
IT Compliance Institute, January 15, 2008:

Reboot Your Records Retention Strategy

Under the Federal Rules of Civil Procedure (FRCP), organizations must demonstrate that their electronic information is complete, accessible, and reliable. As a result, companies must formalize their retention management strategy and rapidly put in place the organizational and technological changes required to retrieve any given record.

By Mathew Schwartz

What’s the cost of poor records retention practices?

The answer: tens of millions of dollars in fines, at least for not complying with Securities and Exchange Commission retention rules — as organizations including Banc of America Securities and Morgan Stanley have discovered.

Inside the courtroom, companies may fare far worse. Indeed, in 2004, after UBS Warburg employees deleted e-mails in violation of a court order relating to a sexual discrimination lawsuit against the company, the presiding judge instructed the jury to treat the missing records as evidence of guilt. The jury awarded nearly $30 million to the plaintiff. In a different case a year later, after Morgan Stanley withheld records related to a suit brought by Coleman, a judge’s resulting “adverse” jury instructions led to a massive $1.6 billion decision against Morgan Stanley.

While case law put the electronic records retention writing on the wall, a December 2006 revision of the Federal Rules of Civil Procedure (FRCP) made the new requirements official: organizations must demonstrate that their stored electronic information is complete, accurate, accessible, and reliable. In addition, they must also show “reasonable” and “good faith” efforts to comply with the FRCP.

The primary requirement for complying with FRCP requirements, says Osterman Research CEO Michael Osterman, is “to show a clear retention policy,” and then demonstrate it’s been followed. Do this well, he says, and your company can respond quickly to discovery and hold requests, and make overall records management more cost-effective and efficient.

Unfortunately, one year after the FRCP revisions went into effect, an Osterman survey found that 53 percent of all companies still lack a policy governing the retention and deletion of that über-digital record: corporate e-mail. Another recent study, by ARMA, discovered similar FRCP-related shortcomings. For example, 44 percent of organizations do not include electronic records as part of their record holds — defined as “setting aside for an indefinite period of time those records that are deemed relevant to an existing or pending legal or regulatory proceeding.” What are they thinking?

Document the Discovery Process

Experts are clear: incomplete electronic records retention is a recipe for regulatory disaster. “In the age of electronic discovery, organizations should be prepared to have their discovery process called into question,” notes Dan Keldsen, director of market intelligence at AIIM. Succeeding in court, then, requires “having that process well documented and followed, and moving towards a stance that provides undeniable authenticity of the content provided, such as the recommendations by Judge Paul W. Grimm [in Lorraine v. Markel American Ins. Co., 241 F.R.D. 534 (D. Md. 2007)] to utilize trusted time-stamping in content placed into repositories.”

Whenever possible, Keldsen also recommends companies automate compliance with hold requests, to move beyond a “please hold” approach (namely, distributing a memo requesting relevant employees not alter or delete specific information) to an “‘it’s automatically held’ stance.” Automation enforces compliance, and also helps demonstrate such compliance in court.

Retention: Think Positivistic

Beyond having an effective hold system in place, organizations must of course know what to hold in the first place. Answering that question requires a coordinated effort by the records management group. Namely, “legal, compliance, records management and IT really need to be working together — if they’re not already — to handle a lot of the new laws and regulations that are coming down,” says Kevin Joerling, senior manager for standards and records management at ARMA.

When revising retention polices to meet current requirements, think broadly, advises Jeanne Caldwell, founder and principal consultant for Information Management Specialists. “Don’t just focus retention on what you can get rid of. Rather, in this day of focus on compliance — with Sarbanes-Oxley, and so on — and what are the records we should have as a company, and how long should we keep them?”

Retain, but Simplify

Retention requires classification: broadly classifying a document, then applying the relevant policies. Many companies today, however, have so many classification types, or buckets, that they are impossible for anyone but records management professionals to utilize. According to a 2007 ARMA study, for example, roughly one-quarter of organizations have between 250 and 1,000 such buckets, and 16 percent have 1,000 or more.

Caldwell argues for using a dramatically smaller number of buckets, or “retention rules.” Her ideal: no more than 100 per business, “because it’s much easier for users to understand, and for IT to implement.” That’s especially important when companies ask employees to manually classify the records they create.

Complying with FRCP requirements, in particular, demands simplicity, says AIIM’s Keldsen. “If you are overly sophisticated in the upfront collection of content, it is much more likely that you will have created a situation where content blissfully flies under the radar, for want of a keyword search that doesn’t know that The Green Dome Project was changed to the Henry Walker Auditorium Project, midway through the time period being examined.”

Crafting Retention Rules

How should a company go about creating retention rules in the first place? Caldwell recommends starting with business functionality. “You would certainly have the whole corporate governance and compliance area, legal, accounting and finance, HR, the whole communications area, then you’d have operations — meaning, what does this company do that’s specific to them? Those are just a few ideas of where we’d start looking at the functions of the business, for a public company.”

Also factor in the more abstract concept of event-based retention. A common example: retaining certain documents for a set number of years after the end of someone’s employment. Effective event-based retention requires meta-data — for example, to know which documents relate to an employee’s HR record, performance reviews, and so on. Be sparing; meta-data is hard to come by. “The more meta-data you ask users to collect, the more resistance you will face,” warns Caldwell.
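As an added illustration (not from the article, nor from any consultant or vendor it quotes) of the two mechanisms just described, event-based retention driven by meta-data and an “it’s automatically held” legal hold that overrides deletion, the following Python evaluates constructed records against a simplified rule set. The rule names, categories, record ids, dates and the seven-year periods are assumptions for the example, not a real policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed rule set (an assumption for illustration, not a real policy): each
# rule names the meta-data field that starts the retention clock and the years to keep.
RETENTION_RULES = {
    "hr.performance_review": {"event": "employment_end", "years": 7},
    "finance.invoice": {"event": "created", "years": 7},
    "email.general": {"event": "created", "years": 7},
}

@dataclass
class Record:
    record_id: str
    category: str          # one of the retention "buckets"
    metadata: dict         # event dates supplied at classification time

def retention_expiry(rec: Record) -> Optional[date]:
    """Date after which the record may be disposed of, or None when the clock
    has not started (unknown bucket, or triggering event not yet recorded)."""
    rule = RETENTION_RULES.get(rec.category)
    trigger = rec.metadata.get(rule["event"]) if rule else None
    if trigger is None:
        return None
    try:
        return trigger.replace(year=trigger.year + rule["years"])
    except ValueError:  # 29 February trigger date, non-leap target year
        return trigger.replace(year=trigger.year + rule["years"], day=28)

def disposition(rec: Record, holds: set, today: date) -> str:
    """'hold' wins over everything (the record is automatically held, never
    deleted); otherwise compare the expiry with today. No expiry = retain."""
    if rec.record_id in holds or rec.category in holds:
        return "hold"
    expiry = retention_expiry(rec)
    if expiry is None or today <= expiry:
        return "retain"
    return "dispose"

def sample_dispositions() -> dict:
    """Constructed sample records, evaluated as of 15 January 2008."""
    today = date(2008, 1, 15)
    holds = {"rev-001"}  # hold placed by legal on one specific record
    records = [
        Record("rev-001", "hr.performance_review", {"employment_end": date(2000, 6, 30)}),
        Record("rev-002", "hr.performance_review", {}),  # still employed: clock not started
        Record("inv-17", "finance.invoice", {"created": date(2000, 3, 1)}),
        Record("mail-88", "email.general", {"created": date(2005, 2, 28)}),
        Record("misc-1", "unclassified", {"created": date(1999, 1, 1)}),  # fails safe
    ]
    return {r.record_id: disposition(r, holds, today) for r in records}
```

Note that the held performance review would otherwise have been past its seven-year window and eligible for disposal; the hold is what keeps it.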

Don’t Trust Users, or Automation

Manual classification is a labor-intensive endeavor, and studies show many users simply won’t do it, or don’t do it well. Yet so far, automated data classification tools — similar to spam-blocking tools, in fact — aren’t good enough to take over, says Colin Bush, a Ferris Research analyst. “Really, their accuracy is still questionable, and when it comes down to compliance obligations and some of the repercussions, it may not be a risk an organization wants to take.”

Instead, “short- to mid-term, we’re seeing automated classification technology that prompts the user with suggestions for which classifications to choose,” he notes, as well as corporate “broad strokes” for retention policies, such as retaining all email for seven years. As retained records start piling up, however, “we’re going to have to narrow those broad strokes down more and more.”

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.