Selling RIM in your Organization:
Tears and Fears
Thérèse P. Miller, Esq. | Shook, Hardy & Bacon LLP
ARMA Tri-Chapter Spring Seminar | April 6, 2011
Business Case for RIM
Legal Perspectives
Overview
What is a Business Case?
Why a Business Case for RIM?
Business Drivers
RIM as a Tool to Mitigate Risk
Best Practices
4/6/2011 ©Thérèse P. Miller ARMA Tri-Chapter Spring Seminar
What is a business case?
A business case supports planning and decision making
It includes:
• the reasons for the project
• the expected business benefits
• the expected business and legal risks
• the options considered
• the expected costs of the project
Elements of a Business Case
Executive Summary
Background
Objectives
Risks
Options
Resources
Cost
Benefits
Recommendation
Why a Business Case for RIM?
Identifying, Understanding, and Prioritizing the Risks
Special Circumstances for your Company
• Highly Litigious Industry
• Highly Regulated Industry
Health Care, Financial
• Corporate Changes
M&As, Divestitures
Data Deluge
The Economist:
“Wal-Mart, a retail giant, handles more than 1m customer transactions every hour, feeding databases estimated at more than 2.5 petabytes—the equivalent of 167 times the books in America’s Library of Congress. And decoding the human genome involves analysing 3 billion base pairs—which took ten years the first time it was done, in 2003, but can now be achieved in one week.”
Source: The Economist
The world contains an unimaginably vast amount of digital information which is getting ever vaster ever more rapidly
U.S. Supreme Court on RIM
“‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct employees to comply with a valid document retention policy under ordinary circumstances.”
Arthur Andersen LLP v. U.S., 125 S. Ct. 2129 (May 31, 2005)
D. Utah
“[i]nformation management policies are not a dark or novel art. Numerous authoritative organizations have long promulgated policy guidelines for document retention and destruction.”
“it is clear that ASUS’ lack of a retention policy and irresponsible data retention practices are responsible for the loss of significant data.”
Phillip M. Adams & Assoc., LLC v. Dell, Inc., 621 F. Supp. 2d 1173, 1194 (D. Utah 2009)
Business Drivers for RIM
E-Discovery
Compliance
• Federal, State, and International
Records and Data Security
Increased Use of Technology
Leveraging Technology Investments
Online Storage Costs
Transparency
Corporate Policies and Standards
Best Practices
Cross-Disciplinary RIM Committee
Assemble a Cross-Disciplinary Governance Team:
• Legal Department
Marketing lawyers, Litigators, Employment lawyers
• Marketing and Communications
• Information Security
• Information Technology
• Compliance
• HR
• Key Business Stakeholders
RM Working with IT and Legal
The story is no longer:
• Paper = RM and Electronic = IT
New Web 2.0 concerns:
• Privacy
• Information Security
• Digital Records
• Processing Data
• Personal Information as a Property Right
• Integrity of the Information
EDRM
Federal Rules of Civil Procedure amended in 2006 specifically address electronically stored information (ESI)
Information Management
If you have relevant data and information at the time the preservation obligation arises, you must preserve it — even if you could have disposed of it in compliance with your records retention schedule
Records Lifecycle Paradox
We can’t keep everything forever…
We can’t throw everything away…
Approaches to RIM Programs
Reactive
• Indexing and searching content after a problem
E.g. data-mining or categorizing data after searches (e.g. Autonomy, Google, etc.)
• Requires technology investment only
Proactive
• Indexing content as it is created (XML, metadata, bibliographic coding, taxonomies, records management, etc.)
• Requires investment in people, processes, and technology
Critical Success Factors
Top-Down Support from Senior Management
Proper Planning and Commitment
User Involvement
Education and Training
User-Friendly System and Business Processes
Benefits to RIM
1. To Control the Creation and Growth of Records
2. To Reduce Operating Costs
3. To Improve Efficiency and Productivity
4. To Assimilate New Records Management Technologies
5. To Ensure Regulatory Compliance
6. To Minimize Litigation Risks
7. To Safeguard Vital Information
8. To Support Better Management Decision Making
9. To Preserve the Corporate Memory
10. To Foster Professionalism in Running the Business
Source: http://www.epa.gov
Analyzing the Risks
Identify the Risks
Analyze Tools Necessary to Mitigate Risks
Define and Communicate Approach and How It Will Mitigate the Risks
Identifying the Risks
Litigation
• Responsiveness, Fines, Penalties, Civil and Criminal Sanctions, Ethical Discipline, Damage Awards
• Higher costs of e-discovery
Investigations
Higher costs of storage
Privacy
Loss of business-critical information
Data loss
Bad PR/Reputation Diminishment
Consequences
Monetary Sanctions
• Qualcomm, Zubulake, Morgan Stanley
Criminal Sanctions
• Arthur Andersen, Quattrone
Fines
• Merrill Lynch
Adverse Inferences or Preclusion
• In re NTL
Cost-Shifting
“The Securities and Exchange Commission said Monday that it had fined Merrill Lynch & Company $2.5 million for failing to provide promptly e-mail messages that the agency sought over a 16-month period.
Merrill Lynch neither admitted nor denied wrongdoing. But it did agree to refrain from future violations of securities laws, and it was also censured by the agency.”
March 14, 2006
“Morgan Stanley will pay $12.5 million to resolve charges that it failed to produce e-mail in arbitration cases and falsely stated that the messages were lost in the Sept. 11, 2001, attacks.”
“We didn’t find evidence that Morgan Stanley intended to hold back e-mails, but it was a case of one hand not knowing what the other was doing,” the authority’s chief of enforcement, Susan L. Merrill, said in an interview.
September 28, 2007
Elements of a Good RIM Program
Employee Training & Communication Plan
Monitoring Adherence to Policy and RRS
Procedures for Suspending Retention for Legal Hold
Records Retention Schedule (RRS)
Standard Operating Procedures (SOPs)
RIM Policy & Glossary
Tools
Paper
• Offsite Storage
Electronic
• Data Archives
• Structured Databases
• Email Archives
• Document Management Systems
• Preservation Systems
• Content Management Systems
• Records Management Systems
Financials
Internal and External Costs
Calculate a Return on Investment (ROI)
Suggest a Cost Center (IT, Legal, RM)
Example:
• 300% = [(400K profits – 100K initial investment) / 100K] x 100%
Potential Costs if no RIM:
• 1 out of 5 large organizations spends more than $10 million each year on litigation (excluding settlements and judgments)
Best Practices Resources
The Sedona Guidelines for Managing Information and Records In The Electronic Age (2007)
• http://www.thesedonaconference.org/
ARMA International, GARP: Generally Accepted Recordkeeping Principles (2009)
• http://www.arma.org/garp/garp.pdf
ISO 15489-1:2001
National Archives and Records Administration (NARA) Toolkit
• www.archives.gov/records-mgmt/toolkit/
National Association of State Chief Information Officers (NASCIO)
• http://www.nascio.org
The Sedona Guidelines
1. An organization should have reasonable policies and procedures for managing its information and records.
2. An organization’s information and records management policies and procedures should be realistic, practical and tailored to the circumstances of the organization.
The Sedona Guidelines
3. An organization need not retain all electronic information ever generated or received.
4. An organization adopting an information and records management policy should also develop procedures that address the creation, identification, retention, retrieval and ultimate disposition or destruction of information and records.
5. An organization’s policies and procedures must mandate the suspension of ordinary destruction practices and procedures as necessary to comply with preservation obligations related to actual or reasonably anticipated litigation, government investigation or audit.
Questions?
Thérèse P. Miller, Esq. | Shook, Hardy & Bacon LLP
Twitter: @theresepmiller