Monday June 14, 2004

Document Retention Policies

The first step in setting up a document retention policy is, as my old law school civil procedure professor used to say, to make sure that everyone is invited to the party. This means you need to have the legal department, the IT department, and the C-level officers together in a meeting. Once legal has defined what needs to be retained, IT has to ensure that appropriate technology is in place to support the retention policy, and the C-level folks provide the funding and enforcement mechanisms. All are needed to implement what is essentially an infrastructure change.

Some authors have suggested that since Sarbanes-Oxley explicitly states that auditors must keep documents for seven years, some companies may not need to retain documents, or not for as long. I would suggest that the retention period for a company really needs to be determined by the company's legal advisors. Whatever retention period(s) are agreed upon, they must be explicitly adhered to and clearly stated in the retention policy. And remember that litigation requires that lawsuit-related documents have an additional hold placed upon them. One key point: if the policy states that documents are destroyed after 3 years and they are not destroyed, then once a lawsuit is commenced, one cannot retroactively destroy them. So at three years and one day, documents must be destroyed, lest they inadvertently provide a smoking gun for the opposition.

So how do we enforce this policy? That is where the technology enters in. Relying on human systems can be fraught with peril; a system doesn't hesitate to delete, migrate or retain. At its most basic level, a hierarchical file system that migrates and purges data addresses some of these issues. In Sun's case, we have SAM-FS. There are others out there. This, coupled with a mechanism for applying a legal hold, may be all that some companies need.

At the other end of the spectrum, an archiving system may be required. An archiving system will reduce litigation expenses, as most documents can be readily accessible. I was once a litigation support manager in a law firm, and I was forced to design and assemble the component parts I needed to assist the firm and its clients. Now archiving systems are available off the shelf that address most needs. (Marketing hat on.) Sun and AXS-One offer a system which differs from the rest in that it can be modified for future needs by a workflow engine and extensions developed either by us or by the customer. (Marketing hat off.) So to recap, one needs to develop the policy for compliance and to select appropriate technology to enforce that policy.
Friday June 11, 2004

What is Compliance Anyway?

Many people have been asking: what is compliance? Compliance means that you, as a company, will not only obey, but take affirmative action to comply with, the various new Federal laws recently enacted as a result of corporate malfeasance. The ideas behind these laws started with DOD rules for document handling and were then embellished. So you have SEC rules, Sarbanes-Oxley legislation, Patriot Act rules, Basel 2 in Europe, HIPAA with regard to personnel and privacy, and others. These rules specify various document retention periods, retention media (WORM drives), etc. What is particularly invasive, however, is that it must all be audited, and the auditors must be watched as well. Some companies are taking a wait-and-see approach because no case law has developed or been appealed which spells out in particular what is actually "the law". This is a poor idea. Federal agencies will frequently attempt to intimidate companies into what they feel is appropriate behavior. Look no further than Attorney General Spitzer in his fight over NYSE compensation as an example. What is required immediately is that a company at least have a plan in place, unless you are in a sector specified as fast track, i.e. the financial sector.
Thursday June 10, 2004

Securities Industry Association Show

Yesterday I attended the SIA show in New York at the Hilton Hotel. I have a law degree and a 20-year background in technology, I have worked in law firms and done litigation support, and I have to tell you I was amazed at the hype and damned lies I heard around compliance with various regulations. Some vendors went so far as to say they were certified for Sarbanes-Oxley (not possible). Another vendor claimed a competitor's clients as their own. It was shameful.

On another note, there is a new magazine that has just been published called "Corporate Compliance Advisor". It has a real-world example article, an analysis article, Sarbanes-Oxley and HIPAA sections, as well as a litigation preparedness article. I found their Sarbanes-Oxley software roundup to be severely lacking. However, the price, $99.00 annually, is steep for the information contained therein. But specialized information can be pricey. One sidenote: Gartner has a nice full-page ad on the inside cover. One notable quote: "Firms that focus only on compliance will miss the chance to strengthen corporate governance and transparency, which in turn can lead to better-informed decision making and higher ROI." I think this captures the idea that we can turn lemons into lemonade and treat compliance as an opportunity to improve profits. See www.advisor.com or complianceadvisor.com for details.
Wednesday June 09, 2004

Is Sarbanes-Oxley a Trojan Horse for Attorney-Client Privilege?

In recent discussions around compliance with Federal mandates such as Sarbanes-Oxley, a new topic has emerged: do the regulations erode attorney-client privilege? The thinking goes like this: email is protected when there is a reasonable expectation of privacy. If I send email to my corporate attorney and that email is reviewed in a random sample by a compliance officer, then my attorney-client privilege is possibly compromised. If I am at my company dealing with some matter, and because I use a keyword like "sexual harassment" the keyword triggers a review for questionable material, does that breach attorney-client privilege? If so, in either case, does that mean that compliance officers should be officers of the court, i.e. attorneys, or potentially legal staff who can maintain attorney-client privilege? Or should legal department email be excluded from review? Can the proverbial cat be put back in the bag? This is only one issue among many that will require close review of corporate policies in general and email policies in particular.
Tuesday June 08, 2004

Email Archiving & Compliance; Book Review

We have a reseller agreement in place with AXS-One to resell their email archiving product. This product works in conjunction with SAM-FS, our hierarchical storage manager. We now have a pretty complete story for Sarbanes-Oxley and SEC compliance issues. With the pending new legislation we are going to be prepared to assist customers with these requirements. And they are requirements! Penalties for non-compliance range from fines to jail/prison. So this blog will track those issues and hopefully provide an education around them.

I have just finished reviewing the book "Email Rules" by Nancy Flynn and Randolph Kahn, Esq. In my opinion this book is out of date. However, if one has never considered email policies before and one is still in a college MIS course, it might provide some background information. For most business folks, it does provide a beginning. For IT, your time is better spent elsewhere.
Copyright (C) 2003, Frank Lagorio's Weblog