PDAs increase revenues, regulatory compliance risks


Jeffrey Ritter
10.02.2008


Every technology conference, no matter how valuable, has its dull moments. But one of those dull spots led me to an epiphany about unified communications (UC) and regulatory compliance last week. Here's what happened: I glanced at the woman sitting next to me as she worked her personal digital assistant to "keep in touch" with her office.

First, she "read" a voicemail, and then she used her instant messaging function to give a price approval and edit a contract. Last, she took a call from her stockbroker that was routed through her office line. (And no, I did not use the opportunity to get any stock tips. It's hard to believe there are any valuable stock tips these days.)

What hit me like a cartoon anvil was the fact that her activities jeopardized the confidentiality, privacy and integrity of all the business data and business rules she touched.

No one doubts that unified communications solutions improve information availability; enable convergence among different networks, systems and devices; and substantially enrich the returns on investments in mobile technologies and remote computing. After all, you want your employees out visiting customers and attending conferences while also keeping on top of everyday activities like contract approvals and pricing issues.

But what you don't want is what I most likely witnessed -- usage of mobile technologies putting your company at risk.

So what can you do?

Design UC rules with compliance in mind

First, recognize that UC cannot avoid any of the usual regulatory compliance obligations. Most legal and regulatory requirements apply, regardless of the technologies employed by a company or other regulated entity.

These requirements typically establish rules for retaining certain kinds of communications, and for controlling and protecting certain information categories such as personal information or health records. The legal rules are both domestic (within the U.S.) and international. For example, the U.K. has published various regulations that clarify that recordings of telephone conversations, instant messages, chats and similar communications must be retained under the Markets in Financial Instruments Directive.

The trouble is that companies often craft their corporate policies and procedures to focus on specific technologies. That means that whenever they implement a new technology like UC, they need to revise or integrate their policies -- but might overlook this step. At a high level, they need to create a unified policy management system. This would involve an examination of all policies and then revisions until the policies work across all communications applications and solutions. The company would then need to create a system to centrally manage the policies. All of this is no small task, and trying to undertake such an initiative on the fly could easily sink the UC project at hand.

Evaluate each UC solution for compliance

Rather than attempting that enterprise-wide overhaul at once, the CIO should focus on the UC project at hand. Evaluate the solution for its impact on the compliance duties of the company. You have to ask yourself (and your design and implementation team): "How could these solutions create compliance risks? How can we make sure those risks are controlled?" Include the answers to these questions in your business case. Make sure you consider all compliance-related procedures and map any required changes into your implementation plans. Policies and procedures in the following areas should be included:

  • Records and information management (especially for stored communication records)
  • Electronic discovery ("e-discovery") practices
  • Security controls on personal information
  • Security controls on access to communications
  • Corporate policies on confidentiality
  • Corporate policies on appropriate business use

Thinking back to my conference neighbor, what would have happened in that case if her company had figured unified communications into its design?

First, the company would keep a copy of either the voice recording or the text translation -- not both. Second, the price approval would have been handled through a secure Web portal that would separately preserve the contractually significant record. Third, the contract edits would be used to update the control record of the contract, eliminating any previous drafts. And, finally, the personal phone call would have been blocked as an inappropriate inbound personal communication. The end result -- keeping up to date with personal and company business -- would have been the same.

Taking these first design steps will help protect the ROI you are most likely already reaping from empowering your mobile employees with UC solutions. They will keep the rewards of your employees' messaging efficiency but jettison any compliance, security or privacy risks that your UC solutions may be innocently enabling. And then you can focus on building a unified policy management system, so you'll be ready the next time you have a new technology to deploy.

Jeffrey Ritter, Esq., is CEO of Waters Edge Consulting LLC in Reston, Va. Waters Edge offers strategic consulting services to develop improved information governance. Write to him at editor@searchcio-midmarket.com or Jeffrey@wec-llc.com.

