By Iron Mountain's Australasian MD, Ian Hollow
So you know that the capital of Swaziland is Mbabane; that Janis Joplin, Jimi Hendrix, Jim Morrison and Kurt Cobain all died aged 27; you can sing all the words to the French national anthem (Allons enfants de la patrie…); you can even quote the value of pi to ten decimal places…but you can’t for the life of you remember where you’ve left your car keys!
For many organisations, corporate records management is a lot like the human memory – mounds of (probably useless) information stored because that’s what the law requires. It’s organised in a questionable fashion in the hope that one day someone might want a sample of it. But seldom are we able to retrieve a vital fact when we really need it – at least not without a whole lot of effort – and that assumes, of course, that it hasn’t already been wiped from the record!
But brace yourself, because it just got even harder! As SEC Chairman William Donaldson says: “Simply complying with the rules is not enough. They should make this approach part of their companies’ DNA. For companies that take this approach, most of the major concerns about compliance disappear. Moreover, if companies view the new laws as opportunities – opportunities to improve internal controls, improve the performance of the board, and improve their public reporting – they will ultimately be better run, more transparent, and therefore more attractive to investors.”
Corporate governance is a lot more than ticking the boxes or passing an audit. And compliant records management is a lot more than making sure you put every piece of paper in a box, duly archiving the boxes every quarter. What about all the other records? How many emails did you receive, send, file or delete today? Public policy and corporate governance touch on the fundamental controls of every aspect of your enterprise, so compliant records management means having control over the storage and transmission of all information, in both paper and digital form. Do your policy settings determine the retention rules on your email server? Are they about saving IT costs and limiting the disk usage of email accounts, or are they aimed at retaining the right records, removing the wrong ones, and ultimately saving you from legal penalty?
SCENARIO 1: Choose your risk. You’re not sure what records you should keep. You think the law says seven years, but being a responsible, risk-averse type, you keep everything for 10 years, and then destroy it.
Risk management in record keeping is not just about retaining records for as long as you can be bothered to store them. Managing risk is about retaining the right records for the right period of time, whether for corporate reasons (corporate memory) or for legislative reasons (compliance with regulations and law), and then securely destroying them at the right time.
Yes, wrongfully destroying records too early can be illegal. And yes again, a bower bird who retains them too long can also trigger a legal liability or two. Certain components of an HR file must be deleted upon the departure of the staff member; others, such as injury records, must be retained for decades. Arbitrary rules of thumb simply don’t measure up.
Over the last decade or so, some high-profile cases turned on records that should have been destroyed but were found, and which became the evidence that cost their owners millions. In other recent news, the wrongful destruction of records that were the subject of a legal action cost even more. Today the penalties can include a journey to jail.
SCENARIO 2: Suffering Monday-itis? Your DBA didn’t quite finish analysing how customer purchasing patterns have changed in the last 12 months, so she copied the database onto her laptop to work on over the weekend. The laptop never made it home: it went missing on the peak-hour train on Friday night, was traded for a few bucks on Saturday morning, and the data, unencrypted personal information on 130,000 customers, was published on a website on Monday…
Current reports indicate that over an 18-month period in the United States, that bastion of Sarbanes-Oxley and litigation-driven corporate governance, there were 190 known incidents of such data breaches, leading to 88 million individual records potentially being compromised. With a population of 300 million, that means, on average, roughly every third person may have had their privacy breached (the count is of records, not unique people, so some will have been affected more than once). Major insurance, finance and educational bodies, together with internal revenue and other government departments, have reported such data losses and had their wake-up calls. Simple accidental disclosures? Perhaps. Nothing really malicious or grossly negligent? Maybe. The results are still compliance breaches and will be judged as such, and statutory and civil penalties then follow. In Australia and New Zealand the laws and statutes differ, and litigation may be less developed than in the US, but it is just a question of time. We can either use that time to reduce risk and improve compliant records management, or tempt a similar fate of our own.
For every Worldcom or Enron there are thousands of simpler breaches awaiting discovery. Compliant records management is about more than just records retention; it is about taking every necessary step to secure and manage the records. Whether those records are digital or paper-based, organisations must have demonstrably adequate processes to manage, protect, control access to and securely dispose of all of them according to policy and law. Do you have unencrypted IT backups? Confidential paper files or media left within public view? Unlocked filing cabinets? Inadequate security screening of staff? Minimum acceptable standards have changed, and any breach of security during the storage and movement of data is now seen as a business governance issue for all responsible officers, not just a few IT and records specialists.
SCENARIO 3: You’ve got mail! As a diligent organisation you retain copies of all email correspondence. And as a multinational corporation, the law of averages means you will be the subject of many legal suits every year. A key part of your defence in each lawsuit is being able to produce certain relevant classes of email for up to seven years. You have just been served with a legal discovery order: you have 14 days to produce them and swear to the fact that ALL records on the subject are before the court. The consequences of being inaccurate? You lose every case, every time!
A recent survey predicts that US companies will spend nearly US$2 billion in 2006 on e-discovery, the search for electronic documents. Earlier this year, one major bank was fined US$15 million for not retaining emails; another was fined US$2.5 million for failing to produce emails after a 16-month search. Whether it is an email, a Blackberry message, a voicemail transcript or a call centre recording, a “document” is nowadays held by many laws and jurisdictions to include all of these. Wording such as “any other material data or information stored or recorded by mechanical or electronic means” now defines what may count as your documents. And merely storing the documents is not enough: you need to be able to locate every single one, and swear that you have.
What role does compliant records management play in achieving compliance and efficiency? Compliant records management has three key objectives:
Reduce the risk/cost of automatic penalty. Organisations must develop records policies that meet the legislative obligations to maintain records of all transactions and retain all those records for adequate periods. A compliant records management programme helps organisations demonstrate that they are not only meeting the letter of the law but the spirit of the law as well.
Reduce the cost/risk in legal defence. A programme puts in place processes and systems that help organisations respond more promptly and effectively to the rising tide of legal discovery orders and regulatory investigations, and reduces legal exposure by giving the owner the ability to analyse its information rather than frantically gather it in response to an urgent order or request.
Reduce the cost and risk of retaining mounds of useless information. A programme helps reduce the costs of compliance by proactively reducing both the amount of information your company needs to retain and the cost of searching for and recovering records for use, discovery, decision making or disposal.
Compliant records management is about managing risk, cost and information flow in your organisation. It is not about performing an annual office cleanse, just in time for the office party, using a temporary clerk to rough-index records and scribble a date seven years hence on the carton. And in the digital world, it is not about the invisible accumulation of redundant backup tapes and disks in dark corners, nor the mindless imposition of disk quotas and email account purges. It is about understanding your business and the information it produces, and paying due respect to the legislative framework. Above all, it is about managing the risk.
And for the record, the value of pi to ten decimal places is 3.1415926536. File that under useless information, and destroy in December 2007.
This article was previously published in “The Strategic Path” (www.strategicpath.com.au).
For more information about records and information management solutions for your business, please contact Iron Mountain on 1800 181 800 or visit www.ironmtn.com.au.