Thursday, January 15, 2009

Electronic Evidence is Everywhere.....Get A Grip!!!

The 2008 failures in worldwide economics are far unlike the economic crash during the Great Depression of 80 years ago (October 1929). In our current legal system there will be a relentless effort by the Government, Regulatory Agencies and the Consumer to point a finger away from themselves.

"HOW COULD YOU LET THIS HAPPEN?"


Corporate entities can't just lose, shred or burn the paper away to escape accountability. Even the untraceables are traceable, especially now that electronic document transmission is the most common form of communication. The influx of law and industry regulation to measure accountability and responsibility of corporations has led to the creation and adaptation of laws designed to keep pace with how companies conduct business.


Electronically Stored Information (ESI) = The Double-Edged Sword.


I expect that 2009 will be full of Government and Regulatory Agency investigations across all Industries. These events could cost companies their existence if they don't get knowledgeable about how to respond to electronically stored information document requests. See Ralph Losey's post about "D.C. Appeals Court Affirms Order Requiring a Non-Party to Spend $6 Million, 9% of its Total Annual Budget, to Comply with an e-Discovery Subpoena".




The idea that a company can sit and wait to see if the lamb's blood will protect it from big brother is not enough in this era of eDiscovery and digital forensics. Inside Counsel and Corporate IT departments, along with outside Counsel, must take steps to get a grip on ESI. In most cases, establishing some basic common-sense approaches along with written policies provides adequate protections. This approach will also bring greater awareness to managing ESI from a legal perspective. Implementation of technology to automate the process of ESI identification and preservation will provide the level of compliance needed to respond to discovery requests with ease and minimal 3rd party costs.


"America was built on the premise of blood, sweat and tears
as it equated to hard work....Today, we survive by working smarter through use of technology"


The following article, published by Lucas Mearian and Computerworld, continues to reinforce the fact that many Corporate Entities in various Industries today will be caught with no real protection other than the blood of the lamb, and unfortunately it won't stop the clouds from sweeping in low looking for evidence.....:


Wall Street crisis brings lax e-discovery law enforcement to light
IT managers expect U.S. to add new regulations, boost enforcement

Lucas Mearian

The financial crisis on Wall Street has prompted numerous investigations into the lending practices of financial services firms, all with a similar focus: Who knew what, and when did they know it?

Strong electronic records retention plans could help users quickly answer such questions. However, industry observers note, few of the records-retention regulations enacted over the past decade have been strongly enforced, and most companies have done little to comply with them.

Analysts warn that the fallout from the Wall Street meltdown will lead quickly to stronger enforcement of existing laws -- including the Sarbanes-Oxley Act, the Electronic Signatures in Global and National Commerce Act, the U.S. Securities and Exchange Commission's Rule 17A-4, and the Gramm-Leach-Bliley Act -- and perhaps some new ones targeting the financial services industry.

At the same time, the health care industry faces more scrutiny as it hastens to move to a national e-health system.

Today, only 10% to 15% of U.S. corporations have electronic records retention systems in place, according to Gartner Inc. "In terms of a good electronic records system, I would say it's closer to zero," said Debra Logan, an analyst at the consulting firm.

"There will be an increase in regulations," predicted Hugo Torres, IT director at Coral Gables, Fla.-based Great Florida Bank. "We've gotten wind of it. We'll be more heavily regulated than before."

Until two years ago, Torres said, it was common for four bank examiners to audit Great Florida Bank annually. Last year, as the crisis grew, 12 examiners inspected its records. Torres said he's bracing for even more auditors in 2009, as state and federal agencies scour every commercial and consumer loan to make sure that banks performed adequate due diligence to determine the borrowers' ability to pay.

Logan said that stronger retention systems will also help companies to better defend themselves against legal action by disgruntled customers or employees.

"The amount of litigation that's going to be generated out of this Wall Street meltdown is going to be unbelievable. The regulators will be asking the banks what happened," she said. Lawsuits stemming from problems at government-backed mortgage finance companies Freddie Mac and Fannie Mae "will result in systemic change," Logan added.

Bill Savarino, a partner at Washington-based law firm Cohen, Mohr LLP and an expert in e-mail retention and other regulatory issues, said he expects that Congress will overreact to the Wall Street crisis and enact new legislation.

"I don't know if it's necessary," he said. "If they enforce the stuff they've got, we should be fine."

Savarino, who has been advising IT managers on data retention issues for the past seven years, said that companies that are implementing retention systems today often do little more than keep data for 30, 60 or 90 days and then hit the delete button. In such cases, legacy documents are unavailable, and it isn't possible to show trends over time, he noted.


"I do not subscribe to the 30-, 60-, 90-day policy. I think they are woefully inadequate, and I don't think they comply with most rules and regulations," Savarino said. "When regulators audit regularly and investigate regularly, that's when they're going to start discerning who's keeping e-mail and who's not. They just haven't been doing that on a regular basis."

Savarino said IT managers and corporate legal departments should take the following three steps to prepare for the coming oversight onslaught:

  • Learn what the data retention laws require specific industries to do.
  • Install packaged archival and retrieval tools because it's too difficult to handle those tasks manually.
  • Utilize outside legal counsel.

"I know that sounds self-serving," Savarino acknowledged, "but outside lawyers can help companies figure out what the laws are and establish retention schedules and determine how to set up electronic archive 'buckets' to hold on to e-mail and documents."


Lawyers can also help set policies, procedures and parameters to deal with litigation holds, which require firms that have been notified about a potential lawsuit or government investigation to retain all potentially-relevant electronic documents. Two years ago, Congress approved the Federal Rules of Civil Procedure, which set a baseline for which electronic documents must be retained and retrievable by corporate litigants in a court case.


After completing an initial public offering two years ago, Great Florida Bank installed a complete electronic-documents archive and e-discovery system to deal with the additional regulatory oversight facing publicly-held financial institutions.


The e-discovery system, from Santa Clara, Calif.-based Mimosa Systems Inc. -- along with two Hitachi storage-area networks (SAN), and Exchange and a SQL server cluster upgrade -- cost $500,000, and it was worth every penny, Torres said.


Now all of the bank's e-mail and electronic documents are automatically indexed and stored on the two SANs, which replicate the data for disaster recovery.


Torres said the system is very helpful in the auditing process and will likely help the bank deal with any lawsuits filed against it by ex-employees or customers.


Great Florida Bank, which employs 275 people and has 26 branch offices in three counties, maintains 32 servers in its data center.


Many health care firms are turning to such systems as the federal government increases emphasis on electronic health records systems, setting up systems and enforcing the Health Insurance Portability and Accountability Act.


In addition, an increase in the number of lawsuits against health care providers has forced them to implement measures to better protect patient data and store it for set periods of time.

Wyoming Valley Health Care System Inc. turned to CommVault Systems Inc.'s Simpana e-discovery software last March after a lawsuit was filed against one of its hospitals.


Howard Dowell, a network analyst at the Wilkes-Barre, Pa.-based health care provider, said the software automatically indexed four years' worth of e-mail over a weekend and provides a Google-like search engine for retrieving documents.


"Our system is giving us results in seconds," Dowell said, noting that it can be used to search by keyword, date, the name of the sender or a phrase. "Basically, I get it back like a Google search page with all the hits, I can save it as a PFT or .Zip file and examine it later," he added.


Wyoming Valley Health Care's data center runs 200 servers, 90% of which are Wintel boxes, and it has 1,200 e-mail users. Electronic documents are indexed on two servers and then stored on an EMC Clariion SAN.

However, most companies "are standing there like deer in the headlights," Logan said.


"We have to have a more disciplined process for working with electronic records regulations," she said. "We need to have people in charge of managing information for the entire company. Today, everyone's expected to manage their own data."


As e-discovery pressures grow, companies and regulators must work together to determine which business documents are truly critical, Logan added. "People have to start throwing stuff away. It's not all precious," she said. "There needs to be some change to separate the wheat from the chaff."

Monday, January 12, 2009

Obama's big idea: Digital health records....Change is here

In response to my most recent post, "Insurance Discovery Readiness....Don't be caught drowsy", the article below touches on the core of the debate and rising concern that more attention must be paid to how the Insurance and Medical Care providers account for record keeping...

article courtesy of http://money.cnn.com/2009/01/12/technology/stimulus_health_care/index.htm

President-elect wants to computerize the nation's health care records in five years. But the plan comes with a hefty price tag, and specialized labor is scarce.

By David Goldman, CNNMoney.com staff writer
January 12, 2009: 4:05 AM ET

NEW YORK (CNNMoney.com) -- President-elect Barack Obama, as part of the effort to revive the economy, has proposed a massive effort to modernize health care by making all health records standardized and electronic.

Here's the audacious plan: Computerize all health records within five years. The quality of health care for all Americans gets a big boost, and costs decline.

Sounds good. But it won't be easy.

In fact, many hurdles stand in the way. Only about 8% of the nation's 5,000 hospitals and 17% of its 800,000 physicians currently use the kind of common computerized record-keeping systems that Obama envisions for the whole nation. And some experts say that serious concerns about patient privacy must be addressed first. Finally, the country suffers a dearth of skilled workers necessary to build and implement the necessary technology.

"The hard part of this is that we can't just drop a computer on every doctor's desk," said Dr. David Brailer, former National Coordinator for Health Information Technology, who served as President Bush's health information czar from 2004 to 2006. "Getting electronic records up and running is a very technical task."

It also won't come cheap. Independent studies from Harvard, RAND and the Commonwealth Fund have shown that such a plan could cost at least $75 billion to $100 billion over the ten years they think the hospitals would need to implement the program.

That's a huge amount of money -- since the total cost of the stimulus plan is estimated to cost about $800 billion, the health care initiative would be one of the priciest parts to the plan.

The biggest cost will be paying and training the labor force needed to create the network. Luis Castillo, senior vice president of Siemens Healthcare, a company that designs health care technology, said the laborers will have the extremely difficult task of designing a system that "thinks like a physician."

"Doctors cannot spend hours and hours learning a new system," said Castillo. "It needs to be a ubiquitous, 'anytime, anywhere' solution that has easily accessible data in a simple-to-use Web-based application."

But highly skilled health information technology professionals are as rare as they come, and many IT workers will need to be trained as health technology experts.

Early government estimates showed about 212,000 jobs could be created from this program, but Brailer said there simply aren't that many Americans who are qualified.

Furthermore, ensuring the privacy of patients' records in a nationalized computer network will be tricky. There are obvious concerns about hackers and system failures. And new online health record systems, such as Google Health, are not currently subject to the Health Insurance Portability and Accountability Act, the national health privacy law.

"HIPAA was never intended for the digital age, because the laws never anticipated the emergence of Web-based records," said Brailer. "Congress can pass one of numerous policy proposals for change, it's just a question if they have the will to do that."

Jobs and savings for the future

The Obama transition operation declined a request to elaborate on Obama's proposal. The president-elect said Thursday in a speech on the economy that the benefits of a modernized national health record system go beyond just cost savings.

"This will cut waste, eliminate red tape, and reduce the need to repeat expensive medical tests," said Obama. "It just won't save billions of dollars and thousands of jobs -- it will save lives by reducing the deadly but preventable medical errors that pervade our health care system," he added.

Still, compared to the $2 trillion a year that the industry spends, the $100 billion experts say it may cost to implement Obama's plan is a drop in the bucket.

"We must reduce waste to become more efficient," said Brailer.

The savings of such a plan could be substantial. Brailer estimates that a fully computerized health record system could save the industry $200 billion to $300 billion a year.

That could ultimately slow the rapid rise of health care premiums, which have cut into Americans' paychecks. While wages are rising at a rate of around 3% a year, health care costs are growing at about three times that rate.

"Obama's support for electronic medical records is one of the key efforts of health reform that actually will deliver lower costs for hard-working American families," said Larry McNeely, a health care advocate at U.S. Public Interest Research Group. "Long-term savings can't happen unless we have 21st century health information technology."

Massachusetts has developed a plan to fully computerize records at its 14,000 physicians' offices by 2012 and its 63 hospitals by 2014. After a pilot program, the state legislature estimates it will cost about $340 million to build the statewide computer system, with a cost of about $2 million per hospital.

"[Obama's] timeframe is very ambitious, but there is a need to be able to track data on patients and talk across providers and health care systems," said Dr. JudyAnn Bigby, Secretary of Health and Human Services for Massachusetts. "The program will allow for greater patient safety."

Some say some of the hard work has begun. The Bush administration laid much of the groundwork for the program, leading to several pilot programs in a handful of states, as well as a standardization of medical records.

"The whole structure has already been developed," said Stephen Schoenbaum, executive director of The Commonwealth Fund's commission on a high performance health system. "It's feasible to at least make a lot of progress on this in the next five years."

Thursday, January 8, 2009

Insurance Discovery Readiness....Don't be caught drowsy

For the last 6 months I have been researching the impact of the regulatory agencies as it relates to the Health Care Industry and the impact of ESI (electronically stored information) discovery in response to litigation. Ironically, to me it seems as though most people in the insurance industry have the same perceptions as commercial corporations with regard to being prepared for litigation in this electronic era:

"....doesn't affect me until it hits me...."

This view is even more troubling to me, as the Health Care Professionals are the only link between me and maintaining my personal privacy. I consider this far more important than a commercial corporation losing a couple million bucks for patent infringement, securities fraud or being negligent in accounting or fixing stock options.

Most of my conversations have been with primary care physicians and hospital administration professionals. The common thread is they all agree that maintaining patient records in an electronic form makes sense on many levels, including the ability to access and update patient information with ease, thus providing the patient with a higher level of proper care and diagnosis as the sharing of information between medical professionals is streamlined. Not to mention that with the emergence of electronic record keeping the medical billing process is also streamlined to generate more accurate billing and is less likely to miss revenue from the three Tylenol that someone forgot to record in the chart.

The common theme in each conversation was the start-up costs to implement such a system to maintain the electronic data in a secure environment as indicated by the regulatory agencies. Therefore most physicians in private practice have been slow to implement an electronic record management system to date. They still rely on traditional...excuse me...pre-historic carbon copy records and steel file cabinets to maintain patient records. There are even those who still utilize thermal fax machines. The difference is that most hospitals are making the investment to "connect" their systems and policies in accordance with the rules of the regulatory agencies and law.

Perhaps the root of the problem is that most companies in the insurance industry realize that the fines imposed for their negligence by the regulatory commissions and statutes, once identified, are not as significant in comparison to damages imposed following a civil lawsuit. And for now they are willing to take that risk of not being "totally" compliant.

I will continue to follow the industry trends and provide additional solutions that are simple and cost-effective means to becoming compliant.

The article below I find to be very striking, and hopefully it will resound loudly in the ears of the decision makers of the insurance industry:

Compliance Technology Investment: Risk and Benefit, by Larry Danielson, Principal, Deloitte Consulting LLP

The insurance industry is one of the most regulated industries, with states controlling company licensing, producer licensing, and product, financial and market regulations, with an end goal to protect consumers.

Insurance carriers have to comply with regulations such as the Gramm-Leach-Bliley Act (GLBA), Sarbanes Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Federal Rules of Civil Procedure (FRCP), and various statutory reporting requirements. The regulatory environment is also constantly changing and expected to become more complex in light of the current credit crisis and turmoil in the financial services industry. Recently, Treasury Secretary Paulson proposed more federal control of regulations for the insurance industry, at the expense of state oversight.

Return on Investment for Regulatory Technology Projects
The response of insurance organizations to these regulations is mostly reactive. Too often, the decision to invest in regulatory technology is made through a return on investment calculation that pits the cost of fines against the cost of technology. However, organizations are not thinking about the impact on brand value and reputational risk from non-compliance to regulations. The cost of reputational damage is immense, and in addition to the fines, also includes soft costs such as decline in share price and associated erosion of market capitalization, lost business, management diversion, etc. The cost of reputational damage often can run into tens to hundreds of millions of dollars and, in extreme cases, can cause regulators to revoke the insurance carrier's license to operate. Accordingly, compliance systems must be recognized as a "must have," and investments in them should be made with respect to the magnitude of exposure insurers face, with special attention to reputational risks.

Planned Approach to Understanding Data and Requirements
In this context, insurance organizations' investment in regulatory technology is a matter of strategic planning. If planned appropriately, regulatory necessities can serve as a catalyst to a better understanding of the organization's data and associated processes for all purposes. Structured efforts, systematically analyzing and classifying data up-front can lead to a significant cost reduction from data rationalization, reduction in data redundancy, and reduced business and IT effort needed to reconcile data. In addition, appropriate data classification can also yield broad business and operational benefits through better knowledge of an organization's information assets. A world-class regulatory technology platform would combine this knowledge to specific statutory requirements that are different for life, health & annuities and property & casualty carriers.

Synergies with other Initiatives
A planned response to regulatory technology also includes exploring synergies with an insurer's other proposed and in-flight initiatives. For example, regulatory reporting can leverage existing or planned enterprise data warehouses. Similarly, when complying with record retention requirements, organizations should leverage any broader enterprise content management (ECM) initiatives. Regulatory technology can be beneficial to other initiatives as well. For example, data analysis and data classification can support information lifecycle management (ILM), business continuity/disaster recovery or any other initiatives that could benefit from data analysis and classification.

Sponsorship and Governance
Often it is unclear who should sponsor regulatory and compliance technology initiatives – whether the business, CIO, chief risk officer or the CEO. A well-planned regulatory technology initiative requires appropriate executive sponsorship and a governance structure that has representation from business, IT and regulatory/compliance. The cross-functional nature of the governance structure will ensure that regulatory technology initiatives are informed by the perspectives necessary to make them successful.


To see the full article: http://www.insurancetech.com/blog/archives/2009/01/compliance_tech.html