By Christine Dunn — October 16, 2007

new report finds that despite the growing importance of records management to prevent snafus in corporate litigation, only one-third of companies believe they have a comprehensive records management program.

RELATED RESOURCES Iron Mountain Compliance Benchmark Report (Oct. 8, 2007) Related Coverage Courts Start Making e-Discovery Decisions (July 3, 2007) Best Practices: Managing e-Discovery Rules (June 8, 2007) More Articles on e-Discovery, Records Management

The 2007 Iron Mountain Compliance Benchmark Report surveyed nearly 2,000 people at public, private, government, and nonprofit organizations. Only 35 percent of respondents said they have a formal, enterprise-wide records management policy—despite new “e-discovery” rules for civil litigation that are proving ever more painful for companies whose sloppy recordkeeping returns to haunt them in court.

Early adopters in highly regulated industries, such as financial services, insurance, accounting, pharmaceuticals, and health care, have the most mature programs and consistently rate above average, the study found. Those companies in retail, technology, education, architecture, construction, and engineering lagged.

Reese

“What we found is that having a consistent policy, applied across an organization, is not as strong as it needs to be,” Iron Mountain CEO Richard Reese said in an interview with Compliance Week. “I think there’s a bit of struggling about how to get through to the entire corporation. If you don’t build consistency across an organization, that’s where you’ll find it collapsing on you.”

Many companies still tend to have policies that differ among divisions, Reese said. Consistency, however, helps to bolster compliance, and also can help drive efficiencies and reduce certain costs, such as those for pretrial discovery.

“Litigation used to be the purview of the legal department,” Reese said. “Now most of the game is in e-discovery and involves the discovery of digital data that is spread out all over the place: on desktops, laptops, servers. Even knowing where it all exists is a major hurdle from a legal perspective.”

The Iron Mountain study identified five major best-practice areas for records management: record retention; policies and procedures; record disposal; indexing and access; and auditing and accountability.

Of the five, strong record retention practices can provide much of the backbone of an overall program, since a clear retention schedule sets the pace for how the other four are implemented and governs the “lifecycle” of a document.

EXCERPT Below is an excerpt of the Iron Mountain survey, examining records retention schedules. Just over half of all respondents (55 percent) report that their organizations use an enterprise-wide retention schedule, and an additional 12 percent state that approximately three-quarters of their business departments or units have a records retention schedule. The survey indicates that 19 percent of the participants do. These results show that organizations are, indeed, investing in records management, particularly in the areas of schedules and policies. Companies are making incremental progress, although most have not yet consistently covered their organizations thoroughly; leaving gaps and/or significant areas uncovered or with inconsistent practices. These are all symptoms of programs that are in the early stages of a multiyear roll-out. This is important because a records retention schedule serves as the cornerstone for an organization’s regulatory compliance efforts and provides the blueprint for all records management activities, including assurance that obsolete records are disposed of in a systematic and controlled manner. An “end of life” disposal plan must make certain that records are destroyed in a consistent manner that complies with the retention schedule. The disposal plan must also specify the chain of custody of the information until it is destroyed, in order to meet the requirements of new data privacy regulations. Absence of a proper disposal program can cause an organization to become reluctant to destroy any records and, therefore, to accumulate an excessive volume of obsolete records. While 28 percent of organizations update their records retention schedules at regular intervals of two years or less, nearly half of all surveyed organizations (47 percent) report nonexistent, irregular, or infrequent updates. More than half of the respondents have an incomplete approach, with 22 percent of those having a retention schedule for hard copy records only. With the legal and regulatory landscape changing so rapidly, frequent re-examination is imperative. After all, successful compliance and governance programs are not one-off events, but instead require a continuous process of assessment and refinement. This is evidence that most organizations are pursuing a long-term vision to their Records Management Program, but their current programs still leave many areas exposed to risk. The need to create and implement a records retention schedule that focuses on managing electronic records, as well as physical records, is an essential step for all organizations. And for most, a lack of focus on electronic records implies that they are treating e-mail as a basic file storage and archive issue, rather than a critical records management responsibility. Source Iron Mountain (Oct. 8, 2007).

According to John Bace, research vice president at Gartner, information can largely be organized into three categories. Most important is information that a company should never get rid of, such as intellectual property, patents, and trademarks, or issues where a business takes on liability or absolves individuals of liability.

The second category is information that has no real, long-term value to it, such as setting up a lunch appointment. Third is information that is ephemeral, such as e-mail. “E-mail was supposed to be the technological equivalent of a Kleenex, but it’s become the primary collaboration tool and workflow tool,” Bace says. “Some of our clients—those who are under constant litigation—require employees to apply a taxonomy to e-mails and electronic documents so that it ends up in the right bucket.”

Bace

Retention schedules vary by company and industry, and by the regulations that companies must obey. Bace suggests first determining how long something has to be kept (seven years for tax records and two years for employee records, for example) and then figure out a way to keep it for that period.

Once the required storage time for a record has expired, “get rid of it,” Bace says. “The information quite often develops an inverse negative value to it. Some people say we’ll keep everything forever. That’s one of the worst ideas around, especially given the penalties and issues around the new discovery rules.”

Companies also need to consider long-term, as well as short-term needs. “If you need to retain records for a long period of time, how are you going to manage that when the media on which those records are stored goes out of date? We call this the 100-year archive strategy,” says Marie-Charlotte Patterson, head of market strategy for AXS-One, which makes e-mail archiving software.

Diligence in Management

Having a consistent policy has become much more important since the Federal Rules of Civil Procedure were amended last December; the changes address e-discovery and the obligations companies have to find and provide electronically stored information. A central premise of the e-discovery rules is that companies must act “in good faith” to avoid sanctions in the event of a records snafu, such as not turning over relevant e-mails in a lawsuit. A lack of consistency, the Iron Mountain study states, “will put an organization at a disadvantage when trying to defend good-faith practices during litigation.”

“The thing that companies absolutely have to think about when preparing a records retention schedule is: Are they confident that the schedule applies to all record types?” Patterson says. “It’s fine to have a schedule for paper records, and a schedule for e-mails. But what are you going to do about other record types such as instant messaging? Blackberries? Phone records? Legacy records? We could go on and on.”

The e-discovery rules also make litigation-hold policies especially critical elements for compliance, according to Iron Mountain’s study. In such a situation, records under a hold order would not be destroyed even when otherwise permitted by an organization’s records retention schedule. Iron Mountain found that 80 percent of organizations don’t have written procedures, or have limited procedural notification, to cease destruction of records.

“Litigation-hold policies are difficult in that legal requirements must be communicated in layman’s terms to other departments,” says Jane Allen, a director at PricewaterhouseCoopers.

Companies should not wait until they are faced with litigation to think about how they’ll address this scenario, Patterson says. “If you reach that point, the chances are you’re too late.”

Having the technology in place to retrieve records effectively is also growing in importance. “For a regulatory review, the timelines we hear most often from our clients is 24 hours or less,” Patterson says. “If you don’t have the appropriate technology, policies, and procedures in place, the cost of recovering records through legacy means is massive.”

At a minimum, companies should review their retention schedules annually and update them to reflect significant business changes, such as a merger or changes to financial systems, Allen says.

“Know what you have, know how long you’re supposed to keep it, and once you’ve reached the end of that period of time, take one last look around to make sure another preservation obligation hasn’t been added,” Bace says. “If not, get rid of it, and be sure you get rid of it.”

Compliance Week provides general information only and does not constitute legal or financial guidance or advice.