Gone but Not Forgotten

When it comes to destruction of documents, it seems far too many people in far too many organisations still think that deleted documents are gone for good.

"Another thing you need to think about is the fact that with electronic footprints, Delete does not mean Delete, and both technical people and people involved with litigation are finding out it's almost like a vampire coming back from the grave - you push Delete, you send a file to your Delete box, empty your Trash and think it is gone," Lange says.

"Unfortunately, or fortunately, it is not. It resides on the computer until it is overwritten by new material or the computer is wiped clean or overwritten. These electronic footprints can come back to haunt you by computer forensic specialists going in and doing a recovery. And the courts are very responsive to that and case law is quickly developing, saying deleted information is fully discoverable when you are sued in litigation. So you have a duty to go back, and in most cases, restore that evidence and then produce it to the parties."

Lange warns CIOs should constantly bear in mind that this is not a stagnant area, either for lawyers of technology people. "It is something that is changing very quickly and I can't reiterate enough how important it is for both technology and legal folks to stay on top of the law and how technology is developing," she says. "In the last year-and-a-half or two years that I have been working in this area, it has completely changed, and the courts have issued more opinions on it that really narrow the focus down on what the protocols are.

SIDEBAR: Mandate from SEC Regulators: Save Your Electronic Documents

Among the new rules issued by the US Securities and Exchange Commission (SEC) to enforce the Sarbanes-Oxley Act is one that says an auditing firm must keep every document that influences its report about a client for at least seven years - everything from the CEO's e-mail to a sticky note with some key figures on it - in case they are needed for an investigation. According to emerging legal interpretations of the rules, as a practical matter, every public company - and possibly some private ones - have to start keeping these records too if they wish to avoid liability in some unforeseen investigation. The rules take effect October 31, giving CIOs little time to deploy the capability to save records if they don't already have it.

"The possible implications are far broader than some [experts] concluded initially, and the document management implications are probably greater than meets the eye," says Randolph Kahn, a Chicago-based lawyer and regulatory compliance consultant.

Here are some tips for getting started with a document retention plan that meets the spirit and letter of the law.

1. Call the lawyers. Meet with your chief counsel and other executives, and create a document retention and destruction policy. Kahn says that companies need two policies: a business-as-usual policy, in which certain types of documents are regularly destroyed; and an emergency policy that specifies which documents must be saved at the first sign of litigation. Specific decisions about what gets saved and destroyed are up to each company, but it's foolish to destroy accounting or financial records, says Ladd Hirsch, a Dallas-based securities lawyer.

2. Assess IT requirements. Figure out what IT investments are needed to support the policy. Saving e-mail is just the tip of the iceberg that includes spreadsheets, text files, voicemails and PowerPoint presentations, and just storing documents probably won't pass muster with regulators. Document retention systems should index material by topic - such as contracts or accounting - rather than document format - such as PDF or Word - and should also be tamper-proof. Such a system may include audit trails, forbid overwriting and require passwords to access documents, says Kahn.

3. Train employees. E-mail won't archive itself. Employees have to be familiar with retention and destruction policies and how to use the systems that support them. Earlier this year, five brokerages agreed to $US8.3 million in fines because employees deleted e-mail pertaining to a fraud investigation. While the fines stemmed from violations of a different securities law, Hirsch says to expect the same kind of fines under Sarbanes-Oxley. If employees break the rules, but the company can demonstrate that it provided adequate training, the company may reduce its liability.

4. Enforce the policy. Hirsch says that having a document retention policy and not enforcing it is worse than not having a policy at all. At the start of the Enron scandal, Arthur Andersen compounded its troubles by enforcing its document destruction policy only when investigators came calling. "You can't baby-sit an entire workforce," says Kahn, and enforcement isn't just the CIO's responsibility. But by putting in place the proper technology and providing the right training, he adds, "you can help them get it right".