The Archive of Unquestionable Integrity
A Strategy for Reducing Corporate Information Risk
by Thomas Bookwalter, CEO FMDC
In today’s business and regulatory climate it is bad business strategy to ignore proper records management. It is reckless to disregard regulatory requirements and a disservice to fellow workers and corporate investors not to actively seek to create a structure of records management that reduces enterprise risk and liability.
The need to create an Archive of Unquestionable Integrity as part of a comprehensive risk management strategy has grown as regulatory scrutiny and litigation discovery have focused on electronic records, particularly email. Companies are examining their policies and practices for electronic archives in an effort to protect the enterprise, its shareholder value and its executives, directors and employees. Opinion differs widely on how best to minimize the enterprise risk and liability associated with electronic records management. At one end of the spectrum is the view that retaining no records is safest; companies that hold this view aggressively pursue a strategy of "delete everything" as soon as possible. At the other end are companies that have decided to save everything, some of them indefinitely. In the middle are companies that attempt to save records selectively.
An alternative to all of these approaches is a strategy of creating an Archive of Unquestionable Integrity™. The case for the unquestionable archive rests on the convergence of regulatory requirements, court precedent and litigation demands. To show its advantages, this paper compares the unquestionable archive with each of the other alternatives:
- Delete all as soon as possible
- Save everything, possibly indefinitely
- Save selectively
Delete All as Soon as Possible
The theory behind the Delete All strategy is that if a record does not exist, it cannot harm the enterprise. The assumption is that the records in the archive do more harm than good on balance, and that deleting them from the enterprise archive makes them disappear. The intent is to ensure that no damaging records exist, even at the expense of destroying critical and valuable business records.
The fallacy in this approach is the belief that removing records from email servers and other archives means the records, particularly the emails, no longer exist. What really happens is that employees begin making copies of their emails and records outside the control of the IT department in order to keep valuable working papers. Copies accumulate in private .pst and .nsf files for email and in private archives for other records. Senior executives insist on exceptions to the deletion policy for their own records and emails.
The result is the appearance of disappearance without the records actually being removed. The emails with the greatest potential for damage end up in the hands of those most dissatisfied with the company. Because the company has no record of its own, let alone an unquestionable archive, it has no way to construct a defense. The copies that still exist cannot be shown to be free of tampering, so they will be successfully challenged by opposing counsel or questioned as an honest record by regulators.
Significantly, a Delete All policy defies regulatory requirements for record retention. Nearly every company has regulatory retention requirements. If a company is not required to preserve records because of industry regulation then it certainly is because of general business regulation. Many companies that pursue this strategy do so encouraged by the belief that the regulations will not be enforced; at least not for them. Given the heightened intensity of regulatory enforcement actions this is a very risky point of view.
The result of a Delete All policy is in fact to substantially increase enterprise liability by eliminating any hope of a defense in the face of litigation or regulatory censure. More importantly, if records were deleted during or just before a regulatory inquiry or litigation, their deletion, even in the ordinary course of a standing policy, can be treated as obstruction of justice. To consciously expose the enterprise to such a high level of risk is at best arrogant and at worst reckless. Given the increased personal liability that recent legislation has created, it is also a disservice to management.
Keep Everything
“Keep Everything” is a similarly risky strategy. Records have a legal and regulatory life. Beyond that life there is no reason to keep them. If a discovery process begins or a regulatory response is requested and old records still exist, they must be delivered on request. If they were deleted at the end of their life cycle, they are no longer available, and the courts will generally accept that they were deleted at the end of a reasonable cycle. If litigation or a regulatory matter commenced before the end of the regular life cycle, the affected records must be preserved until the litigation or inquiry concludes.
Of these three strategies, only the “Keep Everything” approach could serve as the basis for an archive of unquestionable integrity. Unfortunately, simply keeping all the records only adds cost; the additional qualities of a managed archive that are necessary to properly protect the enterprise are still missing.
Save Selectively
The selective retention of records undermines the integrity of the archive even before the records are saved. Whether described as “delete everything but what is important” or “save only what is necessary,” the selective approach creates a mechanism that can easily be challenged in litigation. The biggest difficulty is demonstrating what was deleted, why it did not need to be kept, and that the deletion process was not used to conceal or discard critical records that should have been retained.
An additional problem is determining who decides. Do individual employees decide? Is the person who committed a serious infraction of the rules expected to carefully retain the proof of that infraction? What is the process for educating those responsible for managing the records? How does a company prove that nothing of significance was deleted?
Some companies follow a policy of printing what they want to save and then deleting the original records. Increasingly, regulators are interested in the other data that defines emails and records. This metadata identifies the author, the creation date, the last modified date and, for emails, the recipients. It is considered part of the original record and should be retained along with the electronic record; a printout discards it.
The Courts and Electronic Records Management
The Archive of Unquestionable Integrity™ is born from the idea that emails and other electronic records have the potential both to indict and to exonerate. Numerous examples exist of companies and individuals being indicted and even convicted on evidence contained in emails. Increasingly, email and electronic records are pivotal elements in court cases, and the body of precedent and the definition of best practice are becoming more clearly defined.
There is an increasing intolerance for tampering with electronic records either by deletion, failure to save records or by changing the archive.
In recent court cases:
- An executive was sentenced to 2-3 years in prison for attempting to delete emails.
- A company was fined over a million dollars because the CEO failed to insist on a written policy, failed to inform employees about the need to retain records in general and failed specifically to retain records with regard to the case in question. The merits of the case were never argued. The defendant lost.
- A company was put out of business because it failed to ensure that records were not destroyed pending a regulatory investigation. The elaborate defense created to make their case was never presented because of the destruction of records.
- Several companies were fined in excess of $8 million for failing to preserve records as required by industry regulations. All of these companies had policies, disaster recovery systems and what they thought were adequate retention systems.
- Numerous executives have lost their right to manage public companies or to work in their chosen fields. Some have been tried and convicted of obstruction of justice, all because they failed to follow clearly stated guidelines about the proper management of records.
- Sarbanes-Oxley has raised a new standard for proper records management. Section 802 added a new provision to the federal obstruction of justice statutes (18 U.S.C. § 1519) that reads:
- Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.
The balance is heavily weighted against the enterprise. Emails are critical to the conduct of business and contain important evidence that can properly defend honest business conduct. For that evidence to be usable, the archive holding it must be above question.
The Archive of Unquestionable Integrity
The Archive of Unquestionable Integrity is an approach to corporate records management that is designed to ensure that the records are available to protect the enterprise whenever they are needed and to minimize the cost of regulatory and litigation response.
Unfortunately, we cannot prevent employees from making serious mistakes or even acting plain foolishly. We can act to mitigate the effect of their actions on the corporation. To do so, the Archive of Unquestionable Integrity™ needs to be coupled with a proactive program of corporate leadership designed to protect the enterprise, its employees, executives and investors.
In order to be admissible as evidence or to withstand regulatory scrutiny:
- The Archive cannot be adjusted by adding emails or other records after the fact
- Records once in the Archive cannot be altered, destroyed or deleted before the end of their proper life cycle
- The Archive can be proven to be complete and not selective
- Records in the Archive can be preserved during investigation and litigation for the time required regardless of their life cycle retention requirements
- Different types of records in the Archive can have different retention requirements and life cycles
- The Archive must be able to properly preserve confidentiality, provide access and maintain secrecy as required by regulation
- The Archive must be accessible to regulators as required
- The Archive must meet all the regulatory requirements applicable to the enterprise
- In addition, the enterprise must establish a rigorous and comprehensive written policy for records management and retention. Further, the enterprise must train and test all employees in the standards of proper business conduct, correct netiquette, company records management policies, and applicable regulations and laws. The training reduces employee error; the testing ensures that the enterprise can demonstrate it has fulfilled its obligation to inform employees.
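The properties listed above are what a tamper-evident, append-only store delivers. What follows is an added example, written for this edit and not FMDC's product or code from the paper, of one way to realize them in Python: each archive entry commits to the previous one by hash, the head hash is published outside the archive so that a truncated or replaced tail is detectable, a legal hold overrides the retention schedule, and disposition at end of life removes a record's body but leaves its hash in the chain, so what was removed and when remains demonstrable. Hash chaining is this example's technique, not one the paper names; the retention periods, record types, hold predicate and sample records are constructed assumptions, not a regulatory schedule or real correspondence.

```python
"""Hash-chained archive with per-class retention, legal hold and logged disposition.

Added illustration only: the chaining scheme, retention table and records are
assumptions made for this example, not FMDC's design or any regulatory schedule.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

# Hypothetical retention classes in days; a real schedule comes from regulation.
RETENTION_DAYS = {"email": 365 * 3, "contract": 365 * 7, "invoice": 365 * 10}


def _sha(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _entry_hash(seq: int, record_type: str, metadata: dict, body_hash: str,
                ingested: str, prev_hash: str) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    canonical = json.dumps([seq, record_type, metadata, body_hash, ingested, prev_hash],
                           sort_keys=True, separators=(",", ":"))
    return _sha(canonical)


@dataclass
class Record:
    seq: int
    record_type: str
    metadata: dict            # author, created, modified, recipients: part of the record
    body_hash: str            # stays in the chain even after the body is disposed of
    ingested: str             # ISO date the archive accepted the record
    prev_hash: str            # link to the previous entry
    entry_hash: str
    body: Optional[str]       # None once disposed of at end of life


class Archive:
    GENESIS = "0" * 64

    def __init__(self, retention_days: Dict[str, int]) -> None:
        self.retention_days = retention_days
        self.records: List[Record] = []
        self.holds: Dict[int, Set[str]] = {}       # seq -> matters holding it
        self.disposition_log: List[dict] = []      # what was removed, when and why

    def append(self, record_type: str, metadata: dict, body: str, ingested: str) -> Record:
        if record_type not in self.retention_days:
            raise ValueError(f"no retention schedule for {record_type!r}")
        seq = len(self.records)
        prev = self.records[-1].entry_hash if self.records else self.GENESIS
        body_hash = _sha(body)
        entry = _entry_hash(seq, record_type, metadata, body_hash, ingested, prev)
        rec = Record(seq, record_type, dict(metadata), body_hash, ingested, prev, entry, body)
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Publish this outside the archive (notary, printout, WORM media)."""
        return self.records[-1].entry_hash if self.records else self.GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, first bad seq). Catches altered, inserted, deleted and replaced entries."""
        prev = self.GENESIS
        for i, r in enumerate(self.records):
            recomputed = _entry_hash(r.seq, r.record_type, r.metadata, r.body_hash,
                                     r.ingested, r.prev_hash)
            if r.seq != i or r.prev_hash != prev or r.entry_hash != recomputed:
                return False, i
            if r.body is not None and _sha(r.body) != r.body_hash:
                return False, i
            prev = r.entry_hash
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)     # tail truncated or swapped
        return True, None

    def place_hold(self, matter: str, predicate: Callable[[Record], bool]) -> List[int]:
        held = [r.seq for r in self.records if predicate(r)]
        for seq in held:
            self.holds.setdefault(seq, set()).add(matter)
        return held

    def expired_on(self, today: date) -> List[int]:
        """Records past retention, still holding a body, and not under any hold."""
        out = []
        for r in self.records:
            end = date.fromisoformat(r.ingested) + timedelta(days=self.retention_days[r.record_type])
            if r.body is not None and today >= end and not self.holds.get(r.seq):
                out.append(r.seq)
        return out

    def dispose(self, seq: int, today: date) -> None:
        if seq not in self.expired_on(today):
            raise PermissionError(f"record {seq} is within retention or under legal hold")
        r = self.records[seq]
        r.body = None                       # body goes; body_hash and chain entry stay
        self.disposition_log.append({"seq": seq, "type": r.record_type,
                                     "body_hash": r.body_hash, "disposed": today.isoformat()})


def demo() -> dict:
    """Walk through hold, disposition and three tampering attempts on constructed records."""
    arc = Archive(RETENTION_DAYS)
    results = {}
    arc.append("email", {"author": "a.lee@example.com", "created": "2003-01-10",
                         "modified": "2003-01-10", "recipients": ["b.kim@example.com"]},
               "Q4 numbers attached.", "2003-01-10")
    arc.append("contract", {"author": "legal@example.com", "created": "2003-02-01",
                            "modified": "2003-02-01"},
               "Master services agreement, revision 3.", "2003-02-01")
    arc.append("email", {"author": "b.kim@example.com", "created": "2003-03-05",
                         "modified": "2003-03-05", "recipients": ["a.lee@example.com"]},
               "Lunch on Thursday?", "2003-03-05")
    published_head = arc.head()
    results["clean"] = arc.verify(published_head)
    # A legal hold freezes matching records regardless of their life cycle.
    results["held"] = arc.place_hold("matter-2006-001",
                                     lambda r: r.body is not None and "Q4" in r.body)
    today = date(2007, 1, 1)
    results["expired"] = arc.expired_on(today)          # only the lunch email qualifies
    arc.dispose(2, today)
    try:
        arc.dispose(0, today)                           # held: must be refused
        results["hold_enforced"] = False
    except PermissionError:
        results["hold_enforced"] = True
    results["after_disposal"] = arc.verify(published_head)   # chain still verifies
    arc.records[0].body = "Q3 numbers attached."        # alter a body after the fact
    results["altered"] = arc.verify(published_head)
    arc.records[0].body = "Q4 numbers attached."
    dropped = arc.records.pop()                         # quietly drop the last entry
    results["truncated"] = arc.verify(published_head)
    arc.records.append(dropped)
    results["restored"] = arc.verify(published_head)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The disposition log answers the "what was deleted and why" question from the selective-retention discussion: the body is gone, but its hash, type and disposal date remain, and the chain still verifies. In production the published head would be committed to something the archive operator cannot rewrite, such as a third-party timestamp or write-once media, and the predicate for a hold would be a documented search rather than a lambda.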
On the surface, deleting emails quickly or after only a short retention period appears to be a clever way to avoid email risk. It is only on the surface. A closer examination of the facts reveals that deleting emails before their time increases risk and expense.
