Computerworld - Few IT professionals want to worry about how long to keep (or how to properly destroy) company records. Many people consider records management even less interesting than watching paint dry. But interesting or not, it's becoming critical. Savvy IT leaders care about records retention. Here's why:
- Government regulations. U.S. companies are subject to dozens of federal, state and local regulations requiring records to be retained for periods of one year to indefinitely. The USA Patriot Act gives the federal government broad authority to obtain many types of personal data and designates retention periods for each. HIPAA's privacy rules limit access to individuals' protected health information and describe how long medical records must be retained. The Sarbanes-Oxley Act demands that public accountants retain certain corporate audit records and work papers for five years after an audit is completed. It also calls for fines or imprisonment for individuals who knowingly change or destroy company records with intent to obstruct federal proceedings (either under way or anticipated). The North American Free Trade Agreement, the General Agreement on Tariffs and Trade and other pacts also require significant records management.
- International regulations. More than 40 countries currently have regulations requiring varying degrees of records retention. This can create problems for global companies when national regulations conflict. For example, e-mail regulations in SEC Rule 17a-4 conflict with European privacy laws. The international banking standard Basel II has different requirements for banks' loan loss reserves than U.S. rules mandate. These differences in requirements add complexity to multinational record-keeping. Complying with all applicable regulations requires a lot of homework.
- Litigation. Last year, the Federal Rules of Civil Procedure were broadened to cover electronic records. Under the amended rules, both parties' lawyers must meet early in the litigation process to determine what types of records will be required. Companies have only 120 days after this agreement to produce all required records in a form that is "reasonably usable." Companies may also be required to provide technical support to ensure that the data is "useful." In addition, the producing party must now identify any potentially relevant sources of information that will not be searched if "undue burden or costs" can be justified. This requirement to disclose what is not being searched is new, and it places a significant burden on companies to determine all potentially relevant sources of data.
- Legal awareness. The number of requests for data will increase as lawyers better understand IT data management. In 1999, the University of California's Continuing Education of the Bar program began a statewide drive to educate lawyers on how to search, maintain and use electronic records. Many other states have similar programs. Web searches for the terms e-discovery, records management and records retention produce mounds of advice for lawyers. In addition, lawyers are being advised to hire computer forensics specialists to access deleted, encrypted or other difficult-to-retrieve data.
- Costly penalties. Penalties for noncompliance can be enormous. In 2006, Morgan Stanley agreed to a $15 million fine to settle charges that it failed to provide tens of thousands of e-mails requested during SEC investigations. (Even scarier, Morgan Stanley client Ron Perelman had previously won a $1.45 billion judgment against the firm for its failure to turn over requested e-mails to the court.) Recently, in Zubulake v. UBS Warburg, the judge concluded that UBS had willfully deleted relevant e-mails despite court orders. When a defendant has destroyed potentially relevant data, judges can (and this one did) direct the jury to presume that the deleted data would have supported the opposition. Zubulake was awarded $29 million. If you want to see more rulings regarding deleted e-mails, read up on the explosion at BP's Texas City refinery.
Keep abreast of changes in these areas. Regulations, requirements and penalties are evolving rapidly -- but not always for the worse. In her opening speech at the CeBIT trade show, German Chancellor Angela Merkel observed that Germany has a large number of reporting requirements and said that the country's government "has committed to reduce bureaucracy costs by up to 25% by 2011." Stay tuned, and hope other countries follow suit.
Good records management is critical. Your organization could become involved in litigation or be hit with a government agency's request for information at any time. It will be impossible to produce data you have not retained, and failures may be costly. Prepare now.
Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners Inc., which helps organizations invest well in IT. Contact him at BartPerkins@ LeveragePartners.com.
Read more about Government IT in Computerworld's Government IT Topic Center.
This pilot fish is a contractor at a military base, working on some very cool fire-control systems for tanks. But when he spots something obviously wrong during a live-fire test, he can't get the firing-range commander's attention.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Reduce federal infrastructure risk with compliance management and situational awareness
- IBM continuous monitoring and management solutions deliver real-time situational awareness to help federal agencies understand vulnerabilities, and protect the infrastructure.
- SANS: Next-Generation Datacenters = Next-Generation Security
- This whitepaper takes a look at some new technology that may allow security teams to implement more flexible and capable protection models in...
- SANS: Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
- SANS review of McAfees Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
- Safeguarding the Next-Generation Data Center
- Use of virtual and cloud servers has exploded. Unfortunately, security often lags behind. McAfee recommends looking at innovative solutions in order to erect...
- Aberdeen: Securing the Evolving Datacenter
- This report highlights ways security technologies and services are evolving to provide the visibility and control needed to deploy workloads flexibly in the... All Government IT White Papers
- Is SQL Server AlwaysOn really as powerful? Tips and Tricks from the field With the introduction of AlwaysOn, Windows Clustering Services is now more critical than ever.
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their...
- DevOps with PureApplication System: Reduce cost and speed delivery with an integrated IBM Cloud solution Join this webcast to hear what ING Netherlands has been able to achieve while deploying DevOps tools from IBM Rational. An ING executive...
- All Government IT Webcasts