The financial industry is perpetually involved in litigation and the timely identification of relevant business records is a legal imperative. This is a challenging task with more than 90% of business records created or stored electronically, and 30% existing only in electronic format. ¹ This soaring volume of electronically stored information (ESI) has affected the entire field of information management and forced an intricate reevaluation of legal records, electronic discovery (e-discovery) requirements, and procedures.
In 2006, the U.S. Supreme Court published amendments to the Federal Rules of Civil Procedure, which applied many of the existing paper-based records rules to ESI. The amendments addressed how subpoenas apply to ESI and e-discovery, and placed more emphasis on pre-trial procedures with the goal of speeding up the discovery process. These Amendments to the Rules have a direct impact on how financial businesses must respond to future subpoenas.
Keeping one step ahead
Financial companies already comply with myriad laws, rules, regulations and contractual documents governing minimum record retention periods. These retention periods may range from two years to seven years or even longer and are based on the content of the individual record, not the system or server that stores the record. Most organizations delete records at the end of the documented retention period to help control storage and archival costs, but this act also helps avoid future legal costs associated with discovery.
When financial companies anticipate litigation or receive a subpoena, the company must place a 'litigation hold' on ESI relevant to the case in order to preserve them for future action. The Rules allow for the deletion process of non-relevant ESI to continue; however, IT departments must have solid documented procedures to ensure that all relevant ESI are unaltered and secured. Relevant ESI may be categorized as structured information like database records, but also non-structured information such as emails, video archives, voice mail, call center recordings, instant and text messaging, and access-control logs.
Additionally, once a financial organization becomes aware of or even suspects potential litigation, it must be prepared to interrupt operational retention and destruction cycles and place a litigation hold on information critical to a lawsuit, or be subject to fines. The ability to comply with a litigation hold requires routine processes, designated people, and specialized technologies to manage data as legal evidence.
So what can a financial organization do to ease the process? Here are some suggestions:
Progressive organizations have been leveraging their e-discovery compliance requirement to implement new data management structures and centralized data storage and archival solutions. Many organizations are finding that the resulting data storage efficiencies derived from implementing a sound process will help to fund the many efforts required for e-discovery.
About the author:
Clyde Hewitt, CISSP, CHS, ISO 27001 Lead Auditor, and Level III Program Manager, is a principal consultant for Forsythe Solutions Group. He has over 20 years of information technology, program management, security, and auditing experience. Clyde has both CIO and CSO experience in multiple domains, including government, healthcare, telecommunications, pharmaceuticals, public utilities and insurance. He has performed security audits/assessments at over 50 organizations and has presented at over 30 conferences and workshops.
¹ Data from the 2003 "Electronic Records Management Survey" conducted by Cohasset Associates, ARMA International, and AIIM International.