7 Steps to Building a Retention Management Program

1

• 7 Steps to Building a Retention Management
  Program
• R. Scott Murchison, CRM
• Director, Records Information Management
  Services
• MatchPoint Solutions

2
Learning Objectives

• The New Compliance Landscape
• What is Retention Management?
• Building a Retention Management Plan

3
The NewComplianceLandscape
4
The New Compliance Landscape

• Increased Regulation
• Sarbanes-Oxley (SOX)
• HIPAA
• Gramm-Leach-Bliley
• USA Patriot
• SEC, NASD
• PCI DSS
• E-Sign
• CA SB 1386

5
The New Compliance Landscape

• Increased Regulation
• Document internal controls
• Shield private or personal information
• Shield personal financial information
• Retain electronic information for specific time
  periods

6
The New Compliance Landscape

• Litigation Readiness and Response
• Revised Federal Rules of Civil Procedure (FRCP)
  e-discovery requirements
• California Electronic Discovery Act (AB 5)

7
The New Compliance Landscape

• Litigation Readiness and Response
• Include all electronically stored information
  (ESI)
• Lock down content from alteration
• Document full chain-of-custody of ESI

8
What is Retention Management?
9
Retention Management is

• Keeping business information only for as long as
  is needed to
• meet government or industry regulations
• defend a position in litigation or tax audits
• meet ongoing business activities

10
Retention The New Way

• Amendments to
• Federal Rules of Civil Procedure (FRCP)
• Went into Effect December 1, 2006
• Proceedings in U.S. federal courts
• Specifically addresses discovery of
  electronically stored information (ESI)
• That means electronic records and backup tapes

11
Retention More Than Paper

• Backup tapes and archival media (more on this
  subject later)
• Data on desktops and laptops (Word, Excel, etc.)
• Data on PDAs (Blackberry, PalmPilot, etc.)
• Data stored on file and mail servers (email, IMs,
  etc.)
• Databases
• Marketing collateral
• Voicemails
• Website / web pages

12
Retention More Than Paper

• Map Out ESI
• Deleted data
• Data on systems no longer in use
• Data in remote or third-party locations
• Copies of production data used in demos, test
  systems, etc.
• Retention Policies That Include ESI
• Email
• Electronic records
• Litigation Hold Procedures That Include ESI
• Simplify identification, retrieval and production
  of potentially relevant data
• Proactively prepare for electronic discovery
  requests (Litigation Readiness Team)

AIIM Compliance Solution Center Primer on FRCP,
2007
13
Applying Retention

• Retention Rules That Apply (partial list)
• 1 yr Period from personnel action for personnel
  records
• (Age Discrimination in Employment Act)
• 2 yrs Period for generation (government contract
• employment period)
• 3 yrs Period from contract payment (government
• contract records retention rule)
• 6 yrs Government contract statute of limitations

14
Applying Retention

• All retention rules for a particular record type
  must be considered
• Retention should be applied evenly, routinely and
  repeatably across all business units
• All records of the company should be included,
  regardless of media
• Retention requirements can change based upon
  events, e.g., subpoenas

15
Making Retention ManagementCompliant
16
Step 1. Know What You HaveStep 2. Create
Comprehensive PolicyStep 3. Create a Usable
Retention ScheduleStep 4. Establish
ProceduresStep 5. Train UsersStep 6. Audit
ComplianceStep 7. Litigation/Audit Readiness
The 7 Steps to Records Retention
17
Know What You Have

• Take and inventory of all your records
• Paper / physical (both on- and off-site)
• Data in databases
• Email archives (.pst/.nsf/IT archives)
• Network shares
• Backup media
• Determine who the owners of all records are

18
Step 1. Know What You HaveStep 2. Create
Comprehensive PolicyStep 3. Create a Usable
Retention ScheduleStep 4. Establish
ProceduresStep 5. Train UsersStep 6. Audit
ComplianceStep 7. Litigation/Audit Readiness
The 7 Steps to Records Retention
19
Create a Comprehensive Policy

• Comprehensive records management policy
• Definition of Record and Non-record or
  Transient Information
• Thou shalt dispose of records and information
  only in accordance with policy following the
  approved records retention schedule
• Include responsibilities and consequences of
  failure to follow
• Policy must be applied evenly, routinely and
  repeatably
• Policy must be applied to all information,
  regardless of format

20
What is a Record?

• Information regardless of medium created,
  received and maintained as evidence and
  information by an organization or person, in
  pursuance of legal obligations or in the
  transaction of business.
• ISO International Standard 15489-1
• Information and Documentation Records
  Management
• Its the ContentNot the Container

21
What is a Record?
Because Its the Content and Not the
Container

• Records
• Original, signed contracts
• HR records inside a PeopleSoft database
• Emails discussing personnel evaluations
• Marketing websites, brochures, and posters
• Images of invoices inside an SAP database

• Non-Records
• Drafts of unsigned contracts inside a document
  management database
• Templates used to build form documents
• Emails discussing lunch plans
• Informational posters (e.g. Benefits Sign-up
  Today)
• An SAP or PeopleSoft database

22
Step 1. Know What You HaveStep 2. Create
Comprehensive PolicyStep 3. Create a Usable
Retention ScheduleStep 4. Establish
ProceduresStep 5. Train UsersStep 6. Audit
ComplianceStep 7. Litigation/Audit Readiness
The 7 Steps to Records Retention
23
Create a Usable Retention Schedule

• KISS method
• Keep It Short and Sweet
• Simplify terms - use language that Helen Keller
  could see
• Eliminate redundancies
• Help IT understand how to apply event-based
  retention to electronic data
• Do the legal validation
• Create an Oversight Committee to approve the
  final draft and all future changes

24
Step 1. Know What You HaveStep 2. Create
Comprehensive PolicyStep 3. Create a Usable
Retention ScheduleStep 4. Establish
ProceduresStep 5. Train UsersStep 6. Audit
ComplianceStep 7. Litigation/Audit Readiness
The 7 Steps to Records Retention
25
Establish Procedures

• Applying the schedule
• Annually at a minimum
• Make it an Event
• Updating / adding / retiring
• Again, at least annually
• Oversight Committee approval
• Disposition procedures
• Consider shredding bins instead of recycling
• Approval by records coordinators, liaisons
• Exiting employee information

26
Establish Procedures
27
Step 1. Know What You HaveStep 2. Create
Comprehensive PolicyStep 3. Create a Usable
Retention ScheduleStep 4. Establish
ProceduresStep 5. Train UsersStep 6. Audit
ComplianceStep 7. Litigation/Audit Readiness
The 7 Steps to Records Retention
28
Train Users

• Applying the schedule
• Annually at a minimum
• Daily for non-records/transient information
• Add to new hire orientations
• How to read schedule
• What policy is
• How to find policy and schedule
• Who to ask with questions
• Exiting employees
• How to disburse
• How to dispose

29
Step 1. Know What You HaveStep 2. Create
Comprehensive PolicyStep 3. Create a Usable
Retention ScheduleStep 4. Establish
ProceduresStep 5. Train UsersStep 6. Audit
ComplianceStep 7. Litigation/Audit Readiness
The 7 Steps to Records Retention
30
Audit Compliance

• Compliance Monitoring
• Document full electronic audit trail
  (chain-of-custody)
• Keep vendor compliance statements (test them as
  well)
• Periodic department and user testing
• Compliance and remediation reporting
• Ongoing user training
• Follow up, Follow up, Follow up

31
Step 1. Know What You HaveStep 2. Create
Comprehensive PolicyStep 3. Create a Usable
Retention ScheduleStep 4. Establish
ProceduresStep 5. Train UsersStep 6. Audit
ComplianceStep 7. Litigation/Audit Readiness
The 7 Steps to Records Retention
32
Litigation/Audit Readiness

• Hold Procedures
• Plan a strategy before litigation happens
• Identify all ESI and map to retention schedule
• Identify all records custodians
• Include IT, Legal, Records, HR, Tax, and Business
  Unit representative
• Fully document all holds and review proactively
  and periodically to ensure holds are still active

33
Litigation/Audit Readiness

• New IT Backup Strategy
• Backup redefined for only disaster recovery
• Short retention period (30/60 days)
• Retain only archived information
• Retain application data consistent with
  retention schedule
• Include a data migration, or
  up-convert, strategy to
  keep
  data current

34
Compliant Retention Program
35
Step 1. Know What You HaveStep 2. Create
Comprehensive PolicyStep 3. Create a Usable
Retention ScheduleStep 4. Establish
ProceduresStep 5. Train UsersStep 6. Audit
ComplianceStep 7. Litigation/Audit Readiness
The 8 Steps to Records Retention
Step 8. Rinse, Repeat Continuous
Refinement
36
Steps You Can Take Today

• Comprehensive records management policy
• Up-to-date, simple-to-use retention schedule
• Evenly applied, routinely followed, repeatable
  procedures
• Legal/audit disposition hold procedure
• Fully documented compliance
• Audit, testing and enforcement

37
Questions?
Thank You
R. Scott Murchison, CRM Director, RIM
Services MatchPoint Solutions (510)
552-9960 smurchison_at_matchps.com smurchconsulting_at_g
mail.com