There was a time when IT managers dealt with document retention as a way to keep their boss' boss off their boss' back. Now, with a myriad of new laws on the books, establishing a good document retention policy—and enforcing it—is how IT managers keep their boss, and their boss' boss, out of jail.
"This isn't just about a discussion about backup and retention policies," said Emilio Bernabei, vice president of product marketing for RenewData Corp. "This is a discussion about how to keep your corporate executives out of jail."
And so it is. Ever-increasing amounts of electronic data that need to be secured, new laws that place a greater emphasis on cooperation between private business and law enforcement, and new technologies that aid in evidence-gathering and archiving combine to produce yet another job on the IT manager's to-do list.
And unlike the usual internal policies that are demanded by profit and corporate culture, governmental entities and the laws they are passing are behind much of the push for new document-retention policies. There are more than 10,000 separate laws in the United States that deal with document and data retention, and more such legislation is coming, according to RenewData general counsel and business development vice president Bob Robinson. "If you have a quantifiable form of data, there's a regulation for it," Robinson said.
Sarbanes-Oxley raises the bar—and the penalties
Of all these laws, the biggest of them is one of the newest, Sarbanes-Oxley. This federal law, enacted in large part as a response to U.S. corporate and accounting scandals, is, on its face, designed to require companies to become more fiscally accountable. Others have called it a paper tiger because it criminalizes spoliation and the intentional failure to preserve documents that are—or may one day be—required in litigation.
Sarbanes-Oxley provides for a number of stiff penalties, the most eyebrow-raising of which are the criminal sentences that could be handed down. A corporate executive could face up to 20 years in prison for "knowingly" altering or destroying anything in an effort to influence or impede any federal investigation or bankruptcy. And it doesn't matter if that investigation or bankruptcy is ongoing or in the misty future.
Step one: Benefit analysis
So, as often happens when C-level managers are faced with a difficult but potentially dull, repetitive, labor-intensive task, they are turning to technology and their IT departments to figure out how to keep the company in compliance and out of court. And that means the CIO and CTO suddenly have had to become very concerned about all the different forms of "paper" data—paper records, microfiche, and faxes—in addition to e-mail, software, voice mail and other data long considered part of their focus. The thought of rifling through desks and file cabinets while they're searching desktops and laptops, various servers, and so many backup tapes to decide what to keep has been quite daunting to many.
A few IT managers are dealing with the issue by ignoring it. This doesn't last, said Jason Velasco, RenewData's vice president of legal and investigative services. "What happens is Mr. Lawsuit gets filed," he said. "That's when people scramble. All of a sudden, they need to know who has the documentation, where it is, who has access to it, and how fast can they get to it."
It's far better to be proactive and know the answers to all those questions before "Mr. Lawsuit" arrives. Robinson said that the first step is to do a benefit analysis. Determine how much it will cost to retain data and documents, and how much benefit the company will derive from that expenditure. Often, the larger the company, the more its executives need to worry about document retention legislation and regulations. "A small, small company just doesn't need to," said Robinson.
But a large company does, especially if it's publicly traded. "If it's a public company, and they're not working on this, then they're already in trouble and don't know it," said Robinson.
Step two: Determine what needs to be archived
The next step is to decide what the company wants to keep. Some are no-brainers. Most IT managers know they should keep patents, corporate foundation documents, sales, employee records, marketing planning, and other such documents. But some aren't so clear. For instance, some newer regulations now on the books require some companies and organizations to archive e-mail and even store instant messaging records. However, a company that finds it isn't required by statute to archive e-mail needs to decide if there is any real motivation to do so.
Step three: Archiving is the only way
Step three is to define what technology solutions are available and get them in place. This is when a lot of IT managers find out that the long-cherished grandfather-father-son backup system won't satisfy the new regulations. What companies need to avoid is what RenewData's marketing materials call the "three-headed monster": the idea that PCs, servers, e-mail, and backup systems somehow equal a de facto data repository. They don't.
This means that IT managers have to learn the difference between a backup system and an archive system. System backups are designed to restore a computer or an entire network should a natural or other type of disaster destroy the existing system data. However, these same backups, useful as they are, make very poor repositories. Robinson cited one case in which a litigant thought his 40,000 backup tapes would save him, only to find they were impractical for retrieving court-required data in a hurry.
And while IT managers are dealing with that learning curve, they're also having to deal with a challenge that has plagued IT departments for years: management-level apathy. Higher management too often tells IT to "just do something, and I don't care what," Robinson said. "That's probably the greatest pitfall there is."
But it points up the greatest challenge to making a success of these new retention policies—getting the rest of the company onboard. "Having a policy and not enforcing it is worse than having no policy at all," Robinson said.
Step four: Setting up a solid team for the job
This brings me to step four: getting the right people in place and keeping them there. "Proper implementation will free up manual labor, which is the most difficult type of labor to get," Robinson said.
And by manual labor, Robinson doesn't mean digging ditches. He's talking about the drudgery of having to keep track of data and documents and maintain a policy. Very large companies need large departments to maintain and implement policies. This is a particularly gifted set of people, Robinson said. "These are the haranguers, the reminders, the people who will constantly do this stuff," he said.
The reason these people are important is that employees, even at management level, seldom come to see on their own that document and data retention is necessary or important. "It must be part of the corporate routine," Robinson said. "People aren't going to do this because they want to. The only way to do it is to make people do it."
And making them do it is quickly becoming another job for the IT manager and his or her department. Bernabei cited the work he and his colleagues have done with Fortune 1,000 companies and said he's had a chance to see the right way and the wrong way to implement new document retention policies. "The best practices we've seen are in companies where CIOs take the initiative and get the company to work across the board as a team."
However, one thing that members of the team will do—ultimately—is screw up. Somewhere, sometime, an employee is going to delete a file he or she shouldn't have. One way to guard against that eventuality is to plan for it. Donald Goldstein, co-managing partner of Goldstein Lewin and the person spearheading his company's IT and accounting training in the wake of Sarbanes-Oxley, recommended layer upon layer of document archiving and data retention. Documents that require retention should be retained in multiple archives.
Goldstein also cautioned against getting bogged down in worrying about what might happen if an employee unintentionally destroys what could be a litigation-sensitive document. "Most of the provisions [in Sarbanes-Oxley] talk about documents that are intentionally erased," he said. "If you've done a good job in developing a policy and have implemented that policy, then you've done everything you can do to comply with the spirit of the law as it's intended."
Still, even the most seasoned IT manager should approach development and implementation of a new document retention policy with a certain amount of wariness, said Robinson. "Bite off only as much as you can chew," he said.
"This is a big, big, big project. And there is no way it can be implemented throughout an organization all at once," said Robinson. "Think of it as a giant hydra with many heads. Go after one head, attack it, and kill it. When it's dead, go onto the next head."