Although compliance is generally thought of in a regulatory sense, every corporation that could be involved in litigation needs to consider the implications of how and what information is stored. In a sense, heavily regulated industries such as health care, securities, banking, and commodities are in a better position since the specifics of record keeping are set out in great detail. All industries that interact with the government can assume that their time will come. Other corporations may not discover whether they are adequately preserving information until they are faced with a discovery request. In either event, failure to comply can have dire financial consequences. (See The Cost of Non-Compliance.)
There are three recent laws that have specific requirements for the electronic retention, protection and dissemination of information: the Gramm-Leach-Bliley Act enacted in 1999 (GLBA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and the Sarbanes-Oxley Act of 2002 (SOA). GLBA and HIPAA hold affected enterprises accountable to protect private information while SOA requires companies that issue public securities to establish and maintain internal controls over their financial reporting systems and assess these controls' effectiveness in reports to the Securities and Exchange Commission (SEC).
Management is directly responsible under these acts for creating, implementing and overseeing each of these laws. Failing to comply, or trusting the IT department to take care of this, can result in civil and/or criminal penalties. For example, fines for ignoring a specific requirement under HIPAA can reach $25,000 per violation; under SOA a corporate officer who knowingly signs a false financial report can be fined up to $1 million and face as many as 10 years in prison; and GLBA authorizes individual actions against banks and financial institutions up to $1000, with damages available up to $500,000 for a class action.
While corporate counsel in the impacted industries need to be aware of the ramifications of these acts for their clients, all corporate counsel need to consider that the trend is toward similar requirements for other industries and be prepared to advise clients as to their responsibilities and liabilities. In addition to these new laws, corporations must consider the impact of other regulations relevant to records management, including NASD Rules 2210, 3010, and 3110, NYSE Rules 342 and 440, and ISO 15489. Together, these rules impose strict records management requirements on regulated organizations. Department of Defense (DOD) Directive 5015.2, issued in 1997, serves as a de facto records management standard, providing detailed implementation and procedural guidance on the management of records in the DOD and its departments and offices.
The future may hold more specific standards. The government is drawing up guidelines in the form of three Federal Information Processing Standard drafts. The first, FIPS 199, aims to help enterprises classify risks as low, moderate or high for three security objectives: confidentiality, integrity and availability (a draft is available at csrc.nist.gov/publications/drafts/FIPS-PUB-199-ipd.pdf). The second piece of the series will offer guidelines to help agencies identify the types of information and information systems appropriate for each category of data, while the third will specify the minimum sets of security controls for each defined category of information and information system.
Of interest in defining a 'record' are the UETA (Uniform Electronic Transactions Act), adopted in many states, and the Electronic Signatures in Global and National Commerce Act of 2000, both of which define a record as information “created, generated, sent, communicated, received or stored by electronic means,” and Title 44, Sec. 3301 of the U.S. Code, which defines a public record as all “books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics.”
The first step in meeting the compliance challenge is to evaluate a corporation's current archival and data management strategy with both possible discovery orders and the specific requirements of federal regulations in mind. For example, Rule 17A-4(f), promulgated under the Securities and Exchange Act of 1934, provides very specific requirements for digital information storage and production while Section 404 of SOA specifically outlines the requirements for public companies regarding records retention. In addition, the corporation must balance the need to preserve information and assure business continuity in case of a disaster against the possibility that preserving records unnecessarily could create a disaster of its own during pre-trial discovery.
Following the evaluation of the current information management policies and processes, the corporation is ready to create a system that meets regulatory, discovery, business continuity and disaster avoidance needs. This system will depend on technology that integrates all of the elements of an enterprise-wide set of policies and procedures to govern the collection, preservation, and dissemination of electronic information, but will be driven by the analysis and expertise of corporate counsel. A sensible approach to implementing such a system would be to create a team composed of members with expertise in law, business, and technology.
With the varied and perhaps even conflicting requirements imposed by regulations, litigation and business continuity needs, it is critical that the corporation employ an enterprise-wide content management solution based on tightly integrated records management, resulting in a comprehensive, scalable, end-to-end solution for the creation, version control, security, and lifecycle management of all types of content. (See Characteristics of an Enterprise-Wide Records Management System.)
Off-the-shelf software may fail to take into account the specific requirements of laws that affect a particular corporation, so it is important that these requirements be specifically addressed. For example, as of August 1, 2003, SOA has decreased the time for reporting Form 4 insider transactions from 1 month to within 2 business days of the trade and mandates electronic filing. Dealing with changing or additional regulations requires a nimble, adaptable system. In this case, software vendors, network vendors and service providers can create secure Internet/intranet sites on which transactional information can be centralized. For example, Form 4 filings can be automatically populated and distributed for review via a red-flagged e-mail, and, once approved, the filing can be formatted for the SEC's EDGAR (Electronic Data Gathering, Analysis, and Retrieval system) and filed.
It is also critical that the corporation consider the security and accessibility of its network. The best software and hardware system is not of much use if the network goes down or the physical location of the corporation is not accessible due to a natural or unnatural disaster. In the post-9/11 environment, the corporation that does not think beyond its own servers is at risk. Consider the example above. What would be the result if the filing did not get to the SEC because a server failed, the local phone company had a system failure, or the power went out from New York to Detroit, and the corporation had failed to plan for a backup system? If the corporation were using current technology that can replicate both data and applications in an outsourced, remote secure facility, the backup servers would automatically take over and complete the filing.
Although the government is moving towards offering guidelines (see The Cost of Non-Compliance), for the time being a corporation should follow industry standards for network security, such as keeping Internet-connected hosts and proxy servers patched at the operating system and application levels, maintaining firewalls, VPNs and other devices that control TCP/IP traffic between the Internet and the intranet, and maintaining and updating antivirus software.
All of the new laws require that digital data be stored securely and recovered quickly. Corporations that rely on tape backup (or any other physical storage medium) should consider switching to remote digital online backup. Even if a corporation's IT staff is able to flawlessly perform conventional tape backups, computerized data is still at risk from disasters, hackers, and viruses as well as from more mundane problems such as:
In addition, in the event of a disaster, the tapes may not be accessible. Critical data may be lost or may have to be recreated from paper sources via costly and time-consuming data entry. The bottom line is that remote digital storage provides the most reliable, secure, and cost-effective way to ensure that the information required by law, court order or business necessity is always available.
E-mail presents one of the more difficult management tasks and merits some specific attention. Industries such as financial services are now required to treat e-mail as formal records with severe penalties for not properly retaining, archiving and producing it. A comprehensive e-mail management system provides a secure archive of all e-mail that the corporation is required to keep that is integrated with other document types, and indexed and searchable in the same manner as other documents. In addition, the corporation must provide a secure way to use e-mail to transmit protected data required by federal law. This requires encryption to protect privacy, digital signatures or certificates to authenticate users, and a hashing capability to ensure data integrity. There are a variety of products that can provide this service as well as outsourced secure “compliant” e-mail services.
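The "hashing capability to ensure data integrity" mentioned above is easiest to understand as a tamper-evident manifest over the archive: each retained message is hashed at the time it is archived, and the manifest of hashes is itself authenticated so that neither a message nor the manifest can be altered unnoticed. The following is an added example, not code from the article or from any vendor it describes. The archived messages, addresses and the archive key are constructed for illustration; an HMAC tag stands in for the digital signature the text calls for (a real deployment would sign the manifest with a certificate-backed key kept in an HSM or key vault, which needs a third-party library not used here).

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample: three archived e-mail records as a compliance archive might
# store them. Senders, recipients, dates and bodies are all made up.
ARCHIVED_MAIL: List[Dict[str, str]] = [
    {"id": "msg-0001", "from": "trader@example.com", "to": "compliance@example.com",
     "date": "2003-08-04T09:12:00Z", "body": "Form 4 draft attached for review."},
    {"id": "msg-0002", "from": "compliance@example.com", "to": "trader@example.com",
     "date": "2003-08-04T10:03:00Z", "body": "Approved; please file via EDGAR today."},
    {"id": "msg-0003", "from": "cfo@example.com", "to": "board@example.com",
     "date": "2003-08-05T16:45:00Z", "body": "Q2 figures for the 10-Q are final."},
]

# Hypothetical archive key. HMAC-SHA256 under this key is the stand-in for the
# digital signature over the manifest; the key must never live in source code.
ARCHIVE_KEY = b"constructed-example-key-not-for-real-use"


def canonical_bytes(record: Dict[str, str]) -> bytes:
    """Serialize a record deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: Dict[str, str]) -> str:
    """SHA-256 digest of one archived message: the integrity check for that record."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def manifest_tag(digests: Dict[str, str], key: bytes) -> str:
    """Authentication tag over the whole manifest, so the list of digests cannot be rewritten."""
    manifest_bytes = json.dumps(digests, sort_keys=True).encode("utf-8")
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def build_manifest(records: List[Dict[str, str]], key: bytes) -> Dict[str, object]:
    """Record a digest per message at archiving time and authenticate the manifest."""
    digests = {r["id"]: record_digest(r) for r in records}
    return {"digests": digests, "tag": manifest_tag(digests, key)}


def verify_archive(records: List[Dict[str, str]], manifest: Dict[str, object],
                   key: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True only when the manifest tag verifies, every
    record still matches its recorded digest, and no record is missing or unexpected."""
    problems: List[str] = []
    digests: Dict[str, str] = manifest["digests"]  # type: ignore[assignment]
    # Check the manifest first: if it was altered, none of its digests can be trusted.
    if not hmac.compare_digest(manifest_tag(digests, key), str(manifest["tag"])):
        return False, ["manifest authentication tag does not verify"]
    seen = set()
    for r in records:
        seen.add(r["id"])
        recorded = digests.get(r["id"])
        if recorded is None:
            problems.append(f"{r['id']}: not in manifest (unexpected record)")
        elif not hmac.compare_digest(recorded, record_digest(r)):
            problems.append(f"{r['id']}: content altered since archiving")
    for missing in sorted(set(digests) - seen):
        problems.append(f"{missing}: missing from archive")
    return (not problems), problems


def tampered_copy() -> List[Dict[str, str]]:
    """Constructed failure case: a stored body is changed after archiving."""
    copy = [dict(r) for r in ARCHIVED_MAIL]
    copy[1]["body"] = "Not approved."
    return copy


if __name__ == "__main__":
    manifest = build_manifest(ARCHIVED_MAIL, ARCHIVE_KEY)
    print("intact archive:", verify_archive(ARCHIVED_MAIL, manifest, ARCHIVE_KEY))
    print("altered body:  ", verify_archive(tampered_copy(), manifest, ARCHIVE_KEY))
    print("dropped record:", verify_archive(ARCHIVED_MAIL[:2], manifest, ARCHIVE_KEY))
```

The order of checks matters: the manifest tag is verified before any digest is trusted, since an attacker who can rewrite both a message and its digest would otherwise pass. Missing records are reported as well as altered ones, because a retention rule is violated just as much by a deleted message as by an edited one.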
Outsourcing functions such as network management, data archiving or e-mail often provides the best ROI, since the corporation gets the advantages of technical expertise and up-to-date technology and facilities without adding staff or having to buy or update software or hardware. Any corporation considering outsourcing should make sure that the outsourcer complies with all regulations. The responsibility for complying rests with the corporation, and even with the individual directors, so it will not be possible to blame the outsourcer.
Whether a corporation decides to outsource, buy or some combination thereof, certain basic requirements should be met. The ability to meet both regulatory and discovery requirements is a given, but ask for references and check them. An enterprise records management product should be able to:
If data is to be stored remotely, the minimum requirements are:
The key is to select a vendor that has specific, relevant experience; scalable, customizable products; and the willingness and ability to integrate with other vendors.
Corporations are faced with having to comply with ever increasing governmental regulations, potential personal liability for corporate officers and directors for non-compliance, and costly discovery orders. The success, perhaps even the survival, of a corporation depends on its ability to manage all of these regulatory requirements and its business at the same time.
The Cost of Non-Compliance
In December 2002 the SEC fined Deutsche Bank Securities Inc., Goldman, Sachs & Co., Morgan Stanley & Co. Inc., Salomon Smith Barney Inc., and U.S. Bancorp Piper Jaffray Inc. a combined $8.25 million for failing to comply with SEC Rule 17a-4. In this instance, failure to properly preserve e-mail as required by SEC Rule 17a-4 and CFTC 17 CFR 1.31 was the issue, but these rules apply to all information corporations are required to preserve and produce. Recently, the SEC broadened its investigation to include chief executives and analysts' supervisors and demanded copies of e-mails and other documents within 3 weeks. Outside of the securities industry, the fate of Arthur Andersen, Enron and many other prominent corporations has made the level of appropriate and defensible preservation, collection, disposal and production of data a source of critical concern both in the legal departments of major U.S. corporations and in their executive suites.
Characteristics of an Enterprise-Wide Records Management System
An enterprise-wide system effectively manages all record types and allows a corporation to: