Retention Rules Set to Change

Are you spending enough time with the company lawyers? You may be spending more real soon.

Amendments to the U.S. Federal Rules of Civil Procedure (FRCP), set to go into effect December 1, will alter the way companies retain and delete data. (See Insider: Email Archiving Hits Bottom.) The FRCP rules are put into effect by the Supreme Court to govern civil procedures in U.S. courts.

Among other things, the new rules require both parties to discuss as early as possible where important data is located and develop a plan for retrieving it. Also, parties must produce data in a "reasonably usable" format, usually the native format in which the data is stored, such as PST files for Exchange.

All this means that storage administrators may be saving less data, but they'll need to do more work up front to make sure they're saving the right stuff in the right way.

So, while the lawyers wrangle in any civil lawsuit, storage administrators will be called on to help answer key questions such as:

The new rules won't hold a corporate defendant liable for failing to produce records if the company made a "good faith" effort to set a retention/deletion policy. This means a company can usually delete data according to established company policies, but cannot delete in anticipation of litigation. Also, a company may not have to produce data on legacy tape drives unless the other side proves in advance the data is relevant to the case.

While the new rules affect civil cases, so far there are no changes in criminal cases, or industry-specific regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA).

There could be changes coming, though, as questions continue to rise on the effectiveness of Sarbanes-Oxley and HIPAA. (See Research Finds HIPAA Ineffective.) Last week, for example, the SEC proposed giving smaller companies extra time to comply with parts of Sarbanes-Oxley, pushing the deadline from July 15, 2007, to December 15, 2007, because of the financial burden compliance puts on smaller firms.

And this week, the New York Stock Exchange said a survey conducted by Opinion Research Corporation found nearly 97 percent of CEOs are unhappy with the extra expenses of Sarbanes-Oxley, and 34 percent say they spend twice as much on compliance regulations than they did three years ago.

So how can IT pros best keep up with changes? A good place to start is in a meeting with legal counsel to set policies for retaining and deleting records in accordance with these new rules.One source says storage administrators should be implementing data retention policies but not setting them. Francis Lambert, compliance adviser to email archiving and professional services vendor Zantaz, says that job belongs to the lawyers.

Next Page: How Will This Affect Admins?

When asked how much the new rules will affect storage admins, Lambert says "it depends on how strongly your legal counsel takes this. If your legal group integrates this as part of corporate strategy, then it will affect you. I dont believe storage people should be creating policy around federal rules of civil procedure. That's not their job. Tracking this stuff is a full-time-and-a-half job." Lambert's company offers professional services around electronic discovery and data retention.

Lambert does think storage admins should push the legal staff to create policy if there is none. "If there's not a program to create policy, storage people should be driving that because they're right on the front line," he asserts.

Charles Brown, CIO of safety equipment inspection firm Fire Materials Group, says getting ready for the new rules is part of the ongoing process of working with legal counsel regarding all types of compliance."Technology is just a piece of the overall process," Brown says. "The dog wags the tail here. Operations and business processes lead the charge in this case. IT is just a support operation."

Brown says even for IT, compliance is at least as much an issue of policy as technology.

"It's a headache, if you don’t look at the bigger picture," he says. "You have to work with the folks who need you to retain documents and set a specific methodology. Half the battle is having a good, easy-to-understand matrix of document types, disclosure types, and retention requirements. It's much easier for the IT group to get their heads around that business process if they work with the legal group to make themselves aware of all the regulations out there."

Just as IT should not set legal policy, Zantaz's Lambert says the legal department should not get too involved with the technology.

"Does legal need to know what metadata is? Yes. A PST file? Yes, because that's how you transport data," he says. "But they don't need to know how it's done."For Scott Oliver, principal at law firm Pooley & Oliver, it's impossible to separate the technical and legal aspects because his company's job is to pore through documents that may be relevant in lawsuits.

But he says good technology tools no doubt will help deal with the changes. For instance, his firm uses the Clearwell Email Intelligence Platform to sift through email more efficiently. (See A Demographic of One.) Oliver says the requirement to produce documents in their native electronic format makes it easier to use archiving and search tools on documents from the other side in a lawsuit.

"You can take the PST file and dump it into the Clearwell system," he says. "With respect to document retention and document destruction, that's not significantly affected. Whatever your current practice is, that's fine -- as long as it's not done in anticipation of litigation."

— Dave Raffo, News Editor, Byte and Switch