Record Risks

Driven by million-dollar fines, businesses are using technology to comply with legal and regulatory requirements -- and regain control over electronic records.

A few years ago, most companies didn't give much thought to electronic records management. But a spate of scandals, lawsuits and new regulations has changed all that. Despite renewed attention to e-records management, however, many organizations still lack automated systems to efficiently process all e-records requested during a legal discovery proceeding. Yet retrieving such records -- and the penalties for noncompliance -- can cost businesses millions of dollars.

"E-litigation is an extremely expensive endeavor," says Jane Connerton, corporate records manager at The Procter & Gamble Co. in Cincinnati. While P&G has a records retention policy, finding and retrieving records during legal discovery can be a daunting challenge -- especially when the records are on backup tapes.

"We had a case that, after a week's worth of discovery, we calculated that backup tape suspension and legal review of the e-records was going to cost us a million dollars," Connerton says. And, she adds, such requests aren't uncommon for businesses of P&G's size.

In response, companies are turning to records and content management systems to automate the processes for identifying and categorizing records of all types, establishing and enforcing retention schedules, and maintaining accessibility to those records.

"You're trying to identify what has become a record, associate a rule with it and blow it away when it's no longer needed," says Julie Gable, principal of Gable Consulting in Philadelphia.

Companies must also comply with myriad local and federal regulations that vary by industry. For example, SEC Rule 17 requires that brokerages store records in a nonrewritable, nonerasable format. Sarbanes-Oxley Act Section 802 requires some records to be held for seven years. Other requirements are triggered by events, such as health care regulations that require records to be kept for a certain period after a patient's death.

The Elusive E-record

Records serve as evidence, says Gable. "They accrue to business processes, show what transpired during transactions, confirm rights and obligations, and provide motive for corporate action." What constitutes a record is determined by business, regulatory and legal requirements. Those definitions and policies are typically set by a corporate records manager, but IT must manage those records.

Today, records take many forms. While printed documents may be collected in file cabinets, e-records are scattered across a wide range of repositories. They may be embedded in e-mail, instant messages and other unstructured data that account for up to 40% of business data flows, according to the Storage Networking Industry Association (SNIA).

"E-mail is the biggest issue we see," says Barclay T. Blair, director of the IT compliance practice at Kahn Consulting Inc. in Highland Park, Ill.

In 2004, for example, Banc of America Securities LLC was fined $10 million and Philip Morris USA Inc. and Altria Group Inc. $2.75 million for failing to produce e-mail records in a reasonable time frame and failing to preserve documents after being told to do so. But despite such penalties, 65% of organizations still don't have an e-records policy for legal hold orders, let alone the technology to enforce it, according to a survey by the Association of Records Managers and Administrators (ARMA) and the Association of Information and Image Management.

The typical IT strategy of saving everything doesn't help, says Larry Medina, a records management contractor in Danville, Calif. "All nonrecord material should be destroyed as soon as is practical," he says. "If you have things you didn't need to retain, they become ticking time bombs in your system." Those documents could be used to the detriment of the company in legal proceedings, he says.

But more important, they add to the cost of discovery, says Deidre Paknad, president of record information management (RIM) software vendor PSS Systems Inc. in Palo Alto, Calif. "If there's a legal hold, all the information you have, whether a business record or not, is discoverable," she says.

Once a policy is in place for deleting end-of-life records, halting those processes in response to a legal hold order is difficult. Many organizations lack adequate technology and processes to deal with the problem, Gable notes.

IT needs to work closely with records managers, says ARMA President Dave McDermott. As assistant records manager at agribusiness conglomerate J.R. Simplot Co. in Boise, Idaho, McDermott worked with his IT group to develop a retention requirement for all backups.

Because records may be needed in the future, eliminating or archiving based on activity level or disk space usage doesn't work, says Michael Peterson, program director of the SNIA Data Management Forum.

At a minimum, good records management practices require interaction among IT, the corporate records manager, the business units that own the data and the legal department. Today, part of the problem is ignorance of records requirements within some IT organizations, says P&G's Connerton.

Evolving Tools

RIM software helps to define and categorize records and set retention policies. But the programs, originally created to manage paper records, are still evolving to handle e-records in places ranging from the ERP system to e-mail. To deal with this challenge, most products copy files and related metadata into a central repository. Records management tools also integrate with desktop productivity software, e-mail programs and archiving software to identify records and establish an audit trail for compliance purposes.

RIM has caught the attention of enterprise content management (ECM) software vendors such as EMC Corp.'s Documentum Inc. unit. They have snapped up RIM products and integrated them into their own suites.

But Connerton says centralization is no panacea. "In a major corporation, you're never going to have a single repository for all records," she says. While P&G's seven divisions do use RIM and ECM tools for some records, that's not enough. "What we've done is mapped out where the records are, who owns them from an IT perspective and how we can get them to facilitate the discovery process," she says.

At FirstEnergy Corp. in Akron, Ohio, one-third of the company's records are in its ERP system and can't be easily copied into a central repository. Senior IT systems analyst Teresa Straight says she's trying to figure out how to connect a FileNet system with SAP in order to manage records in the company's data warehouses.

Most RIM products still rely on manual processes or prompt the end user to identify, classify and check in records. Products such as FileNet Corp.'s Records Manager are at the forefront of a trend to automate that. With e-mail volume exploding, automated identification and classification of records is crucial, says Craig Rhinehart, director of compliance products and solutions at Costa Mesa, Calif.-based FileNet. "If you think you'll get 10,000 users to manually declare and classify records, you're wrong. Enforce your policy at the technology layer, not at the user layer," he says.

Connerton says she wouldn't trust an automated categorization system alone -- a sentiment Blair agrees with. "You can get part of the way there with really good tools, but ultimately, you need to rely on employees," he says, and that requires both policy and training.

At P&G, employees attend a 15-minute training session and an annual refresher. They are also required to review their files annually to comply with P&G's retention schedules, Connerton says.

Records management best practices must be infused throughout the IT systems that create or touch records, practitioners say. Connerton is working with IT to integrate e-records guidelines into P&G's information systems. With business units ranging from pharmaceuticals to dog food producers, that's not an easy task.

"We can't impose them immediately because there are legacy systems that are too expensive to retrofit," explains Connerton. It will be five to seven years before every document repository is in compliance, she says.

Larry Hawkins, director of records and information compliance at FirstEnergy, says he collaborates with IT on new system designs. "We don't procure technology without a thorough review," he says.

Copyright © 2005 IDG Communications, Inc.
