How to Design a Legally Defensible
Records Retention Plan Robert Fowler | Jordan Lawrence
CIPP US and Professional Services Manager
Jacki Cheslow | Avis Budget Group
CCEP and Senior Manager, Corporate Compliance & Corporate Records
Jennifer Smith Finnegan | Herrick, Feinstein LLP
Partner and Co-Chair of E-Discovery Committee
Upon completion of this session, participants will be able to:
1. Design a legally defensible records retention plan
2. Implement a successful retention program across the
enterprise
3. Leverage your records retention program in litigation
Learning Objectives
2
Corporate Objectives
Legal Landscape
Where Companies Miss the Mark
Developing Your Records Plan
Inventory
Retention Schedules
Implementation & Enforcement
Records Plan
Effective Litigation Holds
Program Agenda
3
Corporate Objectives
Find Information
Compliance
Efficiency
Savings Reduce Storage & Discovery Costs
Retention
Supporting Processes
Eliminate Obsolete Records
Manage & Protect
Discovery
4
Corporate Objectives
Find Information
Compliance
Efficiency
Savings Reduce Storage & Discovery Costs
Retention
Supporting Processes
Eliminate Obsolete Records
Manage & Protect
Discovery
90% of records, once filed, are never referred to again
95% of references are to records less than 3 years old
67% of data loss is directly related to user blunders
30% of paperwork is useless and could be eliminated
5
Legal Landscape & Considerations
Responding to government
audits and investigations
Obligations as a Party to
Litigation
Focus on ESI
6
Records Management Issues = Compliance Issues
Regulatory environment has
become highly aggressive
Body of ESI is growing
exponentially
Complexity of both content and
records is growing
Locations where records exist is
expanding
7
Missing the Mark: Policies Don’t Equal Action
8
Missing the Mark: Policies Lack Clear Guidance
9
Missing the Mark: Policies Lack Clear Guidance
10
Missing the Mark: Employees Are Confused
11
Know Your Information
Sensitive What
Where Retention Media
“Records Datamap” 12
Profile Your Business Folks
What: Pension Records 1
. Where: Human Resources 2
. Sensitive: SSN, PII, GID’s 3
. Process: Saved to thumb drive – sent to audit firm 4
. Retention: Permanent 5
.
13
Record Types
Start With What’s Familiar
| Advertising Records | Audit Reports | Backstock | Brand Strategy | Benefit Filings | Budget Records | Contracts | Coupon Records | Credit Card Reconciliations | Customer Complaints | Daily Sales | Design Sketches | Floorset Documents | Import Documentation | Inbound Merchandise | Inventory Projection 14
Applications
| Addept | Agile | Ariba e-Procurement | Ariba e-Sourcing | ASN Re-Route | Aspect Workforce Management | Blue Martini | Barrow Book | B-Smart FSA | Epiphany | Health Systems International | HireRight | Life Safety Database | My Customer | TeamMate
Start With What’s Familiar
15
| Retention | Sensitive | Locations | Movement
Email Personal Archives Laptop Paper Shared Drives
FTP Extranet Express Mail Third Parties Secure Mail
Business Need Tax Support Industry Standard Requirements Regulations
Then Go Deep
Customer Information Personally Identifiable Information Government Issued IDs Financial Information Employment Information Sensitive Information (EU)
16
Records
Inventory
Draft
Retention
Schedule
Steps to an Effective Program
17
Retention Schedule Best practice
retention.
Easy for employees
to understand.
Incorporates
industry standards.
Defined trigger
event.
18
Regulatory Tagging
Secure Disposal
Vital Record
PCI Data Security Standards
EU Data Protection Directive
SOX
FACTA
GLBA
HIPAA
ITAR
19
Records
Inventory
Draft
Retention
Schedule
SME &
Functional
Expert
Validation Legal
Review
Finalize
Retention
Schedule
Steps to an Effective Program
20
Executive Support
Partner with Subject Matter Experts
Legal
Compliance
Internal Audit
IT & Security
Privacy
Tax
Implementation
21
Build a Records Coordinator Network
Business Area Representatives
“Feet on the Street”
Receive program updates and notifications
Work with the Technology Group
Review backup practices
Review other related policies
Implementation
22
Develop a Communication Plan
Tool Kit
Internal website
Blogs
Job aids
Posters & flyers
Implementation
23
Enforcement
Annual policy notifications
Routine disposal practices
Processes for onsite/offsite storage
Maintain an audit trail
Program Training
Employee Accountability (Auditing)
Implementation
24
IMPLEMENTATION Publish Retention Schedule
Publish Policies
Communicate Directives
Training
Disposal
ASSESSMENT Identify Records
Sensitive Information Tagging
Regulatory Tagging
Gain Insight into Current Practices
DEVELOPMENT Approve Retention Schedule
Address Legacy Processes
Approve Policies
ENFORCEMENT Annual Policy Communication
Routine Disposal
Compliance Monitoring
Periodic Auditing
I
A
D E
>
25
Increased Efficiency & Productivity:
faster filing and retrieval of information
fewer misfiles
Decreased cost and litigation risk:
Reduced need for filing equipment, supplies and floor space
Reduced costs for document collection, review and
production (both electronic and paper)
Reduced risk of adverse results in litigation from lost
documents
Reduced cost for costly recovery of vital records
Leveraging Your Records Plan: Selling Your Program
26
Datamap of Record Types
27
Datamap of Applications
28
Leveraging Your Records Inventory: Where Email Lives
52% | save email to shared drives
50% | personal archives
43% | save to workstation hard drives
29% | printed and filed
10% | save to laptops
7% | save to external hard drives
2% | forward email to personal accounts
83% of Employees save email outside the
central messaging environment
29
Leveraging Your Records Inventory: Reference Value of Email
100%
55%
19%
0% 0%
20%
40%
60%
80%
100%
< 6 Months 6 Months to 1 Year 1 to 3 Years 3 + Years
30
Leveraging Your Records Inventory: Strategic Rules for Email Deletion
31
General Information (Short-term Value)
Information (Intermediate
Value)
Records (Long-term Value)
Retention Strategies for Unstructured ESI
32
• Consult with an e-Discovery specialist
and your Attorneys
• Identify case issues and information
custodians
• Issue a WRITTEN AND ELECTRONIC
litigation hold
• Partner with IT
• Focus on management of costs from
step one and manage for life of litigation
• Focus on risk management evaluation
SO… What do you do if… WHEN YOU GET SUED?
33
Process should be, repeatable and enforceable It
should be well-documented, closely-monitored
and transparent
Issue timely, written legal holds
Ensure record custodians understand what is
required and how to comply
Follow up with audit trails, one-on-one interviews,
supervised collection
Effective Legal Holds
34
Provide for periodic updates and reminders
Account for employee mobility and turnover
Consider third-party custodians
Thoroughly document actions and the basis
for decisions
Effective Legal Holds
35
Complete a records inventory
Build policies from industry-specific standards
Build retention schedules from industry best practices
Partner with subject matter experts
Build a network of records coordinators
Develop a “Tool Kit”
Communicate and train business people
Distribute litigation hold notices (track compliance)
Routinely dispose of obsolete records CUT STORAGE COSTS | REDUCE PRIVACY RISKS | REDUCE DISCOVERY EXPENSE
Audit the program
Program Development Check List
36
Questions
37
Continue the Conversation
Follow us on Twitter
@ARMANNJ
… and find us on LinkedIn by searching ARMA Northern New Jersey Chapter
… or visit our website at
www.armannj.org
How to Design a Legally Defensible
Records Retention Plan
Robert Fowler | Jordan Lawrence
CIPP US and Professional Services Manager
Jacki Cheslow | Avis Budget Group
CCEP and Senior Manager, Corporate Compliance & Corporate Records
Jennifer Smith Finnegan | Herrick, Feinstein LLP
Partner and Co-Chair of E-Discovery Committee
Top Related