Managing Electronically Stored Information: A Good Policy Now Prevents Headaches Later
In today's business environment, a midsized company can send and receive thousands of communications each day, most of which originate in, or are eventually converted to, an electronic format. As this volume continues to grow, and because electronic records differ inherently from their paper-based counterparts, companies are well advised to strategically design and implement a program to manage, store and discard electronically stored information (ESI).
In its most basic form, ESI is any information that can be stored electronically: documents, e-mails, spreadsheets, databases, faxes, voice mails, Web sites, etc. Although the majority of ESI is now created, utilized and maintained electronically, it also encompasses information that did not originate in an electronic form. The volume of ESI and the accompanying challenges have grown dramatically in recent years. By 2006, approximately 60 billion person-to-person e-mails could be sent each day. The total number of electronic records that exist worldwide is projected to double every minute over the next 10 years.
How is ESI Different from Paper?
A number of unique issues must be addressed in planning an appropriate ESI management and retention program. Among them are preservation, access, security, privacy, trustworthiness and compliance with legal requirements. Technology is always evolving and legacy systems are being replaced at an ever-increasing pace. Paper can be stored in a file folder and easily accessed at any time; an ESI program, by contrast, requires more careful consideration of the technology to be used, the resources available to update and maintain that technology, and the organization's cultural ability to adhere to changing policies to ensure ESI integrity. In light of these challenges, companies must ensure that their programs capture all of the required information within the ESI system, including metadata (any information captured about a document or communication that serves to further describe it). It is also wise to make sure that the purchased technology will remain supported and effective until it is time to implement an updated system that keeps pace with changing technology and environmental needs, and that appropriate audit trails are put in place to ensure the trustworthiness and integrity of the ESI.
Creating an Information Management and Retention Program
A properly designed and implemented information management and retention program can accomplish several key goals:
Dramatically reduce the volume of ESI and related storage costs
Ensure that needed information is properly stored, organized and easy to retrieve
Provide the organization with an additional source of information about its business operations
Minimize the effort and expense associated with responding to discovery requests during litigation or meeting governmental reporting requirements
While neither business uses nor legal/regulatory requirements mandate the retention of all ESI, a good program will ensure that a company retains only the information that it truly needs or wants. In many cases — especially for smaller, privately held companies — business uses of ESI (e.g. customer service issues, knowledge management and payroll records) will dictate the retention of information. Customer complaints, for example, may be retained by a manufacturer until the statute of limitations has passed for product defect/personal injury claims.
Legal and regulatory requirements — such as statutes of limitations, the Sarbanes-Oxley Act (SOX) and industry-specific regulations — may also mandate or serve as guidelines for ESI retention. Currently, SOX requires publicly traded companies to retain certain corporate audit records and work papers for five years. Even for a privately held business, SOX requirements may be relevant if a company plans to go public or be acquired by a publicly traded entity. Similarly, medical and insurance professionals are subject to HIPAA, the Health Insurance Portability and Accountability Act, which imposes stringent requirements to ensure the confidentiality of patients' medical records.
Building a Policy that Meets Your Unique Needs
The purpose of a successful information management policy is to provide clear guidelines for retaining and disposing of records to satisfy a company's legal obligations and business needs. Considerations include:
Which records should be retained and for how long?
Which records should be disposed of and by what method?
How will a company avoid the destruction of potentially discoverable information during litigation?
How should a company store records so that ESI can be efficiently accessed and retrieved?
Who should be responsible for adherence to the policy?
Smart businesses should implement an information management program now. With ESI volumes growing at a dramatic pace, the longer an organization waits, the more information it will have to contend with and the more complicated and expensive the implementation will be.