Here's a continuation of my postings about the Electronic Discovery Institute's online course, that you can subscribe to for just $1. I last blogged about this course on January 29, 2017. Go to https://www.lawinstitute.org/ to sign up for the course.
COURSE 6 - Records & Information Management in an Organization
A. Information Management vs. Records Management
Jane Connerton, (who has run the RIM departments at PNC Bank and Procter & Gamble) began by making the point that information management addresses any kind of data point, whereas records management concerns documents that are retained because they have a specific business, financial, tax or legal value. Jason Baron, an attorney, at Drinker Biddle & Reath LLP noted that every 2-3 years the amount of data in the world doubles. All organizations are struggling to manage the amount of data that is generated. Different types of media can present different management challenges. Information management covers the life cycle of information, from its creation through its ultimate disposition. Information management deals not just with official records, but all data that resides in systems. Certain knowledge areas are key to information management. Information Technology will involve different platforms and applications, and there may be many legacy systems. Records Management focuses on the requirement to preserve certain kinds of information.
Connerton noted how outside regulatory bodies can drive the records management process. Eileen Carlson, the Senior Director of Strategy and Governance for Baxter Healthcare pointed out that a high amount of records must be created in the healthcare industry. Baxter regards reducing the amount of records as important, so it can ultimately reduce the amount of money that it takes to process a matter.
Baron quoted the Information Governance Initiative as giving the definition of information governance as involving the maximizing the value of information while minimizing associated costs and risks. There must be a recognition of the risks posed by discovery and the possibility of sanctions and fines, and also that there is a value to knowing what information you have. Information that is retained may lead to a patent, or uncover a way of doing business that is unknown to the rest of business. Information Governance includes ediscovery, but also includes business intelligence and data science. Baron said that it is important to focus on how all of the components of an organization talk to each other on issues relating to data. Think about mechanisms that allow for an IG champion. Special attention must be paid to information governance because of litigation holds or financial stress. There are a number of different units in an organization that should be talking to each other. There should be a holistic look at problems relating to data management.
Carlson described information governance as an umbrella under which covers protection and security. In the healthcare industry this involves compliance with the HIPPA laws.
Connerton noted that good data management should be a repeatable process on which people have receivied training. Documents should be reduced to just the core amount of information needed to run the organization.
B. Information Governance: Requirements & Responsibilities
Baron described how there are hundreds of records keeping requirements under federal and state law. In the private sector there is the The Sarbanes-Oxley Act of 2002 which requires publicly held companies to maintain records for six years to help prevent fraud. The Family Medical Leave Act, OSHA regulations and other legislation each have embedded in them a requirements for record keeping. Time frames are different under different laws. In the public sector the records requirements are more expansive, so some portion of information needs to be retained permanently. In the last 20 years there are more and more statutes requiring companies to retain their information indefinitely. Sarbanes-Oxley mandates records be maintained for six years in a variety of categories, so government investigators can audit them. There is a need in the digital era to pay attention to statutory requirements.
Baron -said that with hard copies ,file management was dealing with a stable medium. In the digital world, it is not so easy categorize ESI. Many organizations have adopted the practice of email archiving en masse. Sometimes there are designated categories of individuals covered for litigation. Difficulties may be posed when IT is migrating to a new platform every few years. Corporations need to continuously look at what they are doing. Information is becoming increasingly complex. There must continuous improvement in information management. There should be a committee devoted to information governance to effectuate process improvement.
C. Case Law
Baron noted that case law has developed in rapid fashion after the 2006 amendments to the FRCP, which addressed ESI. The rules revision specified that lawyers and judges have an early meet and confer to discuss preservation obligations. It's important to ask the client how their information is organized so legal obligations can be met. Judge have not been shy about second guessing organizations' information management practices. Increasing attention is paid to how records are kept in the normal course of business. When a law suit is filed, defensible disposition of legacy data must be conducted. Organizations should systematically address their stores of documents and dispose of unimportant documents before lawsuits happen. Lawyers must try to convince clients to save money by thinking about information governance in a serious way.
D. Benefits of Records Management and Risks of Non-Compliance
Connerton said questions needed to be asked about how to best store information - whether or not to move over into low cost, offline storage. It should be used as a strategic tool. Look for the right way to create information and make sure it's there when needed.
Carlson worried about the costs of non-compliance - then information gets out into the public. Baxter is a well known name, if it is exposed that it was non-compliant it would hurt the brand.
Baron discussed the risks of non-compliance. There are any number of precedents where corporations have been subject to sanctions in the millions of dollars for failing to bring forward information that was relevant to a lawsuit. Clients must review back up tapes, and search through email properly. Across different business sectors, the hacking issue is omnipresent. Baron referred to the Office of Personnel Management data breach as an example of vulnerability of personal information.
E. Creating a Records Management Program
Connerton noted the need for sponsorship at the senior management level for a records management program.
Carlson said it was best practice to create a communication plan for employees. Communications should be reinforced through video clips, newsletters; and in person follow ups to guarantee compliance.
Connerton said for a good information governance program, an organization must come together and get buy in from departments that are supposed to implement it.
Baron stressed the importance of knowing what statutes an organization is working under. A plan must be developed to inventory IT systems. A plan should be constructed based on IT systems and the regulatory environment. Records schedules can be too granular. A company must have the ability to search across data to find relevant documents for a compliance demand. Don't just construct a schedule but pay greater attention to how individuals meet whatever the compliance situation demands. It will be impossible to have individuals to folder emails individually. Baron is a big advocate of automation. IT should be given a set of requirements when procuring new systems. There must be integrated approaches looking at what the organization needs over the coming years. Technologies should have embedded in them records retention capabilities. The problem with going to the cloud, is that it's a large blob that is hard to manage. Easy to upload information, but hard to extract information.
Connerton noted that any organization has different needs. There are some core elements: senior management support must be brought in; and then different groups including all stakeholders leveraging information in large capacities should be included.
Baron warned that it is very important for organizations to bring in the right people at the beginning. Lawyers and people from different business units should be included. It is too easy for a CIO to buy a new application without asking others from the organization about security controls and privacy rights.
Carlson said to create a communication plan using various mediums, and roll it out group by group.
Baron noted in the public sector there was a requirement under the Federal Records Act , to keep FS115 schedule, and thousands of these were created in the government. He does not believe that it's sustainable to have thousands of records schedules dealing with digital information. In corporations there has been a great movement to simplify records schedules. There are a much smaller number of categories and shorter records retention periods. The best plans are where corporations are simplifying their records into different buckets across which searches can be run.
Connerton recommended having third party regulations in place - you need to be responsible for how your information is stored in third party or foreign servers.
F. Defensible Deletion and Document Destruction Policies
Carlson recommended having companies come to grips with their need to be compliant. Companies may have a guideline as opposed to a policy. As company's culture switches underline the guideline, then a move into a policy phase may occur.
Baron said that the issue of defensible deletion was challenging. There may resistance by senior leaders to hit the delete button. He has been involved in some projects where some attorney encourages the data to be held regardless of the specifications under an agreed upon policy. For adequate disposition, data not under a legal hold should be offline or otherwise archived . Resources should not been spent to have it online. There should be discussions about categorizing information going forward. Separate what is important to keep from what must be discarded. There should be automated mechanisms to accomplish this.
G. Further Considerations
Connerton encouraged companies to identify who needs to access information, under what security controls, and determine how it is monitored. If monitored appropriately, they should know where it is when threats arise. No system is invulnerable - but the best assets should be watched carefully. It is not easy to get the support of senior management. You must proactively look for opportunities to grow the program.
Baron said that lawyers need to be more tech savvy and competent. Young lawyers will provide immense value if they can show familiarity with software that the corporation is running. To be a good lawyer in the information governance field, one must understand the different forms data is being created in. Under the new ABA Rule 1.1, comment 8 attorneys are supposed to be more technological competent.