Nov 30, 2007

ARMA review

Data keepers discuss monitoring and auditing for compliance

Records managers are reeling from constant changes in technology and the resultant vortex of online information. In addition to the increasing amount of information that must be managed, the definition of what qualifies as a record has also expanded. In part due to the promulgation of white collar lawsuits, the scope of information that has become recoverable has grown. At the annual ARMA conference, the biggest records management industry tradeshow in the US, attendees gathered in Baltimore, game for some insight into this shifting terrain.

Almost 200 software providers, joined by over 1,000 corporate practitioners, attended the trade show, while seminars examined the challenges imposed by changes to the Federal Rules of Civil Procedure, structured management of digital records and the definition of records and materiality.

In a live podcast, keynote speaker former Congressman Michael Oxley spoke on the Sarbanes-Oxley Act, which mandated credible records management processes. As co-author of the act, he said ‘the overall writing goal was to restore investor confidence, and the way we did it was to provide more transparency and more accountability of corporate America.’ Success in this regard is proven by the performance of the market, he said. The good news: Oxley thinks a rule-shift as severe as Sarbanes-Oxley won’t be required again for at least another 70 years.

Pertinent issues

Marie Allen, former chief of records policy and administration for the FBI, who was previously the senior manager at the National Archives and Records Administration (NARA), conducted an enticing seminar on ‘Records policy implosions from the White House to Moscow’. The audience listened attentively to tapes in which Nixon and chief of staff Bob Haldeman discussed having the CIA tell the FBI not to look into Watergate for reasons of national security. ‘It’s the content and the use that matter,’ not the form, said Allen, extrapolating Watergate onto the entire spectrum of records management situations. Approximately 15 years later, in Moscow, Mikhail Gorbachev initiated glasnost (openness) and perestroika (restructuring), opening up access to information in a country where the media was previously constrained.

Records have always been a sticky business, and email is providing added pressure as a more indistinct form of communication. In January 1993, the first rulings came out regarding email, calling for records managers to put processes in place for carefully documented access, discovery parameters and creating search aids and inventories.

Compliance as it relates to email is difficult. An even more elusive area is metadata, or data about data, which includes retention schedules. In a session on ‘Monitoring and auditing for compliance’, Frank McGovern, program director for records and retention management at IBM, discussed the positive function of metadata, which can ‘provide sound evidence of compliance with regulatory and governance requirements.’ Unstructured information, being user-controlled, is the most problematic area for metadata, as 67 percent of data loss is caused by humans, McGovern explained. Attempts by companies to have employees manage their own data, like personal emails, are often unsuccessful, a failure attributable to discomfort with the process. According to a study performed by NARA, 56 percent of users find technology ‘extremely burdensome’.

With a good business process, McGovern said, ‘it’s easier for us to capture records,’ and accurate records management ‘enables proof of compliance.’ Automated systems help to ‘automatically capture content,’ like names or numeric patterns, ‘but it’s just a tool and doesn’t always work,’ he said. ‘It’s okay to destroy information if you do it in a legally compliant manner,’ he continued. Ending on a note of caution, he advised companies to keep a cool head about costs, and to ask: ‘How much are you paying your auditor to tell you whether you’re in compliance or not?’

Big picture theory

In a seminar on information lifecycle management (ILM), Andrew Chapman, director of compliance applications for records management software provider EMC, discussed federated records management, a control framework in which records cannot be edited or deleted prior to the expiration of the retention period, according to the legal, administrative, fiscal and historical value of the records. He differentiated between ‘managed unstructured content’, ‘ETL structured data’, ‘unmanaged unstructured content’ and ‘siloed unstructured data’, which includes all of the third-party data.

As each system is inferred by the other, Chapman said, ‘we can’t pretend to understand one system without the others.’ It isn’t just information categorized as records that needs to be assured either, as some content ‘may not contain records but will contain data that’s discoverable.’ The lines here are blurred. ‘If every system has different controls, you can’t do enterprise-wide management.’

The real problem has businesses saying, ‘I’ve got 300 systems but I haven’t got one view,’ said Chapman.

He proceeded to describe a fully integrated enterprise management system, with ‘legal hold functionality’, discussing matching content to pointers in a master system so it could be trackable. He referred to Morgan Stanley for case analysis, a company that lost a billion dollars because they lost track of their content.

Hold on

John Isaza, an attorney with Howett Isaza Law Group, led a seminar on ‘Legal holds for anticipated litigation: New case developments’, expanding on ideas in the 2004 study for the ARMA Educational Foundation, ‘Spoliation and legal holds - identifying a checklist for the duty to preserve’. Referring to the chaos surrounding the destruction of records during investigations at Zubulake and Arthur Andersen, Isaza discussed methods for managing timing and scope for issuance of legal holds while enabling companies to conduct business.

Isaza used to be general counsel for a medical company. Informed by his experience there, he brought forth a dogma that should be closely attended to: the ‘duty to preserve continuum’. Arthur Andersen was one of the five biggest accounting firms, and now, it’s out of business, recounted Isaza. You can’t ‘just pay lip service to litigation holds. Get out there and do something about it,’ he said. To achieve this end he advocated a ‘records retention schedule’ reminding companies not to ‘apply it in hindsight once you’re already under investigation.’

He also mentioned a common semantic struggle: ‘People are trying to grasp what the court would see as reasonable.’ With electronic data preservation, ‘how we define pending is more than just reasonable,’ he said. Foreseeable litigation is when ‘threat is more than reasonable,’ he added. ‘It’s when you start having a pattern of problems and complaints … and it’s just a matter of time before you’re going to get sued.’ The moment that you know you’re about to start an investigation, he said, you must send ‘notice to your insurance carrier, you have to start putting in place litigation holds.’

Litigation holds are a hot topic right now, but when considering issuing them, it’s just as important to consider ‘the lifting of the hold,’ he said, ‘because you don’t want cascading holds.’

Isaza branched out into a discussion of spoliation, or when a company ‘throw[s] away information that you should have been retaining.’ The courts are already putting more onus on attorneys to discuss these issues. So Isaza said companies need to make sure that information materially pertinent to an investigation that’s being held by third parties is not destroyed.

Janine Armin

Janine Armin is deputy editor of Corporate Secretary