Developing a data retention policy is a necessity for mid to large organizations in order to effectively manage their information assets. The process for creating the policy should capture and identify all information repositories and storage media, physical as well as electronic. A functional approach from cradle to grave allows the flexibility to create timely information while also meeting the retrieval/usage requirements of the modern enterprise. With electronic storage being so simple and inexpensive, many business organizations now retain business records well beyond their useful lifespan—this creates not only operational problems with a significant hidden negative economic impact, but also a chaotic electronic records environment ill suited for litigation responsiveness.
The explosive growth of electronically stored information (ESI) and the recent changes to the Federal Rules of Civil Procedure (FRCP) regarding electronic discovery have triggered increased awareness of the problem. Business organizations are now faced with a bewildering array of options for dealing with both the legal and technical issues presented. Many proposed technology centric solutions target well defined pain points while ignoring important legal governance issues. Other solutions focus on policy and disregard the technical implications. This tutorial is premised on the assertion that the proposed solution to this problem must be comprehensive and must address both governance and the technical framework required for implementation.
This tutorial explores a high level road map for creating order from the current chaos. A brief description of the history and background of the problem is presented and then an approach for problem resolution is discussed.
Data retention, otherwise known as records management (RM), is a concept that has been around for well over a hundred years but one whose visibility has grown significantly with the dramatic increase of electronically stored information (ESI) and the recent changes to the Federal Rules of Civil Procedure (FRCP) regarding how ESI is handled during the legal discovery process.
Since the majority of business records are now stored electronically this tutorial uses the term electronic records management (ERM) to refer to this concept. The final deliverable of the effort described in this tutorial is a comprehensive ERM policy that addresses a company's business records including a data retention schedule for each identified record type (RT).
Conceptually a record is the equivalent of a document but ERM should not be confused with document management. Document management is primarily concerned with capturing documents (and metadata related to them) at the time of inception or creation, while ERM is concerned with records at the end of their life cycle. The said, the proposed solution described here presupposes a relationship between the two. The reason the link between document management and ERM is required is explored further in the section Developing the "To Be".
The types of records will vary with the type of business, but nearly all businesses have standard record types that must be addressed by an ERM policy including: accounting, contracts, insurance policies, corporate and board records, email, instant messages, employment, facilities, marketing, intellectual property, legal and others. While most records are now stored electronically there may still be (most likely are) record types that exist only in paper form. In order to have a single comprehensive ERM policy it is recommended that paper only records be converted into electronic form. While the conversion of all paper records is not a prerequisite for a comprehensive policy, it is nonetheless a significant step in the right direction. A 100% electronic data record environment facilitates discovery response times and is valuable in its own right from a business operations perspective.
Large and mid-size organizations have struggled with ERM since the dawn of the computer age. The issues presented today are not new. What is new is the exponential growth of ESI and the varied forms that it now takes, encompassing both structured (e.g. a purchase order database) and unstructured (e.g. email, instant messages, and websites). The complexity is magnified because of scale. As a problem scales its basic nature is transformed.
By all accounts the quantum of ESI currently stored by organizations is exploding. One historical study shows that the number of corporate e-mails sent daily is projected to increase at a compound annual growth rate of over 13%.The growth of instant messaging is similar with projected increases estimated to be at a compound annual rate of 43%. While each organization’s growth rate will differ, these estimates should come as no surprise to CIO’s tracking their respective rates.
The combination of explosive growth and cheap electronic storage has caused significant confusion with respect to what constitutes an appropriate ERM policy. Approaches range from keeping everything “just in case” to the indiscriminate deleting of records with no policy justification at all. Moreover, email and instant messages are simply a subset of record types that must be addressed within the universe of records that an organization maintains. A piecemeal solution is almost guaranteed to cause wasted effort over time as the problem must be re-visited for subsequent record types.
To add to the complexity, software vendors pushing technology centric solutions tend to minimize the importance of process issues because the hard of work of process definition impedes their ability to close the deal. Customers are justifiably confused by a bewildering array of options that all claim to solve the problem. Under pressure from corporate leaders "to do something" customers often begin by implementing a discrete "solution" that targets the pain point du jour.
To further complicate matters, recent changes to the Federal Rules of Civil Procedure (FRCP) have (rightfully) raised the awareness of general counsel with respect to the importance of having a sound and defensible ERM policy. This development often contributes to a hastily developed policy/solution that focuses almost exclusively on eDiscovery and does not address many other business needs.
To prevent an endless cycle of point solutions chasing a changing problem definition, a comprehensive and multi-disciplinary approach is required. This is not to question the validity of point solutions, but rather to suggest that such solutions must be implemented within a legal and technological framework that anticipates how various solution components interoperate, and one that accounts for all, or nearly all, organizational stakeholders.
The approach recommended by this tutorial is people and process centric. Platform (i.e. technology) initiatives only make sense after the critical people and process issues have been addressed. That said, the approach does include the development of a technology framework within which platform solutions can be implemented. In short, the proposed approach is integrated and comprehensive. It encompasses the legal, business and technical implications inherent in the development of an effective ERM policy.
Also, the approach is premised on the fact that the development of an effective ERM policy can only be accomplished via a collaborative project based initiative. There is far too much complexity for policy development to proceed sans the input of key organizational stakeholders. This implies sufficient process to meet organizational objectives, but no more. It does not imply the other extreme, which typically mandates committee formation, meetings and study. The latter tends to lead to "analysis paralysis" without much being accomplished despite the expenditure of significant time and resources. The recommended approach strikes a balance that is designed to drive results.
Before further discussion, it is critical that key terms be defined. The following list provides more precise definitions of key terms used throughout the remainder of the tutorial.
Notice that the policy definition is quite broad. This is as it should be. A policy must represent more than just a document. It must be a "living thing" with the requisite electronic enforcement capabilities. Sans the latter it becomes vacuous for all intents and purposes. That is, it is likely to be of little value either operationally or legally.
There is simply no way that a document alone can provide operational value from day to day, quarter to quarter, and year to year. Likewise, no credible "good faith" legal argument can be built with a document as its only foundational support. In order for an ERM Policy not to become just one more organizational dead letter, it needs "electronic and procedural teeth."
The process by which this is accomplished is discussed in the next two sections: 1) Capturing the "As Is"; and 2) Developing the "To Be." However, before proceeding it is instructive to consider for a moment what is meant by a "living document" and the abstraction represented by the phrase "electronic and procedural teeth." A good way to think about this is embodied in Peter Senge's seminal book "The 5th Discipline" and the Systems Thinking concept developed therein. A good summary of the book's foundational concepts is found here.
An effective ERM policy provides governance not merely by the operative words that it contains (e.g. a purchase order must be retained for the following period of time), but by the description (i.e. blueprint) of the system required to ensure compliance. Given that we live in an electronic world, this blueprint must describe the technological computing framework by which governance is enabled and the organizational processes that underpin it.
In other words, the policy is a "living document" with "electronic and procedural teeth" when it describes the system by which compliance is achieved and the roles and responsibilities of various organizational stakeholders required to administer it.
In practice capturing the "As Is" implies a dissemination of forms to key organizational stakeholders (e.g. Department Heads, Regional Vice Presidents, General Counsel, CIO, etc.) in order to capture all, or nearly all, organizational records, record types, systems of record and current end of life practices, if any. Essentially this is an inventory gathering and classification process. Enabling Web 2.0 based offerings make the capture of electronic form derived information (e.g. in question and answer format) far less painful and less expensive than paper based alternatives.
The first, and arguably most critical, step in building an effective ERM policy is the classification and grouping of an organization’s records and RT's. This is best accomplished by taking a simultaneous vertical and horizontal approach.
Horizontal records are those that touch every business function within an organization. Email and instant messages fall into this category. The inventorying and classification of horizontal records is usually the responsibility of the CIO. However, it should be noted that horizontal record types may be much broader than email and instant messages. It is likely that other “unstructured” record types such as those that exist within a company's Internet and Intranet site(s) and/or knowledge bases will also fall under the CIO’s purview. Courts tend to define ESI quite broadly and information stored on all corporate repositories may be requested during discovery. For example, trademark and copyright disputes often involve “evidence” located therein.
Vertical records are those that are generally under the control of a single business function. Examples of vertical records include human resources, accounting, legal and tax. However, vertical records are also found within line (i.e. revenue generating) organizations and these generally include contracts, leases, letters of intent and various other instruments used in day-to-day business.
Records that exist within line of business functions tend to be more problematic because often there is no system of record (SOR) in which they are captured. In fact, many such records may still exist in paper form. Before a systematic approach to these records types can be developed it is imperative that an organization, at a minimum, understand what instruments it uses, and where these instruments are currently stored.
Going forward, all such records should be linked to, and identified with, a specific SOR. Current knowledge management (KM) best practices allow such a link to be readily established (e.g. using Enterprise Wiki solutions and/or Microsoft Sharepoint).
The “As Is” Bottom Line
Capturing the “As Is” with some degree of rigor is foundational to the development of an effective ERM policy. Without it, the ERM policy is simply a “shot in the dark” and unlikely to be of much use from either a legal or business perspective. For example, a strong “good faith” defense (i.e. in response to a discovery request) can be asserted if an organization can point to its records, its record types, its systems of record and the governance processes used to determine a given record type’s end of life. If something is missed or slips through the cracks under these circumstances, a strong argument can be made that the organization has done everything within its power to ensure compliance.
The development of the “To Be” organizational state results in the collaborative project’s final deliverables: 1) the ERM policy; and 2) the technical implementation framework. The first order of business is to review and summarize the “As Is” documentation. As part of this process the joint team has responsibility for working through items that require clarification. The summary of the “As Is” state is an interim project deliverable and a project milestone and check point.
Notice that deliverables recommended by this tutorial are produced via the collaborative project alluded to in the Intersection of Law & Technology section. The project team must of necessity include key organizational stakeholders (e.g. CIO & General Counsel) as well as outside counsel. The resulting policy will impact the entire organization. Without "buy in" from all levels the deliverables will fail to meet organizational objectives.
The concept of a project embodies well defined roles, responsibilities, tasks, milestones and deliverables. A project based approach ensures that the resulting policy is not developed in an organizational vacuum.
The ERM Policy
As discussed previously, the ERM policy will provide the governance mechanism that controls and guides the technical framework. It will contain all the necessary legal and operational governance mandates required to underpin the framework. The ERM policy will also list all legal authority (i.e. statutes and regulations) that support such governance. However, for business reasons, the resulting policy may allow for retention schedules that provide for longer time frames than required by law. The final decision with regard to retention schedules by record type lies with the customer organization.
The Technical Framework
The technical framework consists of a set of system recommendations that, when implemented, will enforce the governance structure of the ERM policy. It is envisioned that over time all systems of record will be tied to the technological enforcement strategy. Essentially, the technical framework will provide system guidelines for archival and purging of business records once these records have reached their end of life. It will also describe a systematic procedure for dealing with issues such as “litigation holds” that may require intervention.
In addition, the technical framework will make recommendations with respect to the management of record types that currently do not have a respective system of record associated with them. This is likely to include scanning/imaging of paper records in order to achieve a 100% electronic business record environment, if at all possible. Finally the technical framework will contain a description of the roles and responsibilities of key staff members required to administer it.
The Challenge of no System of Record (SOR)
As previously mentioned, many line of business records (e.g. contracts) simply have no system of record at all. These documents are created in word processing applications and stored in various electronic folders. It is not an overstatement to say that most organizations do not have folder naming conventions let alone a taxonomy for managing unstructured records. It is also safe to say the most business executives cannot point to the electronic storage location of the most current version of executed instruments relied on to run day-to-day operations.
For large businesses, and many mid-size businesses as well, these documents are numbered in the hundreds of thousands, if not more. Imagine the burden of producing documents in response to a discovery request that span multiple line organizations across geographical boundaries (e.g. as is often the case in a class action suit). This is a problem of inordinate and unmanageable complexity. Under these circumstances it is virtually impossible for an organization to state with any degree of certainty that the requested documents have been produced.
It must be understood that there are no "silver bullet" answers to this problem. It is only through the combination of process and technology that the problem as stated can be managed. Fortunately, significant progress has been made with respect to the maturation of a set of technologies that are categorized as Enterprise 2.0 (e.g. as embodied in enterprise wiki's and Microsoft Sharepoint). These technologies provide foundational support for the development of SOR's for unstructured data. Many leading edge organizations are now moving in this direction.
The "To Be" Bottom Line
It would be misleading and inaccurate to suggest that at the conclusion of the proposed project an organization has a complete solution. Why? Because instrumenting the policy across all SOR's is a non-trivial and time consuming task. What an organization has at the conclusion of the aforementioned project is a road map for arriving at a final destination. A methodology for attacking a complex problem. Once a methodology is in place then point solutions can be selected depending on how well they fit within the system framework.
The implementation of an effective ERM policy continues to be one of the most significant business challenges facing mid to large organizations. This tutorial suggests a need for a multi-disciplinary project based approach. It further describes a mechanism by which the suggested approach can be realized.
Inherent in the recommended approach is the need for collaboration. Collaboration must occur not only with and between third party providers, but also among key organizational stakeholders. In addition, the recommended approach suggests that organizations must rethink their current storage strategies regarding unstructured data.
The legal, operational, and technological implications of an ERM policy must be understood using a systems thinking framework. Point solutions only make sense once a fundamentally sound methodology is in place.
Internet eDiscovery Lawyers. People. Process. Platform.