Information Management 101 for Corporations · 2019-06-20

Page 1

Information Management 101 for Corporations

Georgetown CLE, Advanced Computer & Internet Law Institute

Marc Martin, Partner, K&LNG, (202) 778-9859, [email protected]

Peter Kurilecz, CRM, CA, Records Manager, Nextel Communications, Inc., (703) 433-4000, [email protected]

Page 2

Introduction

Retention Requirements

Security, Privacy and Confidentiality

Page 3

1. Electronic Business Record Retention Requirements

• Electronic business record retention regulations establish periods of retention, acceptable storage media, and organizational requirements for electronic records.

• Failure to maintain sufficient records can mean violating multi-layered laws and regulations, which can result in hefty fines, imprisonment and bad publicity.

Page 4

What is a “Business Record” for Your Company?

• A “Business Record” may include any medium used to communicate or record company- or business-related information, whether in written, electronic, or voice form.

• Examples include the following in any medium: business agreements, calendars (including Outlook calendar entries), contracts, correspondence, customer complaints, databases, diagrams, e-mails, government-issued licenses (e.g., FCC, PTO) or penalties (e.g., IRS, SEC) and related correspondence, invoices, leases, litigation files, meeting minutes, memoranda, notes, photographs, regulatory filings, sales projections, spreadsheets, and voice mails.

• Examples of electronic forms of media include, but are not limited to, home PCs, laptops, CDs, DVDs, cellular phone voice mail and text messages, VOIP-transmitted voicemail/email, instant messages, faxes via email, pagers, and PDAs.

Page 5

Criteria – Trustworthy Electronic Business Records

• Integrity – complete and unaltered
• Security – protection of confidentiality and privacy
• Authenticity – origin must be reliably demonstrated
• Accessibility – with respect to time and technological access (degradation of data, availability of necessary hardware)
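The integrity and authenticity criteria above have a concrete engineering counterpart: a signed manifest of record digests that the records custodian can re-verify before production or before a retention period expires. The Python below is an added example written for this page, not code from the presentation or from either presenter's organization. The record ids, record contents, retention date and custodian key are all constructed for the demonstration; the HMAC key stands in for a signing key that in practice would be held outside the storage system (an HSM or KMS), so that whoever administers the archive cannot also re-sign an altered copy.

```python
"""Added example (not from the presentation): a signed manifest that shows a
set of retained records is complete and unaltered (integrity) and that the
manifest itself came from the custodian (authenticity).
Records, ids, retention date and key are constructed for the demonstration."""
import hashlib
import hmac
import json

# Constructed sample records: record id -> bytes exactly as retained.
RECORDS = {
    "inv-2004-0117": b"Invoice 0117\nAmount: 12,500.00\nDue: 2004-02-15\n",
    "board-minutes-2004-03": b"Minutes of the 3 March 2004 board meeting ...\n",
}

# Constructed custodian key. In practice this lives in an HSM or KMS,
# separate from the system that stores the records.
CUSTODIAN_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so the same manifest always serializes to the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: dict, key: bytes, retain_until: str) -> dict:
    """Digest every record, then sign the digest list with an HMAC."""
    entries = [
        {"id": rid, "sha256": sha256_hex(blob), "length": len(blob)}
        for rid, blob in sorted(records.items())
    ]
    body = {"retain_until": retain_until, "entries": entries}
    body["hmac_sha256"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_manifest(manifest: dict, records: dict, key: bytes):
    """Return (ok, problems). The signature is checked first: without it the
    digests prove nothing, since an attacker could re-hash altered records."""
    problems = []
    body = dict(manifest)
    tag = body.pop("hmac_sha256", None)
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if tag is None or not hmac.compare_digest(tag, expected):
        problems.append("manifest signature invalid: authenticity cannot be shown")
        return False, problems
    for entry in body["entries"]:
        blob = records.get(entry["id"])
        if blob is None:
            problems.append(f"{entry['id']}: missing (record set incomplete)")
        elif sha256_hex(blob) != entry["sha256"]:
            problems.append(f"{entry['id']}: altered since manifest was signed")
    covered = {e["id"] for e in body["entries"]}
    for rid in sorted(set(records) - covered):
        problems.append(f"{rid}: not covered by manifest")
    return not problems, problems


if __name__ == "__main__":
    manifest = build_manifest(RECORDS, CUSTODIAN_KEY, "2011-12-31")
    print(verify_manifest(manifest, RECORDS, CUSTODIAN_KEY))
    altered = {**RECORDS, "inv-2004-0117": b"Invoice 0117\nAmount: 1,250.00\n"}
    print(verify_manifest(manifest, altered, CUSTODIAN_KEY))
```

Running `verify_manifest` against a copy of the archive distinguishes the three failure modes a court or auditor will ask about: an entry with no record (the set is incomplete), a digest mismatch (the record was altered after signing), and a bad HMAC (the manifest itself cannot be attributed to the custodian). Accessibility is not something a digest can show; the manifest should also record each record's format and the software needed to read it.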

Page 6

Where Electronic Business Records Matter

• In the courtroom (e.g., Rules of Evidence)
• In commerce (e.g., proper execution, protecting confidential information)
• Before administrative agencies (e.g., HIPAA data format standards)

Page 7

U.S. Approach to “Information Management Law”

There is no single, comprehensive law governing information management. Rather, the law is made up of:

• Federal and State Statutes
• Rules of Procedure and Evidence
• Common Law
• Industry-Specific Regulations
• Contractual Agreements

Page 8

Federal Law and Regulations

Public Companies:

• Sarbanes-Oxley (SOX) requires public companies to retain the documents related to their financial audits (i.e., “audit workpapers”) for seven years. Such documents can include website records, internal control reports (and the documents used to create them), regulatory filings, and litigation-related documents. Improper destruction of records can result in a prison sentence of up to 20 years.

Page 9

Federal Law and Regulations

Additional SOX Retention Implications

• SOX makes it a crime to knowingly alter or destroy any document with the intent to impede, obstruct, or influence the investigation of any matter within the jurisdiction of a department or agency of the U.S., or in relation to or in contemplation of any such matter.

• The earlier standard was limited to cases where an individual intentionally destroyed records or impeded an investigation that the individual knew to be pending or imminent.

Page 10

Federal Law and Regulation

IRS Retention Rules:

• IRC Sec. 6001 – Records must be maintained for as long as they are subject to audit under the Internal Revenue Code. In practice this means all documents must be kept for at least three years, some for six, and some permanently. Failure to comply can result in penalties.

Page 11

Federal Law and Regulation

IRS Retention Rules:

• Rev. Proc. 97-22 – Provides guidance to taxpayers that maintain books and records using an electronic storage system that either images their hardcopy (paper) books and records, or transfers their computerized books and records, to an electronic storage medium such as optical disk.

Page 12

Federal Law and Regulation

IRS Retention Rules:

• Rev. Proc. 98-25 – Specifies the basic requirements that the IRS considers essential where a taxpayer’s records are maintained within an ADP (automatic data processing) system.

Page 13

Federal Law and Regulation

• Securities industry – record retention regulations (e.g., Rules 17a-3 and 17a-4 for broker-dealers, Rules 17Ad-6 and 17Ad-7 for transfer agents, NASD Rule 3110, NYSE Rule 440).

• Health care – HIPAA regulations: medical records must be retained at least 6 years, and at least 2 years after the death of a patient. Penalties for noncompliance include fines of up to $250,000 and up to 10 years in prison.

• Internet access providers and telecommunications companies – Communications Assistance for Law Enforcement Act (CALEA).

Page 14

Federal Law and Regulation

• 18 CFR 225 – Preservation of Records for Natural Gas Companies

• 18 CFR 356 – Preservation of Records for Oil Pipeline Companies

• 17 CFR 257 – Preservation and Destruction of Records of Registered Public Utility Holding Companies and of Mutual and Subsidiary Service Companies

Page 15

State Law

“Spoliation”

• Many states recognize an independent tort of spoliation. Destruction of evidence, including electronic evidence, can be a ground for independent penalties or lead to adverse inferences in litigation.

• In the event of any potential litigation, you must STOP scheduled document destruction and retain all documents that may be relevant to the litigation.
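The instruction to stop scheduled destruction once litigation is anticipated is, in systems terms, a legal-hold gate in front of the disposition job: the retention schedule decides what is eligible for destruction, and an active hold overrides that decision for any matching record. The Python below is an added example written for this page, not code from the presentation; the retention schedule, the records, the custodians and the hold notice are all constructed for the demonstration. The same gate, applied to backup media, is what the SG Cowen and Sprint matters described on later slides lacked.

```python
"""Added example (not from the presentation): a disposition job that applies
a retention schedule but never destroys a record covered by an active legal
hold. Schedule, records, custodians and hold notice are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed retention schedule: record class -> years to retain.
SCHEDULE = {"invoice": 7, "email": 3, "contract": 10}


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    custodian: str
    keywords: frozenset = frozenset()


@dataclass
class LegalHold:
    matter: str
    issued: date
    custodians: frozenset            # people whose records are frozen
    keywords: frozenset              # subject terms that freeze a record
    released: Optional[date] = None  # None: hold still in force


def add_years(d: date, years: int) -> date:
    """Anniversary of d; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def hold_applies(rec: Record, hold: LegalHold, today: date) -> bool:
    """A hold covers a record by custodian or by subject term until released."""
    if hold.released is not None and hold.released <= today:
        return False
    return rec.custodian in hold.custodians or bool(rec.keywords & hold.keywords)


def disposition(records, holds, today: date):
    """Sort records into (destroy, held, retain) lists of ids.
    The hold check runs first, so a hold wins even when the schedule has expired."""
    destroy, held, retain = [], [], []
    for rec in records:
        expires = add_years(rec.created, SCHEDULE[rec.record_class])
        if any(hold_applies(rec, h, today) for h in holds):
            held.append(rec.record_id)
        elif expires <= today:
            destroy.append(rec.record_id)
        else:
            retain.append(rec.record_id)
    return destroy, held, retain


def run_demo(hold_released: Optional[str] = None):
    """Constructed scenario: a hold on custodian 'alice' and on the term 'ipo',
    evaluated on 2005-06-01. hold_released is an ISO date or None."""
    today = date(2005, 6, 1)
    records = [
        Record("inv-1997-0042", "invoice", date(1997, 3, 1), "carol"),
        Record("email-2001-0310", "email", date(2001, 5, 1), "bob", frozenset({"ipo"})),
        Record("contract-2000-0001", "contract", date(2000, 1, 1), "carol"),
        Record("email-2003-0007", "email", date(2003, 1, 1), "alice"),
    ]
    released = date.fromisoformat(hold_released) if hold_released else None
    hold = LegalHold("IPO allocation inquiry", date(2004, 11, 1),
                     frozenset({"alice"}), frozenset({"ipo"}), released)
    return disposition(records, [hold], today)


if __name__ == "__main__":
    print(run_demo())              # hold in force: expired 'ipo' email is held
    print(run_demo("2005-01-01"))  # hold released: schedule applies again
```

With the hold in force, the 2001 e-mail is past its three-year schedule but stays on the held list because it matches the hold's subject term; only the 1997 invoice is eligible for destruction. Once the hold is released the same job destroys both. The two points to carry into a real implementation are that the hold check runs before the schedule check, and that backup tapes and other copies must be routed through the same gate before they are reused.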

Page 16

Consequences

• Arthur Andersen was ruined by information management issues, among others.

• Deutsche Bank Securities, Goldman Sachs, Morgan Stanley, U.S. Bancorp Piper Jaffray and Salomon Smith Barney were fined $1.65M each for failing to properly preserve email communications.

• SG Cowen was fined $100,000 for deleting emails (by reusing backup tapes) before expiration of the retention period.

• Carlucci v. Piper Aircraft, 102 F.R.D. 472 (S.D. Fla. 1984) – judgment of $10M to plaintiff. Defendant failed to follow its own procedures and destroyed records during the discovery phase.

Page 17

Consequences

• Applied Telematics v. Sprint. Sprint produced certain electronic tapes of computer transactions. It later resumed its practice of re-using other tapes that had not been produced, effectively destroying non-produced records. The Court said Sprint “knew or should have known that this information was relevant” and required Sprint to pay the cost of obtaining comparable information from other sources.

• Frank Quattrone urged his employees in an email to “clean-up” files as the government was investigating CSFB’s allocations of IPO shares. He was convicted of obstruction of justice and sentenced to 18 months in prison (the conviction was later reversed on appeal). CSFB paid $100M to settle related civil claims.

Page 18

Contractual Retention Obligations

Standard Retention Covenants in Contracts

• [Company A] and [Company B] shall maintain complete and accurate records of all amounts billed to and payments made by [B], in accordance with GAAP. [A] and [B] shall each retain such records for a period of three (3) years … and maintain billing detail for the same time period. [A] and [B] shall provide reasonable supporting documentation to each other concerning any disputed invoices.

Page 19

Contractual Retention Obligations

• Duty to return versus duty to destroy – potential conflict with statutory requirements.

• Admissibility of electronic records in court – where’s the signed original?

• Tangible versus non-tangible records:
  – Redlines and drafts on hard drives
  – Archived e-mail with attachments

Page 20

Where are the Electronic Business Records?

New workplace technologies such as instant messaging, PDA-based email, cellular SMS (text messaging), VOIP communications, and traditional email make it increasingly difficult to ensure that data is actually deleted. Multiple copies of any given business record may exist – on networks, on back-up tapes, and on employee hard drives, home PCs and handheld devices. Note the advent of portable hard drives on key chains, iPods and Palm PDAs (T5).

Page 21

Consequences

• Easley, McCaleb & Assoc., Inc. v. Perry. A court ordered that deleted files on a defendant’s computer hard drive are discoverable.

• Global Research Analyst Settlement – In 2003, the government’s case, leading to a $1.4 billion settlement, was based on its discovery of harmful company emails.

Page 22

Consequences

The Email: “I used Sandy to get my kids into the 92nd Street Y pre-school (which is harder than Harvard) and Sandy needed Armstrong’s vote on our board to nuke Reed in Showdown.” – WSJ, 11/11/02

The Press Report: “Former top Citigroup analyst Jack Grubman said in an e-mail that he raised his rating of AT&T stock in part because his boss helped get Grubman’s twin daughters into an exclusive nursery school.” – USA Today, 11/14/02

Page 23

Don’t Forget the Metadata

Courts have held that electronic versions of documents are discoverable even where paper versions have been produced.

Metadata in electronic records may provide important clues concerning, among other things, authorship, history of edits, and dates of creation.

Software tools can strip metadata from copies of documents before they leave the company. Because metadata can itself be evidence, such tools must not be run against records that are, or may become, subject to litigation.

Page 24

2. Security, Confidentiality and Privacy

• Privacy laws regulate collection, use and disclosure of personal information.

• Information security laws can trigger liability and disclosure obligations in the event of corporate network security breaches.

• Intellectual property laws can trigger vicarious/third-party liability for infringement.

• Contractual obligations arising from NDAs govern protection of and access to workplace electronic records.

Page 25

Federal Law and Regulation

• SOX requires publicly traded companies to establish internal controls.

• Electronic Communications Privacy Act (ECPA) – monitoring of employee electronic communications generally requires employee consent.

• Digital Millennium Copyright Act (DMCA) can create liability if infringing records are made publicly available.

Page 26

Federal Law and Regulation

• Children’s Online Privacy Protection Act (COPPA)

• HIPAA – Section 1173(d)(2) requires that safeguards be in place to protect patient data and the authenticity of that data. Penalties for noncompliance include fines of up to $250,000 and up to 10 years in prison.

• FACTA – 16 CFR 682 – Any person who maintains … consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. Effective 1 June 2005.

Page 27

State Law

• California requires individuals to be notified when certain personal information is subject to a security breach (federal agencies are considering the same rule).

• Many states govern disposition of personnel records and certain kinds of medical records (HIV, drug/alcohol, mental health, etc.).

• Texas HB 698 – A business must dispose of personal identifying information … by shredding, erasing or other means … to make it unreadable or undecipherable. A business that does not dispose of a … record … in the manner required … is liable for a civil penalty of up to $1,000 for each record.
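FACTA’s disposal rule and Texas HB 698 both turn on the same technical question: after disposal, can the personal information still be read? The Python below is an added example written for this page, not part of the presentation, showing one disposal step for a file on local disk: overwrite the bytes in place, force them to the device, confirm the original content is no longer readable from the file, then unlink it. The file, its path and the record contents are constructed for the demonstration.

```python
"""Added example (not from the presentation): dispose of a file holding
personal information by overwriting it in place, flushing, then unlinking,
and check that the original bytes are no longer readable before removal.
The file and its contents are constructed for the demonstration."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file with random data and fsync it.
    Returns the total number of bytes written across all passes."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as f:   # unbuffered: writes hit the OS directly
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = f.write(secrets.token_bytes(min(remaining, CHUNK)))
                written += n
                remaining -= n
            os.fsync(f.fileno())                 # push the overwrite to the device
    return written


def dispose(path: str, passes: int = 1) -> bool:
    """Overwrite, then unlink. True when the path no longer exists."""
    overwrite_in_place(path, passes)
    os.unlink(path)
    return not os.path.exists(path)


def disposal_demo() -> dict:
    """Write a constructed PII record to a temp file, overwrite it, read the
    file back to confirm the record is gone, then unlink it."""
    record = b"Name: Jane Doe\nSSN: 000-00-0000\nAccount: 4111-1111-1111\n"  # constructed
    fd, path = tempfile.mkstemp(prefix="pii-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(record)
    overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    # Same length, different content, and none of the identifying strings survive.
    overwritten = (len(after) == len(record) and after != record
                   and b"Jane Doe" not in after and b"4111-1111" not in after)
    removed = dispose(path)
    return {"overwritten": overwritten, "removed": removed}


if __name__ == "__main__":
    print(disposal_demo())   # {'overwritten': True, 'removed': True}
```

The check between overwrite and unlink is the part worth keeping: it is what lets the business show the record was made unreadable rather than merely unlinked. The caveat is that an in-place overwrite only reaches the blocks the filesystem actually rewrites. SSD wear-levelling, copy-on-write or journaling filesystems, snapshots, backup tapes, and the additional copies listed under “Where are the Electronic Business Records?” all keep the data; for those, disposal means destroying the encryption key that protects the copy, or the medium itself.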

Page 28

Consequences

• DoubleClick created a public firestorm over Internet privacy when it acquired Abacus Direct and proposed to exploit its personal identity information for Internet marketing purposes. Public pressure compelled DoubleClick to retract its proposal.

• Eli Lilly & Co. inadvertently revealed the personal identities of thousands of subscribers to its Prozac email newsletter by using the “TO” field instead of the “BCC” field.

Page 29

Contractual Confidentiality Obligations

What is the issue?

• Ensure your company protects (a) its own confidential information, such as trade secrets, from disclosure to others and (b) other parties’ confidential information shared with it under an NDA or other contractual agreement.

Page 30

Contractual Confidentiality Obligations

Why is there a problem?

• Traditional confidentiality terms and conditions focused on tangible documents.

• As electronic documents became prevalent, there were more opportunities for mistakes and inadvertent disclosure.

• Lack of strong records management means a greater likelihood that your confidential information will be disclosed or that your employees will breach a confidentiality obligation arising in contract.

Page 31

Contractual Confidentiality Obligations

Typical confidentiality clauses and NDAs:

• Define what is confidential information.
• List exceptions to protection.
• Set limitations on the use and care of confidential information.
• Describe remedies – injunctive relief.

Page 32

Other Contractual Confidentiality Issues

Protecting Your Own (and Other Parties’) Confidential Information in an Electronic World

• Limit access to records on a “need to know” basis.
• Use employee confidentiality agreements.
• Create internal firewalls.
• Control replication through e-mail:
  – Distribution lists
  – Posting documents on shared drives
  – Password protection and encryption

Page 33

Security-related Liability

• Internal/third-party misappropriation of trade secrets

• Digital Millennium Copyright Act (DMCA) liability (defeating protective technology)

• Violations of the Computer Fraud and Abuse Act (anti-hacking law)

• Employee misconduct