Few IT professionals want to worry about how long to keep (or how to properly destroy) company records. Many people consider records management even less interesting than watching paint dry. But interesting or not, it's becoming critical. Savvy IT leaders care about records retention. Here's why:
Government regulations. US companies are subject to dozens of federal, state and local regulations requiring records to be retained for periods ranging from one year to indefinitely. The USA Patriot Act gives the federal government broad authority to obtain many types of personal data and designates retention periods for each. The Health Insurance Portability and Accountability Act (HIPAA) privacy rules limit access to individuals' protected health information and describe how long medical records must be retained. The Sarbanes-Oxley Act demands that public accountants retain certain corporate audit records and work papers for five years after an audit is completed. It also calls for fines or imprisonment for individuals who knowingly change or destroy company records with intent to obstruct federal proceedings (either under way or anticipated). The North American Free Trade Agreement, the General Agreement on Tariffs and Trade and other pacts also require significant records management.
International regulations. More than 40 countries currently have regulations requiring varying degrees of records retention. This can create problems for global companies when national regulations conflict. For example, e-mail regulations in SEC Rule 17a-4 conflict with European privacy laws. The international banking standard Basel II has different requirements for banks' loan loss reserves than US rules mandate. These differences in requirements add complexity to multinational record-keeping. Complying with all applicable regulations requires a lot of homework.
Litigation. Last year, the Federal Rules of Civil Procedure were broadened to cover electronic records. Under the amended rules, both parties' lawyers must meet early in the litigation process to determine what types of records will be required. Companies have only 120 days after this agreement to produce all required records in a form that is "reasonably usable". Companies may also be required to provide technical support to ensure that the data is "useful". In addition, the producing party must now identify any potentially relevant sources of information that will not be searched if "undue burden or costs" can be justified. This requirement to disclose what is not being searched is new, and it places a significant burden on companies to determine all potentially relevant sources of data.
Legal awareness. The number of requests for data will increase as lawyers better understand IT data management. In 1999, the University of California's Continuing Education of the Bar program began a statewide drive to educate lawyers on how to search, maintain and use electronic records. Many other states have similar programs. Web searches for the terms e-discovery, records management and records retention produce mounds of advice for lawyers. In addition, lawyers are being advised to hire computer forensics specialists to access deleted, encrypted or other difficult-to-retrieve data.
Costly penalties. Penalties for noncompliance can be enormous. In 2006, Morgan Stanley agreed to a $US15 million fine to settle charges that it failed to provide tens of thousands of e-mails requested during SEC investigations. (Even scarier, Morgan Stanley client Ron Perelman had previously won a $US1.45 billion judgment against the firm for its failure to turn over requested e-mails to the court.) Recently, in Zubulake v. UBS Warburg, the judge concluded that UBS had willfully deleted relevant e-mails despite court orders. When a defendant has destroyed potentially relevant data, judges can (and this one did) direct the jury to presume that the deleted data would have supported the opposition. Zubulake was awarded $US29 million. If you want to see more rulings regarding deleted e-mails, read up on the explosion at BP's Texas City refinery.
Keep abreast of changes in these areas. Regulations, requirements and penalties are evolving rapidly -- but not always for the worse. In her opening speech at the CeBIT trade show, German Chancellor Angela Merkel observed that Germany has a large number of reporting requirements and said that the country's government "has committed to reduce bureaucracy costs by up to 25 percent by 2011". Stay tuned, and hope other countries follow suit.
Good records management is critical. Your organization could become involved in litigation or be hit with a government agency's request for information at any time. It will be impossible to produce data you have not retained, and failures may be costly. Prepare now.