Electronic Records Retention: Getting It Right

Wednesday, December 1, 2004 - 01:00

The computer's common use as an essential business tool, and the tremendous and exponentially increasing storage capacity for computer-generated or recorded information, have transformed the landscape of information retention and destruction. Now record retention regulations are becoming increasingly important to follow, and follow correctly and consistently.

Certain regulations in particular illustrate this need, including extensive OSHA requirements, as well as new Sarbanes-Oxley laws that prohibit the destruction or alteration of records, and escalate penalties for already existing violations to, e.g., 20 years of incarceration for obstruction of justice, including tampering with records or witnesses.

Many rules are entity- and business-specific, and only some more recent rules provide guidance concerning electronic records. Most laws in place predate the current electronic information age, yet still require evaluation in examining this topic.

Immediately Segregate Attorney-Client Communications

Disaster lurks once privileged and confidential attorney-client communications become commingled with normal corporate communications. Privileged communications must be clearly marked, both in the "Re:" line and the text of the document. Given the frequency of email communications, such communications automatically should be retained in a segregated, secure server, to the extent retained pursuant to company policies and procedures.

After the fact, unless segregated, privileged communications inadvertently may be produced to potential adversaries because, for example, the reviewer prior to production is unaware the sender or receiver is an attorney (which becomes more likely the longer the retention period due to employee turnover). Moreover, the segregation process itself after the fact can delay production enough to result in sanctions for untimely production. Legal Department systems should default to place the privilege notice in the "Re:" line, an abbreviated notice as a header on every page of the document, and more extended notice after the text, increasing the probability of identifying a privileged, yet corrupted document (missing, perhaps, the first page).

Outside counsel should take the same precautions when communicating with clients, and clients should arrange for the same automatic routing and segregation for communications without outside counsel.

Paper Preempted

Before the ubiquitous use of the computer in business and business communications, information meant, for the most part, paper records. This simplified developing workable information retention policies, which companies could follow with relative ease.

But now that has changed, vastly complicating earlier practices: (i) a small, inexpensive hard drive can store a room full of printable information; (ii) electronic communications like email, now used extensively in order to conduct business, generate even more information, often with little thought given to the detail of their contents (as in a formal letter) and their recipients; (iii) electronic information is distributed to multiple locations (including home computers), through various systems, any one of which can store a copy of the information; and (iv) data is routinely "backed up" and stored against the possibility of a catastrophic systems failure.

Myriad laws, rules and regulations at the federal, state and local levels obligate companies, governmental organizations, persons and other entities to retain documents, records, email, electronic communications and other information. After adding mountains of electronic information (with multiple copies in multiple locations) to paper and other records, how can an entity even begin to analyze, and then implement and monitor, policies, procedures and systems designed to comply with these obligations?

Since the vast details and steps necessary to accomplish this are beyond the scope of one publication, this article aims to suggest a basic framework designed to arrive at a reasonable and compliant information retention policy.

1. Establish A Formal Information Retention Policy. A surprising number of entities have arrived at their current information retention practices in a haphazard, reactive fashion. Even before recent laws and decisions brought this topic to the forefront, this was dangerous. Although the process may differ depending upon the nature of the entity, every single entity should establish a formal information retention policy. The framework for approaching this has a number of basic common elements, since all document and record retention laws applicable to a particular entity raise the same questions:

  • What information?

  • At what time(s)?

  • How (or in what form) and where?

The first step to establish a rational and compliant information retention policy is to answer these questions in two respects: (I) determine what information is necessary and appropriate to retain given the business or other needs of the particular entity in order to conduct day-to-day operations efficiently and at a reasonable cost; and (II) develop a thorough understanding of the applicable laws - usually different for different entities, depending upon type and operations.

Integral to this is the day-to-day involvement of Senior Management, Mid-Level Management, and the Management Information System ("MIS") and Records departments. The driving force underlying any information retention policy should be serving the reasonable, legitimate business and other needs of the entity. Legal requirements are an essential but secondary element.

Certain considerations bear examination:

  • Entity-Dependent Balancing Act. Establishing a Policy will require an extended business analysis that culminates in an entity balancing the importance and usefulness of information it is not legally required to retain against the potentially tremendous costs of locating and producing the information if required to do so in the future, perhaps in connection with an investigation or lawsuit.

  • Critical Business Continuity Information. Depending upon the nature and business of the entity, critical information should be backed up to an off-site location.

  • Multiple Copies. Since the advent of the Xerox machine, and even more so in the computer age, employees tend to create and distribute far too many document copies, both in electronic and paper form. Distribution only should be to those with a need to know and the employee's direct supervisor, plus, if required by Policy, to Records.

  • Internal Spam. Many companies suffer from internal spam, often because employees use pre-existing, defined distribution lists too broad for the necessary audience. Employees must be trained to use narrow, defined distribution lists, company created if broadly useful, or employee created for specific situations. If not, everyone may lose, say, fifteen minutes of productivity a day deleting unnecessary email. Worst case: prosecutors and juries may believe everyone on the distribution reads a damaging email.

  • Treat Email Like Formal Correspondence. Employees tend to treat email as unrecoverable conversations. Statements intended at the time to reflect sarcasm, satire or a joke later may take on a nefarious appearance when reviewed by others, such as the government and plaintiffs. All entities must train employees to treat email as formal correspondence.

Ultimately, following this process leads to an Information Retention Policy that is good for the overall business, not just another set of burdensome legal requirements. As such, employees will view the Policy in a positive light, encouraging timely and diligent implementation.

2. Use One Point Attorney For The Project. For larger organizations subject to many laws, the legal analysis may seem daunting. Nevertheless, although certain laws requiring information retention may be exceedingly complex, a single point attorney alone should master their overall information retention requirements, and consult experts in particular legal practice areas after a comprehensive draft policy is developed.

3. System Limitations And Operation. Existing system limitations should not drive the Policy, which may require the company to supplement or adopt entirely new systems.

The entity must understand and control the precise details of MIS operations. For example, if the Policy calls for destruction of a class of information after a certain date, and the systems' programs destroy such information on the mainframe but not on an automatically backed up off-site location, the entity has not achieved Policy goals.

Also, destruction must mean obliteration: the information must be completely wiped and unrecoverable, like shredded paper. Information on a hard drive cannot merely have its index pointer deleted, or be erased with just single binary digits; under today's sensitive technology, it would remain recoverable until overwritten. The underlying data itself must be rendered entirely unrecoverable using algorithms that rely upon multiple random overwrites.

This process puts the entity in a position to know precisely what information it has and does not have. Otherwise, for example, an information subpoena might require the entity to search all hard drives that might still contain responsive information because deleted information might not yet have been overwritten.

In this day and age, in well-publicized cases, personnel and legal expenses required to respond to a single information request have cost entities fees and expenses in the $100 million range. In this light, entities must not ignore or delay arriving at and implementing an effective Information Retention Policy.

4. Implement The Information Retention Policy. Ultimately, the entity and senior management bear responsibility for establishing and maintaining Policy compliance. Thus, after these deliberations and any resulting changes, one necessary policy refinement remains: clearly delineating who is responsible for implementing and supervising the Policy. These details must be enunciated in a manner designed to make certain that the tasks are carried out in a coordinated fashion and result in reasonably retrievable information under the circumstances.

The computer age necessitates the formulation, implementation and routine adherence to a reasonable and compliant Information Retention Policy. Unless this project is prioritized, adequately staffed and completed in a timely fashion, an entity is exposing itself to unimaginable costs, regulatory sanctions and other disastrous consequences, including the end of its very existence.

Getting It Wrong

A company's potential damage from wrongly implementing or executing proper electronic information retention is skyrocketing. Well-publicized cases have placed companies and their attorneys on notice of this peril. According to Federal Judge Shira Scheindlin of the New York Southern District Court, "[t]he subject of the discovery of electronically stored information is rapidly evolving. Now that the key issues have been addressed and national standards are developing, parties and their counsel are fully on notice." In that case, Zubulake v. UBS Warburg, Judge Scheindlin punished UBS and its lawyers for intentionally deleting emails sought in discovery and delaying electronic material delivery. Even though some deletions appeared to result from misunderstandings and miscommunications, the Court held, "counsel failed to properly oversee UBS in a number of important ways, both in terms of its duty to locate relevant information and its duty to preserve and timely produce information." In March 2004, the SEC fined Banc of America Securities $10 million for alleged stalling on providing evidence in an investigation. Banc of America had claimed that it was too burdensome and would take too long to produce the required archived emails.

Getting It Right

The monetary and criminal penalties, loss of investor confidence, extraordinary regulatory oversight and bad press arising from a record retention error are tremendous and increasing. This moves establishing and maintaining a reasonable, consistent and effective record retention policy, including periodic training, from the "back burner, non-revenue producing" category straight to the "front burner." If not already done, technology platforms must be fully understood, and upgraded if inadequate, and the Board and Senior Executives need to push the project, and maintain their oversight.

This proactive approach may well keep the Company and themselves entirely off any burner.

Dennis R. Dumas is counsel in the NY office of Chadbourne & Parke LLP. He can be reached at ddumas@chadbourne.com. This article was previously featured in Compliance Week.