An Ounce of Retention

Nudged by regulators and litigators, companies are making new investments in electronic records management.
Yasmin Ghahremani, November 9, 2005

Two years ago, Gary Loveridge had a sudden realization — the bad kind. As general counsel for Sutter Health, a nonprofit health-care network, he realized that the way his organization handled growing volumes of E-mail posed a risk. Sutter Health is a highly decentralized group with 40,000 employees spread across Northern California. Hundreds of thousands of E-mails flow daily across multiple systems, and back then, the only formal copies were stored on hard-to-search backup tapes that were regularly overwritten. In an industry rife with lawsuits, that was a problem. And without an easily searchable E-mail archive, discovery was extremely labor-intensive. “I looked at the costs involved in trying to respond to subpoenas, and it seemed it was going to be extraordinarily expensive without a new system,” says Loveridge.

Sutter Health is now rolling out a new program that will automatically capture and store E-mail in a centralized, nonrewritable repository that can be explored using a powerful search engine. From a risk-management point of view, CFO Bob Reed says the $1 million investment was a no-brainer. “We live in a very litigious society, and it’s obvious to me that as a high-profile organization we will have lots of lawsuits,” says Reed. “This seems like a pretty straightforward way to lower those costs.”

From Wall Street to Silicon Valley, companies in a wide range of industries have seen E-mail emerge as critical evidence in legal and regulatory matters. Motivated by those concerns and the desire to improve data-storage and retrieval capabilities to enhance internal operations, companies are formulating new policies and investing in electronic records management (ERM) technologies to tackle what can be a dauntingly complex chore. Gartner Inc. says the market for E-mail archiving technology grew 104 percent last year, and Forrester Research puts the compounded annual growth rate for records-management software at 159 percent from 2002 to 2006.

The concept is hardly new: as core IT competencies, storing and finding data have long loomed near the top of the list. But changes in the way business is done necessitate a fresh approach. Electronic information continues to mushroom. A University of California, Berkeley, study found that 92 percent of all new information is stored in digital format.

E-mail, the most troublesome source of electronic records, is growing not only in volume but also in business importance. In a recent survey conducted by the Association for Information and Image Management, 70 percent of respondents said they use E-mail to negotiate contracts, and nearly half use it to respond to formal regulatory inquiries. “Today businesses regularly execute contracts with a click, amend them with a voice-mail message and breach them with a blog,” says Randolph Kahn, founder of Kahn Consulting Inc., which specializes in compliance, policy, and legal issues related to information management.

At the same time, recent regulations have upped the stakes. Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) both include fines or prison sentences for mishandling certain types of records. Violations of retention rules from the Securities and Exchange Commission, the National Association of Securities Dealers, the Federal Drug Administration, the Occupational Safety and Health Administration, and myriad other federal and local bodies also carry stiff penalties.

Regulations are influencing records-management practices even at exempt organizations. For the Church Pension Group, a nonprofit organization that manages the pensions of Episcopal Church employees, Sarbanes-Oxley has been a factor in its decision to set up an ERM program. CFO Daniel Kasle knows it is only a matter of time before a similar law is passed for nonprofits. And, he says, “even if there were no new law on the horizon, Sarbanes-Oxley has set a new standard for operating a business. We might as well work toward that.”

Reaping Multiple Dividends

A good ERM program can go a long way toward making compliance easier. Just ask Florida Department of Health CIO David Taylor. Florida’s “Sunshine Law” opens all public records, including E-mail, to public inspection. When Taylor started his job two years ago, the department’s E-mail retention policy relied on employees to remember not to delete E-mails before nightly tape backups took place. Records requests came in once or twice a week, and each time staff members had to hunt down and restore what they hoped were the appropriate tapes before the tedious search for E-mails could even begin. The whole process took hundreds, if not thousands, of man-hours.

Today, an E-mail archiving system that uses KVS Enterprise Vault software, EMC Centera storage hardware, and an AltaVista search engine has cut the time needed to find a given E-mail by 90 percent. And by storing messages older than 30 days centrally, rather than on desktops and local servers, the department has improved E-mail system performance for its 17,000 users and reduced its local server needs. Because of those factors, the new system should pay for itself within two years.

To be sure, there is room for ERM technology to improve. Joseph Steffan, director of technology compliance at Lehman Brothers, is a proponent of E-mail archiving tools, but he notes that on some systems, one search can still take an entire day. “Performance has been a big issue,” he says. “We are pressing vendors very hard to achieve order-of-magnitude improvements.”

Finding Your Way

Despite the imperfect technology, many experts advise companies to explore ERM now rather than wait, particularly if the nature of their businesses makes a legal or regulatory matter likely. To approach such a project efficiently, keep the following things in mind:

For starters, the job is best handled by a multi-disciplinary team. Legal services, compliance, records management, lines of business, and IT all need to be represented. The first task is to determine a retention policy stipulating what to keep and for how long. “An organization needs to understand confidently what its retention policy is going to be,” says Steffan. “That mixes legal obligations and operational preferences.”

Regulations will sometimes dictate policy. HIPAA, for instance, requires health-care providers to keep all customer information for six years. But coming up with retention rules in gray areas is much harder. You don’t want to trash something that could help you in court one day, but saving everything devours expensive storage space and requires more time to search through. Too much information can also be a liability in court, making the matter of what to save and for how long a particularly vexing one.

A lot depends on the company’s risk profile. “The first question we ask clients is, ‘Do you believe that saving documents increases or decreases your liability?’ ” says Mark Diamond, president and chief executive of compliance and data consultancy Contoural Inc. “It is a linchpin issue.”

Air conditioning and heating supplier York International Corp. uses different approaches for different types of records. Documents generated by standard business processes, such as an employee request for a new PC, are automatically routed to storage using EMC Documentum software. But E-mail retention may vary based on employee roles. For example, all senior-management E-mail is automatically saved, but other employees must actively file E-mail in official records folders to archive it. If no action is taken, the E-mail will eventually be deleted. “The legal department’s point is that too much E-mail is a bad thing,” explains Timothy Fives, manager of global content solutions for York. “We’d rather err on the side of not having enough data than keeping things in perpetuity, which generally comes back to bite companies.”

One challenge for ERM is whether decisions about what constitutes a record can be automated. At specialty-materials maker Rohm and Haas Co., for example, an archiving system will leave it to end users to decide what does and does not get saved. “Historically, end users have always made those decisions,” says Jim Coulson, principal and senior consultant at the Records Improvement Institute, a consulting firm that is helping Rohm and Haas design its program. “They are the subject-matter experts. There is no autoclassification tool on the horizon that will classify these things more accurately than the end user.”

No matter what approach is taken, training and enforcement are critical. In a courtroom, it is better to have had a bad policy enforced consistently than a great policy enforced inconsistently. “If litigators find you are not following your policy, they will exploit that,” says Diamond.

Internal marketing is also an important part of the process. Rohm and Haas enlisted consultants at CRA Inc. to create a long-term communications plan for its program, which will eventually cover many kinds of documents. Employees receive consistent messages telling them how the new system will save them time and inconvenience. “Communication is everything, because more than anything this is a cultural and behavioral change for the corporation,” says Sandra Hostetter, program manager for electronic content management and retention. The proverbial “tone at the top” matters as well. Given that improper records management can directly affect the livelihoods of C-level executives, senior leaders have plenty of motivation to encourage strict adherence to new ERM policies.

ERM at a Glance

Electronic records management (ERM) solutions involve a number of components. Depending on the size of the company and the scope of the project, deployment can cost anywhere from $10,000 to $3 million. Mark Diamond, president and chief executive of compliance and data consultancy Contoural, breaks down the offerings as follows:

Retrieval Software

This is the brain of the ERM system. It is responsible for autoarchiving functions and keeps track of where records are, who owns them, who has access to them, and when they should be destroyed. Systems are available for structured data (from EMC, OuterBay, Princeton Softech, and others, priced from $150,000 to $250,000 per application, such as an ERP system), semistructured data (Veritas, EMC (including Documentum and Legato), Zantaz, AXS-One, iLumin, IBM, and others, priced from $25 to $75 per mailbox per year), and unstructured data (Kazeon, Arkivio, and others, priced from $150,000 to $250,000 per major data center). Structured data typically resides in a database; unstructured data is found in spreadsheets, Word documents, or PowerPoint presentations; and semistructured data refers to E-mail and instant messages.

Storage Hardware

Storage ranges from inexpensive but difficult-to-search secondary storage (tape, stored off-site) to more-accessible near-line storage (big, slow disks usually stored on-site) to expensive but quick network (on-site) storage. Vendors include EMC, IBM, Hewlett-Packard, Sun/StorageTek, Hitachi Data Systems, and Network Appliance, among others. Costs vary widely depending on volume and other criteria, and are sometimes offset by moving records stored on expensive media to more cost-effective media.


Many companies find they need an outside consultant such as Contoural to help manage the creation of their ERM program, draft policy, and evaluate vendor solutions. The cost typically ranges from $50,000 to $150,000. —Y.G.