The computer's common use as an essential business tool, and the tremendous and exponentially increasing storage capacity of computer generated or recorded information has transformed the landscape of information retention and destruction. Now record retention regulations are becoming increasingly important to follow, and follow correctly and consistently.

Certain regulations in particular illustrate this need, including extensive OSHA requirements,

as well as new Sarbanes-Oxley rules that prohibit the destruction or alteration of records. SOX also requires auditors of securities issuers to maintain all audit or review workpapers for five years from the fiscal year end covered by the audit, with fines and jail time up to 10 years (see box at right for "Regulatory Overview").

The Act also escalates the penalties for existing violations. For example, Section 1102 expands the obstruction-of-justice statute that prohibits tampering with witnesses. Now, whoever "corruptly alters, destroys, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object's integrity or availability for use in an official proceeding" may face fines and imprisonment up to 20 years.

Many rules are entity- and business-specific. For example, SEC Rule 17a-4(b)(4) requires broker dealers to preserve for a period of not less than 3 years—the first two years in an accessible place—originals of all communications received and copies of all paper and electronic communications sent. That includes inter-office memoranda and communications relating to its "business as such." Non- compliance or delays in producing requested documents can be devastating (again, see Regulatory Overview).

Immediately Segregate Attorney-Client Communications

Disaster lurks once privileged and confidential attorney-client communications become comingled with normal corporate communications. Privileged communications must be clearly marked, both in the "Re:" line and the text of the document. Given the frequency of email communications, such communications automatically should be retained in a segregated, secure server, to the extent retained pursuant to company policies and procedures.

After the fact, unless segregated, privileged communications inadvertently may be produced to potential adversaries because, for example, the reviewer prior to production is unaware the sender or receiver is an attorney (which becomes more likely the longer the retention period due to employee turnover). Moreover, the segregation process itself after the fact can delay production enough to result in sanctions for untimely production. Legal Department systems should default to place the privilege notice in the "Re:" line, an abbreviated notice as a header on every page of the document, and more extended notice after the text, decreasing the probably of omitting the notice when required (much easier to delete than type) and increasing the probability of identifying a privileged document as such if a corrupted document is produced (missing, perhaps, the first page).

Outside counsel should take the same precautions when communicating with clients, and clients should arrange for the same automatic routing and segregation for communications without outside counsel.

Paper Preempted

Before the ubiqitous use of the computer in business and business communications, information meant, for the most part, paper records. This simplified the adoption of workable information retention policies, which companies could adopt and follow with relative ease. But that has changed—especially in today's litigious environment.

Now, one can store the equivalent of a room full of paper information on a small, inexpensive hard drive, and most companies rely upon electronic communications like email in order to conduct business, so information retention has become far more complicated. This is compounded by the distribution of electronic information to multiple locations, through various systems, any one of which can store a copy of the information, and the routine "backing up" and storage of data against the possibility of a catastrophic systems failure.

A myriad of laws, rules and regulations at the federal, state and local levels obligate companies, governmental organizations, persons and other entities to retain documents, records, email, electronic communications and other information. After the addition of mountains of electronic information to paper and other records, how can an entity even begin to analyze, and then implement and monitor, policies, procedures and systems designed to comply with these obligations?

While recent laws regulating certain entities directly address the topic of electronic record retention, other laws—many enacted before the computer’s invention—also require examination in evaluating this topic.

Since the vast details and steps necessary to accomplish this is beyond the scope of one publication, this article aims to suggest a basic framework designed to arrive at a reasonable and compliant information retention policy.

Establish A Formal Information Retention Policy

A surprising number of entities have arrived at their current information retention practices in a haphazard, reactive fashion. Even before recent laws and decisions brought this topic to the forefront, this was dangerous. Although the process may differ depending upon the nature of the entity, every single entity should establish a formal information retention policy. The framework for approaching this has a number of basic common elements, since all document and record retention laws applicable to a particular entity raise the same questions:

What information?

At what time(s)?

How (or in what form) and where?

The first step to establish a rational and compliant information retention policy is to answer these questions in two respects: (I) determine what information is necessary and appropriate to retain given the business or other needs of the particular entity in order to conduct day-to-day operations efficiently and at a reasonable cost; and (II) develop a thorough understanding of the applicable laws—usually different for different entities, depending upon type and operations.

Integral to this is the day-to-day involvement of Senior Management, Mid-Level Management, and the Management Information System ("MIS") and Records departments. The driving force underlying any information retention policy should be serving the reasonable, legitimate business and other needs of the entity. Legal requirements are an essential but secondary element.

Certain considerations bear examination:

Entity-Dependent Balancing Act. Establishing a Policy will require an extended business analysis that culminates in an entity balancing the importance and usefulness of information it is not legally required to retain against the potentially tremendous costs of locating and producing the information if required to do so in the future, perhaps in connection with an investigation or lawsuit (see Regulatory Overview, above, right).

Critical Business Continuity Information. Depending upon the nature and business of the entity, critical information should be backed up to an off site location.

Multiple Copies. Since the advent of the Xerox machine, and even more so in the computer age, employees tend to create and distribute far too many document copies, both in electronic and paper form. Distribution only should be to those with a need to know and the employee's direct supervisor, plus, if required by Policy, to Records.

Internal Spam. Many companies suffer from internal spam, often because employees use pre-existing, defined, distribution lists far too broad for the necessary audience. Such employees must be trained to use narrower, defined, distribution lists, which the company must create if broadly useful, or the employee must create for specific situations. If not, everyone may lose, say, fifteen minutes of productivity a day deleting unnecessary email. Worst case: prosecutors and juries may believe everyone on the distribution read a damaging email.

Treat Email Like Formal Correspondence. Employees tend to treat email as unrecoverable conversations. Statements intended at the time to reflect sarcasm, satire or a joke later may take on a nefarious appearance when reviewed by others, such as the government and plaintiffs. All entities must train employees to treat email as formal correspondence.

Ultimately, following this process leads to an Information Retention Policy that is good for the overall business, not just another set of burdensome legal requirements. As such, employees will view the Policy in a positive light, encouraging timely and diligent implementation.

Use One Point Attorney For The Project

For larger organizations subject to many laws, the legal analysis may seem daunting. Nevertheless, although certain laws requiring information retention may be exceedingly complex, a single point attorney alone should master their overall information retention requirements.

If not, the legal analysis becomes diffused among a number of lawyers, likely causing a lengthy, painful process, involving, for example, assumed responsibility by other overlapping or parallel practice areas and ignorance of record retention details. In the end this may cause the inadvertent omission of important legal considerations and requirements.

The point attorney certainly should consult with experts in particular legal practice areas before the entity issues a final policy but should not rely upon them to originate policy elements relevant to their practice areas.

System Limitations And Operation

The Policy may need to address current MIS limitations and the need to supplement or adopt entirely new systems. However, existing system limitations should not drive the Policy.

Moreover, the entity must understand and control the precise details of MIS operations. For example, if the Policy calls for destruction of a class of information after a certain date, and the systems' programs in fact destroy such information on the mainframe, the entity has not achieved Policy goals if the same information, automatically backed up in an offsite location, is not part of that destruction.

Also, destruction must mean obliteration: the information must be completely wiped and unrecoverable--like shredded paper. Information on a hard drive cannot merely have its index pointer deleted, thus remaining recoverable until overwritten. The underlying data itself must be entirely wiped and unrecoverable.

This process puts the entity in a position to know precisely what information it has and has not. If not, for example, an information subpoena might require the entity to search all hard drives that might still contain responsive information not yet overwritten or simply erased using one binary digit.

In this day and age, in well-publicized cases, personnel and legal expenses required to respond to a single information request have cost entities fees and expenses in the $100 million range. In this light, entities must not ignore or delay arriving at and implementing an effective Information Retention Policy.

Implement The Information Retention Policy

Ultimately, the entity and senior management bear responsibility for establishing and maintaining Policy compliance. Thus, after these deliberations and any resulting changes, one necessary policy refinement remains: clearly delineating who is responsible for implementing and supervising the Policy. These details must be enunciated in a manner designed to make certain that the tasks are carried out in a coordinated fashion and result in reasonably retrievable information under the circumstances (see sidebar).

The computer age necessitates the formulation, implementation and routine adherence to a reasonable and compliant Information Retention Policy. Unless this project is prioritized, adequately staffed and completed in a timely fashion, an entity is exposing itself to unimaginable costs, regulatory sanctions and other disastrous consequences, including the end of its very existence.

Getting It Wrong

A company's potential damage from wrongly implementing or executing proper electronic information retention is skyrocketing. Well-publicized cases have placed companies and their attorneys on notice of this peril. According to Federal Judge Shira Scheindlin of the New York Southern District Court, "[t]he subject of the discovery of electronically stored information is rapidly evolving. Now that the key issues have been addressed and national standards are developing parties and their counsel are fully on notice." In that case, Zubulake v. UBS Warburg, Judge Scheindlin punished UBS and its lawyers for intentionally deleting e-mails sought in discovery and delaying electronic material delivery by ordering (i) the jury to assume the deleted emails contained information damaging to UBS, and (ii) UBS to pay all costs of litigating the discovery dispute. Even though some of the deletions appeared to result from misunderstandings and miscommunications, the Court held, "counsel failed to properly oversee UBS in a number of important ways, both in terms of its duty to locate relevant information and its duty to preserve and timely produce information."

The federal judiciary has added more fuel to the fire by issuing proposed nationwide rules for federal courts to manage electronic discovery. These rules, scheduled to become effective in 2006 after a comment period, should serve as another strong warning to corporate America.

Getting It Right

The monetary and criminal penalties, loss of investor confidence, extraordinary regulatory oversight and bad press arising from a record retention error are tremendous and increasing. This removes establishing and maintaining a reasonable, consistent and effective record retention policy, including periodic training, from the "back burner, non- revenue producing" category straight to the "front burner." If not already done, technology platforms must be fully understood, and upgraded if inadequate, and the Board and Senior Executives need to push the project, and maintain their oversight.

This proactivity may well keep the Company and themselves entirely off any burner.

Related sidebars are available from the box at right.

The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.

What did you think of this column? If you'd like to react or respond, we urge you to write a letter to the editor.

Topics