The vast majority of companies we interview do not follow their retention policies. The blame can be spread between legal, information technology and the business. This post will give 5 steps to help in-house attorneys succeed with Records Retention Policies.
To start in-house attorneys often treat records retention policies as a check box item. Yes, got a policy…..now bury head in sand. Information technology teams are tasked with implementing policies. In-house counsel typically does not know that more often than not, IT can’t execute these policies. Three reasons stand out why IT can’t make good on policy:
- The policy was created in a manner that does not make it technically possible (at least without significant time/cost commitment)
- IT has little idea what information exists and where to find it
- IT has other project priorities.
Next, the business (or end user) presents an even larger challenge for in-house teams. On one hand, the threat of end user productivity loss and reluctance to change makes the legal department cringe at the thought of pushing out policy and tracking compliance. On the other hand, legal teams tend to ignore end user considerations and assume they will do as asked (aka “told”). End user compliance with retention policies is horrific at best---across all spectrums of companies.
There is a better way to information governance that does not take even months to plan and implement. It does not even require significant experience. The method does, however, align the business goals of the General Counsel, Chief Information Officer and the Business. Legal and information technology departments are often cost centers to an organization—any impact they can drive to the bottom line is a win. Creating a properly aligned and automated information governance initiative that considers Legal, IT and the business can make significant impact on the bottom line (more about this later). If in-house counsel follows the following five steps, success is attainable:
1) Understand The Information
Understand what types of information (including sensitive information) the company has and where it is stored. (1-3 weeks)
2) Actionable Retention Schedule
Create a retention schedule that is pragmatic and actionable by IT and the business. (1 week)
3) Invest In Technology
Invest in the proper technology to automate retention and disposition. Companies have many systems that house information. Retention, disposition and litigation hold functionality needs to integrate and address all these systems. Similarly, IT and end users can’t be reliably asked to become file clerks and research what they have and whether it is eligible for disposition—it’s never going to happen successfully. (2-3 weeks)
4) Do not disrupt the business.
Meet end users and IT where they are. Utilize the tools and processes currently in place while complying with policies.
Automate retention. Automate litigation holds. Automate disposition. Remove the human element when possible.
For in-house attorneys, it ought to be evident over the past several years that corporate information growth is presenting business challenges. This phenomenon makes a records retention policy important to organizations of all sizes and industries.
Again, this ought to be familiar to in-house attorneys. However, a quick review:
- Litigation Costs - Companies that routinely experience litigation are intimately aware of the costs associated with identifying, producing, reviewing and maintaining information during discovery - Companies that are not heavily litigious may wrongly hedge their bet in this area. Much of this cost is avoidable.
- Storage Costs - Yes, storage costs have declined over time and yes the incremental cost to add storage hardware is small. In five years, the cost will likely be lower still. However, in five years, the cost will not have gone away. Companies will continue to purchase new storage, new backup hardware/software, new archiving hardware/software, new volume-based cloud products, new energy consumption, new offsite storage of paper and backups, etc. It never ends or gets curbed without some action.
- Privacy Breach Exposure - Exposure is inevitable. Will it be a hacker? Will it be an angry employee? Will it be a non-malicious employee that made a mistake? Will it be a vendor? Will it be a client? It’s hard to say. However, there are ample examples of privacy breaches that exposed sensitive information that the company had no need to retain. Had they only followed a retention policy, the threat would have not existed (or at least in the magnitude).
- Productivity - Employees create, share and utilize information at an alarming rate. As files, data and legacy information grow, it becomes difficult to organize, search and sift through the noise. Spring cleaning can lead to a more productive environment.
- Analytics - The noise from too much information often creates poor business analytics. The term “big data” is frequently tossed around for its many business benefits, but these projects are quickly parked due to the complexity of understanding data mapping.
Sound Information Governance can no longer be viewed as a back burner initiative. To avoid risk and cost associated with non-compliance, legal departments must consider how their policy decisions will affect the business. Success in this area can be expected if the proper steps are followed.
By Kevin Bley