Electronic Document Retention and Destruction: The Impact of Global Regulations

Transcription

1 An IT Briefing produced by

2 By Mark Diamond and Galina Datskovsky 2007 TechTarget BIOS Mark Diamond, President and CEO, Contoural Inc., is an industry thought leader in archiving, compliance, storage, data protection, and ILM strategies and practices. As CEO of Contoural, he helps Fortune 500 companies reduce risk, ensure compliance, and lower costs. A frequent industry speaker, Diamond addresses how organizations can better align business requirements with IT and storage spending. Galina Datskovsky, Ph.D., CRM, Senior Vice President of Development at CA, is an internationally known expert in the field of records management and associated technologies. She has over 20 years experience in computer sciences, and is Past President of the New York City Chapter of the Association of Records Management Administrators (ARMA). She received her CRM certification in In 2006, Dr. Datskovsky received the Honored Member of the Year Award from the ARMA Metro New York City Chapter. Dr. Datskovsky has published articles in prestigious academic journals and computer science conference proceedings and is a sought-after speaker to organizations worldwide on computer and records management systems. Speaking engagements include: ARMA chapters in California, Connecticut, Florida, Massachusetts, and New York; AIIM, ALA, ARMA, Gilbane Conferences, LawNet, and MER. In 2003, Dr. Datskovsky gave a nationwide web presentation to NARA on the topic of electronic records administration. Dr. Datskovsky is Senior Vice President of Development at CA, Inc. She was founder and CEO of MDY and one of the creators of MDY FileSurf, leading the company to become one of the leaders of records technology for the past 18 years. Dr. Datskovsky oversees technology operations for a variety of clients in the Fortune 100, legal, medical, government, and civil-service arenas. She consults with companies to evaluate their records and document management strategies. Prior to joining MDY, Dr. Datskovsky consulted for IBM and Bell Labs and taught at the Business School of Fordham University and the Graduate School of Columbia University. Dr. Datskovsky received her Ph.D. and Masters in Computer Science from Columbia University. This IT Briefing is based on a CA/TechTarget Webcast, Electronic Document Retention and Destruction:. This TechTarget IT Briefing covers the following topics: International Regulations and Electronic Documents Different Drivers International Regulatory Landscape Privacy Information Litigation Discovery User Behaviors Global Retention Policies: Best Practices Automate Records Retention Information Governance Litigation Discovery Content, Not Format Getting Started Collaborate On Policy CA s Solution Copyright 2007 CA. All Rights Reserved. Reproduction, adaptation, or translation without prior written permission is prohibited, except as allowed under the copyright laws. About TechTarget IT Briefings TechTarget IT Briefings provide the pertinent information that senior-level IT executives and managers need to make educated purchasing decisions. Originating from our industry-leading Vendor Connection and Expert Webcasts, TechTarget-produced IT Briefings turn Webcasts into easy-to-follow technical briefs, similar to white papers. Design Copyright TechTarget. All Rights Reserved. For inquiries and additional information, contact: Dennis Shiao Director of Product Management Webcasts, TechTarget dshiao@techtarget.com

3 Electronic Document Retention and Destruction: The Impact of Global Regulations International Regulations and Electronic Documents This document describes the impact of international regulations on electronic documents, one of the most interesting, most complicated, and most emotional areas within all of IT, and possibly within all business. There has been a huge surge of electronic documents, a huge surge of globalization, which many people are struggling to understand. It is difficult enough to lay out best practices for a single organization, but how do you determine the best practices for electronic document retention and destruction all across the world? Companies that have operations all over the world are typically surprised by the number of documents they have in different locations. International records include corporate, finance, and tax documents. Different countries have different regulations in terms of human resources, employee documents, and intellectual property. A slightly larger proportion of documents internationally are paper, in contrast to those in the US, but as companies begin to look at this, they sometimes get overwhelmed as they look at all the different countries, all the different document types, and all the different media. Local regulators and local courts in many different jurisdictions generally recognize that electronic documents have a lot of merit, but just because something is electronic does not mean it is a real document; quite the opposite. Electronic documents today are playing a more significant role than ever in global record keeping. Different Drivers As reflected in Figure 1, many organizations initially approach this topic from a compliance perspective, typically because either global standards or local regulations require some retention of electronic documents. The next driver, which is especially important internationally, is privacy. Privacy is not a driver itself that requires organizations to retain documents, but it has a real impact. Many documents contain personally identifiable information, about either employees or customers or patients, and organizations need to know what they have and be able to keep it secure. Privacy almost has a bigger impact on document retention and destruction than compliance. One of the largest drivers tends to be litigation and discovery in different jurisdictions. Companies need to have documents to support their positions in court, or they find themselves continually in a position to be discovered, and rules are changing in this area very quickly. Storage costs and business productivity also tend to be big drivers. Employees in remote locations have a tendency to save all their own documents and all their own , mainly for personal productivity reasons. It is worse to have a policy that is not followed than to have no policy whatsoever, so whatever policy is put in place for electronic document retention and destruction must be consistent with how employees actually do their work. Storage costs, operational costs, archival costs, destruction costs, and discovery costs all weigh into this. Many organizations are reluctant to adopt enterprise documents retention and destruction policies unless they have a good idea of the different cost issues associated with it. International Regulatory Landscape Most regulations are country-specific, so there is a tremendous amount of variability. Some of the regulations tend to follow Commonwealth organizations. Sometimes companies fall under international regulations such as Sarbanes-Oxley if they are traded on stock exchanges. Thus, there is a mismatch of different regulations: many of the regulations are based on paper records, and the electronic records are slow to catch up. Time and again, one of the big challenges is getting prescriptions from the regulations. Some of these regulations tend to be fairly prescriptive: they tell you exactly what you need to say or, in some cases, exactly what you need to secure. However, in most cases, international regulations tend to be very 1

4 Figure 1 nonprescriptive and not terribly clear. Sometimes they are based on the idea that everything is recorded on paper records; it is not, and that produces many gray areas. Regulatory discovery from one country can impact records kept in other countries. If a company s operations are based out of Australia, for example, and the company gets sued in Australia and they have operations in Indonesia, their Indonesian records are fair game for the Australian regulators. Regulation tends to be company-specific and not necessarily locationspecific. One overall trend is that regulators want organizations to save more records and to retrieve records quickly. When, for example, Japanese regulators request, I want to see these records, they must be produced very quickly. Vague or indefinite regulations may require indefinite retention. Many more companies have many more operations in many more countries. Globalization is spreading much, much faster than local laws are adopting, and so the regulations will probably take at least five years to catch up in all the different locations. However, just because regulations are not in place yet does not mean you should not follow them. Figure 2 shows a high-level view of the different electronic regulatory prescriptions in different countries. As you would expect, some of the more advanced economies tend to have more prescription, although not in all cases. Other economies are just emerging, and so different rules are coming up. You see more of a move toward corporate governance. Corporate governance is a trend that started in the US, and from country to country, more and more regulators are looking for their own version of Sarbanes-Oxley for corporate governance, which has some impact on records management. The idea here is to try to simplify your records to make retention and destruction for regulatory purposes easier. One of the best approaches is having one master policy with very limited country-by-country exceptions. That tends to be less complicated than having different records policies for each country in which you operate. We are now seeing the opposite with data privacy, which really started in Europe. Most of the data privacy regulations were a reaction to World War II and the wartime misuse of personal data. Germany was the leader in the privacy regulations post World War II. This trend migrated to France, and now it is in the EU, and then it spread to Japan and Australia and 2

5 Figure 2 South America. The United States has a patchwork level of data privacy. This is a wave that is spreading all across the world, as shown in Figure 3, and most countries are expected to have some level of best practice around privacy regulations within the next two or three years, probably spreading faster than corporate governance. Privacy Information What is privacy information? This is personally identifiable information: any records, any , any documents, any files that contain names or addresses or government identification numbers, phone numbers, credit card numbers, driver s license information, criminal information, school information, academic information, or genetic information about individuals. These can be employees, patients, or customers. The regulations state that information needs to be kept securely. In some cases, for example in the UK, if an individual consumer wants to have that information expunged, they can go to an organization and say, Tell me what information you have about me, and expunge that information. The trick with privacy is to know what you have: know where you have information about individuals; have a way of finding specific information about individuals; and keep it secure. Companies want to avoid privacy breaches and to keep privacy data more secure than other information. Companies must do those two things: know what they have and keep it secure. Companies do not want their records retention policy to make them liable for some type of privacy breach. The data privacy policy needs to be consistent with the records retention policy. Litigation Discovery Litigation discovery is the next driver. Employees create records, and tax laws and reporting regulations have additional record-keeping requirements. Once records exist, they may be sought as evidence in government inquiries, civil litigation, or criminal prosecution. This tends to vary significantly by country. In some countries for example, in the US, which is the leader in this area the idea of e-discovery or discovery of records, particularly electronic records, tends to be a very strong driver. In parts of Europe, it is much less of a driver because they do not have quite the same discovery requirements. Other parts of the world, like Australia, are catching up very quickly. Note again that actions in one country can be discovered by courts in another country. If a company has business 3

6 Figure 3 across the world, it needs to manage all pertinent records. It cannot say, Well, those records are sitting in China. We do not have to get those records. Chinese law may not require the company to do that but, certainly in the US, litigation for a company that has an office in China can discover those records. Geographies do not necessarily protect you from e-discovery actions, and many companies are putting the whole idea of e-discovery and the whole idea of litigation readiness on the same page in order to be better prepared. McCabe Versus British American Tobacco One case study concerned an Australian company, McCabe versus British American Tobacco (BAT). BAT was anticipating litigation. They updated their policies, and they had a previous litigation hold that expired, and because this litigation hold expired they said, Okay, this is a good chance for us to go delete all those records because we do not need them. The judge in the case found the deletions outrageous, saying, You do not have a right to delete these records, and he refused to let them present their defense. The Appellate court reversed that decision, but public outrage led to a crime bill, the Document Destruction Act, in This is a trend across the world, in which business has a responsibility to produce records when in litigation, and any attempt to delete those records will be viewed in many cases as spoliation, which is a legal term meaning purposeful deletion of records. User Behaviors Next is the issue of end-user behaviors. No matter what country they are in or what company they work for, users will save information. They want that information, and if the company policy is to delete all , for example, after 30 days, people individually save it on PST files. They save it on USB drives. They save it in part because this is an important productivity tool for getting their jobs done. They are not necessarily trying to be bad people, going against the policy, but very aggressive deletion policies tend to drive underground archival. This is true in Europe, Asia, and in the US and South America. Whatever a firm s record retention policy is, it must be consistent with how end users actually do their jobs. Firms should avoid the 30- to 60-day deletion policy, because it drives underground record archival. 4

7 Global Retention Policies: Best Practices International locations tend to have more paper documents, or at least the regulators there tend to take a more paper-centric view versus an electronic-centric view, although that is changing. In this case, management and exploration of those paper documents is very important. It is best to develop standard global retention policies with country-specific exceptions. The global policy should be as simple and as straightforward as possible, and you should apply any country-specific exceptions only to that one country. The policy should contain a component of data privacy or e-commerce regulations. Sometimes, countries lack specific electronic record retention regulations. In that case, it is acceptable to fall back on a country s code of civil procedure, because that tends to be more firm than other regulatory requirements. If you are looking for where the world is heading in the future, US law in terms of electronic record retention will probably be one of the standards, as well as some of the regulations coming out of the EU data privacy laws. Put together the EU data privacy laws and the US corporate governance and record retention practices, and that is where the world will be 10 years from now. If a firm is going to base its policy on something, it is good to base it on the US and the EU data privacy laws. One of the big issues on which companies continue to be challenged is retention of records, and litigation and litigation holds. If a firm has a trial happening in one place and has to go around the world and find all pertinent records, how are they going to find them? Organizations should not take a bottom-up approach based on regulations. It would become insuperably complicated to look at every document and every regulation in every country in which the firm operates. It is much better to create a simpler policy that is easier to execute. Automate Records Retention Put time and effort into getting the right tools and the right technology. Good records require using technology effectively, which means creating automated collection and avoiding manual processes. The companies that are best at this have put some effort into the policies, which is important, but they have also put effort into making the policy simple. They are really good at having the right tools and technologies. The sheer quantity of these records makes a manual process impractical. The best-practices approach for international records is to develop a record retention policy based on the five drivers. First, address the privacy component. Start out with the more prescriptive countries, because the less prescriptive countries will tend to follow the more prescriptive ones. Good policies tend to be media-agnostic. You can start out creating an e- mail retention policy, but that will be very similar to the file retention or paper document retention policy, because it does not make a difference what the underlying media is. Develop country-specific exceptions in order to make this easier. If you start with the business drivers and simplify from there, if you take the approach discussed above, and if you have the right technology, it tends to work. It begins as something that feels very difficult, but gets easier as you proceed. It is actually a very manageable and achievable project that will make an organization much more compliant and litigation-ready, and much better prepared to manage electronic records. Information Governance Information governance is critical in today s business climate for many reasons. As Mark Twain said, It is no use to keep private information which you can t show off, and unfortunately sometimes we show off that information in court. So it is very important to know what we are keeping and to keep it for just the right amount of time. Litigation Discovery Why information governance? One answer is litigation. If you are required to produce information during a particular request for a discovery motion, it is very important to have that information easily retrievable. It is very important not to have extraneous information, and to have just the right information that you need to actually go through, particularly with electronic records, although most of us use paper records. Firms go through massive amounts of information that they just happen to store because they have no policy, and during the litigation that can be an extraordinary request to process. There are privacy issues, and those are very important. Content, Not Format It is important to look at electronic records, regardless of the form in which they are created, in a uniform, policy-driven way. What does that mean? As one example, is not a record site in its own right. The content of the is what drives the kind of 5

8 record it is. If someone sends an to the HR Department and the HR person properly files it as an HR record, that is great. However, if that person is transferred out of the HR Department, but still has the right to that , then in fact we are in violation of privacy. So, good information governance takes into account who can see information and when. The business impact in itself is the message. We need to be able to store the information because we have to do our work. However, we are often unable to retrieve the correct information. If the wrong record is in fact retrieved as the correct one and there is no way to ascertain what is right, we could make serious mistakes. It is very important to keep information and to share information appropriately, to be able to quickly retrieve only that information that is indeed correct and needed. You need a good record policy with an appropriate retention schedule according to which, if there is no reason to hold information like a litigation-readiness reason it is deleted on a normal course-of-business basis. Firms then also benefit from reduced storage and search costs. Getting Started Some tasks need to be done before you start. For example, map out your data storage. Where is the information stored? For electronic records in particular, where are the electronic records created? If you have 200 or 300 different IT systems creating data, what is that in terms of volume of records? What kinds of records are being generated by each system? Can you determine the ownership? Who is actually the custodian of this record? What is the business alignment? What are the regulatory requirements that govern the record series being produced by these applications? Determine the information retention policies for all these questions. We need to look at information as records regardless of how they were created. For example, an HR record, an HR record, and an electronic document data record are one and the same series. Just because it is an , it does not belong in a different record. It is very important to have a policy and to simplify this policy as a particular set of rules and regulations. Note that, even if you have no policy, you still have a policy. That policy is, We are opting to keep everything forever because, if we have no policy, we had better not be deleting any records or we are in violation. Collaborate On Policy When creating a policy, it is critical that multiple departments custodian, IT, information management, records management or compliance, and legal all collaborate on that policy. It is also critical to determine your legal obligations in the various countries where you do business, and in the various states where you do business. For example, if you do business in 30 states, you might choose the longest retention period of those 30 states as the one and only period. You should not complicate the process by having 30 different periods, one for each state, because then even interstate transfer becomes an issue. So, developing a retention policy requires thinking about interjurisdictional transfer country-tocountry and state-to-state in the US. And of course, you need to evaluate the technology in use. Is it going to support the retention policy? If you have a particularly old application that cannot apply the retention policy, you might want to leave it as an exception. Maybe your business cannot replace it right now because you may have to explain this in court. You need to know that you could not comply for these reasons, and you need to have a remediation plan. Successful planning is key to tackling this challenge. It is impossible to tackle this all at once. You might want to have a two- or three-year plan that will bring you into compliance, and that tends to develop the policy. In that case, if you do have a litigation, that plan could be very helpful in a legal proceeding. Understanding compliance regulations that govern your business is key. Discuss the plan with your legal department and with the business owners. That means understanding regulations that govern the particular business you are in; each country where you do business might have a different view of those regulations, so having a general knowledge of them is important. It is also important to have an appropriate team or task force work on this. Generally, it would consist of the IT department, the records management group, legal compliance if that is appropriate, and it certainly should have executive backing, because nothing is going to change the culture of a company if it is not management-backed. Identify clearly all the IT challenges around and other applications. It is very important to identify where difficulties may arise. For example, are particular systems going to have problems with the system? Will there be certain phases during which you cannot connect with the records management application, or an archive application, or other systems? Try to avoid tactical silo solutions, because retention schedules should be global across all information. It is very important to be able to do it across the enterprise, across all the applications. Do not forget physical records: you 6

9 want to be able to say you applied the same policy for physical records and electronic records, across the board. CA's Solution Figure 4 shows CA s vision for its information governance, and particularly for this regulated record management component of its information governance solution. Policies must be applied across the platform, and records management is the foundation. The records management application is the foundation that applies appropriate retention policies and guidelines across the enterprise, and it should apply those across the enterprise groups, from physical records to all electronic documents, to , and so on, in a uniform fashion. An enterprise might have multiple repositories within the document management system, but all of them should be controlled by the stated policy entity. So, all records management provides a uniform way of viewing retention, dispositions, holds, and so forth, as well as discovery, and interacts with them all in a regulated manner with all the various applications in an enterprise. In order to drive the appropriate policy, it also interacts with the archiving systems. This suite has the CA Message Manager archive system, and the two are in close interaction so that you can consult not just the record, but the nonrecord. Retention management applies to both records and nonrecords for example, the copies we send in might have a much shorter life span and those are also controlled appropriately. Records management is the application of uniformity, and the audit trails that demonstrate an enterprise in fact complied with it. Figure 4 7

10 About TechTarget We deliver the information IT pros need to be successful. TechTarget publishes targeted media that address your need for information and resources. Our network of technology-specific Web sites gives enterprise IT professionals access to experts and peers, original content, and links to relevant information from across the Internet. Our conferences give you access to vendor-neutral, expert commentary and advice on the issues and challenges you face daily. Our magazines CIO Decisions, Information Security, Storage, and WinStorage give you in-depth analysis and guidance on the critical IT decisions you face. Practical technical advice and expert insights are distributed via more than 80 specialized e-newsletters, and our Webcasts allow IT pros to ask questions of technical experts. What makes us unique TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals. We leverage the immediacy of the Web, the networking and face-to-face opportunities of conferences, the expert interaction of Webcasts and Web radio, the laser-targeting of newsletters and the richness and depth of our print media to create compelling and actionable information for enterprise IT professionals. For more information, visit CA_05_2007_0001 8