Forensics Journal - Stevenson University 2012 | Page 47
FORENSICS JOURNAL
Organizations often have a hoarding mentality, believing that one
useful piece of information might be maintained to save a company
or person during litigation. However, several professionals have
argued that this is normally not the case. It is more probable that
information maintained beyond its retention period will harm an
organization more so than help it (Cisco, 2010). Given the survey
results described above, this does not appear to deter employees from
retaining the information.
Another significant issue with the retention of ESI is the format
in which it is retained. Most organizations backup their systems
and servers on a periodic basis, however such backups are normally
“snapshots” of information maintained for recovery purposes. As
Heer and Osterman explain in their research paper, The Impact of the
New FRCP Amendments on Your Business, there are three clear issues
with the use of backups for record retention. First, backups are made
of raw data which creates the inability to index the information for
discovery at a later time. Second, older backup tapes are commonly
unreadable and corrupt when maintained over a long period of time.
Finally, because of the snapshot nature of backup tapes, they do not
include information that is created and deleted between backups
(Heer & Osterman, 2007).
Regardless of its form, ESI has become a type of information that
organizations are loath to destroy. In an article published by Information Week, entitled “Appetite for Destruction,” Conry-Murray posits
three reasons for this apprehension. First, organizations are not always
confident that they are legally allowed to destroy their information.
Second, companies are nervous that they will destroy relevant information that could later save them during litigation. Finally, organizations are not knowledgeable enough about their information to
determine what can and cannot be destroyed (Conry-Murray, 2008).
Given the reasons above, it is important to note that the apprehensions identified by Conry-Murray can be found present in most
organizations and also apply to physical forms of documentation.
Searching ESI increases the time and resources needed to adequately
perform the discovery process. ESI is often difficult to search, find
and obtain exactly what is needed by both parties in litigation. In a
2009 decision by Judge Andrew Peck, the “need for careful thought,
quality control, testing, and cooperation with opposing counsel in
designing search terms or ‘keywords’ to be used to produce emails or
other electronically stored information” was emphasized (Vinson &
Elkins LLP, 2009).
REGULATORY REQUIREMENTS
INSUFFICIENT KNOWLEDGE AND APPLICATION OF CORPORATE POLICIES
Industry and regulatory requirements usually dictate document retention policies in organizations. The plethora of regulatory federal and
state agencies, in addition to professional associations which outline
confusing and contradictory retention requirements for various types
of information, can add to an organization’s failure to understand and
comply. Further, continuously changing regulation requires organizations to stay abreast of updates and amend their operations accordingly.
Despite a 73 percent document retention policy reported by companies, there remains lack of compliance by many employees. Policies
created commonly go unnoticed or are completely disregarded by the
employees required to abide by them (Diamond, 2010, June 29). This
disconnect causes a gap between what an organization says it requires
and how it actually operates, which is actually a riskier approach than
not having a policy at all (Diamond, 2010, June 29). The inconsistent
application of document retention policies raises “red flags” to regulators, and can make the company appear to have poor operations with
higher risks for fraud and non-compliance (True, 2010).
The Internal Revenue Service provides guidance regarding the number of years a tax return is subject to audit and therefore should be
retained. The general amount of time is three years. However, this
becomes longer and sometimes indefinite when fraudulent or unfiled
tax returns come into play (How Long Should, n.d.). As if the IRS’s
guidance does not make it difficult enough for an organization to
determine how long its records should be kept, the Sarbanes-Oxley
Act of 2002 and the Securities and Exchange Commission (SEC)
are two examples of a regulation and a regulatory agency which add
another layer to the process. In 2002, after the infamous fall of Enron
Corporation and its auditor Arthur Andersen, the Sarbanes-Oxley Act
was created to protect shareholders and enforce stricter penalties for
corporate scandals (Bumiller, 2002). Section 802 of the Act mandates that auditors of public companies retain all audit work papers
for a minimum of five years after the end of the respective fiscal year
(Sarbanes-Oxley Act, 2002). One year after enactment, the SEC
released Regulation S-X, which increases the retention period of audit
and review work papers from five to seven years (Final Rule: Reten-
RELUCTANCE TO DESTROY DOCUMENTS
Surveys conducted by Inside Counsel revealed that approximately
90% of employees retain documents beyond their required retention
periods (Diamond, 2010, November 15). One common method in
which this is done is via “underground archives,” which are files maintained by individuals to protect themselves from potential disputes
(Diamond, 2011, March 21). Information and documents retained
in violation of an organization’s document retention policy increases
associated risks to the organization because the individuals responsible
for oversight no longer have the ability to track, organize, and access
the information for retention or destruction. This also increases the
likelihood that the information will be maintained past its associated
retention period thus becoming vulnerable to discovery.
45