- 0 Comments
It has long been the duty of litigants to preserve and disclose relevant documents “as they are kept in the usual course of business.” But everything is not business as usual. Increasingly, organizations are no longer free to set their own rules as to how they manage their documents: which ones to keep and which to destroy. Instead, Federal, state, local and international bodies are defining what documents must be kept, in what format, for how long and who may see them.
“Over the past decade, information, in many forms, has become the focal point of various regulations and laws. … Our research found more than 10,000 laws and regulations in the United States alone drafted by federal and state legislative bodies. … These regulations also address the process by which records must be created, stored, accessed, maintained, and retained over increasingly long periods of time, in some cases, beyond the life of a human.”
Enterprise Storage Group May 2003 Research Report
Looking beyond the regulatory aspects of these new laws, they will also have a profound affect on litigation. To begin with, they create a road map for a party as to exactly what documents the other party should possess, what they contain and where to find them. If one party lacks the records required, it exposes itself to discovery sanctions and regulatory penalties. On the other hand, keeping documents for compliance purposes rather than destroying them, as would be the usual business practice, means there is a lot more data available for discovery purposes.
“It is easy to comply if you save everything,” says Bob Gomes, CEO of Renew Data Corporation in Austin, Texas. “The tension is that all of that data is now discoverable.”
Having all the information easily locatable, however, also gives a party the advantage of knowing whether to pursue a case or settle it.
“When a large corporation gets sued, it doesn’t always know if there is a smoking gun somewhere in its records,” Gomes continues. “Part of a good retention policy is you know your position so when a suit comes in, you can do discovery on your own and determine what is there. If there is a smoking gun, you settle early, but if there is no evidence you don’t settle.”
Beating the Deadline
Getting up a compliance program is similar to managing litigation discovery. The difference is that it is done on an ongoing basis, rather than in response to a pending lawsuit. As in large cases, it is not something that can be executed manually. It requires a combination of process and tools.
The process aspect starts with identifying which regulations a company must comply with, and what records it has that fall under the purview of those regulations. Afterwards comes the establishment of procedures and the training of staff to follow those procedures. Those procedures should cover both the retention and destruction of documents. The procedures need to be followed on the prescribed schedule.
“It’s a very bad idea to have a lawyer send around an e-mail saying ‘remember our document retention policies’ just as the feds are preparing to walk in the door,” says Geoffrey Bock, senior vice president for the Patricia Seybold Group in Boston, MA, referring to the actions that led to the downfall of accounting firm Arthur Anderson.
But once the policies are established, there is still the matter of locating and managing all the documents that fall under those regulations. It can’t be done manually. Just as one needs document management software to digest and organize large batches of discovery documents, tools are needed to ensure that the right documents are stored in the right way.
“Over the last 18 months I have seen a lot of interest in software for regulatory compliance,” says Brian Babineau, a research analyst for Enterprise Storage Group. “People need to get a grasp on what data is being created in their organizations right now.”
These tools allow users to create policies to meet regulatory requirements. Companies can also purchase specific modules containing the necessary policies to comply with a specific law such as Sarbanes-Oxley or HIPAA. The software then searches the network for any email, word processing files or other documents which match the policies and saves or deletes them accordingly. Some software can also control access to documents, maintain any required logs, and generate reports necessary to demonstrate compliance.
Babineau points out that although there are over 10,000 regulations on data currently in force in this country, few of them are actively being enforced as of yet. To a degree, we are still in a grace period as companies set up the systems needed. But that doesn’t mean one can afford to be complacent about compliance. Two years ago the SEC fined five broker-dealers $5.4 million for failure to retain e-mail communications, and last fall a San Francisco accountant was arrested for destroying audit papers in violation of Sarbanes-Oxley.