Record Retention Is Back In The Spotlight - Actiance · PDF file3 Key Trends in Litigation and...

Record Retention Is Back In The Spotlight Successfully Using Electronic Communications In Today’s Regulatory Environment

ContentsI. Introductions .........................................................3

II. Industry Regulations ..............................................5

3 Key Takeaways For Complying With ......................5 Industry Regulations

Consequences of Non-Compliance ..........................7

III. Litigation and eDiscovery ......................................9

3 Key Trends in Litigation and eDiscovery ................9

Consequences of Non-Production .......................... 10

IV. Conclusion ......................................................... 11

V. Appendix ............................................................12

Record Retention Is Back In The Spotlight | 3

I. Introduction Over the last three years, no fewer than ten regulations relating to the archiving of electronic communications have been issued or updated by regulators around the world. Financial services, pharmaceuticals, healthcare, the public sector and energy and utilities are some of the most heavily regulated industries. The fact that regulators in these industries are either issuing new regulations for electronic communications or updating existing regulations, reflects the importance placed on good recordkeeping.

Increased regulations for electronic communications is due in part to the sheer volume of email. The use of email within the workplace has accelerated over the last decade and shows no sign of slowing. According to a recent report1, email is expected to increase from 3.3 billion accounts in 2012 to over 4.3 billion accounts by year-end 2016. Furthermore, the report highlights the growth in volume of business emails sent and received per day which looks set to grow at an average of 13% to reach over 143 billion by year-end 2016.

The continued rise in email volume creates management challenges for businesses, not least because of regulatory requirements to retain business correspondence and the increasing incidence of eDiscovery cases citing email. For highly regulated industries such as Financial Services and Healthcare, recent cases have illustrated that major organizations are struggling with their email archiving process as a result of eDiscovery requests2.

On top of this, the number of electronic communications used within an enterprise over the course of the last decade has multiplied. In many organizations, email is used along with other collaborative platforms, such as Microsoft SharePoint, Salesforce Chatter and Jive; unified communication platforms such as Microsoft Lync and Cisco Jabber; public instant messaging networks such as Yahoo! Messenger, AIM; public social networks such as Facebook, LinkedIn and Twitter; and specialist community networks such as Bloomberg, Thomson Reuters Eikon, ICE Chat.

These electronic communications are sent in real-time, and participants have the opportunity not only to reply instantaneously but also to copy, edit, and even delete in an instant with just a few keystrokes. Tracing the authors of electronic communications could also be challenging if the communications were sent via personal accounts, such as in the case of social media. Firms could have a difficult time tying the account names on social media (for e.g. @lonewolf1) back to a corporate identity (for e.g. John Smith).

1 Email Statistics Report, 2012-2016, The Radicati Group Inc., http://www.radicati.com/wp/wp-content/uploads/2012/04/Email-Statistics-Report-2012-2016-Executive-Summary.pdf

2 4 Email Archiving Trends from Gartner, http://www.deadmanheartbeat.com/compliance/gartner-4-email-archiving-trends/

| Record Retention Is Back In The Spotlight4

Just like email, these other forms of electronic communication are just another form of electronically stored information (ESI) and as such, subject to eDiscovery requests. Over 50% of law firms and corporations reported that they were involved in a matter with social media data3. In the eyes of the courts, producing requested content or any other relevant documents in a timely fashion becomes hugely important. It is a cautionary tale that many organizations end up losing a case because specific data to prove their side of the case could not be found.

Organizations are also more aware of eDiscovery costs than in the past. Studies indicate that discovery continues to account for the vast majority of the cost of civil litigation. Indeed, according to one survey, discovery is responsible for 70% of total litigation costs in cases that are not tried. Litigants can spend upwards of $18,000 to collect, process and review a single gigabyte of data. In large cases, potentially responsive data can measure in the hundreds or even thousands of gigabytes4.

With the evolution of electronic communications in the workplace, organizations need to re-evaluate existing archiving processes against the backdrop of current regulatory and eDiscovery requirements. See the Appendix for a detailed listing of rules and regulations impacting firms around the world.

3 Year in Review: How Predictive Coding, New Forms of ESI and Cybersecurity Impacted Ediscovery in 2014, Kroll Ontrack, Nov 18, 2014. (http://www.businesswire.com/news/home/20141118005096/en/Year-Review-Predictive-Coding-Forms-ESI-Cybersecurity#.VL5ZtNKsXEi)

4 3 E-Discovery Trends You Can’t Afford to Ignore, Corporate Counsel, 26 September 2014, http://www.corpcounsel.com/id=1202671501269/3-Ediscovery-Trends-You-Cant-Afford-to-Ignore?slreturn=20150030155830


II. Industry Regulations 3 Key Takeaways For Complying With Industry Regulations

1. Content is Determinative

A recurrent theme through many of the regulations is that content of the communication determines whether it should be archived for regulatory purposes, not the medium used to send it.

The Financial Conduct Authority in the U.K. is just one of the regulators that have issued clarification in this area, defining electronic communications as:

“includes fax, email, Bloomberg mail, video conferencing, SMS, business to business devices, chat and instant messaging. But is not limited to these as it captures any electronic communications involving receiving client orders and the agreeing and arranging transactions. We will not produce an exhaustive list of electronic communication because of the continuing innovation and advancement in technology which would mean the list frequently becomes out of date. We also feel that it is inappropriate to limit the obligations to a prescriptive list and an outcome based approach is more suitable in implementing such rules. We would expect senior management to exercise their judgement in this area.”

FINRA in the U.S. specifically includes electronic communications to be archived in Rule 2210:

“any written (including electronic) communication that is distributed or made available only to institutional investors”

“any written (including electronic) communication that is distributed or made available to more than 25 retail investors within any 30 calendar-day period”

“any written (including electronic) communication that is distributed or made available to 25 or fewer retail investors within any 30 calendar-day period”

2. Make the Archive Easily AccessibleRegulators such as the Securities Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), Financial Conduct Authority (FCA), Swiss Financial Market Supervisory Authority (FINMA) and the Food and Drug Administration (FDA) are among those that require for the communications retained to be kept in a readily accessible place and in a reviewable format. Moreover, the communications need to be archived in a tamper-proof format.

In addition, organizations governed by the Health Insurance Portability and Accountability Act (HIPPA) need to be aware that tools used to capture and retain communications could to be subject to audit.


3. Different Departments Have Different Retention RequirementsDifferent departments within an organization have different business use cases for the electronic communications deployed. Some groups of employees, by regulatory standards, are subject to greater supervision than other groups.

For instance, in a healthcare setting, frontline hospital staff with access to Protected Health Information (PHI) and Electronic Personal Health Information (ePHI) would need to have their real-time communications captured and logged in line with recordkeeping requirements, however, Human Resources or IT might not have access to PHI and ePHI and would not be subject to similar requirements.

As such, the ability to define data capture policies at a global, group or site level to map to compliance or corporate governance standards could bring about cost efficiencies for the organization. For one, storage costs would be lower, as only relevant content is captured. Further downstream, having a smaller pool of data to search, will expedite eDiscovery in the event of litigation, not to mention decreasing the risk of liability.

Consequences of Non-ComplianceThe inability to retrieve communications to meet regulatory requirements can result in financial penalties and even lawsuits being brought against the organization.

In 2005, the New York Stock Exchange fined UBS AG8 $2.1 million for failing to preserve electronic communications and for supervisory failures. More recently in 2013, U.S. financial services regulator, FINRA, doled out more than $15 million in fines against 66 electronic communication cases. Although the increase in the number of cases was small – only a 5% increase from the previous year’s 63 cases – the fines have more than doubled.

Cases include LPL Financial Holdings Inc.9, who were fined $7.5 million by FINRA for “systemic email failures” from 2007 to 2013 and for doing too little to fix them. This fine of $7.5 million was the biggest ever by FINRA, for email-related violations of securities rules. LPL also agreed to create a $1.5 million compensation fund for clients. FINRA also fined five affiliates of ING $1.2 million in 2013, for failing to retain or review millions of emails for periods ranging from two months to more than six years. And Barclays Capital Inc.10 was fined $3.75 million for systemic failures to preserve electronic records and certain emails and instant messages in the manner required for a period of at least 10 years.

8 NYSE Fines UBS, Claiming a Failure To Retain Emails, The Wall Street Journal, http://www.wsj.com/articles/SB112129129838585020

9 LPL Fined $9 Million for Email ‘Failures’, The Wall Street Journal, http://www.wsj.com/articles/SB10001424127887323648304578497054039151168

10 FINRA http://www.finra.org/Newsroom/NewsReleases/2013/P412646


The regulators tell us that content, not the channel, is determinative when it comes to electronic communications. That means that in addition to email, firms need to capture, archive and make ediscoverable, all forms of electronic communications if they contain business records. For example, in the wake of the investigation into the manipulation of LIBOR, it emerged that traders had used instant messaging to collude. An estimated total of $2.3 billion in fines was shared amongst global banking institutions11 for their part in the LIBOR scandal.

In the case of public sector organizations in the U.S., the Freedom of Information Act (FOIA) makes provisions for requests to be responded to within 30 days. A recent benchmarking study12 showed that for the 86 agency offices that produced documents under FOIA, the average response time was 75 business days with a median of 63 days, a figure more than double the 30 day window. If information that is requested cannot be found, or cannot be found within the timeframe, public sector organizations have to deal with negative publicity, could face accusations of not being open and transparent, and even lawsuits13.

The implication for organizations is that regulators are scrutinizing electronic communications more closely than ever before, making it imperative that archiving plans are fit for purpose.

11 Cause of Action report: A Look at How Federal Agencies Measure Up on FOIA Requests, Spring 2013

12 Weinberg says Port Authority is late on GWB freedom of information law request, Dec 26 2013, http://www.nj.com/politics/index.ssf/2013/12/gwb_closures_weinberg_christie_docu-ments.html

13 Big Banks Fined $2.3B over Illegal Libor Cartels, More Fines on the Way, Forbes, 12 Apr 2013, http://www.forbes.com/sites/halahtouryalai/2013/12/04/big-banks-fined-2-3b-over-illegal-libor-cartels-more-fines-on-the-way/


III. Litigation and eDiscovery

3 Key Trends in Litigation and eDiscovery

1. The Types of Electronic Documents Considered As Evidence

Case law has demonstrated that in litigation, electronically stored information has broad applications. Anything from email, to instant messages, texts and even internal collaboration networks can be targeted. The key is for businesses to ensure that any communications relating to the business are retained to evidentiary standards. Tamper-proof stamping and accurate audit trails that guarantee that conversations and file transfers are sent to archives in chronological order, are necessary to avoid preservation sanctions and to prove chain of custody and authentication of documents for admissibility as evidence in a case.

2. eDiscovery Costs Are Escalating

The average cost of electronic discovery in litigation has climbed to $1.5million per event.14 With 90% of U.S. corporations engaged in litigation and companies with revenues of more than $1 Billion averaging 147 simultaneous lawsuits, the cost associated with eDiscovery can have serious implications for organizations.

According to the Association for Information and Image Management (AIIM), a gigabyte of storage costs around $0.20 per day. However, the cost of reviewing that 1 gigabyte of data for evidentiary purposes costs $3,500. And this figure could be as high as $18,000 per gigabyte of data, according to Rand Survey.

3. Timing Is Key

Being able to produce the evidence requested within the specified time frame set by the law courts is key to winning the case and to avoid being penalized for the delay or failure to produce evidence. This means that organizations need to be prepared, and have systems and processes in place to review the emails or other electronic communication required, and be able to retrieve that information from short or long term storage quickly. Law courts also require information that establishes authorship and sequence of events, of emails and other electronic communication.

14 Study Shows “Traditional Linear Review” Almost Accounts for 73% of e-Discovery Costs, 19 Feb, 2013, http://www.abajournal.com/advertising/article/reducing_costs_with_ad-vance_review_strategies/


Consequences of Non-Production

eDiscovery is emerging as a strategically important issue for organizations fighting litigation. A comprehensive eDiscovery study by Duke University in 201015 found that eDiscovery sanctions are on the rise. In 2003, seven sanctions were issued, compared with 2009 where 111 sanctions were issued. The sanctions ranged up to $8.8 million. The most common reasons for sanctions were the failure to preserve electronic evidence, followed by the failure to produce, and delay in production.

Notable high profile cases in recent years have included:

• Intel Corp. v Advanced Micro Devices, Inc., 2005: Competing sanctions filed by both parties claiming failure to

adequately retain documents. In November 2009, Intel agreed to pay AMD $1.25 billion as part of a deal to settle

all outstanding legal disputes between the two companies.

• Apple v Samsung, 2012: Technology giant Samsung received a $400 million fine due to spoliation of relevant data

• Moore v CITGO Refining & Chemicals Co., 2013: Plaintiffs’ failure to preserve ESI (largely personal emails) and

other eDiscovery failures led to the dismissal of an employment class action and an appellate court increasing the

cost award to the defendant.

• Lester vs Allied Concrete Company, 2011: The attorney who instructed Plaintiff to cleanup his Facebook page

faced $522,000 in costs and ended his career while the Plaintiff had to pay $180,000 for deleting his Facebook

posts.

• Brown v. Tellermate Holdings, 2014: For not preserving Salesforce.com data, Tellermate was not able to argue at

trial that the Browns were terminated for performance-based reasons, thereby effectively precluding Tellermate’s

entire defense. In addition, the Court granted the Browns all attorneys’ fees and costs, which were to be paid

jointly by Tellermate and its counsel.

• Hosch v. BAE Systems, 2014: Repeated failure to preserve and production of texts and voice messages on an

iPhone, which led to the case being dismissed with prejudice, and Hosch and his counsel facing the bill for fees

and costs of BAE Systems.

See the Appendix for more details regarding Litigation and eDiscovery.

15 Sanctions for E-Discovery Violations: By the Numbers, Dan H. Willoughby, Jr., Rose Hunter Jones, Gergory R. Antine, 2010, http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1487&context=dlj


IV. Conclusion

Heightened interest in email and other electronic communications by both industry regulators as well as law courts indicate that organizations should re-assess their retention policies, processes and technologies. Record retention of email and other electronic communications are firmly in the spotlight. Organizations need to demonstrate that they are retaining business-related communications and also that they are able to readily retrieve and produce these documents should they required by the regulators or the courts.

Industry analyst, Gartner, estimate that “by 2019, 75% of organizations will treat archived data as an active and ‘nearline’ data source, and not simply as a separate repository to be viewed or searched periodically, up from less than 10% today.”16

16 Gartner Magic Quadrant for Enterprise Information Archiving, 2014


5 recommendations for organizations to consider when re-assessing their current archive:1. Ensure that all relevant business communications are archived regardless of medium.

Email, instant messages, tweets are all relevant to regulators and courts of law if they contain information about business transactions.

2. Define data capture policies at a global, group or site level to map to compliance or corporate governance standards. This would greatly reducing storage costs by capturing only relevant content. Moreover, should regulators request for content, the process or search and retrieval will be expedited with having a smaller pool of data to search. Liability is also mitigated by having less data available.

3. Capture the content in context. The dynamic nature of real-time communications means that content can be created by one user, shared with groups of users, any one of whom may edit, comment or delete the content. By capturing these communications in context, it is easier to search, find and review relevant content should the regulators or the courts require the content to be produced. This could dramatically reduce the cost of administering the data and ensures that content can be produced to regulators in line with the required standards.

4. Store data so that it is easily retrievable. Regulatory and eDiscovery requirements repeatedly call for information to be stored in a format that cannot be altered, but which can be easily reviewed. Follow established principles for good governance, storing content with tamper-proof stamping and accurate audit trails to guarantee that conversations and file transfers are sent to archives in chronological order.

5. Retrieve records quickly. Regulators and courts of law often set time limits for organizations to produce the communications required. Failure to produce within set time periods could cost organizations dearly in expensive sanctions or loss of court cases.


V. Appendix

II. Industry Regulations

This section summarizes the regulations calling for retention of email and other electronic communications by industry.

Financial Services (U.S.)

Regulator Rule Description

Securities and Exchange Commission (SEC)

SEA Rule 17a-4.18

This rule outlines the recordkeeping requirements for certain Exchange members, brokers and dealers. There is a requirement to preserve records for a minimum of 6 years. For the first 2 years, records should be kept in an easily accessible place.

Securities and Exchange Commission (SEC)

SEA Rule 17a-4(b) Requires broker-dealers to preserve certain records including communications with the public, for a period of not less than three years, the first two in an easily accessible place. Records can be held on “micrographic media” or by means of “electronic storage media”.

Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC)

DFA Section 764 SEA Section 15F(g)(1)

Adds a new section to the Securities Exchange Act of 1934. Each registered security-based swap dealer and major security-based swap participant shall maintain daily trading records of the security-based swaps of the registered security-based swap dealer and major security-based swap participant and all related records (including related cash or forward transactions) and recorded communications, including electronic mail, instant messages, and recordings of telephone calls, for such period as may be required by the Commission by rule or regulation.


DFA Section 764 SEA Section 15F(g)(4)

Adds a new section to the Securities Exchange Act of 1934. Each registered security-based swap dealer and major security-based swap participant shall maintain a complete audit trail for conducting comprehensive and accurate trade reconstructions.




DFA 951-954 Record justification for executive compensation and related communications as these may be subject to legal hold or discovery requests.

Commodity Futures Trading Commission (CFTC)

CFTC Regulation 23.201, 23.202 and 23.203

All records, including but not limited to, certain written approvals, position records, transaction records, business records, real-time reporting records or marketing and sales materials that a Swap Dealer (SD) or Major Swap Participant (MSP) are required to maintain must be maintained in accordance with 17 CFR 1.31 and shall be made available promptly upon request. This includes daily trading records. Records have to be kept at the principal place of business.


CFTC 1.31 and 1.35(a)

Oral communications that lead to the execution of a transaction in a commodity interest need to be retained for one year. Written communications should be retained for five years.

Financial Industry Regulatory Authority (FINRA)

Rule 2210(b)(4)(A)

Recordkeeping requirements for retail and institutional communications that incorporate the recordkeeping format, medium and retention period requirements of SEA Rule 17a-4.18.


Rule 2210(c)(6) Each firm’s written and electronic communications may be subject to a spot-check procedure, and firms must submit requested material within the time frame specified by the Advertising Regulation Department.




Regulatory Notice 10-06 (Social Media Web Sites Guidance on Blogs and Social Networking Web Sites)

Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications. SEC and FINRA rules require that for record retention purposes, the content of the communication is determinative and a broker-dealer must retain those electronic communications that relate to its “business as such.”


Regulatory Notice 11- 39 (Social Media Websites and the Use of Personal Devices for Business Communications)

Firms using social media need to capture and retain communications sent via social media accounts, even employee personal accounts, if they relate to the business.

Federal Financial Institutions Examination Council (FFIEC)

Bank Secrecy Act / Anti-Money Laundering Programs (BSA / AML)

Financial institutions must adhere to recordkeeping and reporting requirements which apply to electronic communications. Applies to all customers, products and services, including customers engaging in electronic banking (e-banking) through the use of social media, and e-banking products and services offered in the context of social media. Additionally, virtual internet games and digital currencies present a higher risk for money laundering and terrorist financing and should be monitored accordingly.

Federal Financial Institutions Examination Council (FFIEC)

Community Reinvestment Act (CRA)

Recordkeeping requirements for comments made by the public. Retain records of written communications made on sites run by or on behalf of the institution that specifically relate to the institution’s performance in helping to meet community credit needs.


Financial Services (Canada)


Canadian Securities Administrators

National Instrument 31-303 (CSA NI)

Retain records for 2 years, in a manner that allows “rapid recovery to a regulator”.

Investment Dealers Association of Canada

IDA29.7 Requires the retention of records related to business activities regardless of its medium of creation.

Investment Industry Regulatory Organization of Canada IIROC

Universal Market Integrity Rules 10.12

Records of orders to be retained for 7 years - during the first 2 years, this should be kept in a readily accessible location.

Investment Industry Regulatory Organization of Canada IIROC

Notice-0349, Guidelines for the Review of Advertisements, Sales Literature and Correspondence

Requirement to retain records of business activities, financial affairs, customer transactions and communications, regardless of the “methods” used. This includes but is not limited to “Facebook, Twitter, YouTube, blogs and chat rooms, are subject to the IIROC Dealer Member Rules.”


Financial Services – U.K.


Financial Conduct Authority (FCA)

Policy Statement 08/1 – Telephone Recording: recording of voice conversations and electronic communications

Clarification that all relevant electronic communications must be retained. The FCA states that electronic communications “includes fax, email, Bloomberg mail, video conferencing, SMS, business to business devices, chat and instant messaging. But is not limited to these as it captures any electronic communications involving receiving client orders and the agreeing and arranging transactions. We will not produce an exhaustive list of electronic communication because of the continuing innovation and advancement in technology which would mean the list frequently becomes out of date. We also feel that it is inappropriate to limit the obligations to a prescriptive list and an outcome based approach is more suitable in implementing such rules. We would expect senior management to exercise their judgement in this area.”


COBS 11.5 Record keeping: client orders and transactions

Investment services firms need to maintain full and proper records of each and every client, the orders placed, who has dealt with the order, what was executed and any transactional prices.


COBS 11.8 Recording telephone conversations and electronic communications

Firms need to “take reasonable steps to record relevant telephone conversations, and keep a copy of relevant electronic communications, made with, sent from or received on equipment”. The definition of “relevant” is said to be those which have been conducted between the firm and their client or client’s representative. Telephone conversations and electronic communications need to be preserved in an easily accessible location, for at least 6 months from the date the record was created, and in a tamper-proof format.




Senior Management Arrangements, Systems and Controls (SYSC) 9 Record-keeping

Encapsulates the obligations that firms have under MiFID and the UCITS Directive (from the European Commission), such as keeping related business records for a period of at least five years. This rule stresses a number of principles of good record-keeping – the need to save records in a readily accessible place, and to ensure that the records are kept in a tamper-proof format.


Guidance Consultation: Social Media and Customer Communications

Firms should keep their own records of social media communications and not rely on digital media channels to maintain records.

Financial Services (Europe)


European Securities and Markets Authority (ESMA)

MiFID II Article 16(7)– Recording of Telephone Conversations and Electronic Communications

Telephone conversations or electronic communications relating to investment services such as the reception and transmission of orders, execution of orders on behalf of clients, and dealing on own account are required to be recorded.

Swiss Financial Market Supervisory Authority (FINMA)

Market Conduct Rules

Retention of all electronic communications (e.g. email and instant messages sent by Bloomberg and Reuters) sent by employees in securities trading for 2 years. Firms need to be able to produce electronic communications sent by employees in securities trading to FINMA without alteration.


Financial Services (International)


International Organization of Securities Commissions (IOSCO)

Principles for Benchmark-Setting Processes, C.5

Benchmark Submitters are required to keep records of all relevant aspects of the submission process for a period of at least five years in line with the requirements on record keeping in MiFID. Records should be retained in a medium that allows the storage of information in a way accessible for future reference, and in a tamper-proof form.

International Organization of Securities Commissions (IOSCO)

Principles for Benchmark-Setting Processes, D.2 & D.3

Benchmark Calculation Agents need to document and keep records of all interactions with submitting parties, audit records of the data used for calculating the Benchmark and records of contacts with the Benchmark and make these available to Supervisory Authorities upon request.


Dodd-Frank Act – Section 731

The Dodd-Frank Act added new obligations for registered swap dealers and major swap participants. The requirement calls for daily trading records of the swaps and all related records (including related cash or forward transactions) and electronic communications, including electronic mail, instant messages, and recordings of telephone calls, for one year. This information needs to be stored safely and in a manner that allows for easy retrieval and review by regulators.


Pharmaceuticals (U.S.)


Food and Drug Administration (FDA)

Prescription Drug Marketing Act (PDMA)

Includes recordkeeping requirements associated with marketing and advertising drugs, such as presenting risk information, etc.


Food Safety Modernization Act (FSMA)

FDA is granted record access authority (Sections 101/204) with this Act. Most requirements are for record retention for two years after they have been superseded or obsoleted.


Fulfilling Regulatory Requirements for Postmarking Submissions of Interactive Promotional Media for Prescription Human and Animal Drugs and Biologics (Draft)

In these draft guidelines, firms wanting to use social media need to submit the material posted on social media to the FDA after the event. The FDA requests that ‘It is preferable for the company to submit the interactive or real-time communications in an archivable format that allows FDA to view and interact with the submission in the same way as the end user (e.g., working links). Alternatively, companies should submit screen shots or other visual representations.’


Draft Guidance for Internet/Social Media Platforms: Correcting Independent Third-Party Misinformation About Prescription Drugs and Medical Devices5

Firms are not required to submit corrections to the FDA but will need to keep records of corrections made should the FDA have questions.

5 http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM401079.pdf



Other guidelines from an international regulatory harmonization effort and which are enforced and cited by FDA, EMA, Health Canada, and other health agencies:International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH)

ICH E6 Good Clinical Practice

The types of records to be retained for clinical trials.

International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH)

ICH Q7 Good Manufacturing Practice for Active Pharmaceutical Ingredients

The harmonized standard for pharmaceutical companies for record retention under current Good Manufacturing Practices (cGMPs).

ISO 15489: Records Management Standard

An international industry consensus standard that provides a high level framework for records retention.


Healthcare (U.S.)


Department of Health and Human Services

HIPAA Organizations need to retain records in a large number of areas to demonstrate compliance and also to respond to requests, for instance, from patients.

State Governments

The Affordable Care Act

Requires organizations to adopt comprehensive recordkeeping practices e.g. health insurance issuers offering individual health insurance coverage are required to maintain for six year records of all claims and notices associated with the internal claims and appeals process.

If a consumer completes a qualified health plan (QHP) selection using an agent or broker’s Internet website, the site is required to maintain related audit trails and records in an electronic format for a minimum of 10 years.

Department of Labor

Employee Retirement Income Security Act (ERISA)

The Department of Labor has issued general guidance for record retention of journals, ledgers, checks, invoices, contracts, agreements, vouchers, worksheets, receipts, claim records, and applicable resolutions to name a few. Actual records, not summaries, are required, although electronic versions are acceptable if certain standards for electronic retention are met. Companies planning to use social media need to ensure that their social media records are complete, secure and tamper-proof.


Public Sector (U.S.)


President’s Office

Memorandum on Building a 21st Century Digital Government6

The memorandum emphasizes the importance of good record keeping practices for accountability and transparency. Federal agencies and public sector organizations face a deadline of 2019 for adoption of these practices.

National Archives and Records Administration (NARA)

Bulletin 2014-027 The Bulletin reminds federal agencies of The Federal Records Act (44 U.S.C. 3301) which defines Federal records as “any material that is recorded, made or received in the course of Federal business, regardless of its form or characteristics, and is worthy of preservation”. In other words, the content, not the form of transmission, is determinative. Therefore, public records could include email and other electronic communications

Federal Government

Freedom of Information Act (FOIA)

This Act allows for the full or partial disclosure of previously unreleased information and documents controlled by the United States government if requested by a member of the public. By this document, records of official business may be interpreted to include any type of electronic communications such as email, texts, public instant messages, unified communications, collaboration tools and social media.

6 http://www.whitehouse.gov/the-press-office/2012/05/23/presidential-memorandum-building-21st-century-digital-government

7 National Archives and Records Administration, NARA Bulletin 2014-02, Oct 2013


Energy and Utilities (U.S.)


Federal Energy Regulatory Commission (FERC)

FERC 18 CFR Parts 35 and 284

Requires firms to keep records of any type of communication for five years.


FERC Part 125 Specifies the retention periods for records maintained by public utilities and others.


FERC Order No. 717

Requires the creation of ethical walls between marketing and transmission functions of vertically integrated companies and also imposes retention requirements.

National regulatory authorities (NRA) on wholesale energy markets in EU

REMIT- EU Regulation No.1227/2011

Wholesale energy market participants are required to retain relevant communication records for at least six months from the date the record was created.


Cross-Industry


Federal Rules of Civil Procedure (FRCP)

Rule 16(b) Scheduling order must include “provisions for disclosure or discovery of electronically stored information”


Rule 26(a) Initial disclosures during the meet and confer include a “copy of, or a description by category and location” of ESI


Rule 26(f) Parties must “discuss any issues relating to preserving discoverable information and to develop a proposed discovery plan”. Parties have to meet and confer as soon as possible and at least 21 days before a scheduling conference or order is due.


Rule 34(a) An extensive list of what is considered electronically stored information (ESI) which can be requested by either party involved in litigation for inspection by the opposing party.

EU Model Requirements for the Management of Electronic Records (MoReq)

This formal requirements specification for electronic records management was published by the European Commission for use across the European Union. Widely regarded as the de facto standard for the retention, administration, and deletion of electronic records.

III. Litigation and eDiscovery


Cross Industry


U.S. law SarbanesOxley Act (SOX)

Audit papers have to be retained for a minimum of five years, and there are severe penalties for anyone who deliberately alters or deletes documents with the intent to defraud third parties. Even though it is a U.S. law, SOX is also applicable to European companies with U.S. listings as well as to companies which do business with the U.S.

U.S. law FRCP (Federal Rules of Civil Procedure) – Rule 26

Rule 26 - Outlines the requirements for discovery and production of documents, email messages (and attachments), video files, and other electronically stored information for civil litigation in federal court cases. Rule 34 – Outlines the timeframe and specific provisions for the production of such information.

U.K. Ministry of Justice

Practice Direction 31B

Defines ‘Electronic Document’ as any document held in electronic form. It includes email and other electronic communications such as text messages and voicemail, word-processed documents and databases, and documents stored on portable devices such as memory sticks and mobile phones. In addition to documents that are readily accessible from computer systems and other electronic devices and media, it includes documents that are stored on servers and back-up systems and documents that have been deleted. It also includes Metadata and other embedded data which is not typically visible on screen or a print out.

More information: actiance.com

[email protected]

Worldwide Headquarters1400 Seaport Blvd.

Building B, 3rd Floor

Redwood City, CA 94063 USA

(650) 631-6300 phone

[email protected]

EMEA Headquarters Asmec Centre, Merlin House Brunel Road Theale, Berkshire RG7 4AB United Kingdom Tel: +44 (0) 1189 026 468 [email protected]

©2015 Actiance, Inc. All rights reserved. Actiance, the Actiance logo, Socialite, and the Socialite icon are registered trademarks of Actiance, Inc. Vantage is a trademark of Actiance, Inc. Alcatraz is a trademark of Actiance, Inc. All other trademarks are the property of their respective owners.

Follow us

facebook.com/Actiance linkedin.com/company/actiance-inc twitter.com/actiance youtube.com/actiance slideshare.com/actiance

http://www.actiance.com/

mailto:sales%40actiance.com?subject=

http://www.facebook.com/Actiance

http://www.facebook.com/Actiance

http://www.linkedin.com/company/actiance-inc

http://www.linkedin.com/company/actiance-inc

http://www.twitter.com/actiance

http://www.twitter.com/actiance

http://www.youtube.com/actiance

http://www.youtube.com/actiance

http://www.slideshare.com/actiance

http://www.slideshare.com/actiance

Record Retention Is Back In The Spotlight - Actiance · PDF file3 Key Trends in Litigation and...

Documents

Transcript of Record Retention Is Back In The Spotlight - Actiance · PDF file3 Key Trends in Litigation and...