Sarbanes-Oxley, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 all established rules for records retention as well as penalties for violating those rules. More recent changes in civil law procedures pertaining to records retention have led to fines and sanctions as well.
With the specter of possible lawsuits facing them as a result of the above rules, it's imperative that companies have written policies for records retention that adhere to all of the legal requirements. Yet many firms have not even started this process, according to Debra Logan, Gartner Research vice president, who discussed the issue at the recent Gartner Compliance & Risk Management Summit in Chicago.
“Make sure that the records retention schedule includes all content types — paper documents and other physical content types, electronic documents, and communication content such as e-mail and IM (instant messages).”
Records management applications enable firms to identify, manage and preserve critical business records such as transactions, while also making it easier to find electronic documents – including e-mail and instant messages – that are pertinent to litigation, Logan said. She added that the focus of litigation is increasingly dependent on the discovery and authenticity of electronic evidence. In litigation, according to Logan, 75 percent of electronic evidence is e-mail.
The need for storing these e-mails is prompting e-mail hosting services to provide archival services, Logan noted.
However, a lot of e-mails are duplicated, so a firm must balance its need for retaining e-mails with an archival system that eliminates duplicates, Logan said.
Gartner recommends a seven-step program for records management:
1. Build a program oversight team consisting of legal, finance, IT and business managers.
2. Draft policies to detail enterprise needs for record keeping in order that your firm meets business, regulatory, legal and fiscal requirements.
3. Build a file plan and retention schedule with access rights and document types.
4. Determine functional and technical requirements.
5. Select and deploy a records management solution.
6. Communicate and train staff. Publish policies, retention schedule and procedures.
7. Establish a continuous audit and review process.