July 2010

Are You Protected? Frequently Asked Questions & Answers about Records and Information Management

8 min

At a time when business requirements have driven the number, formats and types of records to record levels, the risks associated with ineffective management of an organization’s records are far higher than ever before.  Having a comprehensive policy, schedule of records, procedures and IT systems in place to effectively manage your organization’s records is now, more than ever, a critical business function.

What is records and electronic information management?
Records management is the application of systematic controls to all recorded information generated in the operation of an organization’s business.  The goal of a records management program is to manage cost (typically the cost of storage) as well as risk (the risk of not having records available in case of litigation or a government inquiry or the risk of keeping too many records and increasing potential liability).  It involves managing the creation, maintenance, use, storage and disposition of hard-copy records and electronically stored information (“ESI”).

Why should my organization spend resources on a records management program?
An effective records management program can support your organization’s goals by limiting risks and controlling costs in the following ways:

  • Lowering costs of records storage;
  • Assuring continuity of business functions in the event of a disaster;
  • Protecting against privacy violations resulting from inappropriate access to data or disclosure of data, and;
  • Avoiding substantial fines and penalties for discovery failures (in civil or administrative cases) or criminal sanctions for obstruction of justice (in government investigations).

A properly drafted records management policy, addressing all relevant records and ESI, and consistently applied throughout the enterprise, will ensure that documents which should be produced in litigation are available to be produced, and that those records which are not available due to the routine, consistent operation of the policy and procedures prior to notice of the threat of litigation do not become the subject of civil sanctions or a separate criminal inquiry.

Is my organization at risk because we don’t have an effective records management policy and program?
Yes.  A robust records management program has long been an important internal control for managing both the costs of storage and risks associated with an organization’s records.  Changes to the Federal Rules of Civil Procedure, which went into effect on December 1, 2006, explicitly extend an organization’s obligations to preserve and produce records in federal litigation to all electronic information, and recent cases have deemed companies’ production obligations to include metadata associated with electronic records.  The obligations to implement effective systems to comply with the new federal rules run to senior corporate officers; failure to adopt effective systems to manage and produce records as required may subject responsible corporate officers to questioning about corporate records management systems, and may lead to fines and other sanctions against the organization.  Likewise, an amendment to the federal criminal obstruction of justice statutes included in the Sarbanes-Oxley Act, effective July 2002, makes it a crime to knowingly destroy, alter or modify any document with the intention of obstructing a matter within the jurisdiction of an agency of the federal government, where such matter is pending, imminent or contemplated.  Case law has already established that this language is broad enough to encompass any area of federal interest or activity, and extending potential criminal exposure to circumstances where a matter within the government’s jurisdiction is contemplated makes determining the boundaries of proper corporate conduct challenging, to say the least
.
How much will it cost to implement a records management policy/program?
Not surprisingly, that depends.  The wide range of costs associated with developing a records management program (including a policy and schedule of records) are based on a variety of factors: the number, diversity and storage media of the organization’s records, whether new technology solutions are needed, staffing resources to be committed, and employee training.

What kinds of questions should we be thinking about?
Some of the questions you should be asking include:

  • Does my company have a policy in place, and a complete schedule of records, that may simply need updating, or do we need to create a policy, schedule and program from scratch?
  • Apart from the company’s policy, what are our current practices when it comes to handling records? 
  • Approximately how many kinds of records are created, used, received and stored by my organization, and in what formats?
  • What kind of resources does my company plan to commit to records management?
  • What is my company’s regulatory and risk environment?  For example, is my company publicly traded or privately held, does it do business in a highly regulated part of the market (e.g., is the company subject to environmental regulation, OSHA, banking regulation or self-regulation via a trade association)?  In how many states does my company have offices?  Do we produce products that are potentially subject to product liability lawsuits?

Why shouldn’t my organization use the records management policy that I found on the Internet (or in a book or at a seminar)?
There really is no “one-size-fits-all” policy for managing records.  A records management policy that is not based upon a proper assessment of how your organization actually uses the information it handles, the risk environment in which it operates, and the IT challenges and resources available is not likely to satisfy your company’s unique needs, or provide adequate protection against various risks associated with records management.  Each company faces its own set of records management challenges stemming from, among other factors, its information technology architecture, the legal and regulatory environment in which it operates, and the organization’s culture and goals.  The development of an effective records management program for your company should account for these and other factors that make your company unique.

We already have an automated technology solution for records management, so why do we need a records management policy/program?
Records management technology should be implemented according to a broader records management policy governing all of the organization’s records, whether hard copy documents or electronically-stored information, because a records management policy provides the most protection where all of the organization’s records are managed according to consistent, objective and neutral criteria.  A policy and a program that together address issues such as litigation hold procedures, offline sources of information, and crisis situations, created with your company’s needs in mind will help “fill the gaps” left by your technology solution.

Third parties (vendors, business partners, etc.) handle our data, so why do we need a records management policy?
Your company’s data is valuable and may contain confidential personal or trade secrets information.  Third-party management of your company’s records presents a number of risks in terms of safety and record retention.  Trade secrets, competitive commercial information, and sensitive personal and financial information must be managed in a way that is consistent with applicable privacy rights, data security laws and other legal obligations, as well as the obligation to protect your business processes and intellectual property.  A records management policy can help your company meet its obligations in this respect by addressing issues related to the transfer of data to the third party, allowing your company to assess the third party’s records management practices, and focusing counsel on records management issues when negotiating and reviewing contracts with third-party vendors.

We already have a records management policy.  Does it need to be updated?  If so, how often do we need to update our existing records management policy/program?
A company should review its records management policy and retention schedule annually, and update them whenever it appears necessary. Updates should address changes in applicable legal requirements as well as any shifts in the types and functions of information that your company uses.  Updating the policy and retention schedule to reflect changes in the company’s business and the regulatory environment may highlight the need for new technology solutions, new procedures or staffing changes for records management.  The review process should extend to the practices of third-party vendors who handle your organization’s records. Fundamentally, the review process should include an evaluation of compliance with your policy and management program, and the updates should be designed to keep the policy, procedures and technology current with the company’s practices and risk environment.

How do I decide which records should be subject to the records management program?
Typically, you should try to identify each and every kind of record that your organization creates, uses, receives, or maintains.  The resulting “schedule of records” should identify records as either temporary or permanent, set the period for retaining each record or category of records, and provide instructions for the disposition of records.  The schedule of records should be administered according to the principles set forth in a company’s records management policy. Retention periods should be based upon the functional needs of the business and relevant state and federal law.

Who should be responsible for records management in our organization?
This depends upon your company’s needs and resources. Management may decide to use existing staff (General Counsel’s office, HR, IT, etc.) to perform records management responsibilities, or, in cases where the records management tasks and resources available are more extensive, to make records management the responsibility of a records management professional or a separate organizational unit.  Every records management program needs leadership from management, input from all departments, the involvement of legal counsel, and compliance training and incentives for rank and file employees.