails to their hard drives? But in the end it came back to some pretty simple advice: Have a policy and make sure that you follow it.