Playing by the rules

One wrong roll of the dice in the burgeoning corporate world could easily land you in jail, and in this corporate game there is no such thing as a “get out of jail free card”. Penny Jones investigates the growing complexity of compliance.

In 2005 the corporate heat was on—Telstra executives had been forced to hand over confidential emails following claims the telecommunications giant had breached corporations law. The Australian Securities and Investments Commission wanted all documents, emails, and sensitive data containing Telstra’s broadband plan. If Telstra was not able to produce these documents it could have stood accused of failing to comply with the Commonwealth Evidence Act 1995 as well as the ruling of the court—an offense in itself. Luckily it produced what was required.

This was not the first such directive for Telstra. Back in 1995, in a case put up by BT Australasia, the telco was burned. During ongoing litigation against Telstra, the court agreed with one of BT’s complaints that Telstra was taking too long to present important electronic documents it said were imperative to the case. After three years of waiting, the judge issued an administrative order for the telco to present email documents in a short and specified period of time. Telstra had no excuse but to trawl existing backups and produce the required email—and in this case it wore the burden of both the cost of the case as well as the costs incurred by BT, which trawled through its own email correspondence with Telstra to come up with the material. Discovery orders force companies to produce content in response to a judge’s request, with no questions asked. 

Kumar Parakala, vice president of the Australian Computer Society and the global COO of the information risk management practice of audit, tax and advisory service KPMG, says litigation for areas of compliance is on the rise as stakeholders in companies become more demanding and individuals become much more informed about the law and their rights. “I receive three to four invites each week to be an expert witness in ICT-related cases alone in the courts, which is far higher than I have seen in the last few years,” he says.

But while this may be the case, most analysts and industry insiders will agree that despite companies facing increasing pressure to adopt comprehensive compliance procedures, many key business people still have their heads in the sand.

When you look at some examples of individual areas that may affect compliance, the statistics are anything but rosy. Analyst James Turner of Frost & Sullivan, in Australian Information Security Satisfaction Monitor 2006, found 36 percent of respondents he talked to had no idea of how the NSW Workplace Surveillance Act 2005 affected them. The Act requires employers to give employees notice of the company’s surveillance practices, and it limits an employer’s ability to monitor or block employees’ emails or restrict access to the Internet unless it is acting in accordance with a policy that has been notified to employees.

Turner also found that despite government and education sectors having a high level of concern about staff storing illegitimate files on work networks, the private sector, in particular technology and IT service companies, is minimally concerned. This, he says, highlights some major problems with regard to intellectual property and copyright infringement.

“Then if you look at the Australian Copyright Act, 28 percent of respondents do not know if their organisation is required to be compliant with that,” Turner says. “IT compliance in the IT security space is an area that does require a huge lift in awareness. You have IT managers and systems administrators making operational decisions without being fully informed of their organisation’s legal requirements.”

Security company Centennial Software says that in research it conducted into the use of removable devices such as USB storage keys in the office, only 50 percent of Australian companies said there was a policy in place warning staff of illegitimate use. More alarming, 61 percent of respondents said they did not even know what they would write into such a policy, as they had no idea of the laws surrounding this. The use of such devices can pose a copyright threat through the placement of illegal material on PCs. It can also allow confidential or workplace data that should be protected under security and risk standards to be easily walked out the door. Unfortunately these days a company’s list of compliance requirements is a mile long, and in complexity just as wide, which begs the question: how can any organisation expect to be on top of compliance?




   Previous Page  1 2 3 4 5 Next Page   
Have your Say
Write to the Editor at Technology and Business
* All fields are mandatory.
Your name Your email
   
 
Comments
 
Columns
What is stopping you from immediately upgrading to Windows Vista?
staff training costs
application incompatibility
upgrading technical specs
would rather wait for SP1
all of the above
I use Mac
Columns
Straight to the Source Microsoft is making its push into the middle market, first in the US and now here. This is what analysts... More
Columns
Helpfile In this workshop, we take a quick look at how to hit the ground running when developing cross-platform interfaces... More
Columns