Ignorance of the law

The best antidote to compliance paranoia is to learn the legal details -- before it’s too late

During the past few weeks, I’ve traveled the country, speaking at a sponsored event about how regulatory compliance and legal issues affect IT. In Washington I had the pleasure of offering a tongue-in-cheek thanks to a group of mostly government employees for helping to create the laws and regulations I was there to discuss.

Compliance and legal issues aren’t topics that deliver the thrills of, say, open source or SOA (service-oriented architecture). Thinking about compliance is in league with cleaning out your gutters each spring -- important but not particularly sexy. New regulations such as Sarbanes-Oxley and HIPAA tend to get all the attention, but there are more basic legal issues that predate those laws. Even if you’re not affected by the more well-known regulations, it pays to be aware of general legal principles and how they might influence IT operations.

There are hundreds of laws that affect IT in various vertical industries, and there’s not enough space in this entire issue of InfoWorld to offer advice on all of them. Putting together a solid compliance strategy at your organization requires input from the CEO, CFO, and legal counsel with specific knowledge of the regulation at hand, but my dive into compliance and legal issues did surface some interesting technical issues that IT managers would be wise to consider in an increasingly litigious and regulated business environment. Simply posing one seemingly simple what-if scenario as an IT manager can be a surprisingly illuminating exercise: What if my company was named as the defendant in a lawsuit in which e-mail was subpoenaed, and I had to produce e-mail for a particular time frame, say, two years ago?

That’s exactly what happened in Linnen v. Robins, a wrongful death lawsuit filed in May 1997 related to the diet drug popularly known as Fen-phen. Wyeth-Ayerst Laboratories, a subsidiary of Robins, was asked to produce e-mails that were thought to be relevant to the case. During the course of the proceedings, the judge learned that Wyeth kept backups going back only three months and then reused the oldest tapes. Unfortunately, Wyeth didn’t stop recycling the tapes for several months after the litigation commenced, meaning that key evidence was being destroyed daily and that there were no backups available between May and September 1997. A continuation of the weak -- but not uncommon -- backup policy prior to the lawsuit was ruled to be “inexcusable conduct” by the court after two IT staffers were called in to explain their policies. Neither staffer was familiar with the backup procedures or retention policies for e-mail during the time period. The judge was not amused.

More backup tapes were eventually found, but that introduced more pain -- the tapes contained e-mail from long defunct systems like VAX All-in-One and OfficeVision. Wyeth claimed that restoring the 149 tapes with the VAX All-in-One e-mail on them would cost between $300,000 and $350,000. Very likely those estimated costs derived from finding and rebuilding systems that were no longer in production just to retrieve e-mail. Could there be a worse nightmare in IT than resurrecting obsolete legacy systems you so gleefully kicked to the curb years earlier?

Well, there might be one -- sitting across from a judge testifying about your backup and retention policies. Just because your company isn’t subject to Sarbanes-Oxley or HIPAA, don’t think you are immune from the long arm of the law.