File Under ‘Nightmare’

Information overload has acquired a regulatory dimension, forcing senior executives to take notice.
Bob Violino, June 16, 2003

Not long ago, the topics of data retention and records management elicited yawns from senior executives. After all, the storing of old documents and E-mails hardly seemed like a strategic imperative. But if those executives are yawning now, it’s not from boredom but from being up all night worrying.

Data retention is yet another new priority created as a result of corporate accounting scandals and Sarbanes-Oxley. What had once been the domain of file clerks has suddenly become an agenda item for CEOs and corporate boards concerned about the consequences of failing to keep certain records for specified periods of time.

“Records-keeping was something many people didn’t give a lot of thought to,” says Ronald Folwell, CFO at DiMare Homestead, an agricultural company in Homestead, Florida. “Now we’re thinking about the kinds of data we have, where we keep it, and how we keep it.”

Senior financial executives, in particular, need to help drive efforts to better manage data and lend support to IT projects that achieve that goal. “At the end of the day, the CFO is the gatekeeper who has to make sure we keep good records and document the things we do and the business decisions we make,” says Marc Teal, CFO at Boston Capital, a real-estate financing and investment company.

Sarbanes-Oxley has made gatekeeping more hazardous, threatening heavy fines and prison sentences for those who alter, destroy, or falsify financial records or data that might be needed for proceedings such as government investigations and trials. Sarbanes-Oxley specifies how long certain data must be kept, but raises enough questions in other areas to create a field day for lawyers and consultants.

There are other data-retention regulations and laws, although they don’t all specify the length of time particular records must be kept. The Internal Revenue Service requires companies to retain accounting records and other financial data to support tax filings. The Uniform Electronic Transactions Act, approved by the National Conference of Commissioners on Uniform State Laws and passed by a majority of states, has data-retention requirements. The Occupational Safety and Health Administration has rules for retaining data about employees.

Retention requirements vary by industry. Financial firms must comply with Securities and Exchange Commission rules on data retention, including rules on how long to keep particular types of E-mail messages. The Food and Drug Administration (FDA) regulates the retention and security of electronic records in the pharmaceuticals and biotechnology industries. The Environmental Protection Agency has rules for managing environmental records and reports, whether paper or electronic. And health-care companies must take into account the Health Insurance Portability and Accountability Act when dealing with records retention. HIPAA focuses mainly on security and privacy but also involves data retention of patient records. Some data — such as customer-profiling information and sales trends — is of historical or business value and should be kept even if there’s no legal requirement to do so.

It may be tempting to keep everything, but companies should avoid the potentially costly problem of information overload. Many documents don’t need to be kept for more than two or three days, or for as long as they’re needed for business. This includes, for example, information used for background research, memos about company social events, and E-mails about trivial matters that don’t pertain to business.

Experts say that in many cases, “data” isn’t considered a “record” until it’s put into a readable format that has context. Such data doesn’t have to be kept unless it’s needed for business. For example, information such as someone’s name, telephone number, or address might not mean much. But when it’s part of an invoice, that’s a record that might have to be kept.

Before stocking up on hardware, software, or archiving services, however, companies should develop a records-retention schedule and policy that clearly states how long various types of records should be kept and when they were or should be disposed of.

“If a company that doesn’t have a schedule of retention destroys records in the regular course of business and then ends up in court, saying they don’t have a retention policy is not going to be good enough,” says Rae Cogar, an attorney who heads RCS Consulting, a Hamburg, New York, firm that focuses on records-management issues. “Lots of companies have been fined and sanctioned because they had no policy,” and the fines can run into millions of dollars.

An advisory committee that includes the CFO and other senior business executives, a senior IT representative, a records manager, and corporate attorneys should oversee the records-retention policy and schedule. The schedule must be based on legal and regulatory requirements, as well as business needs.

While this may sound obvious, many companies aren’t doing it. “Most companies are in a mess; they don’t have a good fix on electronic records retention,” says Julie Gable, founder and principal of Gable Consulting in Wyndmoor, Pennsylvania, a firm specializing in records and document management.

Some companies have always taken records-keeping seriously. Guidant Corp., an Indianapolis manufacturer of medical devices, has had a retention policy since the 1980s, largely because the FDA requires it to have records-control procedures in place. The Guidant policy calls for some data to be kept for as long as 20 years, says Alan Lybeck, group leader of quality, information, and technology, and a certified records manager.

“Records-keeping has gotten incredibly complex,” notes Lybeck. “When I started doing this 15 years ago, most of our records were still on paper or microfilm, and you could see them in the filing cabinets. Today, probably 95 percent of the information is electronic, which can make it very hard to find.” Electronic storage is cost-effective, of course, but creates its own headaches: as operating systems and other technologies evolve, there is no guarantee that records stored electronically will be able to be read in the future.

Adding to the complexity is the ever-growing reliance on E-mail, both as a source of communication and as a means of sharing files. Some data-retention laws and regulations pertain to E-mail because, as Lybeck notes, “much of the content can be considered a record that needs to be retained.”

But E-mail can require a message-by-message evaluation. “You can have one message that says ‘Do you want to go to lunch?’ and another that details sensitive auditing issues, and they have totally different retention requirements,” explains Cogar. “One can be deleted today, and the other needs to be kept” where it can be easily retrieved, possibly for years.

Find It Fast(er)

While no single technology offers a magic solution to the complex problems of records retention, a growing array of products addresses some facets of it. Storage-management software, document-management systems, data backup and recovery systems, and programs that classify E-mail content are all being marketed with a Sarbanes-Oxley or related regulatory hook. And while that may seem opportunistic, it doesn’t mean it’s off-base.

Guidant is using imaging and document-management software from Hummingbird Ltd. to meet FDA requirements to retain such information as patent data, design specifications, and quality-assurance information for a product’s lifetime and for two years after it is retired. Guidant also has to retain records under EPA, Department of Labor, and IRS regulations.

One major advantage of today’s records-keeping products is that they bring significant automation to processes that are usually manual. For example, previously when Guidant staffers filed a document, they had to fill out a form and send it with the document to a records center. There, someone would enter the data from the form into a database before filing the record. With five manual steps along the way, the process was time-consuming and error-prone. And despite all that, it was difficult to find specific data and documents. With the Hummingbird software, which was implemented in June 2001, employees fill out an online version of the form, and once documents are filed, there’s a single point of access via the Internet for data queries.

The software supports Guidant’s records-retention schedule for electronic and paper records, Lybeck says, so it automatically knows how long to keep certain information. By placing all these documents in an electronic repository, the system provides a handy way to keep information centralized, which is an additional benefit.

Boston Capital is in the process of implementing a close cousin of document-management systems, an enterprise content management system from Documentum, to manage the retention of all paper and electronic records associated with transactions, finances, and property information. The system manages documents, Web content, records, E-mail, scanned images, and other data. Companies can apply automated retention and destruction policies to any type of content. CIO Tom Gardner says Boston Capital, which for years has retained “everything” related to its corporate partnerships as a matter of course, is creating a formal records schedule to work in conjunction with the content management system.

CFO Teal says one of the things that drove the investment in the system was the rising cost of holding on to so much information, be it electronically or in paper form. In fact, there may be a dual role for the CFO in this regard: while the risks of fines should drive the creation of a corporate policy for records retention, the difficulty of calculating just what it costs to manage information today, versus what it might cost to address it in a more automated fashion, requires leadership.

The costs of data retention and records management are scattered across the organization, making it very tough to get a clear view. Someone at the top needs to insist that such work be done so that any future investments can be made in the proper context. And if cost savings aren’t motivation enough, consider the risk of legal entanglements. E-mail, documents, and other forms of “reference data” can often become electronic evidence in court cases. Just ask the major Wall Street firms pilloried by New York State Attorney General Eliot Spitzer.

A range of “forensic computing” techniques can be brought to bear to ferret out data, but it’s certainly cheaper to manage it better up front. Vendors see plenty of opportunity here, not only in services but also in new products. Later this year, for example, Austin, Texas-based RenewData will offer ActiveVault Enterprise, a software/hardware combination that stores E-mail and other data and includes a rules engine that helps companies locate all the disparate E-mail and documents relevant to a given query.

Given that judges have cited companies for failing to provide electronic evidence in a timely manner, data management is taking on new importance by the day. Almost any company may eventually be asked, “What did you know, and when did you know it?” If data-retention policies and the underlying technologies that support them are deficient, the (non)answer could be ugly.

Sidebar: Paper Chase

Since many of today’s business processes involve electronic data, records-management experts issue this reminder: don’t forget about paper documents when planning a records-retention schedule and policy.

All laws and regulations governing retention apply to both paper documents and electronic data. Some records managers say the notion that automated processes replace paper is a myth. “As our electronic records have increased in volume, the paper records being produced have also increased,” says Alan Lybeck, group leader of quality, information, and technology at Guidant Corp. and a certified records manager. “All these electronic systems are actually producing more paper.”

Rae Cogar, an attorney who heads RCS Consulting, says a records-retention program should include requirements for safely maintaining paper documents. This includes having the proper environmental controls to preserve documents for very long periods of time.

Sidebar: Not-So-Deep Storage

The growing emphasis on data retention is having an impact on the storage-products market, says Roy Sanford, vice president of content-addressed storage at EMC in Hopkinton, Massachusetts. EMC last year introduced Centera Compliance Edition, a specialized content-addressed storage system designed to help companies meet regulatory requirements for data retention.

Centera, which enables records managers to set retention periods on numerous types of electronic records and tags individual documents with identifiers and time-date stamps to facilitate tracking, quickly became EMC’s fastest-growing product line. In 2002 the company sold the equivalent of 4 petabytes of Centera systems to customers. To put that into perspective, Sanford says, that’s equal to twice the information stored in the Library of Congress.

Among the companies using the product are an insurance company that’s required to keep records on 160 million policies and a financial-services firm that needs to retain 600 million check images. So far, the products have been aimed primarily at companies in heavily regulated industries such as financial services, pharmaceuticals, health care, and life sciences. Charles King, an analyst at the Sageza Group, says that EMC has set a new standard, offering a disk-based storage system specifically optimized for data retention and retrieval. Most archiving systems rely on tape or optical media, which lack sophisticated search functions and other features associated with disk storage.

New companies see an opportunity here as well. Persist Technologies this month came out of the gate with what it bills as a “plug-and-play appliance” designed specifically to archive E-mail, documents, and digital media. The company emphasizes that its product makes fast retrieval of information possible, and cited SEC and NASD requirements for records retention as a prime driver behind its offering. The Enterprise Storage Group, a consulting organization, found that “reference data,” which it defines loosely as “any digital asset retained for active reference and value,” is piling up at twice the rate of “flat” data at most companies. Reference data tends to entail larger files that need to be accessed more quickly by more people, requires more security/authenticity protection, and must be kept for varying lengths of time. All of that, Enterprise says, will make storage a critical issue for companies in the years ahead.

Sidebar: Tips For Records Retention

While a number of technologies are pivotal to data retention, experts say that it is fundamentally a management issue. Key steps include the following.

  • Form an advisory committee consisting of senior financial, business, and IT executives; a records manager; and legal representatives to help develop and maintain a retention and destruction policy and schedule.
  • Thoroughly research state and federal laws and industry regulations pertaining to retention to ensure that the company is meeting requirements.
  • Periodically update the retention schedule as needed to comply with laws and regulations, and educate employees about the schedule and policy.
  • Periodically inspect electronic documents and files, as well as appropriate IT systems, to ensure that the storage media and systems are adequate for maintaining data integrity.
  • Establish a policy regarding the retention of E-mail messages, based on overall retention policy and legal requirements, and inform all employees about the policy.
  • Don’t overlook newer mobile devices that may place critical data on laptops or personal digital assistants, as well as employees’ home computers.
