Tactics

What Every CIO Needs to Know about Records Management

By Courtney Macavinta

The U.S. Justice Department's anti-trust case against Microsoft starting in 1997 was the first major lawsuit to put corporations on guard about a new type of company record that could potentially be used during litigation: email. By now it is taken for granted that where there's an alleged corporate scandal, there's a damning email waiting to be discovered. To deal with this "e-discovery," and to comply with countless new data regulations, most enterprises realize that the records management process must move from the basement to the boardroom.

"It is a CIO issue," says Larry Ponemon, founder of the Ponemon Institute, which surveys Fortune 500 companies to advance ethical information and privacy management practices. "When companies get into a legal dispute or regulatory problem, they have all of these documents and records that can become a smoking gun. The cost of discovery is enormous."

Deciding how to best manage electronic records is topping CIOs' agendas for good reason. A survey by Harris Interactive found that 68 percent of U.S. employees have used company email in ways that put their company at risk legally. Moreover, organizations that are sued and fail to store records properly may face hefty court fines or financial judgments. At the same time, regulations -- such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the USA Patriot Act -- require companies to maintain better control of records, from financial statements to telecommunications, to patient records. In some cases, executives can be held personally liable for violations or failure to comply.

For CIOs, records management is a tough balancing act -- the issue is not just how to store records but which records need to be archived and for how long. In addition, records must be easily accessible and secure. Like many CIO responsibilities, records management requirements can't be solved by technology alone. Best practices must cover people and processes, too.

Know what you have
Companies create and compile droves of content -- from emails to images to customer data -- that can be considered a "record" when it comes to lawsuits and regulations. Experts say records management is ultimately about mitigating risk by knowing what to preserve and protect and what to purge.

"CIOs need to understand that, moving forward, they need to build an infrastructure that not only supports the efficiency of e-discovery but that provides them with an inventory of what content they have," says Robert Markham, principal analyst for Forrester Research Inc., who with analyst Barry Murphy co-wrote the report, Kissin' Cousins: eDiscovery and Records Management.

The first step is taking inventory of company records stored on servers, desktops, laptops, PDAs and even corporate mobile phones. Next, the question is: What needs to be archived for legal and regulatory purposes? CIOs can initiate a process throughout the company in which each department inventories all records it creates. Then records should be classified based on universal guidelines such as data format, usage, security level, regulatory requirements for data elements, and how long they must be preserved.

Know your policies and procedures
Analysts say that CIOs not only must have a good understanding of the regulatory requirements for records retention but also must develop policies to classify and retain documents as they're created.

For example, it might put a company at risk to delete emails related to human resources/employee issues. At the same time, keeping drafts of proposals isn't always recommended. According to a Gartner Inc. report on best practices for records management, another critical component of any plan is to create a records retention schedule that includes the department that generated the record, retention period, reference to any statutory requirements for the record type, and the date the record may be destroyed.

Markham adds that it's the CIO's role "to allow the business departments to set up policies around their content, to enforce policies for the retention and creation of records, and to make sure the storage medium is the correct medium for the type of content."

When it comes to e-discovery, CIOs should take the lead from their corporate legal team to create an efficient process for accessing, reviewing, and turning over documents related to legal proceedings. Forrester's Murphy suggests working closely with the legal office to ensure that records management procedures are consistent, repeatable, and defendable.

"The CIO has to enforce these policies and procedures," Murphy says. "A CIO's job is to create an e-discovery platform so lawyers don't have to re-find and re-review memos that come up in cases."

Know where technology fits in
Markham and Murphy agree that although there are numerous records management software suites on the market, technology is not an elixir. Rather, software enables companies to document and enforce policies to adequately secure data repositories so records can be easily retrieved when needed.

For instance, companies can use software to classify content based on metadata and then archive records in a common data repository that allows records to be searched and viewed in their native application. Many email applications now come with integrated features that help create a digital paper trail for tracking purposes. Enterprise rights management software, on the other hand, can allow companies to control access to all of their electronic records or create an audit trail of who accessed a record.

So when it comes to deciding on records management tools, CIOs should make sure they understand their business partners' needs before they deploy, the Forrester analysts conclude in their report.

"Turn to vendors whose solutions can address all aspects of the electronic discovery process -- search tools to sort through enterprise content, collaborative document management to ease the review of content, and the ability to produce content in a common format for other litigation parties," Markham and Murphy write. "Technology is only as good as the policies it supports."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News.com, Business 2.0, Red Herring, and The Washington Post.
