Published: March 31 2009, 10:12 AM | no comments
by Bill Manago

Recently, the court systems in Australia and New Zealand have used Facebook to serve legal papers to people who could not otherwise be located and to notify them of legal actions taken against them. In Australia, a court allowed the use of Facebook to notify a couple of a default judgment ruling made against them in a home foreclosure case. The couple failed to appear in court and the judge agreed that the legal notification could be made via Facebook "service in cases where a defendant may be difficult to find or evidence suggests they are deliberately evading documents being served on them."

A similar case was when a New Zealand court authorized the serving of court papers via Facebook in order to notify an individual about an intent to sue. Facebook reportedly has praised the rulings, saying: "We're pleased to see the Australian court validate Face Book as a reliable, secure and private medium for communication. The ruling is also an interesting indication of the increasing role that Facebook is playing in people's lives."

Do you find this alarming or are you not surprised?

Social network sites such as Facebook and MySpace were intended to provide a service to online communities of people who shared common interests and activities or who were interested in exploring the interest and activities of others. Purely social and not at all official. But it did not take long for content found on social networks to be used, legally, against individuals who communicated information about themselves on the sites. We have read about discipline actions levied against individuals by their employers who claimed to be out sick and then posted pictures of themselves at the beach.

Social networks are a new way for people to communicate and share information, informally. I remember when we once considered the advent of email to be an informal means of communication. While it did take years for emails to rise to the level of an official record and for the courts to recognize their legal standings, it will not take long for the courts to rule that content on the so-called social networks may be used in legal settings, for or against you. That time is already upon us "“ at least in Australia and new Zealand. Are you willing to risk the potential for legal consequences for your "unofficial" communications?

Think about what you post. You may be the next person to be served via Facebook. You may not be the first to lose or be denied a job based upon unofficial content that you have posted on the Net.

Published: March 30 2009, 06:35 AM | no comments
by CA GRC Blog Admin

In this on-demand Executive Podcast Discussion, available here on the IT GRC Forum site, Aberdeen Group GRC Analyst Stephen Walker hosts an intriguing dialogue with our own Christopher Fox, John Dimaria of eFortress, and Roland Mosimann of Aline. The discussion covers recent Aberdeen Group IT-GRC survey results and looks at some cost effective measures and best practices organizations should consider to overcome common issues.

Feel free to direct any follow up questions to Chris Fox in the comments to this post.

Published: March 26 2009, 08:35 AM | no comments
by Sumner Blount

Now that the financial crisis has put risk management on the front burner for most companies, we're starting to see much more attention on it across government at all levels. And, regulatory bodies are likely to follow suit once a little of the dust settles.

Treasury Secretary Tim Geithner recently announced that he was going to assign a "Risk Watchdog" across different areas of financial markets (banks, hedge funds, derivatives, etc). The problem that such a person would attempt to address would be the complexity and interdependency of financial risk, to avoid the systemic risk that we saw during the current crisis. The ultimate goal, of course, would be new and more sweeping regulations that would help to prevent similar financial meltdowns in the future.

There can be, and certainly will be, spirited debates about the amount and types of regulatory changes that are required to avoid future crises like this one. But, I personally think it's a positive step that a more holistic view of risk is being undertaken. Better late than never"¦

Published: March 26 2009, 06:28 AM | no comments
by Pete Pepiton

Am I the only person who thinks that there is a Judge's Lounge where Federal Judges decide whose turn it is to remind us to pay better attention to eDiscovery? It seems like Judges Grimm and Facciola were busy this month so the task was assigned to Judge Andrew Peck, Magistrate Judge for the Southern District of New York. Judge Peck issued his self-described "˜wake-up call' to the bar in the form of William A. Gross Constr. Assocs., Inc. v. Am. Mfrs. Mut. Ins. Co., 2009 WL 724954 (S.D.N.Y. Mar. 19, 2009)

The facts describe a fairly routine situation where there is a ton of ESI to search through and one side wants just a few keywords while the other wants a thousand. Judge makes a couple routine points that bear repeating here:

1. There is no "˜Easy' button to get just the right amount of information out of a massive store of ESI. Smart people have to work at getting the right keywords, and you need look at what is coming out of the searches before blindly handing it over or declaring your search to be over. Judge Peck cites both Judge Grimm and Judge Facciola (who must meet on the Washington Beltway to plot how to raise the bar for the bar) in support.




2. 
   Had the parties attempted to cooperate on the best way to get out the most relevant information, the Court's time might not have been taken up with this dispute. Here Judge Peck cites Sedona's Cooperation Proclamation in support.
   

As a near-total aside, Judge Peck points out that had the construction management firm (non-party Hill International, which generated most of the email in question) simply used a standard "Re:" line referring to the project, searching for the pertinent email would have been made much simpler.

This eloquently demonstrates a point that we here at CA try to make all the time. And that is that good records management practices (like classifying your data, even in minor ways) can have enormous payoffs when it comes to litigation. Given the vast amounts of ESI usually present in an organization, anything that can be done to reduce the amount of information in play will have vast benefits downstream. Those benefits include things like lower costs in the collection and review phases, less spending of your goodwill in front of the judge, and reduced chances that you will be the Case Of The Week that all the eDiscovery literati writes about.

Published: March 26 2009, 05:15 AM | no comments
by Sumner Blount

Have you ever wondered what the real, hard benefits of a good compliance strategy and infrastructure are? I recently saw a paper produced by the IT Policy Compliance Group titled "Why Compliance Pays: Reputations and Revenues at Risk" that contains the results of a survey of a number of enterprises that they conducted. The survey was intended to help determine the maturity level of their compliance approaches, and the benefits they achieved. The survey was a little more than a year old, but I think the results are interesting and still very valid.

The survey included data from multiple benchmarks covering different topics areas, and included companies of all sizes. The number of organizations surveyed for each topic varied a little, but it was generally over 1,000 organizations that were included.

The compliance infrastructure of each organization was classified into three categories, based on its level of maturity. Thirteen percent of the organizations were classified as "leading," while 20 percent were included in the "laggards" category. The bulk of the companies were classified as "normative," or in the middle of the compliance maturity spectrum.

They then collected data related to such areas as the number of IT compliance deficiencies that had to be fixed before passing an audit, the number of business disruptions per year from IT security events, the number of data losses, and the expected years to disclosure for publicly exposed data thefts and losses. The report contains lots of charts and graphs, so I will just summarize some interesting statistics here. The numbers below are generally in the middle of the range of values reported for each case (in other words, I've done some simplification for readability).

Here are some of the more interesting stats:

The thing to note here is the very significant improvement from left (laggards) to right (leaders) in this table. And, the improvement is consistent across all areas, and across all maturity levels.

When you consider the significant penalties for such things as public disclosures of consumer data theft (lost customers, reputation impact, fines, settlement penalties), the benefits of a strong security and compliance infrastructure that can help eliminate these events is compelling.