Forensics Journal - Stevenson University 2012 | Page 48
STEVENSON UNIVERSITY
1. Identify, Classify, and Determine Applicable Retention Period. An
effective document retention policy should identify all categories
and types of information that must be maintained. Information
found on individual laptops, email servers, removable thumb drives,
printers and cell phones should be outlined and described in the
policy. Retention periods should then be assigned to each category.
It is imperative for the organization to gain an understanding of the
regulatory and industry standards that mandate their operations and
determine retention periods accordingly. It is equally important to
know where the information is found and its purpose. Therefore,
organizations should create detailed process maps that capture pertinent information along the way, such as the date the data was created
and purpose of information (Irvin, 2010).
tion of Records Relevant to Audits and Reviews, 2003). However, if
the same information supports an audit and an unfiled tax return,
that information must be kept indefinitely.
Another aspect of regulatory requirements is the expectations of court
proceedings. From a litigation standpoint, five standards of electronic
discovery were created by United States District Court Judge Shira
A. Scheindlin in response to Zubulake v. UBS Warburg. As part of
these standards, “once a party reasonably anticipates litigation, it must
suspend its routine document retention/destruction policy and put in
place a ‘litigation hold’ to ensure the preservation of relevant documents” (Cogliano, 2007). Therefore, these standards stipulate that
it is most important to retain documents and ESI when litigation is
looming, unlike certain legislation which mandates a specific number
of years. Overall, while an organization’s document retention policy
will guide its business operations, it is the regulatory and industry
standards that will take precedence and determine if the company is
compliant and acting in good faith.
2. Implement A Records Management System. During litigation, the
cost of discovery increases with the amount of information available
to be searched (Conry-Murray, 2008). Eventually, there comes a point
in time when the cost to provide and review historic documents outweighs the potential benefit gained during a lawsuit. Retaining older
documents also causes the cost of storage to rise over time (Saffady,
2011). In an effort to decrease costs, improve compliance and facilitate the efficiency and effectiveness of discovery, organizations should
use technology, such as an Enterprise Content Management system
(ECM), to streamline the document retention process. Regardless of
an organization’s size, varying ECM products and solutions are available to assist in such processes.
DETERMINATION
Based on the information gathered, it might be thought why not keep
everything? Organizations would not need to develop a policy, worry
about whether or not its employees are compliant, or stay abreast of
changing regulations. However, hoarding documents and information
is not the answer. Instead, it is both practical and realistic for companies of all sizes to have a document retention and destruction policy.
Such policies are vital to a company, especially if litigation is likely. As
part of the FRCP amendments, a “safe harbor” was put into place to
protect companies who fail to provide relevant information because
of the “routine, good faith operation of the party’s computer system”
(Heer & Osterman, 2007). An example of routine, good faith is the
development and implementation of a document retention policy.
However, merely writing a policy and posting it to the company
intranet site does not excuse the inability to produce information.
Organizations must also be able to prove that the policy is monitored
by, communicated to and complied with by its employees. In the
event an organization cannot provide adequate evidence, courts can
conclude that a company has not acted in good faith and is guilty of
spoliation (Heer & Osterman, 2007).
3. Provide On-Going Training to Personnel. According to survey results
presented above, there is a gap between policy development and compliance. To remedy this, document retention training should become
an on-going process that is provided periodically and monitored by
upper management. Training should include the organization’s expectations of individuals as well as explanations behind the policy (e.g.
regulatory requirements).
4. Collaborative Effort. While seemingly difficult at first, organizations should ensure the appropriate group of individuals is included
in the development and implementation of the document retention
policy and oversight process. Relevant departments will likely include
Information Technology, legal and business unit leaders, but will also
be unique to each organization (Hill, 2009).
BEST PRACTICES
5. Perform Annual Internal Audits of Compliance. Auditing compliance
is one of the few ways to ensure and prove successful implementation
(Smaroff, 2011). As stated by LexisNexis, “If a company’s policy is
comprehensive and routinely audited, it can provide the court with
assurance that a company has all of the information it is required to
keep, and knows how to find it which can go a long way to protecting
a corporation in the long run” (LexisNexis Discovery Series, 2007).
Today’s organizations require a better way to organize and manage their
information as well as efficiently respond to discovery requests while
reducing the risk of non-compliance (Irvin, 2010). In order to mitigate
the risks associated with inadequate preservation of documents, the
implementation of a document retention policy has become an industry best practice. The following discussion identifies six common best
practices and respective benefits of their implementation.
46