Compliance. Corporate governance. Risk management. These high-value corporate practices have yet to find one comprehensive technology counterpart to improve the quality and reduce the costs of legal services. In light of many high-profile cases involving electronic records, legal and compliance teams continue to struggle with how to effectively leverage technology to mitigate risks across the organization.
In July 2004, Philip Morris was slapped with a $2.75 million fee for failing to appropriately suspend, upon a court order, its routine information destruction program that automatically deleted company e-mails after 60 days.
In April 2005, UBS Warburg was ordered to pay $29.2 million in damages, largely due to e-mail destruction after a litigation hold was in place.
And to date, the largest damages to be paid are against Morgan Stanley in the amount of $1.58 billion for their inability to produce e-mails.
Execution of records management policies around electronic records, especially e-mail records, can be challenging, but as the above examples illustrate, not having the proper tools in place can be disastrous. This article is intended to lay out some concepts and provide "how-to" tips that will be useful for any organization trying to get its arms around e-mail. Given the right strategy, any number of technologies can be used to improve the quality and reduce the costs of legal services.
Any discussion about technology and the management of records in accordance with the corporate records management policy should begin by asking, "What are the requirements for records management for records in all media formats?" There are five requirements that must be met to ensure compliance, good corporate governance, and risk management when dealing with records controls, and they are as follows.
1. Retention: records must be retained long enough to meet both regulatory and "valid" business requirements.
2. Accessibility: records need to be quickly accessible, particularly in discovery or investigation, as some regulators impose extremely short deadlines.
3. Hold Management: records required for investigation, litigation, or audit need to be removed from normal destruction cycles.
Hold management is perhaps one of the most important requirements; yet, it is the one requirement that many companies have been unable to meet, which, in many cases, has led to unmerited settlements, fines, sanctions and adverse inferences.
4. Regulatory Tagging: records must be "tagged" to meet requirements imposed on how a business must manage, protect and ultimately dispose of records.
To confidently manage these records, companies are "tagging" each of the record types to the appropriate requirement, for example: HIPAA, FACTA, SB 1386, and New Jersey's Identity Theft Prevention Act. Regulatory tagging provides companies the ability to produce records quickly, protect sensitive data throughout its life cycle and ensure secure disposal of records.
5. Disposition: corporate records are an asset to a point, and then they generally tend to become a liability and an unnecessary expense. The corporate records management program should address when and how records should be disposed of.
Once the five requirements are understood, the next step is to ensure the legal and compliance team has the critical information about organizational records. They need to know what records the company has, who owns and controls them, where the records are located, and when they can be destroyed.
What record types the company generates and retains.
This sounds simple enough; however, it is rare that companies have corporate-wide agreement on record naming and description standards. In fact, only 15 percent of ACC respondents to the 2004 survey reported that most records were classified into corporate record standards. Without knowing what records the company actually has, it is very difficult to make decisions about how long to retain them, where to look for them, and how to appropriately preserve records when requested. Standardized record naming and definitions allow everyone in the company to be on the same page.
Knowing who controls each record type.
To ensure records can be produced, protected and destroyed as needed, companies must know not only the "official owner," but also convenience users and parties with custodial relationships. Knowing who owns your records facilitates record holds, enables the appropriate employees and facilities to be instructed to protect and produce needed records, and ensures that owners/controllers of records dispose of records as they become eligible. Unfortunately, according to the 2004 ACC survey, only three percent of companies can easily identify who controls records.
Knowing where the records are located.
Records are terribly redundant and commonly found in multiple departments and in multiple media across an organization. Companies must know where records are located geographically, on what media, and in which applications. This information also helps companies ensure their requirements and records practices are applied consistently across the organization, regardless of the systems or vendors used. This information is also critical in eliminating redundancy and improving business efficiency.
Knowing when records become obsolete and can be destroyed.
Most records are only an asset of the organization for a relatively brief time. Once records have been retained long enough to meet any regulatory or valid business requirements, they typically become a liability and should be disposed of in a consistent manner. Determining the correct retention requirements goes beyond regulations; it includes a careful evaluation of business/risk decisions, tax needs, operational needs, and the consideration of industry trends or best practices.
Knowing the critical information about the company's records will show how technology decisions affect corporations. The following organizational challenges make it difficult to implement successful technology solutions for corporate records programs.
An age-old problem in business is that companies tend to operate in "silos": different groups operating independently of one another on related issues. This becomes painfully clear when discussing electronic record keeping.
Unfortunately, a complete disconnect between legal, IT, and the business side is all too common. These corporate areas must work collectively on the issue of managing electronic records. According to Gartner, it is critical for a company's legal staff to communicate with IT concerning the company's IT "topology and system architecture." By uniting legal, IT, and the business side, records retention practices, hardware and software conventions, and the accessibility of records are better identified. And so, in order to meet legal and regulatory requirements, scale technology solutions, and dramatically cut costs, organizational silos must be eliminated.
Inventory Resistant Records
Records that are controlled outside the realm of formal business process or centralized corporate control are called inventory resistant records. These records are maintained by individuals, which prevents a company from maintaining them centrally.
Regardless of the investment a company may make in technology, employees can and will work around systems put in place.
Using e-mail as a prime example, companies employ automatic deletion of e-mail, and may centrally archive e-mail and monitor e-mail usage. Yet, employees still can and will save e-mail to hard drives, forward them to personal accounts or simply print them. The inherent loss of corporate control, however, does not relieve the corporation from making its best possible efforts to control these records.
As with any other legally mandated requirement that is controlled by employees, it requires a proactive shifting of compliance responsibility to those who actually control compliance with the policy. A company must clearly communicate its records policy to employees, properly train employees, and systematically enforce and regularly audit the policy.
E-mail is a technology liability. The ease of transmitting and storing information creates many of the problems and expenses that companies are incurring today. For example, the costs associated with managing and producing electronic records are extremely high. According to technology market research firm Radicati Group, e-mail archiving alone will grow to over $4.4 billion by 2009. In litigation or investigation, the threat alone of having to produce volumes of e-mail is chilling and can force unmerited settlements. In a 2005 survey produced by the ABA, respondents reported settling cases to avoid the costs of electronic discovery, which can run in excess of $2 per message.
And while there is technology that can be implemented to reduce the volume of e-mail being retained and enable rapid searches for e-mails based on various attributes, the fact remains that e-mail and its management are very dependent upon the actions of employees. In the end, there are no perfect "solutions" for e-mail, but there are very effective strategies.
It doesn't have to cost a fortune to effectively manage e-mail or any other electronic records. Successful strategies begin with developing a clear understanding of company objectives.
Before drafting a policy or investing in technology, executives should gain an understanding of how their organization is really using e-mail. Of all corporate e-mail, which messages are really valid business records that need to be retained, and which are nonessential business communications that don't warrant a retention period? What is the relationship between various job functions and e-mail usage? What resources are currently available around e-mail and what initiatives may be in the works? The answers to these questions will be surprising and will provide the necessary information to make informed decisions regarding e-mail management.
Enforcement: The Missing Counterpart
Understanding the critical records-related information and how to overcome the challenges that records technology creates will help establish corporate protection. Take an untamed records-related technology, e-mail in this case, and put processes and strategies behind it to create an enforceable records program.
Enforcement is the level of controls put in place to ensure company policies are linked to actual daily practice. This includes adherence to the retention schedules, elimination of employee discretion, and the proper control of records subject to pending or imminent government investigation, litigation, or audit. Corporate records management is perhaps the only area of corporate governance in which compliance is routinely left to the discretion of the employees.
Developing standards, policies, and procedures around e-mail controls, and then educating, training, and auditing employees will help reduce the liability regarding corporate e-mail practices.
Published April 1, 2006.