Records management: BEWARE, PREPARE
Increases in data breaches and the development of electronic discovery (e-discovery) are prompting firms to closely re-examine their records retention and management policies. New breaches seem to be reported monthly, if not weekly. In August alone, data breaches were announced at Countrywide Financial, Bank of New York Mellon and Best Western, potentially affecting millions of customers. Such violations point to the need for companies to destroy electronic records and documents they no longer need, because additional records mean additional potential liability.
Destroying unneeded records also helps companies in terms of storage costs. The sheer volume of e-mails, attachments and other electronic records is growing rapidly, says Bobby Balachandran, chairman and CEO of Exterro, a company that provides legal hold and discovery management software solutions. That volume carries a cost, too, in the additional time it takes attorneys, accountants, etc., to go through unnecessary electronic records, Balachandran adds.
According to Chris Bradley, VP of marketing for MessageGate, nearly 80 percent of electronic discovery cases involve e-mail, so firms should employ tools that store e-mails based on the type of information in the messages. E-mails should be classified and stored according to importance: e-mail with information like cafeteria menus in one place; basic business information in another; and highly sensitive e-mails, such as communiqués between attorneys and clients, stored in yet another.
Such classification and storage enables a firm to purge the unimportant e-mails after a short period and establish rules for retention of other e-mails; it also lets employees retrieve pertinent e-mails more quickly in the event of a court case, according to Bradley.
"Companies tend to store a lot more information than is required," says James C. Bourke, partner with the accounting firm of WithumSmith+Brown. When companies first shifted to electronic records from paper ones, they tended to store everything. While that may be appropriate for some records, others are unnecessary after a few years. Most firms keep too much information rather than too little, Bourke adds.
However, as Bourke, Balachandran and others point out, the need for data destruction must be balanced with the need for records retention, particularly today, when, as Balachandran puts it, virtually all court cases involve some element of electronic discovery.
Complicating matters, according to Patrick Queen, manager of new business development at Océ Business Services, is the "safe harbor" rule. Under the rule, designed to protect companies in certain instances from sanctions for the loss or alteration of electronically stored information, "absent exceptional circumstances, a court may not impose sanctions ... on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system."
The rule goes on to discuss the routine destruction of electronic documents, but leaves plenty of room for interpretation of what companies can destroy under routine circumstances and when they should intervene to override automated destruction of electronic records.
"In my opinion, there will be a lot of wait and see in terms or e-discovery" record retention and destruction rules, Queen says. However, he and Balachandran agree that a company would be unwise to expect a "routine destruction" argument to be enough to protect it, if records expected to be part of court cases are destroyed by an automated system.
Therefore, any records involved in court cases must be managed in such a way that they are not automatically destroyed, even if the typical time frame for maintaining them has expired. Balachandran says firms can use software tools to designate records for automated destruction after a certain time period and to designate those records in use in active court cases so they aren’t automatically purged.
Queen adds that simple technology tools can aid in the records management task. IBM Lotus Notes, Microsoft Outlook and similar document management tools can help administrators manage some aspects of electronic records retention and destruction.
However, technology alone isn’t the answer, Queen cautions, "Simply pressing the delete key doesn’t necessarily destroy a document, it just makes it harder to access."
Many companies opt to manage the retention and destruction of their own documents. For those firms, several best practices can be followed for effective record management and destruction.
Experts recommend that companies develop policies and processes for record retention that fit their business and their industry. Queen says, "No set of rules is appropriate for everyone."
Océ has developed a checklist for records retention, with the caveat that it is "meant to serve as a guideline and should be augmented with types of documentation unique to [each] business."
Under the proposed checklists, audit reports, financial statements, capital stock and bond records, property appraisals, patents, labor contracts, appraisals and some other papers should be kept indefinitely, while items like budgets and projections, internal reports, memos, work orders and freight bills should be kept for only a couple of years.
Queen recommends that firms look outside the rules that apply specifically to their businesses to develop best practices for records retention and management. For example, although many firms don’t have to abide by it, Queen suggests considering some of the
recommendations in the Model Requirements for the Management of Electronic Records (MoReq), which provides best practices for records management for Europe.
Among the best practices MoReq recommends is storing the retention and disposition schedules for records and document titles as metadata values that can be kept in a metadata database, making the information easily and quickly retrievable.
Reed Irvin, director of product management for information governance at CA, recommends involving a firm’s risk officer in establishing records retention rules. By centralizing the responsibility, firms can better manage records throughout the enterprise.
"Most firms think of the data repository as the center of the universe," Irvin says. But e-mails and collaborative tools such as Microsoft’s SharePoint and other applications typically will create and store records outside that repository. So a centralized authority can help a company map where it has records in order to effectively manage them.
As courts make more decisions under the safe harbor rules, some of the records retention requirements under that law will become more clear, experts agree. But even while waiting for those court opinions, companies should take some time to examine how they are storing records to maximize their efficiency in recovering them if they are needed.