
Scary, Scary, Scary: Legislated Records Management

Everyone thinks they know about Sarbanes-Oxley, HIPAA, and similar new regulations like SEC 17a. What few people realize—executives perhaps least of all, because they rarely have time to study the details—is how truly scary and far-reaching these kinds of legislated changes can be. As a CEO or CIO, you may need to take action immediately to avoid business disruption or significant fines.

The Sarbanes-Oxley Act of 2002, for example, makes it clear that certain records, in any form, must be securely retained and holds CEOs accountable for producing specific, content-based subsets of these records on demand, with stiff civil and criminal penalties for noncompliance. And certain SEC rules state that electronic information, in any form, including e-mail and instant messaging, has to be logged, saved, indexed for search-and-retrieval, and securely retained for a specific number of years, just like paper records.

So, if you’re a CEO or CIO, what do you do?

First of all, take a good look at your existing records management systems before breaking out in a cold sweat. Many companies have been routinely backing up and storing business-critical documents offsite in safe areas for years. And many more started doing so after 9/11. In addition, to support the compliance needs of legal, engineering and marketing, most large companies maintain document management and e-mail archiving systems in the IT department.

Unfortunately, just having such systems in place does not necessarily ensure compliance with the new requirements—as five top banks found out in December of 2002 when they were assessed over $8 million in fines.

Backup and storage solutions, particularly those that “silo” information, simply won’t do the job. In order to retrieve the right set of information on-demand, you must have content-based records management that can handle all media types. The implications are far-reaching:

  • You have to decide what constitutes a “record” based on content, and establish rules for how records are captured and stored;
  • You need a common content infrastructure that lets you see how all records from all sources are related, and enables easy retrieval; and
  • Your employees need to understand how and when a communication becomes a record, which implies cultural change across the organization.

Let’s look at each of these in turn.

What Constitutes a Record?

For a good portion of their existence, paper and electronic records fall into the realm of content authoring and management tools. At some point, which can be defined by a user or by an automated process, the content can be regarded as being “laminated.” The content then becomes unchangeable and must be treated as a permanent asset that is retained to meet regulatory as well as good business requirements.

Once an object becomes a “record,” it is subject to legal rules for regulatory compliance, retention, access control and eventual disposition—permanently archived, or destroyed. For example, under Securities and Exchange Commission (SEC) Rule 17a and related regulations, financial services companies must preserve electronic messages (e-mail and instant messages) in a non-rewritable, non-erasable storage medium, such as write-once, read-many (WORM) or equivalent, for the required retention period. In addition, a duplicate copy of each record must be stored separately from the first copy (great news for storage vendors).

And here’s a truly scary thought about records: “In the end, a record is whatever a regulator, government investigator, auditor, or litigator says it is.” 1

The Need for Common Content Infrastructure

As several companies have found out to their chagrin, “the judge” doesn’t care how and where content required for a case is stored. For example, in the Fen-phen (diet pills) product liability litigation, it cost a major pharmaceutical manufacturer between $1.1 and $1.7 million to retrieve e-mails from 15 selected individuals from backup tapes. Even worse, some backup tapes had been overwritten, so the company couldn’t produce all the content the judge asked for. As a result, the company was forced to settle the case in favor of the plaintiffs.

To eliminate the potentially huge cost of such ad hoc discovery and litigation, you need a comprehensive, policy-based program of record retention, supported by technology that can be shown to properly classify and archive all records. The critical success factor for such a program is a common content infrastructure with the following features 2:

  • A universal content repository providing search and access control across all information types—paper and microfilm, images, revisable documents, and e-mail, common retrieval for all electronic types, and an audit log of all actions on stored content objects;
  • A standards-compliant records management application (RMA), tightly integrated with the repository user interface and workflow, providing file plan management, record classification and enforced retention management;
  • Automatic e-mail capture, consisting of a system for automatically classifying as records all outgoing and incoming email and instant messages meeting specified policy-based rules, based on message metadata and content; and
  • Enterprise content management (ECM) software, to achieve consistency across content types and sources. All items relating to a particular topic need to be searched and retrieved through a single interface, including e-mail, word processing documents and scanned images. Such items need to be available in enterprise-wide business processes and workflows where their value can be leveraged across projects and departments. ECM software also allows efficient storage of large volumes of record data on a choice of media as demanded by the particular application.

By eliminating separate storage silos based on data type, integrated RMA/ECM software can help companies achieve economies of scale in electronic record storage and allow consistent retention and disposition management.

You also want to avoid storing what’s not required, just as you retain what is required. The scary thought here is: If you store everything, everything is open to discovery—even when you think it’s not relevant.

Cultural Change Across the Organization

While penalties stemming from noncompliance with Sarbanes-Oxley, HIPAA, SEC Rule 17a, NASD 3010 and various other mandates are enforced at the executive or corporate level, it takes everyone in the organization to assure compliance. Content-based enterprise records management, like any new business processes and applications, requires cultural change. Specifically, it is very important to:

  • Make sure employees are records-aware. Like any major business process change, you need to communicate the plan ahead of time, garner support and clearly identify what people need to do. The last thing you want is for the whole workforce to be paralyzed by fear that “big brother” is watching over everything, whether they know it or not;
  • Enable the right people with the right tools. Many employees will only be involved peripherally in records management. But people responsible for active declaration of financial records, medical image records, audit records, proposals and pricing, etc., need to have the right tools at hand and be trained to use them appropriately; and
  • Automate as much as possible. Besides the potential for human error, you don’t want records-management to become burdensome and interrupt daily routines.

Enterprise Records Management Edition is Documentum’s DoD5015.2-certified solution that makes it easy to click a button or drag-and-drop a file in Microsoft Word, Excel, Outlook or other applications to automatically “laminate” it as a record. In addition, to make sure the content of the record is appropriately identified, Documentum’s Enterprise Content Management platform and Content Intelligence Services use sophisticated algorithms that “understand” what’s in the record and categorize it appropriately. Finally, e-mail archival, complete with content analysis and classification, is likewise handled automatically, in the background, without involving manual processes or bothering employees.

And what’s the truly scary thought about cultural change? According to The JL Group, legal advisors in electronic records management, “A program that allows any level of employee discretion in the assignment of retention periods, destruction dates, or naming and filing standards is extremely dangerous and a lightning rod for review.”3

So What Should You Do?

No magic bullets exist. Fujitsu Consulting brings proven business and consulting expertise in this area, and Documentum has developed and integrated applications for end-to-end compliance. Fujitsu offers Documentum-specific applications expertise. Properly implemented and socialized within the organization, the suite will ensure the authenticity of records and limit liability in regulated industries.

As the first step towards full confidence that you are in compliance with any regulations that apply to you, Fujitsu Consulting will conduct a two-week review and assessment of your content management technology and business activities. The assessment looks at search and retrieval of e-mail as well as control of corporate disclosure documents. You will receive a findings report identifying potential exposures and risks, plus specific recommendations. Going forward, Fujitsu Consulting will make sure you don’t just get a point solution—which in this case, would defeat the whole object of content-based records management.

In the end, what you really want is the capability to identify, isolate and protect important information throughout the enterprise, in any form, regulated or not. And that really isn’t all that scary—it’s just good business.


A trusted provider of management and technology consulting to business and government, Fujitsu Consulting is the global consulting and services arm of the Fujitsu Group. Fujitsu Consulting integrates the core expertise of Fujitsu companies and its partners to deliver complete business solutions that drive business value. Through its industry-recognized strategic approach, Macroscope, Fujitsu Consulting enables clients to build more value into their investments and drive their leadership in the marketplace.

Documentum provides enterprise content management (ECM) solutions that enable organizations to unite information, tools and teams needed to manage business processes and associated content. Documentum’s integrated set of content, compliance and collaboration solutions support the way people work, from discussion and planning through design, production, marketing, sales, service and administration.

1 Bruce Silver Associates Industry Trend Report, “Answering the Call for Enterprise Records Management”, May 2003

2 ibid

3 “Unenforced Records Management Is Too Dangerous to Overlook,” www.jlgroup.com, 2002
