selling rim in your organization: tears and...

Selling RIM in your Organization:

Tears and Fears

Thérèse P. Miller, Esq. | Shook, Hardy & Bacon LLP

ARMA Tri-Chapter Spring Seminar | April 6, 2011

Business Case for RIM

Legal Perspectives

Overview

What is a Business Case?

Why a Business Case for RIM?

Business Drivers

RIM as a Tool to Mitigate Risk

Best Practices

4/6/2011 ©Thérèse P. Miller ARMA Tri-Chapter Spring Seminar

3

What is a business case?

A business case supports planning and decision

making

It includes:

• the reasons for the project

• the expected business benefits

• the expected business and legal risks

• the options considered

• the expected costs of the project


4

Elements of a Business Case

Executive Summary

Background

Objectives

Risks

Options

Resources

Cost

Benefits

Recommendation


5

Source: iStockphoto

Why a Business Case for RIM?

Identifying, Understanding, and Prioritizing the

Risks

Special Circumstances for your Company

• Highly Litigious Industry

• Highly Regulated Industry

Health Care, Financial

• Corporate Changes

M&As, Divestitures


6

Data Deluge

The Economist:

“Wal-Mart, a retail giant,

handles more than 1m

customer transactions

every hour, feeding

databases estimated at

more than 2.5 petabytes—

the equivalent of 167 times

the books in America’s

Library of Congress

And decoding the human

genome involves analysing

3 billion base pairs—which

took ten years the first time

it was done, in 2003, but

can now be achieved in

one week.”


7

Source: The Economist

the world contains an unimaginably

vast amount of digital information

which is getting ever vaster ever more

rapidly


8

U.S. Supreme

Court on RIM

“’Document retention policies,’

which are created in part to keep

certain information from getting

into the hands of others, including

the Government, are common in

business. It is, of course, not

wrongful for a manager to instruct

employees to comply with a valid

document retention policy under

ordinary circumstances.”

Arthur Andersen LLP v. U.S., 125 S.

Ct. 2129 (May 31,

2005)


9

D. Utah

“[i]nformation management policies

are not a dark or novel art.

Numerous authoritative

organizations have long

promulgated policy guidelines for

document retention and

destruction.”

“it is clear that ASUS’lack of a

retention policy and irresponsible

data retention practices are

responsible for the loss of

significant data.”

Phillip M. Adams & Assoc., LLC v. Dell, Inc., 621 F. Supp.

2d 1173, 1194 (D.

Utah 2009)


10

Business Drivers for RIM

E-Discovery

Compliance

• Federal, State, and International

Records and Data Security

Increased Use of Technology

Leveraging Technology Investments

Online Storage Costs

Transparency

Corporate Policies and Standards

Best Practices


11

Source: iStockphoto

ARMA Tri-Chapter Spring Seminar

12

4/6/2011 ©Thérèse P. Miller

Cross-Disciplinary RIM Committee

Assemble a Cross-Disciplinary Governance Team:

• Legal Department

Marketing lawyers, Litigators, Employment lawyers

• Marketing and Communications

• Information Security

• Information Technology

• Compliance

• HR

• Key Business Stakeholders


13

RM Working with IT and Legal

The story is no longer:

• Paper = RM and Electronic = IT

New Web 2.0 concerns:

• Privacy

• Information Security

• Digital Records

• Processing Data

• Personal Information as a Property Right

• Integrity of the Information


14

Source: The Economist

EDRM


15

Federal Rules of Civil Procedure amended in 2006

specifically address electronically stored information

(ESI)

Information Management

if you have relevant data and information at the time the

preservation obligation arises, you must preserve it —even if you could have disposed of it in compliance with your records retention schedule


16

Records Lifecycle Paradox

We can’t keep

everything

forever…

We can’t throw

everything

away…

4/6/2011 ©Thérèse P. Miller

17

ARMA Tri-Chapter Spring Seminar

Approaches to RIM Programs

Reactive

• Indexing and searching content after a problem

E.g. data-mining or categorizing data after searches (e.g. Autonomy, Google, etc.)

• Requires technology investment only

Proactive

• Indexing content as it is created (XML, metadata, bibliographic coding, taxonomies, records management, etc.)

• Requires investment in people, processes, and technology


18

Critical Success Factors

Top-Down Support from Senior Management

Proper Planning and Commitment

User Involvement

Education and Training

User-Friendly System and Business Processes


19

Benefits to RIM

1. To Control the Creation and Growth of Records

2. To Reduce Operating Costs

3. To Improve Efficiency and Productivity

4. To Assimilate New Records Management Technologies

5. To Ensure Regulatory Compliance

6. To Minimize Litigation Risks

7. To Safeguard Vital Information

8. To Support Better Management Decision Making

9. To Preserve the Corporate Memory

10. To Foster Professionalism in Running the Business

Source: http://www.epa.gov


20

http://www.epa.gov/

Analyzing the Risks

Identify the Risks

Analyze Tools Necessary to Mitigate Risks

Define and Communicate Approach and how it will

mitigate the risks


21

Source:The Economist

Identifying the Risks

Litigation

• Responsiveness, Fines, Penalties, Civil and Criminal Sanctions, Ethical Discipline, Damage Awards

• Higher costs of e-discovery

Investigations

Higher costs of storage

Privacy

Loss of business-critical information

Data loss

Bad PR/Reputation Diminishment


22

Consequences

Monetary Sanctions

• Qualcomm, Zubulake, Morgan Stanley

Criminal Sanctions

• Arthur Anderson, Quattrone

Fines

• Merrill Lynch

Adverse Inferences or Preclusion

• In re NTL

Cost-Shifting


23


24

“The Securities and Exchange Commission said Monday that it had fined Merrill Lynch & Company $2.5 million for failing to provide promptly e-mail messages that the agency sought over a 16-month period.

Merrill Lynch neither admitted nor denied wrongdoing. But it did agree to refrain from future violations of securities laws, and it was also censured by the agency.”

March 14, 2006


25

“Morgan Stanley will pay $12.5 million to resolve charges that it failed to produce e-mail in arbitration cases and falsely stated that the messages were lost in the Sept. 11, 2001, attacks.”

“We didn’t find evidence that Morgan Stanley intended to hold back e-mails, but it was a case of one hand not knowing what the other was doing,” the authority’s chief of enforcement, Susan L. Merrill, said in an interview.

September 28, 2007


26

Elements of a Good RIM Program


27

Employee Training & Communication Plan

Monitoring Adherence to Policy and RRS

Procedures for Suspending Retention for Legal Hold

Records Retention Schedule (RRS)

Standard Operating Procedures (SOPs)

RIM Policy & Glossary

Tools

Paper

• Offsite Storage

Electronic

• Data Archives

• Structured Databases

• Email Archives

• Document Management Systems

• Preservation Systems

• Content Management Systems

• Records Management Systems


28

Source:The Economist

Financials

Internal and External CostsCalculate a Return on Investment (ROI)Suggest a Cost Center (IT, Legal, RM)

Example: • 300% = [(400K profits – 100K initial investment)/ 100K] x 100%

Potential Costs if no RIM:• 1 out of 5 large organizations spends more than $10 million

each year on litigation (excluding settlements and judgments)


29

Best Practices Resources

The Sedona Guidelines for Managing Information and Records In The Electronic Age (2007)

• http://www.thesedonaconference.org/

ARMA International, GARP: Generally Accepted Recordkeeping Principles (2009)

• http://www.arma.org/garp/garp.pdf

ISO 15489-1:2001

National Archives and Records Administration (NARA) Toolkit

• www.archives.gov/records-mgmt/toolkit/

National Association of State Chief Information Officers (NASCIO)

• http://www.nascio.org


30

http://www.thesedonaconference.org/

http://www.arma.org/garp/garp.pdf

http://www.archives.gov/records-mgmt/toolkit/




http://www.nascio.org/

http://www.nascio.org/

The Sedona Guidelines

1. An organization should have reasonable policies

and procedures for managing its information and

records.

2. An organizations information and records

management policies and procedures should be

realistic, practical and tailored to the

circumstances of the organization.

31


The Sedona Guidelines

3. An organization need not retain all electronic information ever generated or received.

4. An organization adopting an information and records management policy should also develop proceduresthat address the creation, identification, retention, retrieval and ultimate disposition or destruction of information and records.

5. An organizations policies and procedures must mandate the suspension of ordinary destruction practices and procedures as necessary to comply with preservation obligations related to actual or reasonably anticipated litigation, government investigation or audit.

32



33

Questions?

Thérèse P. Miller, Esq. | Shook, Hardy & Bacon LLP | [email protected]

Twitter: @theresepmiller

ARMA Tri-Chapter Spring Seminar | April 6, 2011

mailto:[email protected]

selling rim in your organization: tears and...

Documents