The financial industry is perpetually involved in litigation, and the timely identification of relevant business records is a legal imperative. This is a challenging task: more than 90% of business records are created or stored electronically, and 30% exist only in electronic format.¹ This soaring volume of electronically stored information (ESI) has affected the entire field of information management and forced an intricate reevaluation of legal records, electronic discovery (e-discovery) requirements, and procedures.
In 2006, the U.S. Supreme Court published amendments to the
Keeping one step ahead
Financial companies already comply with myriad laws, rules, regulations and contractual documents governing minimum record retention periods. These retention periods may range from two years to seven years or even longer and are based on the content of the individual record, not the system or server that stores the record. Most organizations delete records at the end of the documented retention period to help control storage and archival costs, but this act also helps avoid future legal costs associated with discovery.
When financial companies anticipate litigation or receive a subpoena, the company must place a 'litigation hold' on ESI relevant to the case in order to preserve it for future action. The Rules allow the deletion process for non-relevant ESI to continue; however, IT departments must have solid, documented procedures to ensure that all relevant ESI remains unaltered and secured. Relevant ESI includes structured information such as database records, but also unstructured information such as emails, video archives, voice mail, call center recordings, instant and text messaging, and access-control logs.
Additionally, once a financial organization becomes aware of or even suspects potential litigation, it must be prepared to interrupt operational retention and destruction cycles and place a litigation hold on information critical to a lawsuit, or be subject to fines. The ability to comply with a litigation hold requires routine processes, designated people, and specialized technologies to manage data as legal evidence.
So what can a financial organization do to ease the process? Here are some suggestions:
- Develop an enterprise-wide records retention and destruction policy.
The policy should define classes of information based on legal requirements and specify the retention periods needed to meet those requirements. It should also assign clear responsibility for information management and for the destruction of business records (including emails, video archives, voice mail, call center recordings, instant and text messaging, and access-control logs) when they are no longer needed. This policy should be reviewed by independent third parties, preferably a law firm specializing in records retention, prior to implementation.
- Form a cross-functional executive-level team to address e-discovery compliance.
The team should be comprised of legal, compliance, security, and IT members. This holistic approach will allow the financial organization to address the business' response to e-discovery in a coordinated manner. Key strategic decisions on information management, information classification, and information retention periods must be made early in the process, as they will drive future costs. The goal of executive management will be to achieve agreement from the many constituents in these processes, while conveying the fact that there will be trade-offs between an acceptable risk posture and the associated costs.
- Do not save all records permanently.
This strategy drives up future data management costs, increases the legal cost of discovery, and increases litigation risk by unknowingly assisting the plaintiffs. Over long periods of time, the volume of data generated by the 'keep forever' approach can be fiscally challenging and, when combined with rapidly obsolescent technologies, may prove impossible to execute.
- Publish or modify policies and procedures impacting records management.
This includes records retention, records destruction, archival and backup, email management, internal audit plans, and litigation hold. The e-discovery implementation program will impact data integrity, configuration control, information technology refresh, and vendor management processes.
- Work with your auditors.
Engage auditors to ensure that policies are sound, processes are refined, and data retention practices are mature enough to protect all records from loss, alteration, and destruction. The auditors can help validate that all records needed for potential future litigation can be quickly identified, isolated, and preserved for future use.
Progressive organizations have been leveraging their e-discovery compliance requirements to implement new data management structures and centralized data storage and archival solutions. Many organizations are finding that the data storage efficiencies derived from implementing a sound process will help to fund the many efforts required for e-discovery.
About the author:
Clyde Hewitt, CISSP, CHS, ISO 27001 Lead Auditor, and Level III Program Manager, is a principal consultant for Forsythe Solutions Group. He has over 20 years of information technology, program management, security, and auditing experience. Clyde has both CIO and CSO experience in multiple domains, including government, healthcare, telecommunications, pharmaceuticals, public utilities, and insurance. He has performed security audits/assessments at over 50 organizations and has presented at over 30 conferences and workshops.
¹ Data from the 2003 "Electronic Records Management Survey" conducted by Cohasset Associates, ARMA International, and AIIM International.
This was first published in April 2008