New E-world Replaces Musty Boxes in Basement

Posted by Gregg Mayer on Friday, March 21st, 2008   

“Electrons have replaced ink and paper,” according to an article in The Journal of Legal Technology Risk Management.

Archiving in the past meant “moving around dusty boxes of paper in the basement.”  Today, it means the dynamic world of storing email and other electronically stored information (“ESI”).

Increasingly, regulations and litigation are forcing companies to take stronger and broader strides in ensuring retention programs are up to date and effective. As the article explains:

New regulations, such as Sarbanes-Oxley and the December 2006 revisions to the United States’ Federal Rules of Civil Procedure have made the need for archiving electronic information in a manner that makes the information retrievable without crippling the enterprise more urgent. A fully functional enterprise archiving system is no longer “nice to have,” but should be now a “must have” for all business enterprises, particularly those in highly regulated environments such as the financial or healthcare industries. Unfortunately for business, most enterprises have no such system; those that do often find the employees not following the rules. Without such an implemented system, the enterprise must spend massive amounts of time and money finding documents that may be kept in backup media because the enterprise does not have useful archives, or that may be kept on CDs or DVDs tossed in some employees’ desk drawers.

The article offers 13 tips to consider when developing an archiving system. Here are the first three:

1. Understand that archiving is a long term project that sheds a whole new light on needs and may test all existing technological knowledge and assumptions, requiring constant monitoring and revising;

2. Assess the enterprise’s current electronic policies and define or redefine processes and procedures to account for worldwide regulation affecting the enterprise;

3. Assess the total document repository size in terms of the number of individual documents rather than in storage capacity, which is a misleading metric since the number of documents not their size defines scale;

Read the entire article from The Journal Of Legal Technology Risk Management here. 

New Book Offers Basics For A Retention Policy

Posted by Gregg Mayer on Monday, March 17th, 2008   

With the increasing business use of electronically stored information (“ESI”), coupled with the burdens of regulatory compliance and e-Discovery under the Federal Rules of Civil Procedure, CIOs are tasked with crafting effective retention policies for ESI.

A newly released book – designed for law students and lawyers, but offering some practical information for CIOs as well – addresses a whole host ESI issues, including the drafting of a retention policy.

According to New Directions: Social Networks, Blogs, Privacy, Mash-Ups, Virtual Worlds and Open Source (PLI, $199), here are some basic foundations that retention policies should take into account:

(1) state the good faith purpose for its implementation;
(2) designate a person responsible for oversight and implementation, usually within each business unit;
(3) ensure that documents necessary to preserve the entity’s organizational knowledge are preserved and categorized so that they can be retried when needed;
(4) divide each type of document for file into categories and then assign a retention period for each;
(5) comply with statutory or regulatory requirements to retain specific categories of documents;
(6) ensure that the documents necessary to support the entity’s legal position in the event of possible litigation are preserved;
(7) avoid improper destruction or alteration of documents if litigation or a governmental investigation ensues; and
(8) provide for procedures to suspend the policy due to potential investigation/litigation

Of course, all retention policies vary depending on the size of a company and the type of work it does. CIOs should work closely with their legal department and IT staff to ensure a retention policy meets all of the company’s needs.

Just as important as drafting a policy is its implementation. CIOs must make sure their companies are fully following the policy or it will prove of little value if legal trouble ensues.

To check out the table of contents for New Directions, and to order one, visit the PLI site here.

Document Retention Policies In An E-World

Posted by Gregg Mayer on Tuesday, February 26th, 2008   

More than ever, business documents are e-documents that companies must retain as part of their day-to-day business practices. According to a recently published article in the Louisiana Bar Journal, “a recent study concluded that 93 percent of all ‘documents’ now originate in an electronic format.”

This excellent article discusses reasons for retention policies in an e-world, particularly the storage of email and other ESI:

It should be clear why business clients should care about the proliferation of perpetual “e-documents” in the digital age: in those “e-documents,” the litigation adversary is likely to find a gold mine of information — or possibly the single “e-nugget” that may be the ticket to a large jury award. From the Big-6 accounting titan brought to its knees in the wake of the Enron scandal, to the Wall Street banking house dealt the “death penalty” instruction for repeated failures to announce its trove of digital data, incidents of failed document retention and destruction policies have served a wake-up call on corporate America.

There are several considerations a retention policy must take into account. According to the article, effective records management includes:

• identify those documents that must be maintained in accordance with the law;
• identify those documents that the business must keep to effectively function;
• track the company’s maintenance efforts;
• lay out a schedule for the systematic destruction of records in accordance with the above guidelines;
• effectively destroy the documents that are scheduled for elimination under the program;
• and monitor and audit the company’s execution of the program.

The article is available at the LBJ’s Website here.

Compliance Costs and Implementing Solutions

Posted by Gregg Mayer on Monday, February 25th, 2008   

In Wall Street & Technology, a short article reports that compliance costs for financial institutions are growing faster than net incomes. Compliance costs grew from 2.83 percent of net income in 2002 to 3.69 percent in 2006.

One of the primary reasons for the increase in costs, according to Deloitte, is that institutions are responding to regulation by applying human resources to monitor compliance, rather than investing in scalable technology resources to manage the effort. The research report shows that 60 percent of respondents’ compliance-related spending in 2006 was on compensation, while only 19 percent of spending was on consultants and vendors; 18 percent went to capital expenses, including systems, hardware and software.

As the article notes, finding ways to incorporate more technological solutions may help drive down compliance costs.

Speaking of compliance, a recent article in InformationWeek explores using email archiving to keep up with the fast-paced world of ESI.

Companies can implement online e-mail archiving with little to no capital expense in just a few days. In comparison, installing a fixed content storage system and integrating it with e-mail archiving software is a substantial project. This makes online archiving especially attractive to smaller organizations

Read the full article here. 

Regulation Means Retention for Years – Email and All

Posted by Gregg Mayer on Thursday, February 14th, 2008   

CIOs must implement record retention policies – including retaining email - that comply with a vast assortment of federal regulations. Often, companies must craft different retention periods for various types of communications to meet the demands of federal regulation.

Knowing what to keep and how long to keep it can be a monumental task.

For example, some records are not covered by any regulations and can be discarded under the company’s own policy – maybe in as little as 30 days. Other records – including relevant email - may need to be retained for as long as 30 years, if not permanently.

The problems of retention are compounded by the proliferation of email for business use. Thousands of email messages pour in and out of a company. Knowing where this email goes and what information is in it is a critical necessity. More importantly, knowing how long the information must be retained is necessary to ensure regulatory compliance.

In order to be prepared, CIOs need to ensure they have an active and comprehensive retention policy. They need to make sure their archiving systems properly retain relevant records. They need to know where all of that email is and how they can get to it when the regulators (or lawyers) come calling.

Just as important, they need to know how long the regulatory timelines require the information be stored. Below is a synopsis of various timelines established by regulations that affect numerous companies:

Family Medical Leave Act (FMLA)
Generally, records must be kept for three years. This includes basic payroll documents, names of employees, addresses and occupations, hours worked and total compensation, among other related information. Keep in mind the FMLA also requires records be kept pertaining to employee leave taken under the FMLA, as well as any records regarding leave disputes.

Title VII of the Civil Rights Act of 1964
Any information about race or ethnicity of employees should be kept permanently and separately. Other information relating to personnel decisions, including requests for reasonable accommodation and application forms, must be kept for one year.

Americans With Disabilities (ADA)
Requirements under the ADA mirror the requirements of Title VII. Generally, retention is one year.

Fair Labor Standards Act (FLSA)
The length of time to save records under the FLSA depends on the type of records. Here’s a general breakdown:

• Keep these records two years: Under the regulations, companies must keep “basic employment and earning records,” as well as wage rate tables and assortment of other related material for two years.
• Keep these record three years: Payroll records, certificates, agreements, plans and notices must be kept by the employer for three years.

Equal Pay Act of 1963
In addition to having the same compliance as the Fair Labor Standard Act, an employer must preserve for two years records that relate “to the payment of wages, wage rates, job evaluations, job descriptions,” and an assortment of related records.

Age Discrimination in Employment Act of 1967
Similar to the FLSA, this Act implements a three-year retention requirement for payroll and related records containing information about the employee’s identity such as the name, address, date of birth, and rate of pay.

In addition, employers must keep for one year information such as job applications, resumes, or other job inquiry information. This also includes other information such as job postings.

Employment Retirement Income Security Act (ERISA)
ERISA regulations actually specify the use of electronic media for retention of records, and demand they be kept in “reasonable order and in a safe and accessible place, and in such manner as they may be readily inspected or examined (for example, the recordkeeping system should be capable of indexing, retaining, preserving, retrieving and reproducing the electronic records).”

Records necessary to determine benefits to employees must be kept permanently. Welfare and pension records should be kept five years, and supporting documents for ERISA filing should be kept six years.

Occupational Safety and Health Act (OSHA)
Generally, information should be kept for five years after the end of the year in which the information pertains (such as an accident, illness, etc.) Records for serious adverse reactions must be kept up to 30 years.

Federal Acquisition Regulations (FAR) Subpart 4.7 Contractors Records Retention
Information, such as books, documents, accounting procedures, and other data, including email, must be kept for three years after final payment under the contract.

Health Insurance Portability and Accountability Act (HIPAA) of 1996
Employers should retain various records, such policies and procedures, patient privacy data, certificates of coverage and other coverage information, for six years. Records must be kept for two years after a patient’s death.

Employee Polygraph Protection Act
Records relating to reasons for conducting polygraph examination and other related materials must be kept for three years.

Sarbanes-Oxley Act of 2002
Generally, public companies should save business records, including email and other ESI, for five years, although the Act specifies various retention periods for different types of records.

Labor-Management Reporting & Disclosure Act of 1959
Records, including back-up and supporting documents, required by the Secretary of Labor must be kept for at least five years.

Federal Withholding
Under the Federal Insurance Contribution Act (FICA), the Federal Unemployment Tax (FUTA) and Federal Income Tax Withholding regulations, records pertaining to federal taxes must be kept for at least four years. This includes identity and wage information.

Davis-Bacon and Copeland Act
Employers with federally funded projects should keep information for two years, including records relating to the periods of contract, pay records and work records.

National Labor Relations Act (NLRA)
Any collective bargaining agreements, including correspondence with the union, must be kept for seven years from conclusion of contract.

Immigration Reform and Control Act of 1986 (IRCA)
Employers should keep for three years after date of hire (or one year after termination) information about employee’s identification and work authorization.

SEC Rule 17a-3, a-4
Broker-dealers must retain comprehensive records, including email, of securities transactions for at least six years. The first two years they must preserve the documents in a reasonably accessible place.

Check back to this blog for individual posts about different regulations and how they may impact you.

What Would The Most Famous E-Discovery Judge Do To Ensure ESI Was Properly Maintained?

Posted by Gregg Mayer on Monday, February 4th, 2008   

Judge Shira A. Scheindlin, who gained fame for her multiple opinions on e-Discovery in the precedent-setting Zubulake case, told interviewers the top 10 things she would do if she were suddenly off the bench and general counsel for a Fortune 500 company:

1. I would be sure there is a well-thought-out records retention policy in place for business purposes that takes into account any statutory or regulatory obligations.
2. I would make sure that someone is really in charge of records retention and that she knows what she is doing. This person should probably not be the head of the IT department, but someone whose primary obligation is deciding what should be retained and how.
3. I would set up a records retention committee that meets regularly. The committee should include the general counsel — that’s me! — a senior executive, the head of the IT department and the records retention manager. Minutes of these regular meetings should be kept and circulated among all the participants.
4. I would disseminate the records retention policy to all company employees, and then I would find a way to test them on whether they have understood and implemented the policy.
5. I would set up a response team every time there is a litigation-need to preserve documents.

See the rest of her tips in this transcribed interview.