One reader writes in to ask: "I have been in the IT field for over 20 years, in several different companies. Why does it seem like in the past year I spend more time meeting with lawyers than the business people? I understand Sarbanes-Oxley issues, but my current company has been public for seven years, and we have always had 'compliance' reviews, but I have been in six meetings in the past eight months with our chief counsel and other lawyers in attendance. Is this happening everywhere, or should I be concerned that something is up?"
It's not just you; we've gone crazy. As if IT weren't hard enough, now you can't boot your laptop without a lawyer getting in the middle.
Why? There have been astounding levels of legislation passed or pending in the past few years directly relevant to the use, misuse and downright abuse of data. Privacy issues alone are going to keep annoying lawyers employed for many years. The Sarbanes-Oxley Act, while not new, is being so violently contested that your company will be spending a fortune on legal fees whether you comply or not. Either way, the lawyers win.
No one likes lawyers. It's not even one of those "you hate them until you need them" things; I hate them even though I need them. It's not lawyers personally, mind you. I like most of the lawyers I am forced to use. It's the fact that I'm forced to have them (if ever there were a better self-propagating group of folks than lawyers, I can't figure out who it would be). They write the laws, then sit on both sides of those laws. They have guaranteed employment. Even the crappy ones do OK because there are always dumber, crappier people somewhere down the legal food chain who can't navigate the system because the system was designed by lawyers, for lawyers. It's even enforced by lawyers turned judges and ensured sustenance by lawyers turned politicians. It's brilliant if you think about it.
Auditors once held the title of "best business idea ever," since they forced lawyers to write laws stating that companies had to have independent audits. Then the auditor finds things wrong and very conveniently provides consulting services to fix them so you can have a report telling the lawyers that you adhered to the law they enacted, which the auditors wrote. Genius.
Corporate compliance has many faces in many lands. Privacy laws were legal fodder in Europe well before the U.S. paid attention. In the U.S., lawyer vs. IT didn't really take off until after 9/11. The federal government rightfully realized that the Wall Street folks had woefully silly disaster recovery plans since their DR sites were three miles away. They wanted to make sure DR sites were far, far away and that there was more than one. They got banks and brokerage houses and other folks -- who have all the dough -- together and came up with grand plans that were promptly shot down because those folks were able to convince said government that doing the right thing wasn't technically feasible. So we did nothing.
That exercise opened up one bright lawyer's eyes, however, and New York District Attorney Eliot Spitzer started realizing that some of those big companies might not have the best motivations for their behaviour. He started calling people on the carpet for lying and cheating. He made things change because he made it very public when big companies did dirty things.
Then the politicians got back into it and started enacting laws. The Securities and Exchange Commission came up with a slew of broker/dealer laws in order to protect individual investors and keep people in the old-boy network from continuing to hand one another huge piles of money by cheating. Part of those laws required you to keep records -- no more pathetic "We can't do it" or "We tried our best" excuses. The lawyers on the good side put tougher laws in place to say, "Thou shalt keep stuff, electronic or other, so that we can see it when we think you're a lying dirtbag." The lawyers on the bad side then started making more money, first by trying to show their clients how to skirt the issue, and then by showing them how to comply.
There are now a zillion laws that affect IT. Most are around record retention -- making sure stuff is there when someone asks for it. They were a boon to the storage industry, and now in the computer industry not only do you have to keep stuff forever, but you have to do the heretofore unimaginable -- i.e., you have to find the stuff. Electronic discovery has quickly moved from a nice, quiet little service business to a huge market. Now that CEOs go to jail for being caught doing dirtbag things, most would rather avoid that fate. Not knowing is no longer a valid excuse. Not knowing gets you a new friend in a small room. Knowing, finding and proving is what matters. Fines are no longer slaps on the wrist -- they are millions and millions of euros, baby.
Wait until encryption is mandated by law. That will be another boondoggle for both lawyers and industry.