A few years ago, most companies give little thought to electronic records management. But a spate of scandals, lawsuits and new regulations has changed all that.
Despite renewed attention to e-records management, however, many organizations still lack automated systems to efficiently process all e-records requested during a legal discovery proceeding. Yet retrieving such records -- and the penalties for noncompliance -- can cost businesses millions of dollars.
"E-litigation is an extremely expensive endeavour," says Jane Connerton, corporate records manager at The Procter & Gamble Co. While P&G has a records retention policy, finding and retrieving records during legal discovery can be a daunting challenge -- especially when the records are on backup tapes.
"We had a case that, after a week's worth of discovery, we calculated that backup tape suspension and legal review of the e-records was going to cost us a million dollars," Connerton says. And, she adds, such requests aren't uncommon for businesses of P&G's size.
In response, companies are turning to records and content management systems to automate the processes for identifying and categorizing records of all types, establishing and enforcing retention schedules, and maintaining accessibility to those records.
"You're trying to identify what has become a record, associate a rule with it and blow it away when it's no longer needed," says Julie Gable, principal of Gable Consulting.
Companies must also comply with myriad local and federal regulations that vary by industry. For example some records need to be held for seven years, others for longer. Other requirements are triggered by events, such as healthcare regulations that require records to be kept for a certain period after a patient's death.
The elusive e-record
Records serve as evidence, Gable says. "They accrue to business processes, show what transpired during transactions, confirm rights and obligations, and provide motive for corporate action." What constitutes a record is determined by business, regulatory and legal requirements.
Those definitions and policies are typically set by a corporate records manager, but IT must manage those records.
Today, records take many forms. While printed documents may be collected in file cabinets, e-records are scattered across a wide range of repositories. They may be embedded in e-mail, instant messages and other unstructured data that account for up to 40 percent of business data flows, according to the Storage Networking Industry Association (SNIA).
"E-mail is the biggest issue we see," says Barclay Blair, director of the IT compliance practice at Kahn Consulting.
In 2004 in the US, for example, Banc of America Securities was fined $US10 million and Philip Morris USA and Altria Group $2.75 million for failing to produce e-mail records in a reasonable time frame and failing to preserve documents after being told to do so. But despite such penalties, 65 percent of organizations still have no e-records policy for legal hold orders, let alone the technology to enforce it, according to a survey by the Association of Records Managers and Administrators (ARMA) and the Association of Information and Image Management.
The typical IT strategy of saving everything doesn't help, says Larry Medina, a records management contractor. "All non record material should be destroyed as soon as is practical," he says. "If you have things you didn't need to retain, they become ticking time bombs in your system." Those documents could be used to the detriment of the company in legal proceedings, he says.
But more important, they add to the cost of discovery, says Deidre Paknad, president of record information management (RIM) software vendor PSS Systems. "If there's a legal hold, all the information you have, whether a business record or not, is discoverable," she says.
Once a policy is in place for deleting end-of-life records, halting those processes in response to a legal hold order is difficult. Many organizations lack adequate technology and processes to deal with the problem, Gable notes.
IT needs to work closely with records managers, says ARMA president Dave McDermott. As assistant records manager at agribusiness conglomerate J.R. Simplot Co, McDermott worked with his IT group to develop a retention requirement for all backups.
Because records may be needed in the future, eliminating or archiving based on activity level or disk space usage doesn't work, says Michael Peterson, program director of the SNIA data management forum.
At a minimum, good records management practices require interaction among IT, the corporate records manager, the business units that own the data and the legal department. Today, part of the problem is ignorance of records requirements within some IT organizations, says P&G's Connerton.
Evolving tools
RIM software helps to define and categorize records and set retention policies. But the programs, originally created to manage paper records, are still evolving to handle e-records in places ranging from the ERP system to e-mail. To deal with this challenge, most products copy files and related metadata into a central repository. Records management tools also integrate with desktop productivity software, e-mail programs and archiving software to identify records and establish an audit trail for compliance purposes.
RIM has caught the attention of enterprise content management (ECM) software vendors such as EMC's Documentum unit. They have snapped up RIM products and integrated them into their own suites.
But Connerton says centralization is no panacea. "In a major corporation, you're never going to have a single repository for all records," she says. While P&G's seven divisions do use RIM and ECM tools for some records, that's not enough. "What we've done is mapped out where the records are, who owns them from an IT perspective and how we can get them to facilitate the discovery process," she says.
At FirstEnergy Corp, one-third of the company's records are in its ERP system and can't be easily copied into a central repository. Senior IT systems analyst Teresa Straight says she's trying to figure out how to connect a FileNet system with SAP in order to manage records in the company's data warehouses.
Most RIM products still rely on manual processes or prompt the end user to identify, classify and check in records. Products such as FileNet's Records Manager are at the forefront of a trend to automate that. With e-mail volume exploding, automated identification and classification of records is crucial, says Craig Rhinehart, director of compliance products and solutions at FileNet. "If you think you'll get 10,000 users to manually declare and classify records, you're wrong. Enforce your policy at the technology layer, not at the user layer," he says.
Connerton says she wouldn't trust an automated categorization system alone -- a sentiment Blair agrees with. "You can get part of the way there with really good tools, but ultimately, you need to rely on employees," he says, and that requires both policy and training.
At P&G, employees attend a 15-minute training session and an annual refresher. They are also required to review their files annually to comply with P&G's retention schedules, Connerton says.
Records management best practices must be infused throughout the IT systems that create or touch records, practitioners say. Connerton is working with IT to integrate e-records guidelines into the P&G's information systems. With business units ranging from pharmaceuticals to dog food producers, that's not an easy task.
"We can't impose them immediately because there are legacy systems that are too expensive to retrofit," explains Connerton. It will be five to seven years before every document repository is in compliance, she says.
Larry Hawkins, director of records and information compliance at FirstEnergy, says he collaborates with IT on new system designs. "We don't procure technology without a thorough review," he says.
Six tips for handling e-records
Jane Connerton, corporate records manager at Proctor & Gamble, recently oversaw the establishment of e-records guidelines and is working with IT to implement them across all data repositories. She offers these six tips for IT organizations:
- Know the record contents of data, and manage the life cycle accordingly, as opposed to managing it based on volume or location (for example, * GB on Unix Server 3).
- Understand how the record will be retrieved and used by primary users, and design the system to meet those specifications.
- Work with your legal or regulatory experts and know what laws or regulations apply to the records in your system.
- When preserving a record, maintain all the metadata, too, in order to adequately define the context.
- Don't keep backup data any longer than necessary to meet operational needs, and never longer than the record itself.
- When erasing a record, simply deleting the file isn't good enough. Use a process or technology that completely obliterates the data so it can't be retrieved later.
When record-keeping goes wrong
Here are a few examples of organizations that have paid a price for inadequate records management.
Who: Lucent Technologies Inc.
When: May 2004
Accusation: Providing incomplete records in response to a Securities and Exchange Commission investigation.
Consequences: $US25 million fine
Who: UBS Warburg
When: July 2004
Accusation: During an ongoing gender-discrimination lawsuit (Zubulake v UBS Warburg), deleted relevant e-mails despite court order; failed to locate, preserve records and produce e-mail and other documents in a timely manner.
Consequences: Ordered to produce relevant documents and pay for redeposition of some witnesses and pay legal expense of the plaintiff.
Who: Philip Morris USA/Altria Group
When: July 2004
Accusation: Deleted e-mail that was over 60 days old for more than two years after a legal order to preserve all documents relating to litigation. Failed to follow the company's internal procedures for document and e-mail preservation.
Consequences: $US2.75 million fine
Who: Banc of America Securities
When: March 2004
Accusation: Violation of US Exchange Act record-keeping requirements, including failure to produce e-mail records in a timely manner and failure to preserve documents after an SEC staff request to do so.
Consequences: $US10 million fine; censur