Selling RIM in your Organization: Tears and Fears. Thérèse P. Miller, Esq. Shook, Hardy & Bacon LLP ARMA Tri-Chapter Spring Seminar April 6, 2011


2 Business Case for RIM Legal Perspectives

3 Overview
What is a Business Case?
Why a Business Case for RIM?
Business Drivers
RIM as a Tool to Mitigate Risk
Best Practices

4 What is a business case?
A business case supports planning and decision making
It includes:
  the reasons for the project
  the expected business benefits
  the expected business and legal risks
  the options considered
  the expected costs of the project

5 Elements of a Business Case
Executive Summary Background Objectives Risks Options Resources Cost Benefits Recommendation
Source: istockphoto

6 Why a Business Case for RIM?
Identifying, Understanding, and Prioritizing the Risks
Special Circumstances for your Company
  Highly Litigious Industry
  Highly Regulated Industry: Health Care, Financial
  Corporate Changes: M&As, Divestitures

7 Data Deluge
The Economist:
Wal-Mart, a retail giant, handles more than 1m customer transactions every hour, feeding databases estimated at more than 2.5 petabytes, the equivalent of 167 times the books in America's Library of Congress
the world contains an unimaginably vast amount of digital information which is getting ever vaster ever more rapidly
And decoding the human genome involves analysing 3 billion base pairs which took ten years the first time it was done, in 2003, but can now be achieved in one week.
Source: The Economist


9 U.S. Supreme Court on RIM
Arthur Andersen LLP v. U.S., 125 S. Ct (May 31, 2005)
Document retention policies, which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct employees to comply with a valid document retention policy under ordinary circumstances.

10 D. Utah
Phillip M. Adams & Assoc., LLC v. Dell, Inc., 621 F. Supp. 2d 1173, 1194 (D. Utah 2009)
[i]nformation management policies are not a dark or novel art. Numerous authoritative organizations have long promulgated policy guidelines for document retention and destruction.
it is clear that ASUS' lack of a retention policy and irresponsible data retention practices are responsible for the loss of significant data.

11 Business Drivers for RIM
E-Discovery Compliance Federal, State, and International Records and Data Security Increased Use of Technology Leveraging Technology Investments Online Storage Costs Transparency Corporate Policies and Standards Best Practices
Source: istockphoto


13 Cross-Disciplinary RIM Committee
Assemble a Cross-Disciplinary Governance Team:
  Legal Department: Marketing lawyers, Litigators, Employment lawyers
  Marketing and Communications
  Information Security
  Information Technology
  Compliance
  HR
  Key Business Stakeholders

14 RM Working with IT and Legal
The story is no longer: Paper = RM and Electronic = IT
New Web 2.0 concerns: Privacy Information Security Digital Records Processing Data Personal Information as a Property Right Integrity of the Information
Source: The Economist

15 EDRM
Federal Rules of Civil Procedure amended in 2006 specifically address electronically stored information (ESI)

16 Information Management
if you have relevant data and information at the time the preservation obligation arises, you must preserve it even if you could have disposed of it in compliance with your records retention schedule

17 Records Lifecycle Paradox
We can't keep everything forever
We can't throw everything away

18 Approaches to RIM Programs
Reactive
  Indexing and searching content after a problem
  E.g. data-mining or categorizing data after searches (e.g. Autonomy, Google, etc.)
  Requires technology investment only
Proactive
  Indexing content as it is created (XML, metadata, bibliographic coding, taxonomies, records management, etc.)
  Requires investment in people, processes, and technology

19 Critical Success Factors
Top-Down Support from Senior Management
Proper Planning and Commitment
User Involvement
Education and Training
User-Friendly System and Business Processes

20 Benefits to RIM
1. To Control the Creation and Growth of Records
2. To Reduce Operating Costs
3. To Improve Efficiency and Productivity
4. To Assimilate New Records Management Technologies
5. To Ensure Regulatory Compliance
6. To Minimize Litigation Risks
7. To Safeguard Vital Information
8. To Support Better Management Decision Making
9. To Preserve the Corporate Memory
10. To Foster Professionalism in Running the Business
Source:

21 Analyzing the Risks
Identify the Risks
Analyze Tools Necessary to Mitigate Risks
Define and Communicate Approach and how it will mitigate the risks
Source: The Economist

22 Identifying the Risks
Litigation Responsiveness, Fines, Penalties, Civil and Criminal Sanctions, Ethical Discipline, Damage Awards Higher costs of e-discovery Investigations Higher costs of storage Privacy Loss of business-critical information Data loss Bad PR/Reputation Diminishment

23 Consequences
Monetary Sanctions: Qualcomm, Zubulake, Morgan Stanley
Criminal Sanctions: Arthur Andersen, Quattrone
Fines: Merrill Lynch
Adverse Inferences or Preclusion: In re NTL
Cost-Shifting

24 March 14, 2006
The Securities and Exchange Commission said Monday that it had fined Merrill Lynch & Company $2.5 million for failing to provide promptly messages that the agency sought over a 16-month period. Merrill Lynch neither admitted nor denied wrongdoing. But it did agree to refrain from future violations of securities laws, and it was also censured by the agency.

25 September 28, 2007
Morgan Stanley will pay $12.5 million to resolve charges that it failed to produce e-mails in arbitration cases and falsely stated that the messages were lost in the Sept. 11, 2001, attacks. "We didn't find evidence that Morgan Stanley intended to hold back e-mails, but it was a case of one hand not knowing what the other was doing," the authority's chief of enforcement, Susan L. Merrill, said in an interview.


27 Elements of a Good RIM Program
RIM Policy & Glossary
Standard Operating Procedures (SOPs)
Records Retention Schedule (RRS)
Procedures for Suspending Retention for Legal Hold
Monitoring Adherence to Policy and RRS
Employee Training & Communication Plan

28 Tools
Paper Offsite Storage Electronic Data Archives Structured Databases Archives Document Management Systems Preservation Systems Content Management Systems Records Management Systems
Source: The Economist

29 Financials
Internal and External Costs
Calculate a Return on Investment (ROI)
Suggest a Cost Center (IT, Legal, RM)
Example: 300% = [(400K profits - 100K initial investment) / 100K] x 100%
Potential Costs if no RIM: 1 out of 5 large organizations spends more than $10 million each year on litigation (excluding settlements and judgments)

30 Best Practices Resources
The Sedona Guidelines for Managing Information and Records In The Electronic Age (2007)
ARMA International, GARP: Generally Accepted Recordkeeping Principles (2009)
ISO :2001
National Archives and Records Administration (NARA) Toolkit
National Association of State Chief Information Officers (NASCIO)

31 The Sedona Guidelines
1. An organization should have reasonable policies and procedures for managing its information and records.
2. An organization's information and records management policies and procedures should be realistic, practical and tailored to the circumstances of the organization.

32 The Sedona Guidelines
3. An organization need not retain all electronic information ever generated or received.
4. An organization adopting an information and records management policy should also develop procedures that address the creation, identification, retention, retrieval and ultimate disposition or destruction of information and records.
5. An organization's policies and procedures must mandate the suspension of ordinary destruction practices and procedures as necessary to comply with preservation obligations related to actual or reasonably anticipated litigation, government investigation or audit.


34 Questions? Thérèse P. Miller, Esq. Shook, Hardy & Bacon LLP ARMA Tri-Chapter Spring Seminar April 6, 2011