The Rules of Electronic Record-Keeping
Strategies for planning and budgeting for data migration and conversion, and guidelines for compliance with data-retention laws and regulations.
November 4, 2002
Is it Data or is it Evidence?
The rule of thumb is to have a data-retention policy that requires your organization to save data records as dictated by federal and state laws (see "Wait--Don't Trash That Record"). Consulting an accountant, an attorney or a records manager can help you determine which business records you're required to keep. Check with ARMA International (www.arma.org) and the Information Requirements Clearinghouse (www.irch.com)--see "Sites To See" at right for more information on these organizations. Of course, with so much of today's enterprise data created and edited on computers and delivered via e-mail, the original copy and all draft versions of memos, letters and other business documents, including budgets and contracts, can live for years on your company's computers, servers and backup media. That's great for disaster recovery purposes, but it can prove troublesome if, during pretrial discovery in a civil suit, a plaintiff uncovers documents that support its claim. And if you find you're not required to save non-business-related records--employees' personal e-mail, for instance--don't. You'll save on storage costs and overhead, and you'll limit the potential liability of a "smoking gun."
No matter which side of a lawsuit you're on, it's important to suspend e-mail autodelete functions and stop recycling backup tapes at the outset. If you accidentally destroy documents you're required to present, you could be accused of evidence tampering or obstructing justice; at the very least you might cause the judge or jury to perceive that you have something to hide. You might also destroy documents that would refute your opponent's claims.
Discovery procedures require you to analyze and determine the volume of e-mail and other electronic data relevant to a case. Deleted files can often be found in unallocated disk space, so forensics experts can recover them even if they have been overwritten. You can extract information from PCs and servers using bit-level imaging technology to find deleted files.
Either side in a case can request that the other produce electronic documents from servers, backup tapes, voicemail and e-mail systems as well as from desktop PCs, laptops, handheld computers and even personal home computers that employees use for business. It's basically no different from requesting documents contained in a file drawer. But that doesn't mean you can simply print out the electronic documents. Courts historically have rejected hard copies when the plaintiff requests electronic documents.
At the very least, be aware that copies of any and all data could become evidence for your opponent in a legal action. If you store all data in large document repositories and don't have a data-retention policy and procedures for restricting non-business-related documents and messages, you raise the risk of an inadvertent e-mail message becoming a liability.
Take Microsoft. The company was put on the defensive in antitrust proceedings after the Justice Department uncovered incriminating e-mail messages. Microsoft could have avoided this problem if it had implemented and followed a document-retention policy consistently across its data and e-mail stores. The good news for Microsoft, however, was that it was able to produce from its archives e-mail messages that helped its case--messages that were allegedly deleted from AOL's and Netscape's backup tapes. More recently, Merrill Lynch's lack of an effective data-retention policy caused the firm major embarrassment when an investigation by the New York State Attorney uncovered internal e-mail messages from some analysts criticizing stocks they had been promoting publicly.
So enterprises should limit data retention to the exact sum of its parts--solely those documents and records needed for operational, historical and legal purposes. Institute policies and procedures for managing data repositories so you're prepared and protected in the event of litigation. Your records-retention policy also should distinguish between business and non-business communications, which requires training employees on maintaining the former and deleting the latter. A data-retention policy will hold up best in court if it's enforced consistently across the enterprise.
You also need a solid media storage strategy to improve accessibility to data and ensure the data's longevity. Frequently used data, including e-mail and corporate directories, for instance, is typically maintained on magnetic disks that are available to users at all times. Data that's accessed less frequently, including old payroll information, however, is migrated to more cost-effective, near-line storage technologies, such as optical jukeboxes or tape libraries.
Backups maintain a permanent or redundant record in case of lost data or disaster--you probably run daily, weekly and monthly backups of data to tape, in full or in increments. You may also maintain and archive your monthly backups both on- and off-site for years, depending on your organization's backup policy. Once near-line data is no longer accessed and becomes obsolete, it's typically sent to offline status and available only from an archived tape backup or in analog format.
In the short run, it makes economic sense to migrate data from online to near-line and then to offline storage--this frees hard-disk space for the data that demands regular and immediate access. In the long run, however, it can hide some of your true storage costs.
Today's magnetic disks have a life expectancy of about three years. That's a good benchmark for planning and budgeting data migration from older disks to newer ones. Tape formats have a life span of about five to seven years if they are stored properly. But if you recycle the old tapes, beware that these tapes may contain records that by law must be retained after this seven-year period if no permanent record exists in analog form.
In that case, you have to copy the data onto new tapes--a costly process. For example, 4-mm tapes that hold 12 GB to 40 GB of data cost $10 to $20 per cartridge. Newer tapes holding 100 GB to 200 GB cost more than $100 per cartridge. You can preserve the old storage hardware and software to access the media even if you upgrade your tape technology, but it's not easy. Once maintenance and support contracts for old equipment expire, you can't renew them. Besides, vendors would rather sell you new equipment than maintain their old stuff.
Another option is to migrate data from older tape formats to newer ones, or copy it to optical discs. Storage media vendors claim that 5.25-inch or 12-inch optical disc media will last 100 years if stored properly. But this media will evolve, too, requiring hardware and software upgrades someday.
In addition, when optical media starts to wear out with use over time or because of poor storage conditions, you'll have to copy the data onto new media. You may also need to refresh it using current computer systems and applications. Some of the applications you used to access media five to 10 years ago--say, VisiCalc and WordStar, for instance--are history now. Although digital formats aren't expected to last as long as analog, they provide multiple, simultaneous access and a means to search by keyword. They also let users manipulate the data for viewing or printing. Paper and microfilm, meanwhile, are projected to last centuries, depending on their composite materials, how they are stored and how frequently they are accessed.
[Figure: Pros and Cons of Typical Data Record Formats]
Save this, Trash That
So, bottom line, how do you reduce the cost of electronic data retention? Rather than keep everything "forever," keep only the data that's required for operational, historical or legal reasons. This means breaking down data into manageable document and record components to determine its value and retention period, and instituting an internal records-retention policy. You may need to keep purchase orders for only seven years, for instance. This approach won't extend the life of your digital media, but it can reduce costs and improve the speed and efficiency of accessing information from your data stores. It also can minimize the risks associated with potential litigation.
Everyday decisions on the hardware, e-mail system, document-management application and backup software you purchase, meanwhile, can affect your organization's legal interests. You may find document-management systems, such as Documentum's Documentum 5 and SGP International's Dox, useful. These tools help manage document life cycles, from creation to deletion or permanent retention, including the proper time frames for keeping documents so you can comply with the legal and regulatory limits for retention periods.
Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®.
Federal and state laws dictate how you should keep your electronic records. The UETA (Uniform Electronic Transactions Act) adopted in many states, for example, and the Electronic Signatures in Global and National Commerce Act of 2000 define a record as information "created, generated, sent, communicated, received or stored by electronic means." And Title 44, Sec. 3301 of the U.S. Code defines a public record as all "books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics."
[Figure: How Long to Keep Records]
Enterprises are required by federal and state laws to maintain records for business, legal and tax purposes. Although many business records have a three-year shelf life, federal and state tax records usually need to be maintained for seven or more years. Employee and financial records need to be permanently stored and have special reporting requirements set by the FLSA (Fair Labor Standards Act), OSHA (Occupational Safety & Health Administration) and SEC (Securities and Exchange Commission). And records that may be the subject of litigation should be maintained beyond the period of the applicable statute of limitations.
Also, federal and state regulations vary according to business sectors, and state laws have different requirements for tax and workers' compensation records. Under the HIPAA (Health Insurance Portability and Accountability Act), for instance, health-care providers must keep documents relating to uses, disclosures and authorization forms on patient information for six years. And pharmaceutical companies need to comply with FDA requirements for electronic records and signatures in lieu of paper documents and handwritten signatures to ensure authenticity and confidentiality.