Document Retention Policies and the Data Management Lifecycle: Law and Information Technology
Thursday, April 13, 2006
The Integration of Information and Risk Management
John Murphy, DataForeSight
Agenda
• Introduction
• Establishing the Retention Policy
• The Sea Of Data
• The Data Retention Roadmap
• The Data Lifecycle
• Draining the Swamp
• Example Data Reduction
• A Data Retention Framework
• Wrap-up
Establishing the Retention Policy
• Establishing the Data and Information Retention Policy
• Preservation and Retention
• Retention Policy
• Preservation and Retention Duty
• Compliance
• Litigation
• Creating Your Policy – This is not an IT Problem
• Document Destruction
• Retention Policy and The Litigation Hold
• Information Security
Preservation vs. Retention Duty
Preservation
• Time: foreseeable dispute (shorter than retention)
• Bases: rules, tort, inherent power
• Breach: spoliation
• Penalties: default or dismissal, evidence, fines
Retention
• Time: statute or regulation
• Bases: statutes and regulations
• Breach: spoliation
• Penalties: default or dismissal, evidence, fines, statutory penalties
Purpose of Retention/Destruction
Retention
• Legal compliance
• Litigation preparedness
• Company’s reputation
Destruction
• Reduce operational cost
• Asset protection
• Privacy
Compliance
• 20,000+ statutes and regulations require retention
• Consider the impact of foreign retention requirements
• The harm of retention spoliation is similar to the harm of preservation spoliation
Four Legs of Compliance
Compliance is the result of integrated Policy and Process.
• The Policy – The Information Records Management Policy is established by corporate Legal. Specific measures for compliance are tied to the policy. What’s the policy and how do you measure compliance?
• The Leadership – The Policy is reflected in the visibility, adoption, enforcement and compensation by and for senior management. Does Leadership walk the walk?
• The Technology – The Policy is reflected in all aspects of data management. IT is using, NOT establishing, The Policy. Does the procedure tie to the policy?
• The Training – The Policy is reflected in all aspects of training, education, procedure and compensation. Does everyone understand their responsibility, liability and consequences?
The Compliance Team
The Compliance Team is comprised of:
• General Counsel
• Compliance Officer
• Information Architect
• Application Architect
• Content and Messaging Manager
• Training Supervisor
The Compliance Team provides an enterprise understanding of data retention through:
• A comprehensive understanding of corporate policy and procedures related to regulatory compliance
• Elimination of fragmented responses to regulatory inquiry
• An optimized response to litigation discovery
Statutes and Retention
• SEC Rule 17a-4 – Electronic Storage of Broker-Dealer Records
• Gramm-Leach-Bliley Act – Financial Services Modernization Act of 1999
• Sarbanes-Oxley Act of 2002
• FDA 21 CFR Part 11
• DoD 5015.2 – Department of Defense
• Health Insurance Portability and Accountability Act (HIPAA)
• Fair Labor Standards Act
• Occupational Safety and Health Administration (OSHA) Act
• Internal Revenue Service Reform Act
• Food and Drug Administration
• Health and Human Services
Statutes and Retention
SEC Rule 17a-4 – Electronic Storage of Broker-Dealer Records
• Retention – minimum of 3 years
• Relates to the retention of correspondence between the securities company and its customers:
• Purchase and sale documents
• Customer and associated persons’ records
• Customer complaint records
• Written supervisory procedures
• Additional rules established by both the NASD (sections 2210 and 3010) and the NYSE (section 342) require members to comply with SEC 17a-4 or risk fines by both the SEC and the member’s SRO.
Statutes and Retention
• “preserve the records exclusively in a non-rewriteable, non-erasable format.” This requirement does not mean that the records must be preserved indefinitely. Like paper and microfilm, electronic records need only be maintained for the relevant retention period specified in the rule.
• The electronic storage media must verify automatically the quality and accuracy of the storage media recording process; serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.
Statutes and Retention
Gramm-Leach-Bliley Act, or Financial Services Modernization Act of 1999
• Retention period – 6 years or “best practices”
• Relates to limited privacy protection against the sale of private financial information to third parties.
• Personal financial information must be securely retained.
• Customers must be advised of the policies in place for sharing personal financial data.
• Customers must be able to easily opt out of the sharing of some financial data.
Statutes and Retention
Health Insurance Portability and Accountability Act (HIPAA)
• Retention periods
• Complaints – 6 years
• Medical and diagnostic records – 6 years
• Medicare records – 5 years
• Special consideration for minors
• Records must be retained for 2 years after a patient’s death
• Relates to documents on uses and disclosures, authorization forms, business partner contracts, notices of your information practice, responses to a patient who wants to amend or correct their information, the patient’s statement of disagreement, and a complaint record.
Statutes and Retention
The Sarbanes-Oxley Act of 2002
• Retention period – 7 years
• Deals with the falsification, destruction or alteration of documents or data with the intent to impede, obstruct or mislead an investigation by any federal agency. Includes the destruction of materials used in the creation of audits or financial assessments.
• Applies directly to publicly held companies.
• US companies valued at over 100 million dollars will spend a combined 2 billion dollars on implementing SOX. [4]
• Privately held companies with US ties are adopting SOX as well.
New SOX “Data” Sources
• Website Records – Section 403 – Posting stock ownership changes
• Internal Control Reports – Section 404 – Audit notes on how the internal control reports are created
• Corporate Officer Certification – Section 302 – Who certified which reports and audits, and when
• Complaints – Section 301 – The collection, retention and treatment of complaints (external, internal, anonymous) as they relate to financial audit and disclosure, and a description of how each complaint was addressed
• Penalties – Section 906 – False certification can result in $5,000,000 in penalties and/or 20 years in prison
Compliance Statutes
Bioterrorism Act of 2002
• Applies to all who manufacture, process, pack, transport, distribute, receive, hold, or import food in the U.S. (Section 305).
• Regulations include a duty to create and collect specified information, and a duty to retain it for up to two years.
• No format requirements, but records must be available within 24 hours of notice from the FDA.
http://www.omnirim.com/SupportDownloads/support_whitePapers.htm
Statutes and Retention
Electronic storage media must be able to:
• Preserve in a non-rewriteable, non-erasable format
• Serialize units of storage media
• Time-date the information
• Produce easily readable images
• Provide facsimile enlargement
• Maintain separate original and duplicate
• Organize and index all information
• Be audited, with audit results readily available
• Provide access to the SEC or its designee
The Next Wave – Basel II
• The Basel Capital Accord, or Basel II, updates 1988 European capital rules for risk-management practices that align capital with operational, credit, and market risks for banks operating internationally.
• Basel II also mandates new regulatory methods for calculating capital to support operational risk.
• Banks must account for operational risk in their methods of calculating the amount of capital an institution must set aside to cover risk.
• Banks must retain data on how risk was determined.
Basel II Impact
Guillermo Kopp, of TowerGroup, on 2005 trends in financial services: “[T]he Basel II Accord introduces the concept of operational risk across the company, and fragmented silos can’t offer an enterprise view of operational risk. As a result, companies are starting to think more horizontally across the hierarchy, looking at ways of combining and integrating their systems for each compliance mandate.” [5]
Crime and Punishment…
• In response to the WorldCom bankruptcy filing, the Securities and Exchange Commission (SEC) takes swift and dramatic action to deal with what was perceived as a wholly inadequate records management program and imposes an $800-an-hour monitor on WorldCom (now MCI). The monitor’s task is to ensure that the company “has developed document retention policies and ... has complied with these policies.”
• The SEC fines five brokerage firms $8.25 million for failure to retain e-mail records. In addition to the monetary penalty, the firms are required to “review their procedures to ensure compliance with recordkeeping statutes and rules.”
• The CEO of a pharmaceutical company is found guilty, sentenced to seven years in jail, and forced to pay a $3 million penalty for obstruction of justice because he “directed another individual to ... delete certain computer files ... containing phone messages he received ... and documents evidencing [his] instructions.”
Assess Your Current Reality
Cohasset, ARMA & AIIM: 2005 Electronic Records Management Survey (recent improvement)
• Retention program does not include electronic records: 43%
• No formal e-mail policy: 49%
• No formal litigation hold process: 43%
• No data migration plan: 68%
• Electronic records not included in litigation hold: 53%
Crime and Punishment
• Procter & Gamble: P&G was sanctioned $10,000 for failure to preserve corporate e-mail communications despite its knowledge that the e-mail would be relevant to an action.
• Applied Telematics Inc. v. Sprint Communications Co.: Sprint’s failure to preserve electronically stored routing plans resulted in an order for payment of plaintiffs’ costs and attorney fees.
• Prudential Ins. Co. of America Sales Practice Litigation: Prudential’s “haphazard and uncoordinated” approach to document retention denied its opponents potential evidence to establish facts in dispute, and was grounds for a $1 million fine.
• Fen/phen wrongful death class action suit: experts estimated that the cost to restore e-mails from backup tapes to satisfy the discovery process could go as high as $1.75 million. Facing a hostile court, defendant Wyeth settled for over $3 billion.
Categorize Documents
Two models:
• Categorize in advance
• Retrieve in retrospect
Two methods of categorization:
• Human
• Computer
Computer categorization:
• Import data into data mining software
• Embed data mining software into databases
• Rules-bound agents sent to network-based, distributed, diverse data sources
Litigation
• Forensic Data Analysis
• Do you know where the data is?
• Can you get to it?
• Is it related through multiple systems?
• Information Discovery Process
• Outsiders view data as a “Corporate Asset”
• Halt Destruct Orders
• Similar in form and function to regulatory retention rules, except they will (hopefully) expire or be terminated.
Prepare for Litigation
• Assume you will need to support litigation, audits and government investigations.
• Proposed new federal rules of civil procedure on electronic discovery will have a significant impact upon retention.
• Rule 26(b)(2)(C) protects information identified as “not reasonably accessible because of undue burden or cost.”
• Reinforced tenet (Rules 16 & 26): electronic information must be reliably searchable and accessible in a short time.
• Production format: (a) requested format; (b) format in which “ordinarily maintained”; or (c) reasonably usable format.
• The effectiveness of your document retention practice may influence whether a court enters ex parte, expedited or other preservation orders. Pueblo of Laguna v. U.S., 60 Fed. Cl. 133 (Ct. Claims 2004)
• Assume that the retention policy and retention schedules will be discoverable and will be requested.
Balance Culture, Law & Efficiency
• Clear, detailed, signed computer and e-mail use policies
• Size, copying and portability restrictions upon e-mail
• Monitoring of documents, electronic information assets and e-mail use
• Privacy
• Repeatability
Document Destruction
• Destroying a document requires much more discipline and planning than retaining a document.
• Must know sources
• Must control migration
• Other possible controls: transmission monitoring, spidering, copy (e.g., USB drive) controls, both rules-based and technology-based
• Destruction should be routine, non-selective, rules-based
Draft Retention Policy
• Definitions must be tested against flow and function
• Policy must be uniformly and systematically applied
• Assume that policy and schedules will be discoverable and discovered
• Retain an audit trail of activities
Create Litigation Hold
• Retention duties create the policy; preservation duties create the exceptions
• Two models: personnel- or computer-driven
• Written checklist and protocol
• Define trigger: reasonable notice of dispute
• Define scope
• Identify sources
• Send internal preservation notice
• Require response, even if negative
• Follow up
Create Litigation Hold
• Rambus v. Infineon Technologies, 220 F.R.D. 264 (E.D. Va. 2004): when a retention program is instituted or amended, carve out destruction of documents as to which litigation is reasonably foreseeable
• Be forthright about destruction purpose
• Differentiate between operational data and casual communications
• If retention is done at the direction of, or in consultation with, counsel, the process may be privileged (i.e., in the absence of evidence of bad faith)
Understand and Use Metadata for Retention
• Some statutes mandate the creation of information, but most only mandate retention
• Automated processes rely upon metadata
• Rules, spiders, agents – all are driven by metadata
• Default: retain, and preserve the metadata
• Integrate DR standards as part of data and information definition
Understand Deleted Data
• Under some circumstances, deleted data is as discoverable as active data
• The retention process should take into account whether deleted data is preserved and what audit / trace is available
• Be certain that there is uniformity in the deletion process
• Deleting from operational systems won’t delete from the long-term archive; know where each instance of the record will be
The Sea Of Data…
• In 1967 there were fewer than 5,000 computers worldwide. [4]
• 2002 UC Berkeley Worldwide Data Volumes [1]
• >2 million server-class machines or higher
• 400 million PCs
• 250 Mb / person / year as of 2002
• 97% of corporate documents are electronic
• <0.003% of all information is in paper print
• IDC Worldwide E-Mail Study – 2002 [2]
• ~60 billion e-mails / day, increasing at a rate of 25% / yr
• ~25 billion wireless text messages / day
• The average corporate mailbox contained >1,000 messages with >50 Mb of content
Common Data Centric Architecture
[Diagram: Operational App and Web Services, Analytics and Reporting Services, Operational App and Web Storage and Data Warehousing; HR, GL, Sales and Prod systems feeding Attached Storage, SAN, Data Warehouse, Content Management, Near Line Storage and Backup. Label: “Disposal Process?”]
Data Under Management
[Diagram: Data Under Management spans Data Under Compliance, Archived Data, Paper Copy, Unstructured Content, Managed Relational Data, Off Site Backup and E-Mail.]
The Roadmap
• Establish Retention and Disposal Policy for all data
• Relational data
• Unstructured data
• E-mail, training materials etc.
• Identify data value for all data under management
• Relational by subject area
• Content managed as related to relational
• E-mail, backup and offsite
• Dispose of non-regulated low value / low access data with an appropriate audit trail
• Develop a process to periodically dispose of disposal-eligible data with audit and reporting systems
New Regulation Process
• New and modified regulations reviewed and interpreted by the legal department designee
• Regulation requirements reviewed with the Chief Compliance Officer (CCO); if warranted, an implementation team is assigned
• Business Analyst (BA) reconciles new requirements with existing rules
• BA reviews data requirements with the Data Architect (DA)
• DA identifies impacts to data and data lifecycles
• New rules developed by the BA and validated with Legal
• New rules reviewed with the DA and implemented
• New rule test cases run and approved by Legal and the CCO
• New rules applied to the current data set (production and archive)
• New rules in production
Retention Requirements
• Speed – The system must provide sub-second response time for most queries.
• Cost efficiency – The system must be inexpensive.
• Regulatory compliance – The system must be conformant.
• Reliability – The system can never lose or corrupt data.
• Litigation readiness – Be continually ready to produce documents with a verified chain of custody.
The Data Lifecycle
• The Data Lifecycle is the collection of standard events applied to an area of records and information.
• The Lifecycle is comprised of working events that modify, refresh and change the content and context of the information and records.
• The Lifecycle also contains events that allow the data to remain observable but with fixed and unchanging content and context.
Data Value and Lifecycle
[Chart: Value vs. Time through the lifecycle events Create, Update, Distribute, Delete; storage tiers Online, Nearline / Offline and Archive; labels 80% and <20%.]
Data Lifecycle Caveats
• All data has a lifecycle composed of events triggered by rules.
• These events and rules can be captured as part of the administrative or operational metadata associated with the data.
• Additional lifecycle events may be required to support business, governance or regulatory requirements.
• The events become the metrics for the audit.
• The rules behind the events may change, requiring version management.
• Halt destruct orders need to be accommodated as well.
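The points on this slide, together with the Create Litigation Hold, Understand Deleted Data and Metadata slides, describe a small rule engine: retention rules drive lifecycle events, a litigation hold is the exception that overrides disposal, each event is logged with the rule version that produced it, and disposal has to reach every instance of a record. The following is an added illustration of that engine, not code from the presentation or from DataForeSight; the record classes, store names, record ids, retention periods and the matter name are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """Retention rule for one record class; the version is written to the audit trail."""
    record_class: str   # constructed class name, e.g. "correspondence"
    retain_days: int    # minimum retention, counted from record creation
    version: int


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    created: date


def locate(record_id, stores):
    """Every store (operational, archive, backup, ...) that still holds a copy."""
    return {name for name, ids in stores.items() if record_id in ids}


class LifecycleEngine:
    """Applies retention rules, honours litigation holds and keeps an audit trail."""

    def __init__(self, rules, today):
        self.rules = {r.record_class: r for r in rules}
        self.today = today
        self.holds = {}     # record_id -> matter: the preservation exception
        self.audit = []     # lifecycle events double as the audit metrics

    def _log(self, event, record_id, **details):
        self.audit.append({"date": self.today.isoformat(), "event": event,
                           "record_id": record_id, **details})

    def place_hold(self, record_id, matter):
        """Halt-destruct order: the record is preserved until the hold is released."""
        self.holds[record_id] = matter
        self._log("hold_placed", record_id, matter=matter)

    def release_hold(self, record_id):
        self._log("hold_released", record_id, matter=self.holds.pop(record_id))

    def decide(self, record):
        """Lifecycle event the rules call for on self.today."""
        rule = self.rules.get(record.record_class)
        if rule is None:
            return "retain"       # no matching rule: the default is to keep the record
        if record.record_id in self.holds:
            return "preserve"     # a hold overrides any disposal eligibility
        expiry = record.created + timedelta(days=rule.retain_days)
        return "dispose" if self.today >= expiry else "retain"

    def apply(self, record, stores, unreachable=frozenset()):
        """Run the lifecycle for one record; disposal must reach every instance.

        `unreachable` names stores that cannot be written right now (for example
        an offsite backup); copies left there are reported, not forgotten.
        """
        event = self.decide(record)
        rule = self.rules.get(record.record_class)
        version = rule.version if rule else None
        if event != "dispose":
            self._log(event, record.record_id, rule_version=version)
            return event
        copies = locate(record.record_id, stores)
        for name in copies - set(unreachable):
            stores[name].discard(record.record_id)
        leftover = locate(record.record_id, stores)
        self._log("dispose", record.record_id, rule_version=version,
                  deleted_from=sorted(copies - leftover), leftover=sorted(leftover))
        return "dispose" if not leftover else "dispose_incomplete"


def run_demo():
    """Constructed scenario: three records, one under hold, one with an offsite copy."""
    today = date(2006, 4, 13)
    rules = [RetentionRule("correspondence", retain_days=3 * 365, version=2),
             RetentionRule("audit_workpaper", retain_days=7 * 365, version=1)]
    stores = {                      # store name -> ids of the records held there
        "operational": {"r1", "r2", "r3"},
        "archive": {"r1", "r2"},
        "offsite_backup": {"r1", "r3"},
    }
    records = [
        Record("r1", "correspondence", date(2001, 1, 1)),    # past 3 years
        Record("r2", "correspondence", date(2002, 6, 1)),    # past 3 years, but on hold
        Record("r3", "audit_workpaper", date(2001, 1, 1)),   # still inside 7 years
    ]
    engine = LifecycleEngine(rules, today)
    engine.place_hold("r2", matter="matter-example")       # constructed matter name
    outcomes = {r.record_id: engine.apply(r, stores, unreachable={"offsite_backup"})
                for r in records}
    return outcomes, stores, engine.audit


if __name__ == "__main__":
    for entry in run_demo()[2]:
        print(entry)
```

Two design choices follow directly from the slides: the engine never disposes of a record that has no matching rule (the default is to retain), and an incomplete disposal is reported as its own outcome with the stores that still hold a copy, so the audit trail records exactly where each remaining instance lives rather than pretending the record is gone.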
Traceability
• Limit data to a single set of “Master” information records
• Reduce or eliminate replication and reproduction
• Control access and distribution of data and information
• Develop a “birth to grave” tracking of data
• Know where the data is through its metadata
• Systems of record
• Check-in / check-out process
• Configuration management
Draining the Swamp
Disposing of Data, Mitigating Risk and Achieving Compliance
Data Reduction
• Get rid of data eligible for disposal based on Policy
• Paper records, relational and unstructured electronic
• Scan and make electronic copies of paper records
• Associate related data
• Track data and records utilization
• Identify and keep “Value” data. What purpose does this information serve?
• Required for analytics, business continuity
• Business operations, regulatory controlled
• Archive low value, low frequency accessed data
• Keep aggregate, dispose of atomic
• De-dupe data: create one source of data = “Enterprise” view. Eliminate replication
• Limit individual e-mail storage capacity
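The de-dupe step above, and the Traceability slide’s call for a single set of master records with every instance known, come down to one mechanism: give each record an identity that is independent of which system holds it, find every copy, and pick one master per system-of-record precedence. The following is an added example of that inventory, not code from the presentation or from DataForeSight; the store names, record ids, precedence order and content are constructed, and SHA-256 of the bytes is used as the identity, so only byte-identical copies are recognised as duplicates.

```python
import hashlib

# Constructed sample stores: store name -> {record id: content}. Three stores hold
# byte-identical copies of the same invoice under different ids.
INVOICE = b"Invoice 1001: 3 units @ 40.00, total 120.00\n"
STORES = {
    "sales_db":     {"inv-1001": INVOICE},
    "content_mgmt": {"doc-77": INVOICE, "doc-78": b"Contract draft v3\n"},
    "file_share":   {"Copy of invoice.txt": INVOICE},
    "mailbox":      {"msg-5": INVOICE, "msg-6": b"Lunch at noon?\n"},
}
# Precedence for choosing the master copy: the system of record comes first.
PRECEDENCE = ["sales_db", "content_mgmt", "file_share", "mailbox"]


def fingerprint(content: bytes) -> str:
    """Content hash used as the identity of a record across stores."""
    return hashlib.sha256(content).hexdigest()


def inventory(stores):
    """Map each fingerprint to every (store, record id) holding that content."""
    index = {}
    for store, records in stores.items():
        for record_id, content in records.items():
            index.setdefault(fingerprint(content), []).append((store, record_id))
    return index


def dedupe_plan(stores, precedence):
    """Choose one master per fingerprint by store precedence; the rest are replicas."""
    rank = {name: i for i, name in enumerate(precedence)}
    plan = {}
    for fp, locations in inventory(stores).items():
        ordered = sorted(locations,
                         key=lambda loc: (rank.get(loc[0], len(rank)), loc[1]))
        plan[fp] = {"master": ordered[0], "replicas": ordered[1:]}
    return plan


def reduction(stores, plan):
    """(records before, records after) if every replica were removed."""
    before = sum(len(records) for records in stores.values())
    replicas = sum(len(entry["replicas"]) for entry in plan.values())
    return before, before - replicas


if __name__ == "__main__":
    plan = dedupe_plan(STORES, PRECEDENCE)
    for entry in plan.values():
        print("master:", entry["master"], "replicas:", entry["replicas"])
    print("records before/after:", reduction(STORES, plan))
```

The plan is an inventory, not a deletion: removing a replica still goes through the retention rules and any litigation hold that covers it, and the master’s location is what the record’s metadata should carry so that the “where is each instance” question on the Understand Deleted Data slide has an answer. Near-duplicates (re-saved, re-encoded or annotated copies) hash differently and would need content normalisation before this comparison.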
Results
Business case benefits are primarily related to legal exposure risk avoidance.
• Storage recovery is minimal
• Improved performance
• Improved disaster recovery time
• Less complex data integration
• Lower development costs
• Reduced discovery costs
• Paper file retention and storage
Data Reduction – Example 1
[Chart: record volume (6m to 22m) over 2003–2007 for four scenarios: No DR Disposal, Remove Delete Eligible Transactions, De-Dupe Operational Data, DR with Disposal; data points labelled 16.5M and 7.3M.]