Taking A Total View Of Records Retention

As with many things Sarbanes-Oxley, barrels of ink were used to describe the law’s effect on records management until about 2003. Then there was relative silence—as if Sarbanes-Oxley somehow went away, or was revised with a giant “never mind” with respect to record retention.

The impression is misleading. SOX is far from the only compliance issue facing records management professionals, but among compliance officers and managers formulating document retention strategies, it remains an elephant in the room that specialists say fuels the need for a strategic approach to records management.

Sarbanes-Oxley’s actual codified effect on records retention is relatively narrow. Sections 802 and 1102 add a criminal penalty of up to 20 years in prison for those who knowingly alter, destroy or hide records related to federal investigations (see box at right). SOX also requires auditors of public companies to retain audit documents and work papers for seven years.

But Sarbanes-Oxley has also “raised the retention and disposition of information, paper and electronic, to a place that it’s never been before,” says William Millican, director of professional resources and standards development for ARMA International, formerly the Association of Records Managers and Administrators.

Ken Rubin agrees. He is senior vice president of marketing at Boston-based Iron Mountain, which handles records management for some 90,000 corporate accounts and 97 percent of the Fortune 500. Sarbanes-Oxley’s personal accountability at the executive level has taken records management “from a backroom issue to the boardroom,” Rubin says.

Rubin notes other factors as well, principally high-profile acts of corporate malfeasance such as Frank Quattrone allegedly ordering the destruction of records in the face of litigation at Credit Suisse First Boston and the rise of e-discovery in corporate litigation.

Rubin

“Sarbanes-Oxley changed things substantially, but it was part of a confluence of factors that worked together in a sort of perfect storm event,” he says. “It was one part compliance, one part litigation and one part sheer volume—the growth in the amount of documentation that makes it a management challenge.”

In particular, Rubin cites changes slated for later this year to the Federal Rules of Civil Procedure’s rules 26 and 37 (see box above, right). Among the consequences will be new rules pertaining to electronic documents requested during litigation, and revised rules regarding suspending the destruction of records pending a court case.

Corey Meitchik, vice president of sales and marketing at Anacomp, a records management business in San Francisco, says his customers still mostly worry about litigation costs, business continuity and plain old customer service when it comes to records storage. Sarbanes-Oxley is also a concern, too, he adds, but “I would say 99 percent of our customers go way beyond what Sarbanes-Oxley requires.”

Boman

Marc Boman, a partner with law firm Perkins Coie, says clients are “very anxious to make sure they are in compliance with [SOX],” but it remains just one part of a diverse set of laws and regulations affecting records retention, ranging from the PATRIOT Act to employment laws to the tax code—and increasingly, he stresses, prospective litigation.

How does one create a strategic records management program that keeps Sarbanes-Oxley and myriad other considerations in view? In general, Boman, Rubin and others boil the process down to three steps:

Know Thyself

Records retention may have some broadly applicable tenets, but not that many. The regulatory environment with respect to document retention is far different for a health care company than, say, an electric utility. As a result, experts say that companies should plan accordingly.

“You need to know what you have before you can control it. It’s not exactly brain surgery or rocket science,” says David Steward, director of records at the Blackwell Sanders Peper Martin law firm. “It’s amazing how many companies operate without knowledge of what their strategic information resources contain.”

Millican at ARMA warns against confusing the medium with the message. An email, for example, could contain sensitive information that would require retention longer than a standard 90-day email deletion policy would indicate, he says.

“Properly developed retention is based on the content of information, and not the type of item it is,” he says. “Some organizations continue to pay fines because of these issues.”

Geographic location also matters, Boman says. He cites the example of collective bargaining agreements and employment contracts, which have different retention requirements in California, Illinois, New York, Washington, D.C., and at the federal level.

Create A Retention Schedule

INTERNATIONAL

Document Retention Overseas

Sarbanes-Oxley and a slew of other U.S. regulations may not be of much consequence when doing business overseas, but companies operating internationally still need a good document retention strategy.

Depending on where you’re doing business, the rules can get downright weird. France, for example, requires that documents born on its soil stay there. And even if there is no Sarbanes-Oxley Section 802 to worry about, there may be an ISO 15489 (the international standard for records retention; see box above).

“Any records retention program, domestic or international, has to be rooted in international standards,” says Tom Bowen, chief executive officer of Entium Technology Partners.

Entium implements records management programs for multinational clients. Often, Bowen says, simply understanding what the rules are in a given country is the hardest part. In countries like the United Kingdom, Canada and Australia, regulations related to document retention are well codified. That isn’t so in places like South America, the former Soviet sphere, and Africa. There, Bowen contends, rules for the retention of accounting, business and legal records are harder to come by.

That doesn’t mean you can ignore them, of course. But identifying documents for retention and developing retention schedules may come down to understanding the legislative environment, business mores and even cultural factors, Bowen explains.

“We have a lot of trouble developing requirements for Brazil,” Bowen says. “The laws don’t tell you what’s going on.” Instead, Entium relies on in-country counsel in such locales, he adds.

Christine Ardern, a records management consultant and president of Information Management Specialists in Toronto, has researched record retention policies from Peru to Suriname. She says companies doing business overseas also face the question of whether to retain records according to local custom, or based on a more universal set of rules developed centrally.

Doing it one-size-fits-all has its appeal, she says, but such an approach is rarely easy. “Often you are looking at having records schedules that incorporate the local differences,” she says.

—Todd Neff

Document retention needs are often dictated by legal language; Sarbanes-Oxley, for example, requires auditors to retain documents for seven years. The number of such rules is daunting: Steward says his firm has compiled an evolving list of no less than 48,000 legal requirements for records retention covering the 50 states and the federal government.

In addition, retention schedules can be dictated by good business practice. In health care, laws may only require a record to be maintained for 11 years, Meitchik says, “but if the patient’s five years old, chances are you’re going to need those records for 60, 70, 80 years.”

And, Millican says, some records—documents related to real estate or some financial transactions, for example—have no practical expiration date. “There are some types of information you just can’t get rid of,” he says.

Access, Index, Monitor, Destroy

Meitchik

Records management is not always pretty. “We have people that walk in the door literally with boxes covered in dust,” says Meitchik at Anacomp. “You open it up and there’s a candy bar from 1912.”

But even such records (perhaps without the candy bar) should be quickly digitized for future access and, where appropriate, destruction according to a corporation’s strategic records management plan.

Such strategic plans should be comprehensive, Rubin at Iron Mountain says, even if the actual records management implementation is being done incrementally. He emphasizes simplicity, minimizing the number of policies and records where possible. “Treat it like other corporate compliance programs,” he says.

In the end, Rubin adds, records retention should be taken in context. “You’re not trying to win the Malcolm Baldridge award for global records management excellence,” he says. “You’re trying to demonstrate you have done what is reasonable and prudent.”

Additional resources—including relevant rules, related columns, and legal commentary—can be found in the box above, right.