When Documents Rise from the Grave

CIOs, as the custodians of all corporate data, need to ask themselves whether they might not in future be made the scapegoat when corporations get into trouble over the inappropriate destruction - or retention, for that matter - of data.

It is not just pieces of paper but even seemingly robust corporate reputations that can be shredded when organisations go in for ill-considered destruction of electronic documents

In May 2002, brokers at several prestigious Wall Street firms had their good names trashed by the US media when they were discovered to have trashed their own deal-related e-mail messages the law required them to retain for at least two years. In a stunning example of self-inflicted collateral damage, the firms, where brokers typically earn seven figure bonuses, each argued in the New York Times that keeping e-mail messages was too expensive.

Two months earlier, on this side of the Pacific, British American Tobacco and Clayton Utz had won themselves reams of bad publicity after Justice Geoffrey Eames of the Supreme Court of Victoria found both had subverted the process of discovery in the case of McCabe vs British American Tobacco Australia Services Limited (BATAS). Justice Eames concluded BATAS had developed a document retention policy for the primary purpose of destroying material that would be harmful to it in the defence of any litigation, with the deliberate intention of denying a fair trial to the litigants. He found some of Clayton Utz's senior partners had worked with an army of litigation lawyers to implement the policy of document destruction.

While the Court of Appeal disagreed, finding insufficient evidence to prove either BATAS or Clayton Utz had systematically destroyed documents, this decision itself may yet be overturned by the High Court. Either way, the stink of poor publicity seems destined to hang around.

Now lawyers are warning businesses that rely overly much on the Delete button and industrial-sized paper shredders to cover corporate embarrassments to rethink their practices. And so CIOs, as the custodians of all corporate data, need to ask themselves whether they might not in future be made the scapegoat when corporations get into trouble over the inappropriate destruction - or retention, for that matter - of data.

"With the electronic evidence explosion, both technology people and attorneys as well as executive managers are really being faced with a bunch of new problems, and on the forefront of those problems is dealing with electronic evidence and document retention," says Michele Lange, a staff attorney with US electronic evidence services group Kroll Ontrack.

Not on the Radar

Electronic document destruction and retention has sat somewhere below the radar for most CIOs until recently, but events in the courts have given them some very good reasons to pay it much closer attention. Where once they struggled, courts have showed considerable sophistication over the past couple of years in dealing with electronic documents, and lawyers routinely issue subpoenas for files on servers and backup tapes in the course of legal disputes. Heaven help the corporate reputation of any organisation unable to comply with such demands from courts or regulators because required documents have been destroyed.

Regulators are getting more involved too. Among the new rules issued by the US Securities and Exchange Commission (SEC) to enforce the Sarbanes-Oxley Act, which comes into force on October 31, is one requiring auditing firms to retain every document that influences its report about a client for at least seven years, in case they are needed for an investigation. Lawyers in the US are advising the rules mean every public company and some private ones will need to start keeping these records too if they wish to avoid liability in some unforeseen investigation. Lawyers in Australia warn any companies dealing multinationally may be swept up in the demands.

"I think that from the Sarbanes-Oxley standpoint [document management] is a huge issue. It's happening today and I think that one cost is that executives go to gaol, and companies are being fined massive amounts," says Surety CEO Tom Klaff. "There's a huge hard and soft dollar cost associated with tampering with records and deleting the records and shredding. And in the Wall Street Journal we're seeing every day instances where this is happening, and it's probably happening more than we know because these are only the high-profile cases."

Klaff says CIOs, CFOs, CEOs and general counsels are all liable, but particularly the CEO and CFO who signs their names to the filing of financial statements. "The issue is that as a CFO or CEO you're signing your name that you attest to the validity of the statement, even though you've never met the thousands of employees who are responsible for the sales contracts and all the ancillary data that comprises those reports. So it needs a fig leaf of faith and a fig leaf of trust," he says.

Page Break

And the issues themselves have shifted. A decade ago corporations tended not to keep many hard copies of documents because these paper documents took up costly physical space. Now, with 93 per cent of all business documents created electronically and only 30 per cent ever printed to paper, companies save nearly every electronic document and e-mail because it can be stored electronically with relative ease. In response to this techno-reality, corporations are implementing and enforcing document retention policies more than ever before.

This amount of document retention, Lange notes, is landing electronic evidence in the headlines on an almost daily basis, as is evidenced by the "stream of consciousness" e-mails that have been found during the US Securities and Exchange Commission's investigation into Wall Street investment banking practices. For example:

  • In one e-mail to US research chief Kevin McCaffrey, star Salomon Smith Barney telecom analyst Jack Grubman admitted: "Most of our banking clients are going to zero and you know I wanted to downgrade them months ago but got a huge pushback from banking. I wonder what use bankers are if all they can depend on to get business is analysts who recommend their banking clients."

  • One e-mail revealed what one Merrill Lynch financial analyst thought about impartiality: " . . . the whole idea that we are independent from banking is a big lie."

  • Another analyst reportedly wrote that a company being touted to the public as an investment vehicle was, in actuality, "a piece of junk".

    So, both keeping documents that should never have been created and deleting documents that should have been kept, can get companies into hot water. Such embarrassing revelations highlight the need for companies to strike a balance between document retention and usefulness of information, Lange says.

    "We all know how to manage paper documents: we look in the file and we either shred it or keep it," she says. "With electronic evidence, however, it is much different. Some of the biggest concerns are: Where are electronic documents? How are they being stored? Where are the digital footprints that we don't know about, and where are those stored? So CIOs and other technical people are being faced with a bunch of new problems along those lines."

    Taking Nothing for Granted

    Experts warn even companies that have achieved a degree of complacency about their electronic records management strategy (because they rigorously back up their data and actively preserve everything possible lest the original files get damaged) are probably fooling themselves. Effective electronic record management, they insist, means taking into account not only the content of those files but for how long they should be saved.

    "There's two sides of the issue," says Tom Patterson, head of the security services group for Deloitte Touche Tohmatsu's Middle East and Africa divisions. "There's the data that they keep and the data that they destroy, and on both sides there needs to be a comprehensive policy that looks at not necessarily just the security issues but also at the business requirements, and that in turn means regulatory compliance."

    Patterson says a common mistake of companies around the world has been to allow business owners to decide whether to retain or destroy documents. Instead it should be up to the CIO to oversee an efficient, centralised process for document management, preferably via an all-encompassing policy that is rolled out company-wide. The CIO should assign policy, and allocate roles for employees and their management. Under such a scheme a secretary might have authority to create documents, but not be empowered to delete them.

    "That whole concept of assigning the employees to certain roles and managing a large organisation that way, will really help enforce whatever policy the company wants to put in place," Patterson says.

    Patterson says technology has reached the point where if the CIO really thinks through this issue, and is clearly given direction by their board and executive leadership, they can easily put a centralised plan in place that makes this a very manageable job. Some CIOs are even finding themselves saving money in the process though shutting down ineffective repetitive systems scattered though the organisation and replacing them with a common system that lowers the risk and operates more efficiently.

    Page Break

    The plan needs to embrace regulatory requirements and privacy as well as security, and where privacy and security imperatives conflict, the business owner should make the call, and the security officer should help to implement it.

    "Finding the right balance is often led by some of the international standards like BS799 and HIPPA [a wide ranging set of policies around the health-care industry], if you're in the health-care field. So for any industry there's most likely industry policies that they should be looking at, industry regulations that they should be adhering to, both country-wide and international ones. Companies which do business inside and outside Australia need to ensure policy conformance all over the world," Patterson says.

    When it comes to document integrity, Patterson says there have been a number of great advances in the area of encryption lately, so that encryption is now inexpensive and widely available and should become a standard tool in every IT shop, certainly for company-sensitive documents. "Encryption is not just used to keep a document secret for a while; it can be used to maintain the integrity of a document. You can put in a signature, you can put in a date and time stamp, you can encrypt the whole package, so that if anybody else changes it even one bit in the future you know that it has been tampered with," he says.

    Kevin Shaw, who heads the Asia-Pacific region of Deloitte Touche Tohmatsu's security services group, points out that when documents are collated through the use of Web forms, those Web forms take the data and put it back into databases in a format that is broken down into two rows.

    "What happens is that at a later stage if something happens and you have to reconstitute that document, say with legal proceedings on the go, you reconstitute that document and in some constituencies they will say that document has been stored not in context. So the document's validity from the point of the time that it was reconstituted is not the same as from when it was created," Shaw says.

    "By using encryption technologies you can still break it down into the rows and tables and databases, and when it gets put back together again, the hash function in the encryption technology makes sure it's exactly the same document that was first collected. So from a legal perspective they say we're fine, we're happy that document has been stored in context."

    As Time Goes By

    However, there are some difficulties with digital signatures when it comes to document protection. Surety is a US-based data integrity services company that focuses on helping companies in industries that have been highly regulated for many years, and which have requirements to maintain records for long periods of time. Through the use of patented, proprietary technology, Surety can verify the authenticity of a document: who created it, precisely when and precisely what was created, indefinitely.

    Klaff says this ability is proving to be of growing importance particularly in the US where companies are now required to retain documents for much longer times than previously. "The issue that we're tackling is the issue of: How do you know that the data has integrity 10 or 20 years from now?" he says. "Particularly if you're using a digital signature, there still is a problem with document life exceeding the life of the key, so we have a patent on extending the validity of that key to meet the life of that document."

    Klaff warns there is "a complexity" in managing digital signatures once they expire, with organisations periodically facing the massive task of re-signing vast numbers of electronic records that have been accumulated over the years. Surety thinks public key infrastructure (PKI) is a "wonderful technology" but Klaff warns the problem many organisations face from a regulatory standpoint is the need to manage that key infrastructure.

    "You have to trust the people that manage [the infrastructure] and you have to trust the people who have access to your data, and that's a problem," he says. "We take the trust out of the equation because we're not built on keys or certificates; we're built on mathematical algorithms."

    Shaw says when it comes to identity management, CIOs have an important role to play in the education of the employees within the organisation. "That's the way to get around the 'people peril' absolutely," he says. "We've noticed on some of the engagements that we've been doing where budget restrictions start to bite, unfortunately that's where clients tend to do the first budget cuts - in their education/evangelisation of the project."

    Page Break

    Gone but Not Forgotten

    When it comes to destruction of documents, it seems far too many people in far too many organisations still think that deleted documents are gone for good.

    "Another thing you need to think about is the fact that with electronic footprints, Delete does not mean Delete, and both technical people and people involved with litigation are finding out it's almost like a vampire coming back from the grave - you push Delete, you send a file to your Delete box, empty your Trash and think it is gone," Lange says.

    "Unfortunately, or fortunately, it is not. It resides on the computer until it is overwritten by new material or the computer is wiped clean or overwritten. These electronic footprints can come back to haunt you by computer forensic specialists going in and doing a recovery. And the courts are very responsive to that and case law is quickly developing, saying deleted information is fully discoverable when you are sued in litigation. So you have a duty to go back, and in most cases, restore that evidence and then produce it to the parties."

    Lange warns CIOs should constantly bear in mind that this is not a stagnant area, either for lawyers of technology people. "It is something that is changing very quickly and I can't reiterate enough how important it is for both technology and legal folks to stay on top of the law and how technology is developing," she says. "In the last year-and-a-half or two years that I have been working in this area, it has completely changed, and the courts have issued more opinions on it that really narrow the focus down on what the protocols are.

    SIDEBAR: Mandate from SEC Regulators: Save Your Electronic Documents

    by Ben Worthen

    Among the new rules issued by the US Securities and Exchange Commission (SEC) to enforce the Sarbanes-Oxley Act is one that says an auditing firm must keep every document that influences its report about a client for at least seven years - everything from the CEO's e-mail to a sticky note with some key figures on it - in case they are needed for an investigation. According to emerging legal interpretations of the rules, as a practical matter, every public company - and possibly some private ones - have to start keeping these records too if they wish to avoid liability in some unforeseen investigation. The rules take effect October 31, giving CIOs little time to deploy the capability to save records if they don't already have it.

    "The possible implications are far broader than some [experts] concluded initially, and the document management implications are probably greater than meets the eye," says Randolph Kahn, a Chicago-based lawyer and regulatory compliance consultant.

    Here are some tips for getting started with a document retention plan that meets the spirit and letter of the law.

    1. Call the lawyers. Meet with your chief counsel and other executives, and create a document retention and destruction policy. Kahn says that companies need two policies: a business-as-usual policy, in which certain types of documents are regularly destroyed; and an emergency policy that specifies which documents must be saved at the first sign of litigation. Specific decisions about what gets saved and destroyed are up to each company, but it's foolish to destroy accounting or financial records, says Ladd Hirsch, a Dallas-based securities lawyer.

    2. Assess IT requirements. Figure out what IT investments are needed to support the policy. Saving e-mail is just the tip of the iceberg that includes spreadsheets, text files, voicemails and PowerPoint presentations, and just storing documents probably won't pass muster with regulators. Document retention systems should index material by topic - such as contracts or accounting - rather than document format - such as PDF or Word - and should also be tamper-proof. Such a system may include audit trails, forbid overwriting and require passwords to access documents, says Kahn.

    3. Train employees. E-mail won't archive itself. Employees have to be familiar with retention and destruction policies and how to use the systems that support them. Earlier this year, five brokerages agreed to $US8.3 million in fines because employees deleted e-mail pertaining to a fraud investigation. While the fines stemmed from violations of a different securities law, Hirsch says to expect the same kind of fines under Sarbanes-Oxley. If employees break the rules, but the company can demonstrate that it provided adequate training, the company may reduce its liability.

    4. Enforce the policy. Hirsch says that having a document retention policy and not enforcing it is worse than not having a policy at all. At the start of the Enron scandal, Arthur Andersen compounded its troubles by enforcing its document destruction policy only when investigators came calling. "You can't baby-sit an entire workforce," says Kahn, and enforcement isn't just the CIO's responsibility. But by putting in place the proper technology and providing the right training, he adds, "you can help them get it right".

    Page Break

    SIDEBAR: Which Records Must Be Saved?

    Here's how the SEC defines which audit-related records must be maintained:

    "The final rule requires that the auditor retain records relevant to the audit or review, including work papers and other documents that form the basis of the audit or review of an issuer's financial statements, and memoranda, correspondence, communications, other documents and records (including electronic records) that meet two criteria. The two criteria are that the materials: 1. are created, sent or received in connection with the audit or review; and 2. contain conclusions, opinions, analyses or financial data related to the audit or review."

    SIDEBAR: Top 10 Tips for Effective Electronic Data Management

    Kroll Ontrack has created the following 10 tips that should be considered when developing and maintaining rules for electronic record retention:

    • Make electronic data management a business initiative, supported by corporate leadership.

    • Keep records of all types of hardware/software in use and the locations of all electronic data.

    • Create a document review, retention and destruction policy, which includes consideration of: backup and archival procedures, any online storage repositories, record custodians and a destroyed documents "log book".

    • Create an employee technology use program, including procedures for: written communication protocols, data security, employee electronic data storage and employee termination/transfer.

    • Clearly document all company data retention policies.

    • Document all ways in which data can be transferred to/from the company.

    • Regularly train employees on your data retention policies.

    • Implement a litigation response team, comprised of outside counsel, corporate counsel, human resources department, business line managers and IT staff, that can quickly alter any document destruction policy.

    • Be aware of electronic "footprints" - Delete does not always mean Delete, and metadata is a fertile source of information and evidence.

    • Cease document destruction policies at first notice of suit or reasonable anticipation of suit.

    On a final note, make a practice of conducting routine audits of policies and enforcing violations.