Looking after it all – Records Management & e-Discovery Paul Johnston – Senior Manager, Group Records Management, NAB 15 April 2011

Upload: ark-group-australia

Post on 12-Jul-2015



Page 2: Paul Johnson

Outline of Topics

Meeting the legal requirements

Storage, recall and security requirements

Building an effective risk framework to protect your records

Records Management Culture at NAB

Page 3: Paul Johnson

Management Response to RM Risk

YES, we really must do something about this!

Page 4: Paul Johnson

Meeting the Legal requirements

Since 2005 there have been over 260 million individual records that have been lost – with many of these records containing sensitive business data or individuals’ personal identification information. Cost to companies to reproduce a record is approximately $200*

Risks and Costs include:

Regulatory fines (i.e. Austrac, APRA, ASIC, FSA, MAS, Basel II etc.)

Reputational damage

Courts

External third party legal fees

External auditor costs

Technology costs - capture, retrieval and restoration

People costs

Loss of customers

* Source – Quantum March 2010 newsletter

Page 5: Paul Johnson

Paying the Penalties

Recent overseas penalties for AML/CTF breaches have included:

in the US:

in September 2006 a settlement agreement in the amount of US$7.5 million between Bank of America Corporation (BAC) and the Manhattan District Attorney stemming from BAC's deficiencies in handling foreign money service business clients and AML controls; and

in December 2005 ABN AMRO agreed to pay US$80 million in fines and penalties for various defects, including AML internal controls and failures to identify, analyse, and report suspicious activity;

in the UK:

in 2005 the FSA imposed financial penalties of £175,000 on Investment Services UK Limited and £30,000 on its managing director; and

in 2004 it imposed fines of £1,250,000 and £375,000 on the Bank of Scotland and Bank of Ireland respectively.

in Japan:

in September 2004 the Japanese financial authorities ordered Citibank NA Japan to suspend its private banking operations for a number of violations including some relating to anti-money laundering.

Note - Austrac penalties - Businesses that breach the laws can be fined $11 million, while individuals within the company could receive penalties of up to $2.2 million.

Page 6: Paul Johnson

Planning for e-Discovery

When does the e-Discovery clock start ticking?

The duty to preserve relevant documentation may commence upon:

initiation of a lawsuit by or against the institution

institution is put on notice by a party that litigation is or may be imminent or

institution has knowledge of facts that indicate litigation is reasonably anticipated

Page 7: Paul Johnson

Planning for e-Discovery

Identify a centralised Coordinator for all special preservation requests

Regular discussions with your Litigation team

Legal and Coordinator must be the first to know of any potential litigation

Organise meetings with business key stakeholders (i.e. IT, forensics)

Prepare an action plan (i.e. steps you are taking to identify, preserve, collect and restore.) Also document all your communications including actions!

Understand what records are impacted (customer, corporate, employees) and what regions are impacted

Understand how far back you have to go

Think about creating a virtual team to support e-discovery

Maintain legal professional privilege in all your communications relating to the case

Page 8: Paul Johnson

Challenges of e-Discovery

Knowing where the information is stored

NAB is a global organisation (across 5 countries)

Different database systems (current)

Historical database systems (legacy)

Knowledge management

Documents incorrectly classified due to lack of knowledge of policy

Have records already been destroyed pursuant to the records retention policy requirements? (this may reduce the high costs of discovery)

Mergers and acquisitions – multiple systems

The time required to identify records across all systems

What resources do you have at your disposal? (the virtual search team)

Page 9: Paul Johnson

Storage gone wrong

Page 10: Paul Johnson

Challenges of capture and storage

People need to be made aware of the requirements to capture records in either:

Physical

Electronic

or both (though look to prevent duplication)

Burden of storing physical records due to environmental and sustainability reasons

Victorian Evidence Act 2008 and admissibility of computer-generated records

Page 11: Paul Johnson

Challenges of identifying records

Records kept to compensate

Records needed, but not located

‘Needle in the haystack’

In the past when the Bank needed to preserve records, it would place a blanket embargo to compensate for the way in which records were captured.

This has changed

Page 12: Paul Johnson

Challenges of identifying records

Configuration of computer workstations and file servers

Mirror disks

Removable media (diskettes, fobs, tapes, etc.)

Metadata

Temporary files and fragments

Histories

Embedded comments

Audit trails and log files

Legacy Systems

Internet information

Corporate intranets

Email

Computers and laptops

PDAs

Backup tapes and facilities

“Deleted” files

SharePoint

Non-textual electronic devices

Page 13: Paul Johnson

Culture

Page 14: Paul Johnson

NAB Records Management Program 09/10

Policy/Framework

Regulator Liaison & Regulatory Change

Governance and Reporting

Training and Communication

Monitoring & Testing

Advisory

Records Management Centre of Excellence

Records Management Risk Framework

Page 15: Paul Johnson

Building the right Culture at NAB

Training staff at day 1 to reduce our future e-discovery costs

Induction course includes records management

E-learning training module on records management (mandatory)

Group Records Retention Policy

Regular Change communications (regulatory updates etc.)

Assurance and monitoring (do staff really follow the policy?)

Risk sign-off required on a wide range of aspects, projects etc. impacting the records management lifecycle

Page 16: Paul Johnson

NAB Records Management Program 2010

Compliance with Group Policy

Mitigate records management risks

Improve Processes and Controls to provide an improved level of service

Reduce costs

Reduce our Environmental impact

Improve and Sustain awareness of records management culture

Litigation Hold (Special Preservation Procedures)

Develop on our current records management framework

Post-Implementation Compliance and Auditing

Page 17: Paul Johnson

Records Management overview

NAB focuses on six key phases that make up the records management lifecycle

Each Phase has a set of internal principles which we adhere to

All impact how we comply with e-Discovery requirements

Create, Maintain, Retain, Retrieve, Archive, Destroy

It’s not just here

Page 18: Paul Johnson

Understand your business to help reduce your discovery costs.

Number of technology systems used to capture records

What records do third parties hold for you, and why?

Test your controls around e-discovery (i.e. time to produce documents vs tight request deadlines)

Can you identify only those records that are required (why recover everything if not required)?

The increased volume of Technology storage devices (map out what you use and where)

Work with IT, Forensics, Legal, Risk teams and third party legal teams to understand what they require and in what format (native, PDF, TIFF etc.)

Controls around ‘temporary’ storage

Mandate electronic channel into third party offsite storage

Do your staff understand what is expected of them in the records management lifecycle?

Page 19: Paul Johnson

Conclusion

BE PROACTIVE AND NOT REACTIVE

Page 20: Paul Johnson

Disclaimer

The materials, ideas, opinions and information expressed are the personal views of the presenter. In no event shall National Australia Bank Limited or its related entities be liable for any damages whatsoever resulting from any action arising in connection with the use of this information or its publication, including any action for infringement of copyright or defamation.

Page 21: Paul Johnson

Questions

Paul Johnston

National Australia Bank

Email: [email protected]

Phone: 0458 346 208