With the amendments to the Federal Rules of Civil Procedure rapidly approaching (effective December 1, 2006), companies will have to prepare their records-related practices very quickly in order to comply with the new provisions. A company's inability to fulfill these requirements exposes them to legal risk, fines, penalties and negative publicity.
The new rules significantly influence the need for an effective, practical and consistently enforced corporate records policy and program. For example, sanction limitations or 'Safe Harbor' only applies when the 'loss' or destruction of information is a result of a consistently enforced, well-documented records policy and program.1Unfortunately, most companies have not established the practices and policies necessary to demonstrate this.
In a recent ACC (Association of Corporate Counsel) survey2 , members overwhelmingly identified challenges with records as a top concern. Specifically, respondents noted the challenges of (a) understanding and complying with legal and regulatory obligations, (b) selecting the appropriate records-related technology in a cost-effective manner and (c) uncovering and addressing gaps within their corporate records practices. This article outlines some of the concerns voiced by survey respondents, along with general guidance for taking the first steps toward solving the pressing issues of corporate records programs.
Understanding The Obligations
There are five general legal, regulatory and cost-control requirements for corporate records policies and programs:
1. Ensure records are retained long enough to meet both valid business and regulatory requirements.
2. Ensure records can be accessed efficiently during the entire required retention period (in some cases, 'rapid discovery' obligations apply).
3. Ensure legal hold orders can be enacted across all media - precisely, immediately and with full verification of receipt and compliance by each recipient.
4. Ensure privacy and other non-retention obligations are met during the entire life cycle of each record type.
5. Ensure records are disposed of in a timely and appropriate manner in the normal course of business and in strict compliance with approved corporate retention standards.
Consistently meeting these obligations under a well-defined, enforced and defensible program - applied across all media and systems - is critical to protecting the legal and financial interests of the organization. In addition to retention requirements, most companies must also adhere to rapid-discovery, privacy and secure destruction obligations imposed by Sarbanes-Oxley, FACTA, GLB, HIPAA and similar regulations.
As for the Federal Rules of Civil Procedure, many companies are currently unable to clearly, confidently and correctly explain their corporate records practices to the court, let alone prove accuracy or employee compliance with the policy (if a policy even exists).
The only way to meet these obligations is to collect, maintain and use comprehensive information about company records - what record types are retained, who controls them, where records are located (physical locations and media/system locations) and when they become obsolete. This record type information must be centrally managed, updated and applied to all records held throughout the organization.Without it, most of the critical issues and decisions companies face today cannot be adequately addressed. Gathering this information in an effective manner requires a deep and broad assessment of the company's current practices.
Assessing Current Practices
According to the 2006 ACC survey report, the most common corporate records-related initiatives are:
Establishing a corporate records policy to improve compliance and create auditable events for monitoring policy enforcement;
Preparing for the changes within the Federal Rules of Civil Procedure regarding e-discovery;
Implementing a privacy policy and procedures to meet tightening requirements;
Developing legal hold capabilities to cut time, costs and risks;
Evaluating and securing email management systems;
Evaluating and securing e-discovery systems or services;
Expanding migration of paper records to native electronic or digital formats.
Each of these initiatives and most records-related obligations hinge on having extensive up-to-date information about the record types held within the organization (on all media and systems) and vendors used (along with satisfaction levels), as well as current and planned initiatives for meeting policy and other key requirements. Over 80 percent of companies surveyed did not have this high level of vital knowledge.
This information can be extracted from department representatives, advisors and subject-matter experts quickly (less than 60 days if a highly structured process is used). An assessment begins with information gathering, which is then analyzed and matched against industry benchmark standards. This enables companies to rapidly gather critical information, metrics and insights about their current corporate records policy and practices regarding:
Records holdings across all media (paper, email, image and electronic - both employee controlled and IT controlled);
Policy awareness and compliance;
Research, protection, destruction and retention practices;
Technological decision-making;
Regulatory and legal compliance;
Records and information volumes and storage, maintenance and production costs.
Ideally, it is best to compare the information from this type of assessment to industry benchmarked data and best practices for validation and consistencies.
An assessment enables a company to analyze and evaluate strengths and gaps within existing records programs and practices.The assessment information is critical for decision-making for records-related initiatives and projects, providing the insights necessary to accomplish strategic legal and cost-control goals, leveraging current strengths and avoiding common pitfalls of records policy non-enforcement, inconsistencies and over-reliance on technologies. It provides the 'road map' for achieving true enforcement of policy - what is required under the new rules.
Policy Enforcement
Once the records-related information has been gathered and analyzed, companies can quickly progress to a defensible level of records policy enforcement.
It is critical that corporate records programs are strictly enforced, which means meeting the basic requirements discussed earlier in this article3 . In a practical day-to-day sense, it means that the program needs to be kept up-to-date, employees must be reminded continually of the program and their obligations for compliance, periodic auditing needs to be conducted and vendors must comply with the corporate program consistently.
Enforcement is the critical piece to cost savings, legal and regulatory compliance and corporate protection.
From a cost-control perspective, policy enforcement leads to direct reductions of 40 percent to 70 percent in records volumes on all media.
From a cost-avoidance perspective, companies can avoid mistakes in multi-million dollar technology decisions that were based on ill-informed decisions, or a lack of integrated standards and rules necessary to ensure compliance and protection. Companies can also realize dramatic cost savings by consolidating technology vendors and records storage vendors and leveraging similar opportunities.
From a legal and regulatory perspective, policy enforcement enables a company to respond to the courts, investigators and other requesting parties more cost-effectively and in a timely manner. As records volumes are corrected, information is retained based on approved standards, rules and requirements. Legal hold management is centralized and kept up-to-date. Meeting the requirements of the new rules will be impossible without a solid enforced corporate records policy and the ability for management and counsel to clearly and confidently demonstrate compliant practices to a court.
Conclusion
Companies today recognize that lapses in records policy enforcement can be incredibly dangerous and costly. The only way to steer a company to 'Safe Harbor' is by strictly enforcing a corporate records policy that has been developed objectively with proper documentation and levels of record information and is kept up-to-date. Capture the critical record type information before charging ahead with email management, media migration, privacy policies, records-related systems and vendors, corporate records programs and other important, costly and critical efforts.
Exploiting this level of knowledge capture quickly and efficiently and acting on the insights gained will unveil compliance levels, identify dangerous gaps and advise what corrective actions should be initiated, including technological solutions, in order to protect the legal and financial interests of their organizations.
1 Allman, Thomas . The Impact of the Proposed Federal E-Discovery Rules, 12 RICH. J.L. & TECH. 13 (2006), law.richmond.edu/jolt/v12i4/article13.pdf
2 Jordan Lawrence conducted a survey of over two hundred In-House Counsel of the Association of Corporate Counsel, 2006 .
3 Ensure records are retained long enough to meet requirements. Ensure records can be accessed efficiently during the entire, required retention period (in some cases, 'rapid discovery' obligations are specifically expressed).
Ensure legal hold orders can be enacted across all media - precisely, immediately and with full verification of receipt and compliance by each recipient.
Ensure privacy and other non-retention obligations are met during the entire lifecycle of each record type.
Ensure records are disposed of in a timely and appropriate manner in the normal course of business and in strict compliance with approved corporate retention standards.
Published September 1, 2006.