Key tenets to ensure your organization follows best practices for electronic record retention
Record retention isn’t the most glamorous topic, but it can be very embarrassing if it’s not handled correctly. Curt Moy, Assistant Vice-President, Corporate Counsel at USAA, and ESRA Board member, knows quite a bit about electronic record retention. He moderated a discussion about retaining electronic records in front of a live ESRA event audience. Joining him were Jerry Buckley, founding partner of Buckley-Sandler, and John Isaza, CEO of Information Governance Solutions.
Implementing a meaningful record retention schedule
Isaza started the discussion by pointing out the major issue facing companies that don’t have a proper record retention plan in place: “The failure to retain records can create big problems when there is pending litigation. Look at Arthur Andersen, which went out of business for that reason.”
He noted that businesses have always known how to handle paper records, and while the technology explosion has led to a large increase in the number of electronic files being created, “statistically, most organizations are still maintaining the same amount of paper. The problem is they don’t know what to do with electronic records.”
Isaza added: “Records have to be maintained irrespective of medium. How do you create a records retention schedule that resonates with all your systems? How does that program capture those records? We have a lot of clients who are good at capturing the data, but they have difficulty with disposing of it properly, which creates vulnerabilities.
“It’s a distributed data problem. There are records stored in places you wouldn’t expect them to be stored, like some random person’s backup in the cloud, so you lose the ability to control the data. In all fairness, the technology has come a long way in the last three years, with the cheap ability to store data.
“Two cornerstone documents that need to exist for the creation of a successful program: a legal holds program and a records and information management policy, which includes a records retention schedule. They need to work in tandem, be robust, and be able to be audited.”
And, Isaza said, don’t forget that “a records retention schedule needs to be adaptable to all the places you store data and it has to follow the thousands of regulations that exist in the United States.”
Moy then turned to best practices, noting that the first one should involve creating an inventory of the information currently being stored and seeing what types of documents need to be retained.
“That’s correct,” Isaza said. “In the old days, that was the best practice. For many companies, they have an inventory from the paper world that serves as a good starting point. These days, we try to leverage our experience with other clients to say which are the types of records that should be expected for any organization – 80% of them will fall under finance, accounting, and so forth, where the type of information being retained is very similar. The other 20% of documents are dependent on the vertical you’re in.
“Other than inventorying everything, you can create a department records coordinator network, where someone in each department is assigned the responsibility of telling you what kinds of records they have. That way the schedule is an evolving document that changes with the changes in the organization.”
Moy continued: “Next is determining the regulatory environment for the records and assigning retention periods for them.”
“Yes,” Isaza replied. “We know what the regulations are around the world. Even if a company is based in the US, if it does business elsewhere in the world, it can be subject to regulations in other jurisdictions. So the next step is identifying all those regulations, including what’s specific to your vertical, or verticals.
“Here’s a good anecdote that relates to identifying your verticals. I have a client with a technology consulting business, and they came to me asking about regulations around vaccinations. They have a division they purchased that has to do with creating vaccines, as odd as that seemed.”
Moy then moved on to document handling. He asked: “Don’t you have to focus on all components of a document, such as a contract with a digital signature? You have to marry the regulations that cover both because they’ve been compiled into one document, even though they may be housed in two different containers, one for the signature and one for the contract.”
Isaza replied: “Yes. That goes to the biggest challenge. You need to determine what the official record is and whether you’ll preserve it in place or find a repository to migrate it to. Most organizations decide to preserve in place, but in the example given, then you have to make sure that when you, for example, preserve a contract with a signature contained in another system, you have to make sure the systems speak to each other.
“You also have to keep in mind how to dispose of that document. Are you allowed to dispose of the signature at the same time as the contract? You need to know that.”
Moy asked: “What are some of the best practices for purging or disposing of records once the expiration date hits?”
Isaza responded: “That’s a challenge for most of our clients because of the number one concern around legal holds. You have to make an assessment whether a legal hold is pending. If you have the green light to dispose, the question becomes how to set the systems up to delete.
“In an ideal world, the deletion is taking place automatically in the systems, and you have the ability to stop the destruction if there’s a litigation hold. The best practices would involve identifying the triggering event that will initiate the disposition. The triggering event could be when the document is no longer active, or the sale of an asset. And then you have to decide if you want to tack on a certain number of years beyond that.
“Then the technology has to do what you want it to do. From that viewpoint, it’s a laborious process to apply the technology to this.
“You need to focus on the systems that are the most active and apply the rules to those systems and hopefully you’ll have systems that will allow you to build rules with disposition into them. If not, there are systems you can purchase that allow you to migrate the record into that system, such as Documentum, which provide repositories for records.”
Isaza noted that such an effort feeds into “the information lifecycle governance model. You’re being inundated with data on a daily basis, but only 3-5% of it rises to the level of becoming a regulated record or something you need to keep. Easily 70% of the rest of it is redundant data that can be disposed of at any time.
“Let’s say you have files on a portable device. I would consider that a copy. I would give it a very short time frame to retain, such as 3 years. That gives the end user 3 years to decide if they need to keep it before it’s destroyed.
“You can create buckets in your records retention schedule so you can retain big data. I would consider anything not in the official repository to be a copy that can be disposed of.”
An audience member then had a question about how Isaza’s comment aligns with the “store in place” trend. Isaza replied: “When we talk about ‘store in place,’ we’re talking about official repositories of records. So when you have a data map of where all the content is located, certain systems are the primary generators of records. Even emails could be generating records.
“That’s what we mean, versus store in place on a thumb drive or something like that. You need to make sure when the record is created, it has to be retained in an official repository. You need a ‘mother ship,’ so to speak. In SharePoint, there are add-ons you can use to create and capture a record. The implementation is a challenge, but it takes baby steps to get there.”
The impact of SPERS on e-record retention
Moy then turned to Buckley to discuss the impact of SPERS (Standards and Procedures for Electronic Records and Signatures) on digital record retention. Buckley and his colleagues played a role in developing SPERS.
Buckley recalled: “After the ESIGN Act was passed, we realized there were no provisions for regulations, which was intended. We deal mostly with financial services firms, and they need guidance. There was a realization that you could substitute e-signatures for ink signatures as long as certain standards were met, but people who had to deal with each other in secondary markets didn’t know what was legal, valid, binding, and enforceable.
“We initiated SPERS in the early 2000s to deal with that. We convened all the major trade associations and many of the biggest players in the business to discuss it. We spent a year-and-a-half to develop SPERS. That standard has 5 major parts. The fifth part relates to record retention. The intention is to have something that’s accepted as commercially reasonable and holds up in court. It’s a behavioral standard, not a technology one.
“SPERS was adopted by the mortgage, variable annuity, and auto finance industries. It’s had some durability since then. We are considering an update to it even though what’s in there has been reinforced by the courts.”
Buckley continued: “SPERS’ record retention provision is crucial because you have the offering of the record to the consumer, which has to be done under ESIGN, but you also have the retention of the record by the business party. That’s where the rules come in. It was designed for business people, lawyers, and technology people. We lay out the issues that need to be considered.
“One of the issues with the secondary market is retention and how records are retained. You have to demonstrate ongoing integrity of a record, keep it for a specified time, and if you’re using vendors, you have the question of their durability. You also have to retain the audit trail so you can prove up the record.
“We’re talking about the records and the data. You can reference the SPERS standard and have a discussion with your legal, technology and business teams. The document is very readable. It has a practical approach to what has to be done.”
Moy noted: “It takes the entire company to make sure that the information and record retention schedule is handled properly.”
Isaza added to that: “ARMA International promulgated eight principles for retaining records and information: accountability, transparency, integrity, protection, availability, retention, disposition, and compliance. When we talk about SPERS and its section on retention, maybe we need a section on disposition too, because it’s important to, for example, know what to keep when a merger happens. For many of my clients, it can be a liability if they keep things that should be disposed of.
“The other thing is what the courts are focusing on. When they look at whether you’re using artificial intelligence or the system you use, they’re looking at your methodology. They want you to have created an adaptable environment and done the best you could in a systematic way, not a situation where you applied it in different places.”
Retaining records in obsolete systems
Moy then brought up an interesting conundrum: “How should organizations deal with records in obsolete systems? You may have records that need to be retained for decades, but systems can change, so you have to migrate them as systems are updated. But what happens if you can’t retrieve those records?”
Isaza replied: “It’s a problem. The federal rules were revised in December 2015 to address those issues. But the reality is that as the owner of that data, if the information is relevant to the subject matter of a lawsuit, you’ll have to figure out how to obtain it.
“An example: We just wrote memoranda for a client who had 45,000 backup tapes. Of those 45,000 tapes, at least half were in an unreadable format because of physical deterioration. It was costing them $25,000 a month to store the tapes and it would cost them a fortune to restore the data because the systems and data are obsolete.
“So you’re stuck footing the cost to retrieve the data if that happens.”
Moy asked: “Is the creator of the document the person responsible for retaining it, or the recipient?”
Buckley replied: “It’s easiest to think of this as who is going to rely on the information. The truth is that with e-signatures, your signature will be created by the counter-party who feels it’s reliable and can be proved in court. The party that originated the transaction and parties relying on the record are the ones who have to retain it.”
Isaza added: “Along with a retention schedule, it’s useful to track owners of records, which could be an entire department. That way the record owner knows that if they receive a litigation hold, they put the record on hold.
“But there are other things that can transcend a department, such as a tax record, which could be held across accounting and finance. In that situation, I would argue that the record owner is the one who needs it the longest.”
Buckley added: “I think of retention almost like mortgage servicing. Until something goes wrong, you won’t worry about it, but if something happens, you’ll want to know you have a way to deal with it.”
A final question, regarding the risks seen in other spaces, was then raised to close out the session.
Isaza responded: “I do work across all the verticals out there, including oil and gas, automotive, software companies and others. It’s an issue across the board because of those 80% of your records that every company has. Then you have levels of complexity around various requirements, especially if, say, a company is in Omaha but they’re doing business in Germany.”