Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
5/22/2014
1
Managing Records in an E-Discovery WorldMonday, June 2nd, 10:00 – 11:30 a.m.AT&T Executive Education Conference Center, Room 1032014 SCCE Higher Education Compliance Conference
Presented by:• Seth Gilbertson, Associate Counsel, SUNY Office of General Counsel• Nedra Abbruzzese-Werling, Director of Compliance & SUNY System-wide
Records Management Officer
Required Propaganda
The State University of New York
• Largest comprehensive university system in the United States
comprised of 64 institutions
• research universities
• academic medical centers
• liberal arts colleges
• 468,000 students in more than 7,500 degree and certificate programs
• nearly 2 million in workforce and professional development programs
• nearly 3 million SUNY alumni
• community colleges
• agricultural and technical institutes
• online learning network
5/22/2014
2
Where Do We Come From
Nedra'sNedra'sNedra'sNedra's OfficeOfficeOfficeOffice
Seth's Office
• Go over some records management and retention
concepts and issues in an era of e-hoarding
• Scare you with e-discovery basics and legal
considerations
• Consider some practical solutions for institutions
struggling to address the challenges presented by
e-discovery
Goals
a2
Slide 4
a2 Not yet editedabbruzne, 4/17/2014
5/22/2014
3
• Understanding that records retention (and destruction) is
really important to compliance
• How to develop and implement a robust records retention
schedule and records management program at your campus
• Develop a strategy for managing the increasing burdens of E-
discovery by:
(1) Establishing an e-discovery system/procedure at your
campus, and
(2) Instituting a culture of best practices for handling
potentially discoverable records before, during, and after the
e-discovery process
Hopeful Takeaways
Records Retention &
Management
ESI- Electronically Stored Info
5/22/2014
4
What is a Record
1. Any documentary material files, data, photos, recordings, books, tapes, films, papers,
metadata, EMAIL, post-it notes, etc.
2. That is received, stored, produced or
transmitted by any department, office,
employee or agent in the course of business; and
3. Has a LEGAL, OPERATIONAL or HISTORIC
value to the institution
• Process of identifying, classifying, using,
securing, retaining/storing, prioritizing,
archiving, preserving, retrieving, tracking, and
disposing of ‘RECORDS’
• Disposing of records that no longer serve a
need (legal/ operational/ historic) for the
institution
• Disposing of things not considered ‘records’
What is Records Management
5/22/2014
5
We no longer live in the world of paper and boxes
Why Does Records Management Matter
a1
• Increased volume of
the information
• Way we store records
becomes more complex
• The management and
processing of this
universe of information
much more difficult
Why Does Records Management Matter
a5
Slide 9
a1 This is not edited yet - no worries...abbruzne, 4/17/2014
Slide 10
a5 This is not edited yet - no worries...abbruzne, 4/17/2014
5/22/2014
6
• Rising fiscal and operational
expense of “e-discovery”• process by which information
must be retained and exchanged
pursuant to legal proceedings
mandates
• Rising fiscal and operational
cost of information
governance, security, and
utilization
• Burdens will only get bigger
with growing world of
information
Why Does Records Management Matter B
ad
Wo
rse
a8
Volume of Information is growing• In a recent calendar year, 1.8 million terabytes of data
• Terabyte: one trillion bytes, or 1,000 Gigabytes
• 1 Terabyte = 1,000 copies of the Encyclopedia
Britannica
• 10 terabytes = All of the printed material in the Library
of Congress
• 67 terabytes = ALL of data in ENTIRE library of
congress (including images)
How Bad Is It?• Corporation created 5 million pages of data for 1 trial
that only included 5,000 exhibits
Context: How Much Information Are We Talking About
Slide 11
a8 This is not edited yet - no worries...abbruzne, 4/17/2014
5/22/2014
7
Records versus ESI
• ESI = Electronically Stored Information
• Everything on hard drives, servers, wireless devices, etc.
is ESI
• Only ESI with legal, operational, or historical value is
a record
• ESI can become a record, when . . .
• Reasonable anticipation of litigation converts relevant ESI
by making it valuable to a legal process• Audit by an oversight agency or public information request has same effect
• BUT, only ESI that exists at moment of "trigger" can
convert to record
What Does This Mean
• Most of the
information your
institution is storing is
not even a record
• Most emails = not
records
• All that stuff on
Professor X’s (or
Administrator Y's) desk
and email account?
Not records . . . yet
5/22/2014
8
Inadequate Records Management: How Did We Get Here
• Some organizations didn't focus on electronic
documents as business records
• Digital information still in infancy
• Little centralized records management oversight
• Volume of electronic content and capacity grew
exponentially and in tandem
• IT departments are service–oriented and reluctant
consider compliance issues when making
infrastructure decisions
• Poorly trained end-users driving process
E-Discovery Basics Now
5/22/2014
9
E-Discovery Generally
Definition =
A short hand term for the process of
preserving and exchanging
electronically-stored information (ESI)
in the context of modern litigation or
other legal processes
E-Discovery Generally
If I am not a lawyer, why should I Care?
• There are lots of types of “E-Discovery”
• State & Federal Lawsuits
• Freedom of Information/Sunshine Requests
• Audits/Program Reviews
• Criminal Investigations
• Internal investigations
• Stakes are high whenever information is at issue
5/22/2014
10
E-Discovery Generally
• Almost every legal process requires preservation
and/or production of records
– Legal processes tend to be document intensive,
and are becoming more so as the available
documentation proliferates
– Who has what, and where, and how (are they
storing it)?
– Adherence to records management policy is critical
in properly defending lawsuits, administrative
actions and audits.
What a difference an "E" makes
• Constantly evolving as old concepts (i.e., discovery) are applied to new technologies (i.e., "e")
• Impacted by a dramatic increase in quantity of potential "evidence"
• Led to huge increase in costs associated with discovery
– Who pays?
5/22/2014
11
Mo' E, mo' problems
• Standard set by Federal Rules of Civil Procedure and court decisions– Zubulake
• Often used to describe the pre-discovery (but equally important) process of implementing litigation holds
• Requires collaboration between IT, legal, RecordManagement departments, and the cooperation of end users (custodians)
Some ESI, Some Problems
More ESI, More Problems
Most ESI, Most Problems
Relevant Quiz
OCR notifies your institution that a student filed a complaint alleging that she was denied reasonable accommodations when an accounting professor made her take a quiz in class. Due to an anxiety disorder, the student is allowed to take exams in a distraction-free environment. OCR now formally "requests" "all relevant materials."
• Does this present an e-discovery event on your campus?
5/22/2014
12
E-Discovery Steps
1. Manage Records Seriously
2. Determine Litigation Hold Triggers
3. Identify Relevant Records
4. Preserve Relevant Records
5. Review Records/Information
6. Produce Records/Information
7. Clawback?
8. Explain
Triggers
• Events that cause an organization to
consider implementing a legal hold (LH)
– “Reasonably Anticipates Litigation”
– Or other legal process
• Require prior planning
and regular
communication
with legal counsel
Walking LH Trigger
5/22/2014
13
More on That Guy
More on That Guy
5/22/2014
14
More on That Guy
Trigger Factors
• Likelihood of litigation / enforcement action
• Type of potential evidence
– Location
– Control
– Durability
• Cost/Benefit?
• History
5/22/2014
15
One More From Banksy
Triggers?
• President denies Professor Suyou tenure after mixed recommendations from evaluators
• Visitor at baseball game calls athletic department to complain that hot dog gave him food poisoning, saying “you’ll hear from my lawyer”
• Unhappy with the level of service provided, your college terminates a contract with a software vendor
5/22/2014
16
Litigation/Legal Holds
• Purpose to avoid “spoliation”
• Policies are moving toward administrative
access to all institutional records and devices
(more to come)
• All programs/devices should be capable of
permanent retention
– Better archiving = easier process
• Holds should be custom-fit to circumstances
• Coordinate with "adversary"?
Legal Hold Steps
• Identify potentially relevant records
– Requires preservation of all relevant information
– But no need to keep what you didn't have to before (safe harbor)
• Identify Key Players
• Locate records/data to be preserved
– Data mapping
– Inventory
– Interviews
5/22/2014
17
Key Players
Counsel
IT
RMO
Key Players
End User
5/22/2014
18
Legal Hold Steps
• Counsel issues Legal Hold to Key Players (copying IT)
• Legal Hold should include:
– The nature of the Triggering Event;
– The ESI or other records that are subject to the Legal Hold;
– A brief, general description of the legal obligations related to Legal Holds;
– Instructions for preserving the relevant ESI (including any transfer instructions);
– Contact information for the Key Person to receive legal and IT advice.
Legal Hold Steps
Should we Notify the Custodians?
– Usually yes, but
– We don’t let the fox implement a litigation hold
on the hens
• Consider self-interest
Don't forget about third parties (i.e., cloud vendors) and even plaintiff(s)
– Must usually notify adversary if third party holds data
5/22/2014
19
Legal Hold Steps
• Coordinate with Legal & Key Players to implement hold
– Native format best
– Include back ups?
– Who takes possession?
• Document steps taken
• Maintain regularly
• Plan for ongoing collection
– Mirrored accounts?
The Relevant Quiz
Your office for disability services sends emails
to professors at the beginning of each
semester informing them of the
accommodations granted for students in their
classes.
• Are any emails subject to a hold?
• How do you obtain them?
5/22/2014
20
The Relevant Quiz
Your policy for accommodation requests
is available online and sent to students
electronically every year. Your institution
is currently in the process of revising it.
– Is the policy subject to a hold?
– How do you obtain it?
Reviewing
• Can be done as part of LH, prior to disclosure, or both
• Will often be based on negotiated parameters or court
order• Meet and confer
• Labor-intensive
• Many tools now available
• Technology assisted review?
• Cost-shifting big concern
• Outside experts common
• Know what you produce
• Document process
5/22/2014
21
The Relevant Quiz
Neither the professor nor the office for disability services saved the accommodation emails, but IT thinks they are on a back up tape along with millions of other emails. The limited searching technology available is only able to narrow it down to 4,000 potential emails.
– Who searches these?
– Who pays?
– What if you don’t find them?
What's This?
• Must document and clearly explain the steps taken (or not taken) during discovery
– Important for proportionality determinations
– Show your work
• Don’t get too bogged down with the nuts and bolts of e-discovery and forget to defend the case
– Know what you produce and be able to tell its story
– Beware of tactical use
• First step is making sure counsel and IT understand each other
5/22/2014
22
Establishing a Records
Management Program
• When keeping records:• Records Retention: is there a set process/ schedule
• Information security: Are records safe?
• Data Governance: Are they clearly organized
• Data Mapping: What and where
• Who is the custodian
• When purging records:• Dispose of safety?
• In a timely manner?
• Authority to dispose of records?
Records Management Considerations
a11
Slide 44
a11 This is not edited yet - no worries...abbruzne, 4/17/2014
5/22/2014
23
• Data breaches: • information that should have no longer been in an
institution’s possession is compromised
• Information Requests:• when the documents requested should not have
been retained because they were past their
required retention (which may have been 0), the
immense administrative burden and legal risk is
self-inflicted
Risks of Unclear Records Management Process
Benefits of Records Retention & Management
• Ensures records are retained only as long as they are
actually needed for administrative, fiscal, legal, or
research purposes
• Creates the records it needs, and none that it doesn’t
• Ensures prompt disposal of unnecessary records
• Ensures safe and secure storage of records
• Eliminates time and effort required to service and sort
through superfluous records to find needed information
• Information retrieved quickly
• Respond quickly to auditors and subpoenas
• Helps an institution to know what records it possesses
5/22/2014
24
• Cost savings
• Frees storage space and equipment for important
records and for new records
• Facilitates the identification and preservation of
archival records
• Eliminates the potential fire hazard of storage of large
quantities of valueless records
• Helps with implementation of legal holds
• Allows for better control and access to records
• May be required by law
• Helps facilitate disaster planning
More Benefits of Records Retention & Management
Objectives of Records Management
1. Regulatory Compliance• Are the records required by law available in the
format and the timeliness needed
2. Document Management• Are the business records being managed in the most
cost effective and functionally useful manner while
still ensuring their security
• Does the record management plan account for
electronic information
3. Assigns Responsibility• Puts someone at the wheel
5/22/2014
25
Safe Harbor
• Federal Rule meant to address the overbroad preservation
many litigants and potential litigants felt they had to undertake
to ensure they would not later face sanctions
• Rule requires:
• Must still disclose all relevant records that exist at the time
litigation is reasonably anticipated
• Destruction does not meet good-faith requirement if
litigation hold should have been implemented
• Retention/destruction policy must be reasonable and
defensible
• Failure to follow policy can extinguish protection
• Same basic rule applies in nearly every legal venue
How to Get Started
5/22/2014
26
How to Get Started
• Policy and Procedure:• Start by drafting (or hopefully updating) a records policy
and records schedules
• Schedules codify multiple retention periods into one set
of documents
• Schedules: • Determine how you will classify records
• Records in academia best organized by subject matter
and subject category
• Determine workable categories & timeframes
• Develop user-friendly schedules for departments• Involve constituents from beginning
Classifying Records for a ScheduleEXAMPLE
ACADEMIC AFFAIRS & INSTRUCTION
Accreditation records Course listing
Curriculum development records Instructor's course syllabus or lesson plan
Academic program proposals Instructor's grade records, test scores, and
marking sheets
Curriculum/program registration records List of students majoring in a field of study
Master plan and related documents Class Schedule
Course information records Course or laboratory attendance records
Faculty and faculty-student research
records
Completed examination test papers and
answer sheets
Records of Institutional Review Boards Evaluations of course instructor
Records relating to tax-free use of alcohol
Radiation use log
5/22/2014
27
Then Break It Down
Components of a Records Management Policy
• Defines and classifies records
• Controls lifespan, ‘records cycle,’ retention
• Delegates power to destroy records
• Eliminates uncertainty about retention, responsibility
and, hopefully, the existence of specific records
• Reduces universe of information by allowing for
predictable destruction of records and other data
= Safe Harbor
• Controls access
• Information security
5/22/2014
28
• Assigns responsibility
• Records Management Officer
• High level oversight
• Plans for litigation
• Process for litigation holds
• Makes Records Management everyone’s job
• Establishes a process for converting paper
records to electronic format
Components of a Records Management Policy
What Your Records Schedule Should Accomplish
• Reduces universe of
information by allowing for
predictable destruction of
records and other data
• Reduces the amount of
paper and ESI that
Professor X (and
Administrator Y) is
needlessly storing
• Recognizes through a policy
that records management is
everyone’s job
5/22/2014
29
Considerations When Drafting a Policy
• Relevant State laws
• Statutes of Limitation
• Laws that specify retention of documents
• Relevant Federal laws
• Statutes of Limitation
• Laws that specify retention of documents (i.e. international)
• Any state oversight body that would have the
authority to approve a schedule you create
• Laws surrounding electronic conversion
• Constituent Inputs!
Converting Paper to Electronic Format
5/22/2014
30
Legal Considerations for Converting Paper to Electronic Format
• Federal Rules of Evidence 1001 to 1003 (adopted
by many states) deal with the need to produce an
original document in legal proceedings except when
otherwise allowed
• Duplicate made by an electronic process
"that accurately reproduces the original"
is allowed except when a question is raised about
the duplicate's genuineness
• Some medical records still kept in paper format
• Look to your State laws
Records Policy Should Set Standards for Electronic Conversion
• Accurate Representation of Original:
• Electronic images should accurately and completely reproduce all the
information in the records being imaged
• Usable Format:
• Imaged records will not be rendered unusable due to changing or
proprietary technology before their retention and preservation
requirements are met
• Records cannot be changed once converted:
• Imaging system will not permit additions, deletions, or changes to the
images without leaving a record of such additions, deletions, or changes
• Records can be authenticated by employees:
• Designees of the institution will be able to authenticate the imaged records
by competent testimony or affidavit which shall include the manner or
method by which tampering or degradation of the reproduction is
prevented
5/22/2014
31
Practical Considerations for Electronic Conversion
• Conversion is extremely time consuming
• Ensure your institution has:
• adequate IT Storage System
• proper tools for conversion (quality scan with OCR capability)
usable formats
• adequate staffing
• Document Management System for sorting records is ideal
• Green
• Improves productivity
• Ensures authenticity and reliability of information resources
• Can be duplicated and protected at less cost than paper records
• Essential for managing records appropriately
• Reduces state and federal public information laws and discovery
compliance costs
• Increases the likelihood of success of records migration &
preservation strategy
• Provides long-term cost savings (reducing the need for parallel
recordkeeping systems, i.e., paper and electronic)
• National Archives endorses moving to Electronic Recordkeeping (ERK)• Site: Why Federal Agencies Need to Move Towards Electronic Recordkeeping
Electronic Recordkeeping Benefits
5/22/2014
32
Consider a Document Management System
• Efficient retrieval and access system
• Helps facilitate better Data Governance
• Greater speed of document retrieval
• Centralizing force for information
• All information required to be sorted in the same way
• Indexing by text and type
• Avoidance of Human Error
• Helps with personnel turnover and vacations
• Cost – return on Investment
• Integration with other systems, including email
You Have a Policy – Now What?
5/22/2014
33
Steps for Instituting Your Records Policy
• Publish Records Management Policy, Procedure, and
Schedules in place where other all other institution policies
are located
• Tone from the top - Designate RM as an important and
essential initiative
• Identify key people responsible for moving records
management forward
• Liaison/ Custodian in each office
to facilitate compliance in
office
• Reward compliance with policy
• Integrate IT Systems with Records
Management plan
Steps for Instituting Your Records Policy
• Assemble a committee with select members from each
department
• Legal
• Record Management
• Compliance
• HR
• Finance
• Information Technology
• Define clear goals
• Set dates for each phase of the project
• Designate leader of committee
• Records Management Officer
5/22/2014
34
Steps for Instituting Your Records Policy
• Conduct a records inventory• Identify records that currently exist as well as where and
how they are maintained and secured
• Paper
• Electronic
• Combination
• Use records inventory to develop a plan for disposing
of records that have already exceeded their required
retention periods
• Set specific goals for process with realistic completion dates
• Establish time frames for getting existing records, documents,
and ESI in compliance with new schedules
Information Security Considerations
As you inventory data and records, consider:• Where is your Sensitive Data
• Encryption
• Access
• Screen vendors
• Locking doors and file cabinets
• Mobile devices clean, password-protected, under
institution control
• Synchronize security with records retention
• Destroy records appropriately
5/22/2014
35
Communication and Training
• Develop a roll-out plan that includes training of all
employees
• Ensure staff training to reinforce policy• Annual training of all employees
• Manage records plan when employees leave
• Develop plan with each office and train them on applicable
functional schedules
• Train all new employees
• Offer continuous support to
offices with records questions
• Listserv
• Website
• Campus newsletter
Create a Culture of Records Management at Your Institution
• Don’t wait until storage becomes a problem
• Continual training and communication with
offices and records liaisons
• Communicate the risks
• Disposition should be carried out regularly, at
least once a year• Facilitate annual disposal of records
• Host a Campus Records day
• Host a Records Management Week
5/22/2014
36
Continual Monitoring
• Establish a continual audit and review process
• Add compliance with retention schedules to
your internal audit plan
• Review Records Management Policy and
schedules on an annual basis and update when
necessary
• Legal changes
• Operational changes
• Personnel changes
• Completeness, relevancy, clarity
Eliminating Records
5/22/2014
37
How to Dispose of Records Properly
• Consignment to a paper recycling plant
• Shredding services (particularly for records
containing confidential information)
• Confidentiality:• Disposition should be carried out in a way that
ensures confidentiality of individuals named in the
records is protected
• Document Your Destruction: • Record identity, inclusive dates, and approximate
quantity of records that are disposed of
Setting up a Process for
E-Discovery at Your Campus
5/22/2014
38
E-Discovery Procedure
Purpose: To ensure that institution is
prepared to comply with information
demands that arise in the context of
litigation, administrative proceedings,
audits, investigations, and Freedom of
Information Law (FOIL) requests.
+
Safe Harbor
E-Discovery Procedure
• Defines Legal Hold, Custodians, Triggering Events,
Key Persons, etc.
• Gives specific responsibilities to Counsel,
Custodians, Key People, IT
5/22/2014
39
E-Discovery Procedure
• Sets up framework for preparing for and
managing legal holds and e-discovery cases
• Response Team
• Lists best practices for pre-discovery RM
• Creates tracking mechanism
• Mandates Compliance
• Remember, this is already our legal obligation,
the procedure just organizes our approach
• Gives actors authority and resources
Response Team
• Counsel + IT + RMO + ?
• Charged with Policy
Compliance
– Communicates Regularly
– Manages Legal Holds
• Tracking
– Trains Constituents
– Reports to Management
– Review/Production
5/22/2014
40
Other Points to Consider
• Enforce policy through discipline
• Must inform Counsel of Triggering Events
• Ensure existing local policies agree with E-Discovery and RR policies
• OGC must provide guidance
• Consider E-Discovery and RR policy when contracting
• Implement local policies to supplement E-Discovery policy
• Consider BYOD issues
Keys to Success
• Assign actual People
• Publicize Policy
• Train
• Audit
• Enforce
• Integration with IT resources
5/22/2014
41
Email Management
Managing Email Records
Retention policies are best applied
to information by subject, not by
the medium on which it is stored.
That’s why we don’t have retention
policies for paper.
5/22/2014
42
Are emails records? • Most emails are NOT records
• United States Supreme Court endorsed the idea
that unnecessary email should not be retained Arthur Andersen LLP v. United States, 544 U.S. 696 (2005)
Why don’t we have a set retention period for
all emails? • Email is simply a medium
• Retention periods are best tied to the information
in a record, not the medium on which it is stored
Managing Email Records
Managing Email Records
What should your Records policy say about email?• Records transmitted through email systems have the
same retention periods as records in other formats that
are related to the same function or activity
• Campus and University officials may delete, purge, or
destroy emails that are records if:
• records have been retained for the minimum
retention period
• are not being retained for a legal action or otherwise
subject to a litigation hold or for an audit
• All other emails that are not records should be deleted
on a regular, consistent basis
5/22/2014
43
How to Manage and Reduce Email Volume
Adopt a Policy
where email is deleted after a certain period of time
by default • Use a document management system for email (such
as outlook) and make the auto-delete features default
• Ensure you have communicated auto-delete feature to
campus
• Ensure you have enabled protocols to override the
auto-delete features in the event of a litigation hold
Email Policy Elements
1. Require use of a University-issued email account
2. Require retention of emails that are records by
subject matter in accordance with your records
policy and schedule
3. Clearly identify policy scope - Who is covered
• Employees
4. Reference the University’s existing Acceptable
Use Policy
• If you don’t have an Acceptable Use Policy,
you should
5/22/2014
44
Email Policy Elements
5. Explain mechanism for retaining email records
that are actual records
6. Set privacy expectations for email
• As in, “There are no expectations of privacy”
7. Describe local procedures for email retention
for individual user
8. Set Procedures for exceptions to the auto-
deletion protocols
• In cases of litigation holds, discovery
requests, Freedom of Information Requests,
Audits, or retaining emails that are records
Email Policy Elements
9. Establish policy training and education
10. Mandate compliance with Policy
• Employee discipline as enforcement tool
11. Require periodic review of the policy to
ensure it is current
12. Identify two individuals who will be charged
with ensuring campus compliance with the
policy
• RMO/ Legal Counsel
• IT person
5/22/2014
45
From: Nedra Abbruzzi-WhirlingTo: Seth GilbertsonSubject: What is the retention period for email?
"Wanna meet at the Congress for lunch at
12:30? My treat."
1. Documentary Material?2. Transmitted or stored by College?3. Has legal or operational value?
= 0.00
From: Sally Student
To: Prof. Smith
Subject: What is the retention period for email?
"Prof. Smith, attached please find my answers to the take-home exam for POLS-203"
1. Documentary Material?
2. Transmitted or stored by College?
3. Has legal or operational value?
= 6 Months
5/22/2014
46
Why Seth Hates Email
• Seldom constitutes a Record
• Rarely helpful to Defense:"Cindy,
Let's discuss your promotion over dinner.
Best,
VP Johnson"
Of course, I will choose a very public and
well-lit restaurant and several colleagues will
be there. Nevertheless, if you would rather,
we can just talk about it in the office on
Monday. Your choice will have no effect on
my decision.
Email & Other Records Resources
Email Resource:
SUNY Email Retention Guidance• The purpose of the guidance is to help SUNY
campuses with regard to retention of emails
Other SUNY Resources:
• SUNY Records Retention and Disposition Policy
• SUNY Legal Proceeding Preparation (E-Discovery)
Procedure
• SUNY Compliance Website Page on Records
Management
5/22/2014
47
Hope We Didn’t Put You To Sleep
We had a ball