Computerworld - Few IT professionals want to worry about how long to keep (or how to properly destroy) company records. Many people consider records management even less interesting than watching paint dry. But interesting or not, it's becoming critical. Savvy IT leaders care about records retention. Here's why:
- Government regulations. U.S. companies are subject to dozens of federal, state and local regulations requiring records to be retained for periods of one year to indefinitely. The USA Patriot Act gives the federal government broad authority to obtain many types of personal data and designates retention periods for each. HIPAA's privacy rules limit access to individuals' protected health information and describe how long medical records must be retained. The Sarbanes-Oxley Act demands that public accountants retain certain corporate audit records and work papers for five years after an audit is completed. It also calls for fines or imprisonment for individuals who knowingly change or destroy company records with intent to obstruct federal proceedings (either under way or anticipated). The North American Free Trade Agreement, the General Agreement on Tariffs and Trade and other pacts also require significant records management.
- International regulations. More than 40 countries currently have regulations requiring varying degrees of records retention. This can create problems for global companies when national regulations conflict. For example, e-mail regulations in SEC Rule 17a-4 conflict with European privacy laws. The international banking standard Basel II has different requirements for banks' loan loss reserves than U.S. rules mandate. These differences in requirements add complexity to multinational record-keeping. Complying with all applicable regulations requires a lot of homework.
- Litigation. Last year, the Federal Rules of Civil Procedure were broadened to cover electronic records. Under the amended rules, both parties' lawyers must meet early in the litigation process to determine what types of records will be required. Companies have only 120 days after this agreement to produce all required records in a form that is "reasonably usable." Companies may also be required to provide technical support to ensure that the data is "useful." In addition, the producing party must now identify any potentially relevant sources of information that will not be searched if "undue burden or costs" can be justified. This requirement to disclose what is not being searched is new, and it places a significant burden on companies to determine all potentially relevant sources of data.
- Legal awareness. The number of requests for data will increase as lawyers better understand IT data management. In 1999, the University of California's Continuing Education of the Bar program began a statewide drive to educate lawyers on how to search, maintain and use electronic records. Many other states have similar programs. Web searches for the terms e-discovery, records management and records retention produce mounds of advice for lawyers. In addition, lawyers are being advised to hire computer forensics specialists to access deleted, encrypted or other difficult-to-retrieve data.
- Costly penalties. Penalties for noncompliance can be enormous. In 2006, Morgan Stanley agreed to a $15 million fine to settle charges that it failed to provide tens of thousands of e-mails requested during SEC investigations. (Even scarier, Morgan Stanley client Ron Perelman had previously won a $1.45 billion judgment against the firm for its failure to turn over requested e-mails to the court.) Recently, in Zubulake v. UBS Warburg, the judge concluded that UBS had willfully deleted relevant e-mails despite court orders. When a defendant has destroyed potentially relevant data, judges can (and this one did) direct the jury to presume that the deleted data would have supported the opposition. Zubulake was awarded $29 million. If you want to see more rulings regarding deleted e-mails, read up on the explosion at BP's Texas City refinery.
Keep abreast of changes in these areas. Regulations, requirements and penalties are evolving rapidly -- but not always for the worse. In her opening speech at the CeBIT trade show, German Chancellor Angela Merkel observed that Germany has a large number of reporting requirements and said that the country's government "has committed to reduce bureaucracy costs by up to 25% by 2011." Stay tuned, and hope other countries follow suit.
Good records management is critical. Your organization could become involved in litigation or be hit with a government agency's request for information at any time. It will be impossible to produce data you have not retained, and failures may be costly. Prepare now.
Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners Inc., which helps organizations invest well in IT. Contact him at BartPerkins@ LeveragePartners.com.
Read more about Government IT in Computerworld's Government IT Topic Center.
- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
- Slideshow: 5 ways to lock down your mobile device
- Slideshow: 10 mistakes companies make after a data breach
- How to rob a bank: A social engineering walk through
- Which smartphone is the most secure?
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Mitigating DDoS Attacks with F5 Technology
- This document examines various DDoS attack methods and the application of specific ADC technologies to block attacks in the DDoS threat spectrum while...
- The DDoS Threat Spectrum
- Bolstered by favorable economics, today's global botnets are using distributed denial-of-service (DDoS) attacks to target firewalls, web services, and applications, often simultaneously.
- Defending Against Denial of Service Attacks
- By utilizing end-user interviews, this whitepaper explores a deeper understanding of DDoS defense plans and reveals the knowledge gaps around the Denial of...
- Strategic Solutions for Government IT
- This paper outlines why F5 is the optimum partner to help achieve the levels of security, performance and availability that are vital to...
- Leveraging Managed Security Services to Fight Growing Cybersecurity Threats
- IT Infrastructure-as-a-Service enables agile responses to constantly changing threats. All Government IT White Papers
- Modernizing SAP environments with minimum risk - a path to Big Data Hear from top IDC analyst, Richard Villars, about the path you can start taking now to enable your organization to get the benefits...
- The Power of the Citrix Mobility Solution, XenMobile Does everything become a smartphone? Or does the smartphone begin to do everything? How can we afford to support BYOD? Rather, how can...
- BYOD Happens: How to Secure Mobility How to navigate the journey of securing mobility, including the BYOD corruption of IT, the top ten mobility strategies, and the mobility management...
- HR and Finance Were made for Each Other View now >>
- The Value of Human Capital for Finance Professionals View now >>
- All Government IT Webcasts
Does your organization offer extensive benefits, cool perks, competitive salaries, opportunities for training and advancement? Then get it recognized!
Nominate your company or another deserving organization for Computerworld's 2014 Best Places to Work in IT list now through Dec. 12, 2013.