
Digital Document Retention Policies and Post – Enron IT Governance DAVID VAILE Executive Director...

Date post: 19-Dec-2015
Digital Document Retention Policies and Post – Enron IT Governance DAVID VAILE Executive Director Baker & McKenzie Cyberspace Law and Policy Centre, UNSW Faculty of Law
Transcript
Page 1:

Digital Document Retention Policies and Post – Enron IT Governance

DAVID VAILE

Executive Director

Baker & McKenzie Cyberspace Law and Policy Centre, UNSW Faculty of Law

Page 2:

Digital Document Retention

David Vaile

Baker & McKenzie Cyberspace Law and Policy Centre

University of NSW, Faculty of Law

http://www.bakercyberlawcentre.org/ddr/

Page 3:

Introduction

• Recent changes in governance, cases

• White paper (copies available on request)

• Baker & McKenzie, ACLA, suppliers, Galexia

• Aimed at filling gaps for lawyers, IT, management

• Starting point only – you need firm-specific advice

Page 4:

Sources of IT risk

• Beyond hackers, viruses and disasters

• Digital documents as a source of risk

• Overlap security: create, use, destroy

• Chaotic hybrid: paper, digital, portable

• Not just technology: usage, usability, policies

Page 5:

Digital documents – Key questions

• Can you find it when you need it?

• Have you kept dangerous junk?

• Do you have a policy?

• Does it work for users?

• Do staff know why to keep or destroy?

Page 6:

Why does this matter?

• Business process support

• PR and public confidence

• Litigation

• Governance

• Efficiency in the back office

Page 7:

Examples and fiascos

• Boeing CEO's embarrassing email

• McCabe v. British American Tobacco (BAT): embarrassing ‘Evidence Destruction’ policy

• Enron: built on dodgy digital documents

• HIH: the inquiry

Page 8:

Where it hits the fan: Litigation and preparation for it

• Critical role of preparation for document analysis

• 3 teams involved: IT, legal, executive management

• Three domains: pass the buck?

• Head in the sand?

• Beware of being too clever

Page 9:

McCabe v. BAT (Vic Sup Ct): Evidence destruction = BAT loses!

• Critical documents were scanned

• 30,000 originals destroyed

• Although no litigation afoot at the time…

• BAT anticipated the likelihood of future claims

• Vic. Supreme Ct, appeal

• US DOJ very interested in original principle …

Page 10:

Types of digital documents — features

• Email: metadata (relevant for all), logs, contents…

• Scanned documents: when, where, who?

• ‘Office’ documents: copies, junk, version

• Network and infrastructure logs

• Databases, web: transactions, state

Page 11:

Delusions of control?

• IT as a control system

• Increasing independence of users

• Head office/Back office vs wandering road warrior

• Policy must be realistic and workable

Page 12:

Overview of legal issues and compliance

• Business reasons first

• Examples of legal obligations

• The big one: is it “Evidence”?

• Need specific assessment and advice

• Document your policy development process

• Test compliance

Page 13:

Sources of DDR legal obligation

• Legislation (Tax, Corporations, Privacy, Spam Acts…)

• Special case: rules of court

• ‘Common law’, cases such as McCabe v. BAT

• Industry codes (may be enforceable)

• Contract

Page 14:

Who requests the info?

• Litigation: parties, courts

• Regulators

• Law enforcement

• Customers, suppliers

• Rivals or tactical litigants

Page 15:

Types of obligation (1)

• Evidence for litigation

• Legal professional privilege

• Corporate governance by directors

• Taxation and money laundering

• HR, employment, admin, accounting….

Page 16:

Types of obligation (cont.)

• Insurance

• Personal information: Privacy, Corporations Act

• IP: copyright, patent, DRMS

• Marketing: Spam Act

• Contract and outsourcing

• Industry good practice

Page 17:

Litigation

• Is litigation contemplated?

• Nature of the industry

• What documents are relevant?

• Where can we reasonably expect it?

• Document the creation of a policy

• And its implementation and review

Page 18:

The new corporate governance: Yikes!

• Sarbanes Oxley (Sox)

• Basel II, CLERP 9

• US approach: litigate first, negotiate later

• Directors and execs personally liable

• Suddenly more serious!

• IT risks too; corporate governance response

Page 19:

Digital Document Retention Policy: First step to a solution?

• Systematic and documented practice

• Can justify destruction or retention

• Contents of a Digital Document Retention Policy

• Implementation

• How to refine a DDR policy

Page 20:

Steps to assess for Archiving/Destruction

• Required for current use?

• Required by contract?

• Required by law or regulation?

• Limitation period still applicable?

• Required for business reasons?

• Required for litigation?

Page 21:

Guidelines for inclusion in policy

• Sedona Principles (post Enron)

• AS ISO 15489 ‘Records Mgt.’ (AS 4309)

• US: DoD and NARA

• International: ISO 15489

• EU: Model Requirements for Management of Electronic Records (MoReq)

Page 22:

IT contributions to a solution?

• Document management systems

• Rich documents and meta data

• Logs for transactions and accesses

• Access control, authentication

• Automated backup, archiving

• Targeted and reliable recovery

Page 23:

Legal contributions to a solution?

• Analysis of legally significant data

• Analysis of industry and business

• Description of obligations

• Litigation and other risk assessment

• Draft the document retention policy

• Governance briefings for board

Page 24:

An integrated package:

• Everyone needs to be aware (KISS)

• Policy, tools, practices, oversight

• Integrate w. other policies and routines

• Existing document management practices

• Reality checks: audits, reviews

• Where will you be when it hits the fan?

Page 25:

David Vaile

Baker & McKenzie

Cyberspace Law and Policy Centre

University of NSW Faculty of Law

http://www.bakercyberlawcentre.org/ddr/
