Records management was a topic that, while recognized by many (especially
in-house attorneys) as important, represented the "Rodney Dangerfield" of
corporate affairs: it received little respect. That all changed several years
ago when Arthur Andersen, a respected member of the small group of international
accounting and consulting firms, stood convicted of federal crimes related to
its records management practices and its relationship with the Enron Corporation
(a client). Soon after that conviction, Arthur Andersen disappeared as an
ongoing firm despite its decades-long history and reputation.
More recent events have underscored the significance of records management.
Its importance for Corporate America is now well recognized. In-house counsel
now devote much time to devising records-management policies, responding to
inquiries about the implementation of such policies and otherwise elevating
records management to a higher-priority place on their to-do lists.
Records management comprises a portion of the subject of corporate
compliance. The way in which a company deals with its information and records
can greatly affect whether that company's ethics and compliance program is
effective, not to mention establishing a basis for prosecution (as in the case
of Arthur Andersen), if something goes awry.
As an element of a corporate ethics and compliance program, a company's
records management policy or program should address the interests and concerns
of a variety of audiences. While those interests and concerns vary with the
audience, they all provide some important perspectives for the proper design and
implementation of the compliance program and, more specifically, the records
management regime that the company adopts.
Which audiences serve that purpose? Without suggesting that this constitutes
a comprehensive list of all those whose views must be taken into account by
in-house counsel, some of those audiences are the following:
1. Government officials, including regulators (the SEC, EPA, HHS, etc.),
lawmakers and others.
2. Members of the investment community.
3. Employees of the company.
4 Other groups, such as customers, joint venture partners, litigation
counterparties.
For each of those audiences, a different response might address its concerns
most directly. For example, investors care whether a company has undertaken
adequate diligence regarding various risk-related issues but might express less
interest than a government agency in whether that company has implemented an
"effective" compliance program. Employees generally want to feel assured that
the company for which they work does things the "right" way, so an ethics code
embraced by senior management constitutes an important step in their view.
What developments have increased the significance of records management? One
of the foremost events of the past few years was the enactment of the
Sarbanes-Oxley Act of 2002, which represents the most wide-ranging response of
Congress and the federal government to the corporate scandals of 2000 and 2001
(Enron, WorldCom, Adelphia, etc.). That statute created new requirements
vis-à-vis records management, increased the penalties for violations of those
mandates, heightened the financial accountability of corporations and their
senior officers for certain misdeeds and focused renewed attention on the
fiduciary responsibilities of corporate directors and officers.
Recognizing the importance to investors and government officials of evidence
of corporate actions, Congress included in Sarbanes-Oxley some provisions that
specifically address records-management issues. Examples include §802, which
prohibits "knowingly alter[ing], destroy[ing], mutilate[ing], conceal[ing],
cover[ing] up, falsify[ing], or mak[ing] a false entry in any record, document,
or tangible object" with certain specified intent, and §1102, which provides for
a sentence of twenty years in prison for "corruptly alter[ing], destroy[ing],
mutilat[ing], or conceal[ing] a record, document, or other object, or
attempt[ing] to do so, with the intent to impair the object's integrity or
availability for use in an official proceeding." These represent significant
changes to the law surrounding how businesses create, manage and destroy
records.
While Sarbanes-Oxley made some of the more dramatic changes to the law of
records management, other laws also contain very far-reaching provisions on that
same subject. The Health Insurance Portability and Accountability Act of 1996
(HIPAA) led to various regulatory initiatives that deal with the records that
relate to individuals' health data. The Gramm-Leach-Bliley Act pertains to
information about consumers of financial services and mandates that financial
institutions take certain steps to protect that information. The USA Patriot Act
provides for certain records-related protections, especially in respect of
anti-money-laundering efforts of companies.
As a result of these developments, in-house counsel now face a problem that,
at least in magnitude if not in kind, they did not face previously. The
certification requirements of Sarbanes-Oxley, increased distrust by investors
and regulators, a greater likelihood of investigation, civil lawsuits and
criminal proceedings if records are improperly altered or destroyed, the absence
of standards for many of the new requirements and the dearth of judicial
interpretation of many of these new requirements combine to present a minefield
of expectations and demands.
The certification of a company's financial statements, for example, presents
a particularly vexing subject. In making such a certification, a corporate
officer cannot personally review and assimilate the huge amounts of information
and the incredible number of documents that underlie those statements.
Nonetheless, that officer must be prepared to certify (1) that he or she has
reviewed the periodic report in question1 , (2) that the
report does not contain any untrue statement of a material fact or fail to state
a material fact necessary for the financial statements not to be misleading, (3)
that the financial statements fairly represent the financial condition of the
company, (4) that the certifying officer has designed the internal controls
necessary to ensure that those statements are accurate and (5) that the officer
has apprised the company's auditors and audit committee of any deficiencies in
the design or operation of those internal controls and of any fraud that
involves management or other employees who have significant roles with respect
to those internal controls.2 The fact that a false
certification can lead to considerable penalties, both monetary and punitive,
compounds both the significance and the difficulty of making that certification.
Unfortunately, the statute and even the regulations promulgated pursuant to
that and other statutes provide minimal guidance as to how an organization's
records-management policies and practices can comply with the mandates. As a
result, in-house attorneys cannot rely on the statutory requirements alone.
Records and processes designed for normal business practices may not pass muster
under these strictures. Aggressive, pro-active analysis and action are necessary
for inside attorneys to have and to provide to their internal clients the
comfort desired on that score.
What do they need? Reliable procedures for the creation, retention,
management and destruction of records. An ability to demonstrate that the
procedures properly operate. Adequate training for all employees on the subjects
of records and records management. An ability to demonstrate that training and
its implementation.
What issues should such training address? Some examples are the following:
What are the procedures for the creation, management and destruction of records?
Who is responsible for those procedures? What is a "record"? When can a record
be safely destroyed? How can the organization effectively locate relevant
records, for purposes of litigation-related discovery, for example?
In-house counsel should ask questions regarding the training such as these:
What might we have to prove and to whom in respect of the training? Can we
develop and apply a reasonable standard? Can we develop a reasonable process
that the organization can implement clearly? What records can we design that
will prove the compliance of our process? How can we demonstrate satisfactorily
to others that compliance?
Inadequate training and compliance almost certainly will lead to a number of
negative results. These include excess storage costs, an inability to find
relevant information for business purposes, repeated creation of similar
information (recreating the wheel), excessive production during discovery in
litigation and an inability to demonstrate appropriate protection of privileged
documents.
An organization's law department should be integrally involved in that
organization's records-management policies and procedures. Those policies and
procedures must conform to legal standards, such as the laws like
Sarbanes-Oxley, regulations issued by federal, state and local agencies, court
rules and other standards. The law department should analyze (or oversee the
analysis of) those requirements and their applicability, as well as the
conformity of the company's procedures with those standards.
Given the scope and stakes involved in these issues, a law department should
begin by developing a strategic plan by which it will manage those issues. The
department's role in the firm's records-management regime should be set out in
that plan. The department likely will serve as the monitor of the organization's
implementation of the records-management procedures and protocols. The in-house
attorneys should be prepared to respond to inquiries and questions in respect of
those policies and their application.
What should the strategic plan address? First, the role of the law department
in the company's records-management process deserves clarity. This will benefit
employees throughout the company by providing them a vision of what they can
expect of the in-house lawyers when they have questions about or encounter
issues related to the records with which they must deal on an everyday basis.
The lawyers will enjoy the increased certainty as to what the company expects of
them in that regard. The issues to address include the following ones.
To what degree will those in-house lawyers assume responsibility for creating
the records-management policies? The more participation that the in-house
clients assume, the greater the buy-in they will possess in those policies. As
important to those policies as legal analysis may be, the policies ultimately
serve to assist the business to manage its knowledge and information
efficiently.
Should the in-house lawyers serve as monitors of how the business implements
it records-management policies and procedures? There are many reasons why such a
role makes sense. The legal issues that arise over time will demand rapid
analysis, which the lawyers will be well-positioned to provide if they are
already intimately involved in monitoring that implementation.
If the company's employees encounter issues regarding records during their
job activities, will they pose those issues to the lawyers? If the company
expects its employees to call on the in-house lawyers in such situations, it
ought to make that perfectly clear so as to avoid confusion. The importance of
training on that subject for all employees of the firm is one aspect of records
management that should be covered.
While these few issues do not exhaust the range of topics that might appear
in a strategic plan, they should provide some food for thought. Law departments
should begin the process by which they can prepare such plans because the
process - strategic planning - constitutes a vital means by which to eliminate
or reduce uncertainty in an organization's records management policy so as to
minimize the likelihood of legal problems.
i I refer to the certifications required of the chief
executive and chief financial officers as to the accuracy of financial
statements by §302(a) of the statute.
2 The statute
requires that the Securities and Exchange Commission issue regulations
containing those substantive requirements, which the Commission has done. See
href="http://www.sec.gov/rules/final/33-8124.htm"
target="\'_blank\'">http://www.sec.gov/rules/final/33-8124.htm.
Published November 1, 2004.
