June 2004 »
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today
XML

Blog::Navigation


blogs.sun.com
Weblog
Login

Blog::Editing

Bookmarks::Blogroll

Bookmarks::News

Site notes

This page validates as XHTML 1.0, and will look much better in a browser that supports web standards, but it is accessible to any browser or Internet device. It was created using techniques detailed at glish.com/css/.

Powered by Roller Weblogger.
All | General | Java | Music
« Previous day (Jun 13, 2004) | Main | Next day (Jun 15, 2004) »
20040614 Monday June 14, 2004
Document Retention Policies The first step in setting up a document retention policy is, as my old law school civil procedure professor used to say, make sure that everyone is invited to the party. This means you need to have the legal department, IT department, and the C level officers together in a meeting. Once you have defined what needs to be retained according to legal, then IT has to ensure that appropriate technology is in place to support the retention policy and the C level folks provide the funding and enforcement mechanisms. All are needed to implement what is essentially an infrastructure change. Some authors have suggested that since Sarbanes Oxley explicitly states that auditors must keep documents for seven years, some companies may not need to retain documents or not retain them for as long. I would suggest that the retention period for a company really needs to be determined by the company's legal advisors. Whatever period(s) of retention are agreed upon, they must be explicitly adhered to and clearly stated in the retention policy. And remember that litigation requires that lawsuit related documents have an additional hold placed upon them. One key point here is that if the policy states that documents are destroyed in 3 years and they are not destroyed, if a lawsuit is commenced, one cannot retroactively destroy documents. So at three years and one day, documents must be destroyed lest they inadvertently provide a smoking gun for the opposition. So how do we enforce this policy? That is where the technology enters in. Relying on human systems can be fraught with peril. A system doesn't hesitate to delete, migrate or retain. At its most basic level, a heirarchical file system that migrates and purges data addresses some of these issues. In Sun's case, we have SAM-FS. There are others out there. This coupled with a mechanism for applying a legal hold may be all that some companies need. At the other end of the spectrum, an archiving system may be required. An archiving system will reduce litigation expenses as most documents can be readily accessible. I was once a litigation support manager in a law firm. I was forced to design and assemble the component parts I needed to assist the firm and its clients. Now archiving systems are available off the shelf that address most needs. (marketing hat on) Sun and AXS-One offer a system which differs from the rest in that it can be modified for future needs by a workflow engine and extensions either developed by us or the customer. (marketing hat off). So to recap, one needs to develop the policy for compliance and to select appropriate technology to enforce that policy.
Permalink (2004-06-14 08:16:08.0/2004-06-14 08:16:08.0)
Trackback: http://blogs.sun.com/flag/entry/document_retention_policies
Copyright (C) 2003, Frank Lagorio's Weblog