EDRM Evergreen/Information Management/Programs & Policies

From Working EDRM


Companies that create, enable and enforce reasonable information management policies can more efficiently share, use, preserve and produce information that is useful to their operations and necessary for compliance and electronic discovery purposes. Such policies also enable the responsible and defensible destruction of information that has outlived its useful life, and they aid the litigation process by reducing the volume of electronically stored information (ESI) and ensuring that ESI can be located and preserved more efficiently when required.

There are three common categories of these policies.

  1. Retention policies
  2. Backup and archival storage and policies
  3. Usage policies


Retention Policies

All electronic data should have a lifespan, after which time it should be automatically deleted or, in a more risk-averse environment, reviewed for disposition by a designated and properly trained individual. Given the amount of electronic data generated and stored by most companies, as well as the vast number and dizzying array of electronic repositories, this goal can be difficult to achieve. The problem is perhaps most acutely visible for email messages, with recent surveys reporting that the average user receives 130 email messages each day.

A sound retention policy is a critical tool in helping companies to achieve the goal of managing and disposing of data after its useful life. Without it, content that must be retained for compliance goals, regulatory requirements, records needs (such as contracts), and litigation holds may be deleted inappropriately, creating a host of problems ranging from lost productivity to electronic discovery sanctions and negative press. And the alternative -- keeping all electronic information indefinitely -- can be worse, creating myriad and unnecessary costs and potential litigation exposure. Moreover, the increased costs and risks of electronic discovery, as well as the burden on IT infrastructure, mandate that information that is no longer useful or needed be responsibly discarded.

Some characteristics of good retention policies include the following:

  1. Policy development with parameters that are achievable and meet the needs of the business;
  2. Identification and deployment of tools to implement the policy;
  3. Appropriate training for employees and auditing to ensure enforcement; and
  4. Periodic review.

Policy Development

A good retention policy must balance compliance, records, regulatory and business needs to determine what, where and how content should be retained and deleted. These requirements must be clearly identified and understood before creating the policy. For example, energy companies may have requirements to maintain information about plants for 50 years or more; while both hospitals and insurers frequently maintain information about minors through their age of majority. Other companies may have few regulatory requirements, but have a business need to maintain contracts or drawings for long periods. With more of this information in electronic form, stored on systems that frequently have a short-term lifespan, it is critical that these needs are thoroughly understood and factored into policy development.

A good retention policy must also make efficient compromises when requirements conflict. For example, a “thorough” records policy might mandate classification of data into 150 different categories. The time needed to perform this classification work would clearly conflict with the business need to have employees focus on their regular business tasks. Fortunately, there are approaches that help to balance these requirements. Rather than requiring employees to classify content into each of these 150 discrete categories, a reasonable policy may take a “big bucket” approach, whereby the majority of content is categorized into just a few different types (like “Personal” or “Project-related”). A policy might also provide default buckets, so that users are only required to classify a very small portion of the content they touch, with all other content handled automatically according to default rules.

Implementation

While developing effective and sensible retention policies is an undeniable challenge, proper implementation of the policy truly drives its actual effectiveness. A retention policy must therefore be supported by appropriate technologies and/or processes to make the policy achievable.

There are many tools and systems available to implement policies, and companies may take different approaches depending upon their culture, IT infrastructure, budget, industry, needs, risk appetite and other requirements. Some implementations focus on providing different repositories where employees can store, access and share content, such as email archiving, records management systems or even simple fileshares. Implementation of a retention policy could require employees to specify the appropriate retention period for each piece of data as it is created, or might merely require them to provide sufficient metadata enabling a system to classify the data, and automatically determine the appropriate retention period. A successful implementation may also vary tools and processes depending upon the specific department, recognizing that the legal and HR departments may have different needs and require different tools than a customer-facing account team.
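The "big bucket" approach described under Policy Development, combined with the metadata-driven classification described in this section, can be expressed as a small retention engine. The following is an added example written for this page, not EDRM's code or any product's; the bucket names, retention periods, metadata field names and department rules are constructed assumptions, and the legal-hold override reflects the litigation-hold concern raised earlier on the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed "big bucket" schedule: a handful of categories instead of 150.
# The periods are illustrative assumptions, not any real regulatory requirement.
RETENTION_SCHEDULE: Dict[str, timedelta] = {
    "personal": timedelta(days=90),
    "project": timedelta(days=3 * 365),
    "contract": timedelta(days=10 * 365),
    "hr": timedelta(days=7 * 365),
}
DEFAULT_BUCKET = "project"           # applied when neither the user nor a metadata rule classifies
REVIEW_BUCKETS = {"contract", "hr"}  # expired items go to a trained reviewer, not auto-deletion


@dataclass
class Document:
    doc_id: str
    created: str                     # ISO date, e.g. "2007-01-15"
    department: str
    bucket: Optional[str] = None     # explicit classification chosen by the user, if any
    legal_hold: bool = False         # a litigation hold overrides every retention rule
    metadata: Dict[str, str] = field(default_factory=dict)


def classify(doc: Document) -> str:
    """Bucket assignment: explicit user choice, then metadata rules, then the default bucket."""
    if doc.bucket in RETENTION_SCHEDULE:
        return doc.bucket
    # Metadata-driven rules (assumed field names): a records system could derive these
    # from the producing application rather than asking the user to classify each file.
    if doc.metadata.get("doc_type") == "contract":
        return "contract"
    if doc.department.lower() == "hr":
        return "hr"
    return DEFAULT_BUCKET


def expiry(doc: Document) -> str:
    """ISO date on which the document leaves its retention period."""
    created = date.fromisoformat(doc.created)
    return (created + RETENTION_SCHEDULE[classify(doc)]).isoformat()


def disposition(doc: Document, today: str) -> str:
    """Decision for a sweep on `today`: 'hold', 'retain', 'review' or 'delete'."""
    if doc.legal_hold:
        return "hold"
    if today < expiry(doc):          # ISO dates compare correctly as strings
        return "retain"
    return "review" if classify(doc) in REVIEW_BUCKETS else "delete"


def run_sweep(docs: List[Document], today: str) -> Dict[str, str]:
    """Disposition per document; the 'delete' entries form the defensible-destruction record."""
    return {d.doc_id: disposition(d, today) for d in docs}


if __name__ == "__main__":
    # Constructed sample inventory; the sweep date matches the page's last update.
    sample = [
        Document("d1", "2007-01-15", "sales"),                                   # default bucket
        Document("d2", "2007-10-01", "sales", bucket="personal"),                # user-classified
        Document("d3", "1997-01-01", "legal", metadata={"doc_type": "contract"}),
        Document("d4", "2000-01-01", "HR", legal_hold=True),
    ]
    for doc_id, action in run_sweep(sample, "2008-02-01").items():
        print(doc_id, classify([d for d in sample if d.doc_id == doc_id][0]), action)
```

The ordering in `classify` is the point: users are asked for a decision only when they volunteer one, most content falls into a default bucket automatically, and the hold flag is checked before any retention arithmetic so that a running schedule can never delete material under litigation hold.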

The appropriate implementation must also provide capabilities that are useful to employees in performing their daily jobs. Data needed to perform tasks should be easily available, and maintained for a sufficient amount of time. If certain departments have their own system of storing files on network shares, or even on personal workstations or laptops, it is essential that these departments align with the larger organization-wide policy – which may require a useful replacement for these storage locations. A good policy must also account for the reality of today’s workplace, such as the fact that many people work from home, potentially saving company documents or other work product on their home computers. Documents and records that might otherwise be stored on and managed from a company computer or central fileshare at the office could be stored on an employee’s home computer, obviating much of the benefit of the new policy.

Training and Enforcement

A good policy will also ensure that everyone within the organization understands and applies its underlying principles. This requires both up-front and annual training, in addition to spot audits and enforcement.

For example, if the Human Resources department is concerned that certain employees or departments could present future liability risks, an HR employee might circumvent policy by maintaining certain records beyond the policy retention period, ostensibly to protect the company. With proper training, this employee would understand that violating the policy could create other, new risks for the company – such as making it more difficult to rely upon the retention policy in litigation. Similarly, a company should periodically monitor for enforcement of the policy, providing remedial training or, when necessary, sanctions for violations.

Periodic Review

Much like the popular saying “What have you done for me lately?”, an organization’s retention policy is only as effective as its last review and update. With rapid changes in technology and industry developments, substantial changes may take place within even a 12- to 24-month period that require reconsideration and possible alteration of well-thought-out retention policies. An organization facing its first large-scale lawsuit may determine that it needs new policies to govern the generating, holding, and discarding of electronically stored information. Or perhaps new government regulations are enacted that affect the record-keeping requirements of an organization’s financial officers. Without a review of the retention policy, simple compliance with such regulations could conflict with the terms of an older retention policy, creating potential liability for failing to comply with the new requirements.

Backup and Archival Storage and Policies

Many companies will also have policies for Backup and Archive. While the terms are frequently commingled in practice, “Backup” and “Archive” actually represent two very distinct functions. “Backup” generally refers to a snapshot in time of all of the information on a system (or systems), such that the system can be restored to that point if a disaster occurs. In contrast, “Archive” generally refers to a system that maintains less frequently accessed data that is retained for regulatory, records management or other long-term needs.

Backup Policies (aka Disaster Recovery or Business Continuity policies) are generally created to enable a business to recover from some type of disaster that damages the IT infrastructure. In its simplest form, a Backup Policy will specify key systems (such as financial systems, email, etc.) that are necessary for the continued operation of the business; provide details of when and how backups of those systems should be made (e.g. full backup, incremental backup), the media to be used in creating those backups (tape, online, etc.), where the media should be stored and when the media can be recycled. In a more complex form, Backup Policies may provide for real-time backups to a hot site, to which operations can be transitioned immediately, with almost no loss of data, in the event of a disaster.

In contrast, Archival Policies recognize that certain data or categories of data must be retained and accessible over a relatively long period of time. During this timeframe, such data may be accessed very infrequently (if at all), but retention of the data is necessitated by regulatory requirements. Examples of data that should typically be subject to an archive policy include: financial information under Sarbanes-Oxley (up to 7 years); books and records requirements of the broker-dealer community under Rules 17a-3 and 17a-4 (up to 6 years); plant records under Federal Energy Regulatory Commission rules (up to 50 years after the lifetime of a plant); etc.

The chart below highlights these differences:

Despite these differences, companies continue to frequently use backup media as an archive, particularly for electronic discovery and compliance purposes. This may be largely driven by the fact that most important data is normally backed up at some point, creating a ready-made archive merely by preserving backup tapes for a long period.

However, this is a risky practice because maintaining backups as an archive can cause a host of problems:

  • A backup does not preserve content that is created and deleted between backup processes; an archive can immediately preserve content;
  • A backup creates a new copy each day, which can result in hundreds of copies over the long term, all of which may vary in minor or significant ways; an archive maintains a single, “true” copy;
  • A backup is generally stored on offline, hard-to-access media; an archive is generally contained on online (or near online) storage;
  • Backups cannot be policy managed as their contents are generally “hidden” until the media has been restored; archives are immediately accessible; and
  • Backups can represent information from several different, disparate systems; an archive is built for a specific system.
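The first two bullets above (content created and deleted between backup runs is never captured, and every backup run adds another copy of everything still live) can be checked concretely with a short simulation. The following is an added example written for this page, not EDRM's code: it models a backup as a full copy of the live system taken every N days and an archive as a single capture of each item at creation. The event log is constructed, and the archive model is a simplification (a real archive may also capture later versions) that is assumed here for the comparison.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    day: int
    action: str      # "create", "modify" or "delete"
    item: str
    content: str = ""


def backup_snapshots(events: List[Event], every: int) -> Dict[int, Dict[str, str]]:
    """Periodic backup: on every N-th day, copy whatever is live on the system at that moment."""
    by_day = defaultdict(list)
    for e in events:
        by_day[e.day].append(e)
    live: Dict[str, str] = {}
    snapshots: Dict[int, Dict[str, str]] = {}
    for day in range(max(by_day) + 1):
        for e in by_day[day]:        # apply the day's changes, then decide whether to back up
            if e.action == "delete":
                live.pop(e.item, None)
            else:
                live[e.item] = e.content
        if day % every == 0:
            snapshots[day] = dict(live)   # a full copy, as the tape for that day would hold it
    return snapshots


def archive_capture(events: List[Event]) -> Dict[str, str]:
    """Archive (simplified): capture each item once, at creation, and keep it regardless of later deletion."""
    archive: Dict[str, str] = {}
    for e in sorted(events, key=lambda e: e.day):
        if e.action == "create":
            archive.setdefault(e.item, e.content)
    return archive


def compare(events: List[Event], every: int) -> Dict[str, object]:
    """Which items each approach can produce, and how many copies of each the backups hold."""
    snapshots = backup_snapshots(events, every)
    archive = archive_capture(events)
    in_backups: Set[str] = set()
    for snap in snapshots.values():
        in_backups.update(snap)
    copies = {item: sum(1 for s in snapshots.values() if item in s) for item in archive}
    return {
        "backup_days": sorted(snapshots),
        "missed_by_backup": sorted(set(archive) - in_backups),   # created and deleted between runs
        "backup_copies": copies,
        "archive_copies": {item: 1 for item in archive},
    }


# Constructed event log: weekly backups; B and C live and die between two backup runs.
SAMPLE_EVENTS = [
    Event(0, "create", "A", "v1"),
    Event(1, "create", "B", "memo"),
    Event(2, "modify", "A", "v2"),
    Event(3, "delete", "B"),
    Event(5, "create", "C", "draft"),
    Event(6, "delete", "C"),
    Event(8, "create", "D", "plan"),
    Event(14, "modify", "D", "plan v2"),
]

if __name__ == "__main__":
    for key, value in compare(SAMPLE_EVENTS, every=7).items():
        print(f"{key}: {value}")
```

With weekly backups, items B and C never appear on any tape, while A is carried three times in slightly different states; the archive holds each item exactly once. Lengthening the backup interval widens the gap, and shortening it multiplies the copies, which is the trade-off the bullets describe.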

The media selected for backup and archiving purposes can also play an important role in the effectiveness of the policy. Over the course of the typical lifetime of an archive that is stored on backup media, the media can begin to fail and become extremely unreliable. As new technologies develop, companies may also change backup platforms – resulting in an inability to access information stored on the prior-generation media without the assistance of a third-party vendor or maintaining a separate environment. Also, any access typically requires restoration of all of the applicable backup media before any search or review can be conducted. In contrast, an archive is typically stored on long-term, inexpensive disk-based storage. Access to this media can be “slow” in computer terms – but the difference between a microsecond and a millisecond is negligible for humans needing sporadic access to this data. Finally, from a legal perspective, the use of a backup system (which is often not subject to electronic discovery inquiries) as an archival system (which typically is subject to electronic discovery inquiries) may change the effective nature of that backup system, thus making it subject to electronic discovery inquiries in the eyes of a court – potentially creating a host of unintended headaches with additional associated costs.

Usage Policies

Usage policies govern how an organization’s employees are permitted to store and use information, including remote access methods and portable information storage devices. A Usage Policy can inform the electronic discovery process by indicating where corporate information is expected to reside. For example, if an organization has implemented a policy banning the use of personal web-based email accounts to send corporate information, it may have a stronger argument to limit an adversary’s search for unique, relevant ESI to on-site systems. Without probative evidence that relevant ESI exists elsewhere -- in webmail, on home computers, or on portable storage devices -- it will be far less likely that a request to search these systems, or even to include them in the party’s list of potential sources of discoverable information (as required under Rule 26(a)(1)(B)), will be approved. Conversely, if Usage Policies are not followed and enforced, they can be worthless and provide little or no protection to a company in litigation.

Established usage policies can also aid in the effort to show that an organization has a routine, controlled, systematized, and good-faith method for management of information. This demonstration can aid in discovery proceedings in three primary ways. First, a well-organized, controlled corporate information process can build credibility when negotiating the scope and details of the discovery plan with the opposing party. Second, corporate knowledge as to where information resides, who has it, and what they do with it can support an argument that a diligent discovery plan exists. Third, it can reduce the risk of inadvertent non-productions by informing the ESI identification process.

Outside the need for information usage policies to support and structure corporate electronic discovery matters, strong usage policies are also key to managing and protecting an organization’s intellectual property, information privacy and overall information governance. As such, information usage policies should not be implemented merely to round out electronic discovery preparedness. Although electronic discovery concerns drive the initiative to create or update these policies, their benefit extends far beyond electronic discovery into the domain of information and security management.

[updated Feb. 1, 2008]
