Safely Navigating the Cyber-Minefield: Information Management Across Borders
Thursday, May 13, 2010
By John J. Tracy CMC FIMC and Kenneth N. Rashbaum, Esq.
Most companies consider information to be among their most valuable assets, but the ability to manage information can be elusive when data is transferred across borders.
The complexities of cross-border information transfer and global records management, which extend to emails between employees in Europe, Asia, South America and Australia, include the potential for violation of foreign privacy or data protection laws, some of which carry criminal penalties. But as with many regulatory thickets, this presents liabilities for multinational corporations and opportunities for management consultants.
The Multinational Information Challenge
As business expands its global footprint, this problem looms larger, yet at the same time it creates new opportunities for management consultants.
Today, over 90% of all business information is digital. This includes email and attachments, social media, and all types of transaction documentation, such as contracts, purchase orders, invoices, and interim agreements. The information may be “virtual,” but the headaches can be big-time real. There is an increasing need to preserve electronic business information in a manner which complies with a mosaic of laws.
As if these complexities weren’t enough to move Records Management personnel and business owners to demand combat pay, layered on top are the myriad accelerating demands for digital information, from government oversight agencies, commercial partners and competitors, and courts.
We’re Not in Kansas Anymore
Digital information is the primary form of evidence needed for dispute settlement in the U.S., the U.K., Australia, Europe and elsewhere. But in terms of privacy and data protection beyond U.S. borders, it’s different over there.
Many countries prohibit the transfer of “Personal Information” beyond their borders without consent. The U.S. is an exception. Email is considered “Personal Information” because it can be traced to an identifiable individual. Thus, contracts, invoices, purchase orders, proposals, etc. that include individuals’ names may also be “Personal Information.”
Multinational Information Governance Solutions
Management consultants transform the complex into the manageable by understanding the problem, breaking it down into pieces that business units can attack, and devising practicable solutions. Cross-border information governance may be a thornier problem, but that only means that consultants will require larger and sharper shears.
To assuage risk, Data Management programs implemented by consultants, working with knowledgeable legal counsel in the U.S. and the countries where the corporation has facilities, must clearly document Policies and Procedures for handling data from outside the U.S.; provide training and documentation on the Protocols; and establish Compliance Monitoring and Information Security Standards (privacy, access control, breach and loss prevention, etc.). For example, personal data from European Union member states may be sent to the U.S. so long as appropriate protections for the data are in place, as set forth in Data Transfer Agreements with “Model Clauses” approved by every E.U. member state. The U.S. Department of Commerce Safe Harbor Program provides for personal data transfer in accordance with a Privacy Statement, in which the U.S. entity agrees to abide by seven principles of data confidentiality and security. The challenge, and the opportunity for management consultants, is to prepare information management policies and procedures which adhere to those principles, design training materials for the workforce, and monitor compliance.
Records retention and information management rules are not consistent among trading partners, however. Neither Canada, Australia, nor any Asian countries participate in the Safe Harbor Program and they do not recognize the E.U.’s Model Contract Clauses. Further, in several of those countries, privacy laws proscribe retention of personal data for longer than necessary to accomplish the purpose for which it was processed. This can cause migraines when the company is enmeshed in U.S. litigation.
To meet the global information management challenge, consultants and counsel should prepare records retention policies and procedures to account for internal Governance and external Risk and Compliance (including foreign litigation disclosure) needs.
Consultants should also facilitate an interdisciplinary work group that includes IT, Records Management, in-house counsel, U.S.-based counsel with cross-border information transfer experience and business owners (such as department chiefs), and document the work flow to show due diligence in the event that Records Management is challenged by a court or regulators.
Global commerce complexities have created roles for consultants and counsel. Opportunities abound to establish best practice awareness in records management and information governance, and these opportunities should increase in virtual lockstep with advances in information technology. Our challenge is to grasp them.
Kenneth N. Rashbaum, Esq., Principal of Rashbaum Associates, LLC, counsels the health care and life sciences industries and multinational corporations on information management and compliance with privacy and data protection laws. A thought leader in these areas, he frequently speaks at venues across the U.S., and in Europe and Asia.
John J. Tracy CMC FIMC, President of Tracy-Hayden Associates Inc., consults Fortune-listed and smaller enterprises on strategic, organizational and operational issues related to supply management, process effectiveness and customer service performance. Also a thought leader, John works, writes and speaks in domestic and many global venues.