Companies face legal and regulatory requirements for retaining records. Each company's specific requirements should be detailed in a Record Retention Policy and accompanying Record Retention Schedule. These provide both a legal basis for records compliance and a consensus on which records should be saved, how long they must be kept and, equally important, when they should be deleted (destroyed). Since a large company may face as many as 30,000 specific retention rules, creating a compliant and defensible policy can be quite a task. Yet creating a policy and schedule is the easy part. A greater challenge for many organizations is executing their record policies against both physical (e.g., paper, tapes and other physical media) and electronic documents. What makes a record program defensible is not so much the policy, but how consistently and comprehensively the policy is implemented, as well as being able to demonstrate that the policy is being executed.
Many organizations have well-developed processes for retaining and destroying paper records (often through an offsite record storage vendor), but struggle when implementing the record policy for electronic information including emails, files and records in databases. According to ARMA International, in most companies, more than 90% of records are created or received in electronic format. Hence, poor record retention compliance for electronic information represents a significant compliance and eDiscovery risk. Worse, many employees tend to "hoard" their electronic information, and copies of the same record often exist across multiple media, including electronic and paper copies.
1. Are emails really records? Do we need separate categories for email vs. paper records?
Some organizations take a misguided approach of listing email as a record category in their Record Retention Schedule (RRS). Record determination is based on the content, not the medium. Records exist in all types of media, including paper, files and social media. Email is simply another medium. Email as a medium contains both records and non-records, and some records exist exclusively in email. Some examples of records that may exist exclusively in email include supplier contracts, employee vacation requests, expense approvals, requisitions, employee reviews, quarterly reviews and legal opinions. The percentage of records in email varies by, for example, type of company or compliance profile and ranges from as little as 5% of emails to as high as 40% for some organizations. Furthermore, some of these emails are copies of records that may have been created or exist in other media (such as paper files, which are often better managed), while other email records exist exclusively in email.
While some emails contain records, that does not mean that they should be casually managed and saved forever in employee email inboxes or offline email files (called PST files). Good record management practices include: identifying the proper record custodian (not all employees need to save all emails); identifying the right medium to store a record (email is often not the best place to save attached files); determining the right repository (increasingly companies are using content management and archiving systems to better save emails); and having routine and defensible deletion processes. Good record practices will allow you to save what you need, while getting rid of what you don't, both increasing compliance and reducing costs and risks.
2. What if my employees say my Record Retention Schedule is too confusing?
Faced with a growing accumulation of electronic information, many companies strive to create records retention policies and schedules that list each specific record type and the legal citations supporting the retention, sometimes creating hundreds of records categories requiring lengthy Record Retention Schedules. The hope in this detailed and granular "little bucket" approach is that it will enable records to be disposed of soon after the retention period has expired. While legally accurate, many employees find these detailed RRSs too difficult to follow, especially with the high volume of incoming electronic documents they receive and create every day. The result is a legally correct and largely unimplemented RRS, leading to lower compliance and greater risk.
To increase compliance, companies can create simpler, "bigger bucket" RRSs with fewer categories and include clear examples organized either by department or role. The "bigger bucket" approach trades granular categories for an easier-to-follow approach, leading to better compliance. The "bigger bucket" retention categories may keep some records in the bucket longer than their minimal legal retention period, but records become easier to classify and, once classified and managed, disposition becomes an easier process. Like many areas of compliance, this is a balancing act.
3. How do we get employees to properly classify records, especially emails and files?
Record retention processes are constrained by the "five second rule." Employees will, on average, spend no more than five seconds referencing, classifying and storing documents as a record, and often less than that. If the process takes longer, even well-meaning employees will ignore retention processes. Thus, the traditional process of looking up a record in the retention schedule, moving the document to a repository and selecting a classification often exceeds the five second rule, and companies experience very low employee compliance with their policy.
Instead, many companies are moving away from using the record retention schedule itself as a guide for individual employees, and instead are creating higher-level and easier-to-follow "file plans." Companies are also developing system "taxonomies" which can be encoded into archiving and enterprise content management systems. In other words, they are teaching these technology systems the retention rules, and when an employee puts an email or file in the right folder or storage area of these systems, the system then tags the record with the appropriate retention period. This creates more complexity at the system level, as multiple folders need to be mapped to the file plan and taxonomies, but presents a much simpler view for employees.
4. How do we prevent employees from hoarding documents?
A key element of an effective record retention program is both retention and, equally important, disposition, yet many employees hoard electronic documents, saving nearly everything forever. This increases both risk and costs. Companies generally take two approaches to combat hoarding, one which is generally ineffective and the other effective.
On average, as much as 70% or more of an organization's stored email, files and other electronic content is either an expired record, extra copy or content that has low or no business value and, assuming it is not subject to legal hold, can and should be deleted (destroyed). Many organizations, out of frustration, undertake "aggressive deletion" programs and delete (for example, after 30 or 60 days) emails not explicitly declared and stored as a record. While this initially deletes a lot of information, employees quickly realize their content is going away and engage in "underground archiving" by printing out emails and other electronic files, saving them on USB drives or even forwarding them to personal email accounts or email servers.
A better approach is to allow employees to save both records as well as non-records in easy-to-save repositories that include managed folders for records as well as "working document" areas for non-records (with, for example, two-year retention capabilities). The first objective is to capture emails and files into places where they can be controlled, and then let the systems delete older files and documents as appropriate (i.e., over a longer period of time). First, get control. Once under control, unneeded information is much easier to delete (destroy).
5. How do we avoid saving the same record in both electronic and paper in multiple locations?
Another challenge is saving the same record in multiple places and/or across multiple media. Some employees may create a file and save it on a file share, and then email it to a number of people, some of whom may print it out on paper. These duplications and over-retentions are large factors in increasing eDiscovery costs.
There are a number of approaches to limit over retention:
Designate Custodians - As part of the program rollout and training, designate and train custodians for certain records. Equally important is training employees on which records they are not a custodian for.
Designate and Train on Media - For each record, determine the system of record, including whether it is an electronic or paper medium, and train on it. Many employees sometimes erroneously believe that only paper copies of records meet legal requirements. Designate a system for each record type.
6. How do we apply retention to records in database systems?
Many records are created or stored in database systems. While not intuitive, the transactions in a database system are considered documents, many of which have content that makes them a record. Most applications that use a database are designed to save information indefinitely. Typically, the greater challenge is deleting older, unneeded and expired records in these database systems. Unlike emails and files, managing and deleting structured data in database systems requires some level of application programming performed by IT staff. Some approaches include:
Inventory and Classify - Inventory applications and their databases and apply this information against your RRS to determine recordkeeping requirements and possibly identify potentially expired records.
Deletion - Create a risk profile of the applications with the most expired records and investigate deletion strategies. Some applications have built-in deletion functions (which are often unused). Some applications have the ability to archive older information into easier-to-access formats. Unfortunately, this needs to be done on an application-by-application basis. Therefore, start with the applications that pose the most risk.
Governance Standards - Socialize record retention policies and strategies within the groups that launch new applications to ensure that all new applications have a mechanism for deleting older, unneeded data.
7. How do we monitor employees to make sure they are following the policies, or do I just get them to acknowledge policy compliance?
While training and policy acknowledgement are an important component of compliance, independent surveys have shown that many employees either do not understand the policy or are not following it. They tend to click on the compliance link so they can fulfill management's requirements and get back to work. This lack of compliance creates the appearance of willfully disregarding the policy and creates risk.
One method to drive employees to program compliance is through monthly or quarterly employee policy self-compliance. On a periodic basis, employees should be required to click a link in an email acknowledging they are aware of, understand and are complying with the company's record retention policy. This has the illusion of both being easier to execute as well as forcing employees to follow policies they otherwise may not. Periodic audits should be conducted to verify their understanding and compliance.
8. What do we do if a business unit ignores the policy?
A good assumption to start with is that business units do not care about records compliance. This is not necessarily true, but it serves as a foundation for getting them to care. Instead, take an approach that identifies and socializes what is in it for them.
Talk to the Business - Do not create your record program sequestered in a conference room divorced from the business units. Talk to and listen to employees. Find out what information they have, where they keep their information, and what they really need to have in order to do their jobs. Find out their current frustrations in managing and accessing information. And, most important, make sure they feel heard.
Update the Record Retention Schedule to Include Business Value - Organizations are often reluctant to engage in deletion knowing that some of the records must be retained for a period of time to satisfy regulatory or legal requirements. These can be referred to as "Records" - with a capital "R." Another category is "records" - with a lower-case "r" - information that has business value but for which there is no external mandate to keep. Everything else can be referred to as "transitory" information. Best practices dictate that RIM professionals take the lead in guiding the definition, identification, and classification of "big R," "little r" and "transitory" information, with policies and procedures embodied in a records management program.
One common mistake organizations tend to make is that such programs are focused too narrowly, often solely, on the "big R" records. Other parts of the organization may see value in content beyond "big R." The policy update process is an opportunity to better harmonize management of both records and content that have business value. It is a chance to build a consensus with the business units on what should be saved and what should not be saved. A good cross-functional team can decide on priorities and resolve conflicts.
Enact Behavior Change Management - Often the most overlooked component of a records management program is behavior change management: getting employees to abandon older "save everything everywhere" behaviors in favor of putting information in the right place and keeping it for the right time. This is a combination of messaging, communicating, training and auditing. Good records and information management makes individual employees more productive and business units more collaborative. Find the win for employees and use this to drive your program.
Audit and Remediate - Records management, especially for large organizations, is an inherently complex program. Do not expect everything to work as expected the first time. Rather, deploy, audit and remediate. If a particular group is not fully following the program, determine why. Is the training not clear? Has all of the high-value information been captured? Is it something else? This iterative approach not only drives a successful program, it is also the backbone of demonstrating compliance. The deploy and remediate approach also takes the pressure off of waiting until your program is perfect (and it never will be) before starting execution.
9. Do records in my international operations need to be followed differently?
Many international locations face different local retention requirements as well as stricter privacy rules. The temptation may be to create separate RRSs for each country in which a company operates. The problem is that executing retention across even a few RRSs quickly becomes incredibly complex and unmanageable, especially since many IT systems are centrally deployed across many countries.
Many companies have found a more effective approach is to create global schedules that contain local exceptions where necessary, and to launch the execution of these schedules on a region-by-region basis. This includes balancing "big bucket" high water mark retention categories against local requirements, and then developing region or language-specific training programs. Keep the policy simpler and the execution more tailored.
10. How do we defensibly delete without worrying about spoliation?
Failed approaches and fear of spoliation have paralyzed many organizations' attempts to get rid of expired records and unneeded documents. Don't give up. Ongoing deletion of expired or unneeded information is an important component of any program, and cleaning the "clutter" is important to allow employees to find and collaborate on high value information. Good deletion follows some clear best practices.
Update Legal Hold Processes - Be sure you have well defined, well documented and compliant legal hold processes consistent with Sedona and other case law.
Capture Content and Control Deletion Through Automated Repositories - Capture and retain records in the right repositories, and let these repositories delete individual records based on their retention period. Slow and steady wins the race.
Avoid Indiscriminate Deletion - In general, the courts frown upon employee selective deletion. The risk is that an opposing party may claim that when deleted selectively, only "hurtful" information was deleted. It is better to have a more automated, systematic approach - one that can easily be audited.
Document Your Processes - Always document your policies and processes, including deletion. This shows you followed your own policies and processes. All records management is an inherently imperfect process, and that is OK. Document that you took the right steps at the right time, albeit imperfectly.
ACC Information Governance Committee - Engage with other in-house counsel helping their companies reduce risk, increase compliance and lower costs through Information Governance.
ACC Information Governance Primer for In-house Counsel InfoPAK - written by Contoural and available on the ACC Website.
"Building a Business Case for an Information Governance Program," ACC Docket, October 2014 - Available on the ACC Website
Contoural is the largest independent provider of strategic Information Governance consulting services. We work with more than 30% of the Fortune 500, and numerous mid-sized and small companies and provide services across the globe. We are subject matter experts in Information Governance, including traditional records and information management, litigation preparedness/regulatory inquiry, information privacy and the control of sensitive information, combining the understanding of business, legal and compliance objectives, along with operational and infrastructure thresholds, to develop and execute programs that are appropriately sized, practical and "real-world." Contoural is also a sponsor of ACC's Information Governance Committee. More information is available at www.contoural.com