|
|
|
Features
< Back
Sarbanes Oxley : Law : Document Retention
Preservation Perils: Updating Your Corporation's Document Retention Policy for the Digital Age
By
Michele C.S. Lange (and Matthew D. Nelson)
|
|
Michele C.S. Lange (and Matthew D. Nelson)
Kroll Ontrack
|
Although Sarbanes-Oxley (S-OX) took effect three years ago, companies continue to struggle with compliance issues. As organizations continue to migrate more and more from a paper-centric environment to an electronic and paperless environment, challenges abound. How can an organization properly retain electronic records in light of S-OX? What are an organization?s obligations to preserve electronic documents when litigation ensues? How are these obligations changing in light of recent federal rule revision efforts?
Understanding the Issues
The imposition of S-OX has helped fuel a new era of increased regulatory scrutiny that has stung corporate pocket books to the tune of millions of dollars in sanctions and landed some of America?s top corporate executives in prison. In the new millennium, new regulations now require publicly traded companies to closely monitor electronic and paper document retention. Organizations can no longer blindly destroy documents, emails and backup tapes without risking sanctions. Prior to S-OX, many companies retained digital data in an unorganized and haphazard manner. Now that the Securities and Exchange Commission, NASD, the New York State Attorney General?s office, and other regulatory agencies have sent a shot across the bow of corporate America, have corporate records management programs really changed?
Contrary to popular opinion, the Sarbanes-Oxley Act has had a modest impact on records management programs. According to a 2003 survey, only a relatively small number of respondents ? 16 percent ? indicated any substantive impact, while 61 percent said S-OX had no impact on their records retention policies. In fact, the overwhelming majority of those surveyed ? 87 percent ? reported that their records management budgets had not increased as a result of S-OX.1
Compare these statistics with today?s business climate where outdated email, antiquated files and archival data stored on backup tapes or disks are often kept for months or years past their useful life:
- At least 92 percent of all business information is generated in digital form. 2
- The total number of electronic records produced on the planet is expected to double every 60 minutes over a 10-year period. 3
- Approximately 1 in 20 companies have battled a workplace lawsuit triggered by employee email.4
Recent case law reveals growing instances of unwieldy preservation of all electronic data and inadvertent failures to appropriately follow companywide document retention policies. Electronic data created in the course of business can sometimes come back to haunt a corporation when litigation ensues. For example, in Murphy Oil USA, Inc. v. Fluor Daniel, Inc., 2002 WL 246439 (E.D. La. Feb. 19, 2002), the court stated, ?Fluor?s email retention policy provided that backup tapes were recycled after 45 days. If Fluor had followed this policy, the email issue would be moot.? As a result of Fluor?s deficient document retention administration, the parties spent a considerable amount of time and money arguing over the discoverability of email messages which should have been destroyed.
This case is not an anomaly. In fact, document retention and preservation mishaps have continued to dominate the legal headlines. For example:
- In United States v. Philip Morris USA Inc., 327 F.Supp.2d 21 (D.D.C. 2004), the defendants maintained their normal monthly email deletion policy, even after the court ordered them to preserve all potentially relevant documents. In punishing the defendants, the court imposed $2,750,000 in sanctions and precluded key employees associated with the deleted data from testifying at trial.
- In re J.P. Morgan Securities Inc., SEC, Admin. Proc. File No. 3-11828 involved a charge by the SEC, NASD, and New York Stock Exchange against J.P. Morgan Securities Inc. for failure to preserve email for the required three-year period and for lacking adequate email preservation systems or procedures. J.P. Morgan settled the charges without admitting or denying wrongdoing, agreed to pay a total of $2.1 million, and consented to establishing procedures for complying with email preservation laws, regulations and rules.
- In Zubulake v. UBS Warburg, 2004 WL 1620866 (S.D.N.Y. July 20, 2004), the court determined an employer had willfully deleted relevant emails despite contrary court orders. Finding the employer had a duty to preserve the missing emails, since it should have known that the emails may be relevant to future litigation, the court sanctioned the employer and also ordered the employer to pay costs.
In addition to S-OX, the U.S. federal court system is fueling the document retention and electronic evidence debate in civil litigation by proposing significant changes to the existing Federal Rules of Civil Procedure. Judges, litigators and academics serving on the Committee on Rules of Practice and Procedure have been working to clarify electronic discovery issues since August 2004 when the first set of proposed amendments were made available for public comment. If adopted in their present form, the proposed Federal Rule changes could become law in the next year, changing the way litigators exchange electronic information during discovery.
With these changes and the realities of S-OX, where should corporations turn for clarification on their own retention, preservation and discovery policies?
Sarbanes-Oxley and Electronic Document Retention
Sarbanes-Oxley imposes requirements on public companies and their accounting and auditing teams relating to the retention and destruction of certain financial records. Some of the Act?s key provisions and the resultant SEC rules as they relate to electronic evidence include the following:
- Document Alteration or Destruction. §8025 of the Act amends the federal obstruction of justice statute by adding two new offenses. First, individuals who knowingly alter, destroy, mutilate, conceal or falsify any document or tangible object with the intent to impede, obstruct or influence proceedings involving federal agencies or bankruptcy proceedings may be fined, imprisoned up to 20 years, or both.
- Mandatory Document Retention. Second, §802 directs (1) accountants to maintain certain corporate audit records and work papers for a period of five years and (2) the SEC to promulgate any necessary rules and regulations relating to the retention of relevant records from an audit or review. To maintain consistency with other areas of the Act, the SEC adopted a seven-year retention period for these documents. §802 imposes fines and/or a maximum term of 10 years imprisonment for violation of these provisions.
- Obstruction of Justice. §11026 of the Act expands the obstruction of justice statute that prohibits tampering with witnesses. Now acting or attempting to ?corruptly? alter, destroy, mutilate or conceal a record or other object ?with the intent to impair the object?s integrity or availability for use in an official proceeding? is punishable with fines and/or imprisonment of up to 20 years.
The impact of S-OX on electronic data management is basically two-fold. The first part of §802 places criminal liability on any person who knowingly destroys documents or objects relating to a federal agency investigation or Chapter 11 Bankruptcy. Secondly, §1102 prohibits persons from corruptly altering or destroying documents with the intent to impair an official proceeding. The definition of ?document? in these statutes is likely to be interpreted to include electronic document destruction. Given its breadth, these provisions give the federal government authority to prosecute electronic evidence tampering, cyber-crimes, and other computer hacking resulting in information destruction relating to official proceedings.
Federal Rule Revisions Relating to Document Destruction
Despite the significant criminal penalties that may result from S-OX noncompliance, corporations should also be aware of other legal developments that are making their way into federal statute books. For instance, the proposed amendments to the Federal Rules of Civil Procedure ? the ?playbook? for civil litigation in the U.S. federal court system ? add another level of concern and compliance measures for corporations and the attorneys who represent them. These proposed amendments, similar to current S-OX obligations, give courts the ability to impose broad orders governing a party?s retention obligations and penalties for noncompliance with preservation orders.
Proposed Rule 34(a) clarifies and modernizes the definition of discoverable material by specifically indicating that electronically stored information is subject to discovery. This means that litigating parties would have a clear duty to preserve and produce relevant electronic documents, databases, and communication once they have notice of impending litigation. Some practitioners and organizations have expressed concern with this revision, stating the Rules exacerbate already complex problems associated with corporate document retention and records management.7 While the proposed Rules make it clear broad categories of ?electronically stored information? may be discoverable, the Rules do not outline best practices for instituting a document retention policy or standards for complying with such broad preservation requirements.
In addition to the changes in Rule 34, proposed Rule 26(b)(2)(iii) outlines a two-tiered approach for facilitating the exchange of information between parties in litigation that treats ?reasonably accessible? data differently from inaccessible data. The proposed Rule states in part: ?A party need not provide discovery of electronically stored information that the party identifies as not reasonably accessible. On motion by the responding party, the responding party must show that the information sought is not reasonably accessible. If that showing is made, the court may order discovery of the information for good cause and may specify terms and conditions for such discovery.?8 Although the distinction between ?accessible? and ?inaccessible? data is not clearly defined, some argue the proposed rule may encourage corporations to develop a policy of retaining data in an ?inaccessible? format since ?inaccessible? data is less likely to be subject to production. Similarly, corporations revisiting their document retention policies would also be advised to consider any applicable state and federal cases or statutes referencing data inaccessibility as it relates to cost shifting protocols in litigation.9
Over the next few months, the Rules Committee will likely make revisions to the proposed Rules based on feedback from the public. If the proposed Rules are approved and codified into law, federal courts and lawmakers will take a great step forward in setting electronic evidence standards for litigators, corporations and courts. However, much work still remains to adopt a consistent set of electronic record retention and preservation best practices.
Records Retention Policy Best Practices
In today?s era, maintaining a superior records retention system requires consideration of electronically created and stored data. Regulatory agencies, organizations and academics have affirmed the importance and benefit of solid records retention policies. For example:
- In rolling out S-OX, the SEC stated ?those firms with good records management systems should have more efficient services and more secure information.?10
- According to the Sedona Conference, a legal and political think tank founded for the purpose of establishing reasonable standards and principles for handling and managing electronic evidence, ?[t]he responsible handling of electronic information and records should be considered a core value of an organization ? [i]ncomplete or inadequate execution of an electronic information and records management policy may result in the loss of valuable business information.?11
Retained and deleted electronic evidence could become intricate minefields of liability in the event of a lawsuit or government investigation ensues. Even if data is effectively deleted and overwritten from a hard drive, it may not be permanently eliminated. Numerous ?electronic footprints? may still exist if documents have been copied to other media, saved in a routine system backup, or emailed to any one else.
Organizations must find a balance between appropriate destruction of stale and non-regulated documents and adequate preservation of potentially significant documents. Such balance is the key to effective electronic document management and protection of informational assets. To mitigate the risk associated with electronic information management, firms and corporations should create a document retention policy that specifically addresses electronic data.12 The policy should start with an electronic information inventory of the firm?s electronic framework, including documentation of:
- all electronic hardware and software in use throughout the company (including cell phones, PDA?s, laptops, etc.),
- all locations and storage formats of archived electronic data, and
- all methods in which data can be transferred to/from the company.
This inventory provides a ?table of contents? for the document retention policy ? supplying an outline of the company?s electronic framework.
The bulk of the retention policy should include methods for classifying documents, determining retention periods, setting the retention schedule and procedures, and selecting a records custodian. The policy should also create an index of active and inactive records and implement ?log books? which record all destroyed documents.
Lastly, the policy should include delegations of record keeping authority amongst the different departments, a reporting structure, and the delegation of a discovery response team in the event of pending or impending litigation. Litigation response teams should include outside counsel, corporate counsel, human resource supervisors, business line managers, record management and information technology staff. This team should have official authority to quickly suspend or alter any document retention policy in the event of an emergency.
Once the document retention policy is established, the company should clearly document and regularly train employees about the policy?s impact on daily business operations. For example, employees should be trained to properly manage the content of both paper and electronic documents they generate. Drafting documents thoughtlessly could put the company at risk during litigation and investigations. Additionally, employees should know how often they are allowed to delete email and under what circumstances they must retain email files. Organizations must also work closely with the IT and human resources departments to post the policies and a ?frequently asked questions? brochure on the company?s Intranet site.
Most importantly, a corporation must retain all relevant documents when they know or should have reason to know that the documents will become material at some point in the future. ?A corporation cannot blindly destroy documents and expect to be shielded by a seemingly innocuous document retention policy.?13 If the company uses automated software to destroy records, it should halt programming in the wake of imminent litigation.
Conclusion
Corporate leadership and corporate counsel should consider electronic data management a top priority. Digital document management is not an annual ?spring cleaning? but rather a business initiative that must be continually reviewed, updated and audited ? especially as federal regulations such as S-OX continue to develop and the civil litigation rules change to address the realities of the digital age.
1 http://www.cohasset.com/survey_research.html
2 Lyan, P. and Vatian, H., How much information? (2003).
3 1 Rich Lysakowski & Zahava Leibowitz, Titanic 2020 ? A Call To Action.
4 2003 Email Rules, Policies and Practices Survey by the American Management Association, The ePolicy Institute, and Clearswift.
5 SEC Rule 802-2, available at: http://www.sarbanes-oxley.com/search.php?q=802.
6 SEC Rule 1102-2, available at: http://www.sarbanes-oxley.com/search.php?q=1102.
7 See ?2004 Civil Rules Comment Chart, Including Requests to Testify? http://www.uscourts.gov/rules/e-discovery.html.
8 Proposed Federal Rules available at: http://www.uscourts.gov/rules/.
9 See California Rules of Civil Procedure Section 2031(g)(1); Zubulake v. UBS Warburg, 217 F.R.D. 309 (S.D.N.Y. 2003); Toshiba Am. Elec. Components, Inc. v. The Superior Court of Santa Clara County, 21 Cal. Rptr. 3d. 532 (Cal. Ct. App. 2004).
10 SEC Rule 802-3.
11The Sedona Guidelines: Best Practice Guidelines & Commentary for Managing Information & Records in the Electronic Age (Sedona ConferenceSM Working Group Series 2004). http://www.thesedonaconference.org/publications_html.
12 See Daniel I. Prywes, ?The Sarbanes Oxley Act Raises the Stakes for E-Records Management? Digital Discovery & E-Evidence, October 2002 at 1.
13 See Lewy v. Remington Arms, 836 F.2d 1104 (1988).
Michele C.S. Lange (and Matthew D. Nelson)
Kroll Ontrack
Michele C.S. Lange, Esq.
Michele Lange is a staff attorney at Kroll Ontrack in Eden Prairie, Minnesota. Ms. Lange tracks the evolving common and statutory law in the areas of electronic discovery and computer forensics and assists practicing attorneys with electronic discovery issues. She has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law.
Matthew D. Nelson, Esq.
Matthew Nelson is a Legal Consultant for Kroll Ontrack in San Francisco. He has spoken extensively on issues relating to technology and the law, and he is also responsible for conducting CLE's and other programs for attorneys and litigation support professionals. He is licensed to practice law in Idaho and California.
|
|
|
|
|
