Although we have no equivalent to the United States’ Sarbanes Oxley laws or Australia’s CLERP 9 regulations we should not be complacent. So says Symantec — and local commercial lawyers Glaister Ennor.
They say we should not be complacent about compliance when it comes to keeping records as a wealth of laws already on the New Zealand statute books require appropriate records be kept regarding company structure and commercial transactions. The risk of legal disputes also means it is sensible to retain anything that could be used as evidence in a form that would be admissible in court.
The vulnerable parties range from directors, who may be held responsible for irregular dealings, to employees at all levels, who may have to defend themselves against allegations that they dealt with information improperly.
And the spectrum of what is considered a record of a commercial transaction, or an agreement, is an ever-widening one. It already includes emails, which may be the only record of a binding contract, says Symantec senior technical director Tim Hartman.
It also potentially includes instant messages, too, as use of these is endemic among the rising generation that is now moving into significant decision-making jobs.
Glaister Ennor’s Kim Gordon rattles off a list of pertinent legislation here: the Public Records Act; the Companies Act; the Tax Administration and Goods and Services Acts; the Evidence Amendment Act No 2; the Social Security Act; the Privacy Act, and the Financial Transactions Reporting Act, among others.
The Electronic Transactions Act, although recent and still unclear in its application, refers directly to electronic data, giving it the status of “written record”.
And with many NZ companies having overseas offices, and being engaged in international joint ventures, there is an increasing need to keep records that are up to US, European and Australian standards.
“There is a lot of inertia [about compliance of electronic records] in New Zealand,” says Gordon. Companies often shy away from it, seeing it as being too big an issue, or they let the IT team drive it when it is really a business issue.
Postponing setting up relevant systems often means a company sooner or later has to take reactive measures when threatened with litigation, says Gordon.
Companies have to be able to produce records, and to show that record traceability is good, so it can be convincingly demonstrated that, say, a record of an alleged agreement never existed, rather than that it was destroyed.
Symantec is using its acquisitions of Veritas, with its secure long-term backup applications, and of network access control specialist Sygate to build a repertoire of applications known as the Control Compliance suite. This will identify vulnerabilities and deviations from policy, and so boost record-keeping and abuse detection, and remediation.
The suite is available now in the US and will be released here next year.