In this three-part e-book, Don DeLoach walks public sector organizations through the key elements needed to respond quickly and accurately to open records requests: identifying what information needs to be retained and archived, best practices and procedures for retaining communications, finding and implementing an automated solution, and the important roles stakeholders play in the records response process.
- The challenges of archiving communications
- Choosing the right archiving solution for your organization
- Internal policies and rules
Results from the 2017 Electronic Communications Compliance Survey show that the current compliance landscape has continued to become increasingly broad, complex, and heavily scrutinized. In addition to trying to keep up with an ever-expanding number of non-email communication options, firms are dealing with an unprecedented increase in regulatory actions, with 2016 shattering the record for the amount of fines levied on the financial services industry.
With more employees than ever clamoring for the collaboration and knowledge sharing communication tools that have become essential to growing a successful business, it’s increasingly important for compliance teams to understand how other firms are managing the challenges posed by supervising new channels and platforms.
In this report, you’ll find out:
Want to compare against last year’s survey report? You can find it here.
Upcoming Webinar: Key Findings from the 2017 Electronic Communications Compliance Survey
June 15, 2017, 10am PT / 1pm ET
Smarsh conducted its annual survey of compliance firms and found an industry facing a barrage of new communications and compliance concerns.
With more comprehensive regulatory exams and a growing chorus of clients and employees clamoring to use new communications channels like text messaging for business, compliance teams have seen a transformative and tumultuous year.
It’s time to take stock of the compliance landscape, and to understand how other firms are managing the challenges posed by supervising new channels and platforms.
Many financial services firms still struggle to understand and fully embrace social media and mobile communication rules. In light of the emerging technologies and communications, FINRA recently published Regulatory Notice 17-18: Social Media and Digital Communications, providing further guidance on the FINRA rules governing social media and text messaging communications for member firms.
FINRA’s updated guidance further clarifies the rules governing communications with the public via social media, and the use of personal devices for business communications. The Notice also reminds firms of the recordkeeping, supervision, and content requirements for such communications.
Here are some important takeaways:
- Recordkeeping. Firms are reminded of their obligation to keep records of business communications under SEA Rule 17a-4(b)(4). Also, firms must train and educate their advisors regarding the distinction between business and personal communications, and the requirements to retain, supervise and produce business communications.
- Text messaging. Firms that communicate or allow advisors to communicate through text messaging or chat services for business purposes must retain records of those communications, in compliance with SEC and FINRA rules.
- Personal communication. Advisors can share firm information that is not related to their firm’s product or services without becoming subject to FINRA Rule 2210. For example, an advisor may share their firm’s post about a charity event that the company sponsors. However, if the communication does pertain to the firm’s products and services, then the content is subject to FINRA Rule 2210.
- Third-party content. Regulatory Notice 10-06 states that posts by customers or other third parties on a firm’s social media accounts are not considered ‘communications with the public’ by the firm or advisor under FINRA Rule 2210. Regulatory Notice 17-18 reiterates this point. However, there are some exceptions, including situations where a firm pays for, prepares, controls, or explicitly endorses content posted by third parties. In these scenarios, a firm must comply with FINRA Rule 2210.
- Hyperlinks to third-party websites. FINRA reminds firms that Regulatory Notice 11-39 states firms cannot link to any third-party website that contains false or misleading content. The Notice further clarifies that a firm ‘adopts’ third-party content when it shares or links to it, and as a result must ensure the content complies with communications rules.
- Endorsements and testimonials. Unsolicited third-party comments or opinions posted on a firm’s social media aren’t firm communications, or testimonials under FINRA Rule 2210. However, if the firm or advisor likes or shares a comment/testimonial, that is considered adoption of content, and is subject to the communications rules.
- Note: Registered Investment Advisors should still comply with SEC Rule 206(4), which prohibits promotion of client testimonials and endorsements.
- Native advertising. Firms may use native advertising if it complies with the provision of FINRA Rule 2210. In particular, native advertising must disclose the firm’s name, disclose any relationship between the firm and any other entity or individual who is also named, and mention the products or services offered by the firm.
What does this mean for firms?
FINRA makes it clear that firms must archive all electronic communications, including content from social media, text messaging, and other mobile platforms.
In response to the guidance, firms should review their social media and mobile policies and procedures. Specify the difference between personal communications and business communications. Training and ongoing education are critical, especially as advisors become acclimated to social media, text messaging and mobile apps to communicate with prospects and clients.
The digital landscape continues to evolve and firms must leverage technology for compliance and supervision. Smarsh provides the tools and platform to capture and supervise all incoming and outgoing business communications. It’s simply not realistic or cost effective for a firm’s compliance officer to manually spot check all of their firm’s social media profiles and mobile messages. The Archiving Platform from Smarsh automatically captures social media and mobile content in its native format and flags communications based on client-set lexicon policies if further review is needed. As a result, a compliance officer can focus their time and energy on the most pressing items for review, rather than searching for risk in all the wrong places.
In Part 3 of our interview, Don DeLoach, former Chief Information Officer for City of Tallahassee and consultant to local government firms, gives us an inside look at the internal policies and rules public sector organizations need to have in place—and which stakeholders should be involved in creating them.
Who are the stakeholders within a public sector organization that are responsible for responding to records requests?
Before we discuss who is responsible for responding to records requests, we should talk about the business process that comes along with handling them. The first thing the organization should consider is who oversees the records. Is it the Clerk of Records? The IT department? Who is responsible for finding those records and getting them to legal to have sensitive or exempt information redacted? The answers to these questions lay the foundation for how the organization will handle records requests.
Who is responsible for determining and implementing the business process?
There are four stakeholders who should create the process: The Chief Information Officer (CIO), Public Information Officer (PIO), the Clerk of Records (Clerk), and Legal. These four should get together to come up with the process that best fits their needs as an organization. This must be a collaborative effort because records need to move through a series of steps before they can be released in response to a request.
In most organizations with a manual process, the Clerk is where the request starts. Someone in IT or the CIO is responsible for finding the records, which are typically in an archive. The Legal department reviews the records and redacts any information that is exempt to public view, such as home addresses or sensitive, personally identifying information. The PIO is responsible for articulating the process to the public and disclosing any costs associated with records requests. In essence, the PIO plays a marketing role in how the public interacts with the organization. Everything is connected in the business process, and if any part of the team falls off or behind, the process will derail.
How does it differ with an automated process? Will these four stakeholders still need to collaborate?
First and foremost, if the stakeholders implement an automated solution, IT doesn’t have to get involved once the solution is in place, which is the ideal scenario. It takes a lot of time and effort to manually locate the requested records. With an automated system, the Clerk could quickly and easily locate all records across email, social media, text messages, or whatever was requested. Once found, the records could be sent straight to Legal for redaction, then to the Clerk who releases them to the requestor—streamlining the workflow from four teams to two. Because it’s cheaper and easier for the organization to produce the records as soon as possible, it’s in their best interest to find a tool that allows that to happen. If you don’t have the right business process and tools in place, it can become a very expensive task. You can also damage the relationship between you and the community. Releasing the records shows your organization is transparent and accessible.
What should you look for in an automated solution that would help the organization determine and adhere to their workflow and policies?
Just like we discussed in Part 2: Choosing the Right Archiving Solution for Your Public Sector Agency, you want to look for an automated solution that’s easy to use. If it’s not easy, you will have to find someone in IT—or hire someone with an IT background to help you with records requests—which is exactly what you’re trying to avoid. Your automated archiving solution should have a robust search function, and its eDiscovery tool should be self-explanatory so anyone can review the information. You also want an automated solution that can grow with your organization as it adopts new communications types, such as social media and text messaging. If your solution lacks these features, you’re back to stretching your staff thin or hiring additional employees to handle records requests. More time, more people, more effort, more money. Even if you have the in-house staff to fill those extra roles, you’re still racking up a hefty tab.
Is there any reason a manual process would be preferred?
What you’ll find is the manual process is more in the workflow than the pulling of the records. If you have to manually track down and search through records, it’s going to be a very long and tedious process. However, if you have a discovery tool that can pull email and other types of records quickly, the process will be expedited. The organization might have a workflow-management tool that is tracked in a database and sends emails to the people in the right flow, but most organizations use a manual checklist: Where did the record start? Did it get through the clerk? IT department? CIO? Legal? Most of the time, that manual checklist will be released along with the records to prove the correct workflow. If an organization has an electronic document management system in place, they can probably build it to adapt that system into their workflow.
Is it a best practice to review your workflow? Is it a matter of public record?
Yes, if it’s in writing, and has been approved by the commission, city manager, or ordinance that addresses the workflow, it is a legal public document and must be produced if requested. You should always review your workflow periodically, not just to make sure it’s up-to-date, but to make sure it still works for the organization and to ensure that you’re doing the right thing, according to law.
Don DeLoach has more than 32 years of state and local government involvement. Don was the Chief Information Systems Officer for the City of Tallahassee, and was responsible for all of the city’s technology needs. He is also a former president of the Florida Local Government Information Systems Association, and a former member of the board of directors for Public Technology Institute. Don was recognized in 2008 as a Premier 100 CIO by Computer World Magazine.
As an advisor, do you have one or more accounts on social media platforms, such as Twitter, Facebook or LinkedIn?
If so, are you ready for the SEC’s adopted amendments to Form ADV and the Advisers Act books and records rule?
Registered investment advisors filing an initial Form ADV or an amendment to an existing Form ADV on or after October 1, 2017 will be required to provide responses to the adopted form revisions. This includes the new requirement that advisors disclose their firm’s social media platforms in Section 1.I of Schedule D in Form ADV.
The change in social media disclosure signifies a big shift in the way that the SEC will approach and evaluate an advisor’s risk profile.
What’s the big deal?
Up until now, advisors only needed to list their corporate websites on Form ADV. However, advisors will now be required to list all their corporate social media accounts, including corporate social media pages and other publicly-available, business-related profiles on LinkedIn, Twitter, Facebook, and so on.
This has implications for an advisor’s compliance procedures and risk exposure. The specific inclusion of social media signifies the SEC will heavily scrutinize an advisor’s corporate social media accounts during an examination or audit, which is stated in the final Form ADV and Investment Advisers Act Rules.
It’s not too late to prepare
Now that social media accounts are under the microscope, it’s critical that advisors archive and supervise their corporate accounts. The SEC will ask for social records, so firms must find the most efficient and thorough way to retain and produce this type of content.
A comprehensive archiving platform provides the solution that allows firms to retain and produce social media alongside other frequently requested communication records, including email, text messages, and website content. Records can be located and produced quickly in the event of an examination, so regulators can review social media conversations and information exchanged with clients or prospects across various communications channels.
For instance, if a conversation between an advisor and a prospective client starts on a website, moves to email, and concludes on Facebook, records within a firm’s comprehensive archive will show the entire interaction across multiple content channels.
If you use Facebook, Twitter, LinkedIn, or any other publicly-available social media platform to communicate with clients and prospects, now is the time to revisit your social media policies and recordkeeping processes and ensure they are ready for regulatory scrutiny.
Companies keep business records for regulatory and legal reasons, with IT departments and records managers typically holding the keys to the records kingdom, sometimes assisted by outside vendors. In financial services, records are frequently examined for compliance purposes, and comprehensive record keeping is a specialty of its own. In addition, protecting proprietary and business IP is vital, as is safeguarding confidential customer information.
But when employees use their mobile devices for personal and business communications, danger lurks. Text messages are the fast-growing source of business record risk.
Nearly all employees text, and many mix business and personal messages. A business record may be created every time an employee taps out a text, and the records can quickly multiply when the text is answered, shared, forwarded, revised, or deleted.
What happens to all these texts?
It’s hard to say because text message record keeping policies and procedures are in their infancy.
However, companies that don’t incorporate text messages into their business record archiving systems are squarely in harm’s way.
Text message archiving sounds daunting, and with good reason. Most messaging systems lack functions for message capture, search and retrieval, identification and preservation. And there are many different devices, service providers, and text messaging systems (some promising disappearing messages, anonymity or encryption), with unique features and operations. Adding to the challenge, record keeping rules aren’t uniform — their applicability depends on the type of record, type of business, regulatory agency involved and other factors. User privacy is also a thorny records management issue.
How do you know if texts are business records?
Rule of thumb: If a text message includes information about business activities or functions, it’s usually an official business record. A 2015 court case involving government employees’ text messages provides a good example of this rule. The Washington Supreme Court said business-related texts on private cell phones were public records under the Washington Public Records Act: “Records can qualify as public records if they contain any information that refers to or impacts the actions, processes, and functions of government.”
If a company can’t produce its business records, it can’t defend legal claims against the organization, or prove lawful conduct in a supervisory exam. Inability to produce text message records can undermine corporate claims and defenses. In some courtrooms, judges reject claims of “lost” mobile device records, and allow negative inferences to be drawn about what incriminating evidence may have been in the missing electronic communications.
There are other risks, too. Experts say most mobile-based security breaches are caused by employees. Compounding this, employees using their own mobile devices don’t feel particularly responsible for loss of company data on those devices. Some employees disable company-required security on their phones. A 2016 Verizon Data Breach Investigations Report also notes few organizations prioritize securing mobile devices.
Companies can no longer pretend they don’t know their employees use text messaging for business communications. However, they can reduce the risks by adopting text message policies and enforcement guidelines. Here are some first steps that companies can take to begin the process:
- Train employees on business record keeping responsibilities, so they understand what business records are and why they must be kept.
- Establish business texting policies and guidelines. May business be done by texting to or from an employee’s personal accounts? What restrictions apply? Examples: no deleting business text messages from devices without permission; no encryption apps or burner phones may be used to hide business messages.
- Establish and communicate consequences for employee text message violations.
- Implement the policies, audit for compliance, apply sanctions when necessary.
With the unanimous Supreme Court ruling, California joins other states, including Washington and Florida, and the Federal government in issuing a clear statement that all records regarding government business, even private email or text message accounts, are subject to open records laws.
The ruling may have monetary implications for the City of San Jose; the City may be required to pay the plaintiff’s costs and attorneys’ fees. Also, some states have statutes that include personal fines or criminal penalties for egregious violations of public records laws.
In the City of San Jose v. Superior Court of Santa Clara County, the City of San Jose argued that the City should not be required to disclose communications on the personal phone lines or email accounts of government employees or officials. The City also argued that privacy law protected their employees’ personal text messages and email messages from public disclosure.
Consistent with other states’ rulings, the California Supreme Court ruled that emails and text message communications are not excluded from disclosure under the California Public Records Act when they are on a personal account or device. Rather, the court ruled that it is the content, not the location of a communication, that determines whether an email or text message is a public record. Like San Jose, many other state and local agencies also assume that privacy law protects communications on employee personal phones or accounts. However, the California Supreme Court specifically held that individual privacy rights are not subservient to public records disclosure.
The rule is clear: all agency communications are subject to open records requests (with limited statutory exceptions) regardless of the channel of communication. The ruling is also consistent with California’s very strong public policy favoring the public’s fundamental right of access to information regarding public matters, as set forth in the CPRA.
3 Tips for Compliant Records Requests Programs after The City of San Jose
Without prescribing a specific policy or procedural framework, the Supreme Court in The City of San Jose discussed how agencies may implement policies to ensure all public records can be produced. So, what policies and procedures should an agency use?
- Make Sure Your Record Request Policy is Clear.
Many states, along with California, have held that a record is a public record if it is about public business, no matter where it’s located. Agencies need to review and update the definition of ‘public record’ in their policies and procedure documents. The definition should be stated clearly so government employees and officials understand the agency’s disclosure obligations.
In addition, policy and procedure documents need to make it clear that when there is a request for records which may be located within an employee’s or government official’s private account, the individual must perform a good faith search of their accounts or devices for all public records and sign an affidavit attesting to such search. Here’s sample text for California:
Records Subject to Disclosure. Every record made or received by the Department is presumed to be a public record that members of the public may inspect or obtain a copy upon request. Records made by Department officials or personnel about Department business, whether within the possession of the Department or not, are presumed to be public records.
Only records that are exempt from public disclosure under federal, state and/or local law may be withheld. Examples of records the Department is prohibited from disclosing or may decline to disclose include: [Department to list statutory exemptions].
- Train, Communicate, Repeat.
The League of California Cities provides a resource on the CPRA that public entities may use to train employees and officials. To ensure employees and officials understand the CPRA, it is essential that public entities provide initial, in person training for each employee or official and continue to provide training on an annual basis thereafter. Further, cities, states, and agencies must ensure training includes information about which channels of communication are approved for agency business and which are prohibited. Employees and officials must understand that if they choose to use unapproved channels, such as personal text messages or email accounts, then those accounts may become searchable. In the extreme scenario, personal information may be subject to judicial review to determine whether a record is a public or personal record.
A good training program must be supported by an ongoing communication plan. Agencies must build awareness through repeated intra-agency communications. Agencies may send email updates, newsletter articles, create awareness campaigns, or find other venues to make announcements. Repeated reminders will help build a culture of compliance.
Using the records request process is another way to generate awareness and educate employees and officials. With each record request received by the public entity there is an opportunity to educate employees and officials on the CPRA and an individual’s obligations with respect to the CPRA. Agencies should consider including educational statements with records requests notices. Such statements might say:
The purpose of the California Public Records Act is to ensure transparency in government activities. Records under the California Public Records Act include any record about the business of the [Department]. As a public entity, we are required to produce all records which are responsive to the request and which are not excluded under [applicable statute].
This includes records that may be sent through personal accounts or devices. Government personnel are required to perform a good faith search of their personal accounts or devices for communication related to public business.
- Require a Good Faith Search + Employee Affidavit.
The California Supreme Court made it clear that the onus is on the city, state, or agency to ensure production of all responsive records. California is not alone. Many other courts have concluded the same. Cities, states, and agencies need to either ensure their employees are not using unapproved communication channels for public business or they need to update their policies to require a good faith search by employees where appropriate. An employee’s good-faith search for public records on his or her personal device can satisfy an agency’s disclosure obligations under the statute in some states (See Nissen v. Pierce County).
After an employee performs a good faith search, the agency should require the employee to submit an affidavit stating they performed a good faith search of all communication channels and provided all records related to public business. It’s important to note the employee should not determine which records are or are not responsive to the public records request. The employee should produce all records that involve the public entity’s business.
Smarsh Can Help
Public records requests can require a great deal of effort on the part of a public agency, especially if the agency doesn’t have technology in place to help dramatically streamline the process. Agencies are usually required to locate, search, redact, and produce responsive records with limited personnel and budget devoted to handling requests.
The Archiving Platform from Smarsh gives government agencies a centralized platform to manage record requests across the entire range of digital communications, including email, social media, websites, instant messaging and mobile messaging. Agencies can easily search across all communication channels for responsive content and export the content at the click of a button – making the process faster and more efficient for the agency and ultimately the taxpayer.
For more information on text message risks and policies, visit:
Public Sector Guide to Text Message Policy and Retention: 2017 Edition
5 Actions to Take for an Airtight Mobile Use Strategy in Government
3 Ways Text Messaging Exposes Government Organizations to Massive Risk
Text messaging is an immediate and simple way of communicating, so many government employees prefer it over email or other traditional methods. However, FOIA laws require all electronic communications used for business to be archived and available for public record requests. It doesn’t matter whether an employee uses his/her personal or government-issued cell phone, both are fair game.
In this guide we’ll show how public sector organizations can build an airtight mobile strategy. Learn about device scenarios, policy creation, mobile device management, and the archiving process.
- Device ownership scenarios – advantages and disadvantages
- Key questions to answer for an airtight policy
- How to retain & report text message content