by Christie Hangey

Best Practices for Electronic Records Retention (Part One)

Feb 28, 2003

RFG believes that IT executives should view effective electronic records retention as essential to the long-term viability of their enterprises. Effective electronic records retention policies allow an enterprise to defend its intellectual property rights and provide protection in times of litigation. IT executives need to define and classify electronic records, selecting those that will be archived. IT executives also should verify the authenticity of such records, in order to ensure they will be viewed as legitimate records in the future.

Business Imperatives:

  • Many enterprises make do with ad hoc electronic records retention policies. In addition, some organizations may already employ an archivist, librarian, or other individual to manage paper documents. Before implementing an archiving strategy, IT executives should examine what policies, if any, currently guide electronic records retention. IT executives should also consult with any available archivists and/or librarians to determine whether practices used in the retention of physical records are relevant to e-records retention.
  • Traditionally, the term “records” referred to handwritten or typewritten documents. Today, however, the sphere has broadened to include those produced in an electronic format. IT executives need to determine what records are related and relevant to business functions, and what can and should be transmitted and stored in electronic form.
  • For a record to be considered as evidence in the future, its authenticity must be ensured. To do so, IT executives ought to validate that steps have been taken to define and outline access privileges, loss prevention, and security procedures to prevent corruption. Additionally, IT executives should demonstrate that they have established rules regarding which records are authenticated, by whom, and the means by which this will be done.

IT executives are increasingly faced with the challenge of maintaining enterprise critical information in electronic form. The surge in criticality, value, and volume of digital information is overwhelming, and is projected to continue to grow at a rate of 50 to 70 percent annually. This is fast outpacing IT’s ability to collect, store, and manage it. However, the importance of implementing a formal records retention process is critical if the enterprise plans on remaining viable in today’s business environment. Part One, this Note, will focus on definition, classification, and authentication of electronic records. Part Two will focus on formulation of an electronic records retention policy, and design of a storage infrastructure to support the process.

Additionally, lawmakers have begun to place their focus increasingly on electronic records retention, especially in light of high profile scandals such as Enron, making it essential for IT executives to focus on retention policies and procedures within their enterprise. A recent survey from Cohasset Associates, Inc. stated that 76 percent of respondents felt that there was a significant opportunity to improve the effectiveness of their record management program. More significantly, only 44 percent stated that their current system included provisions for electronic records.

As IT executives work to ensure protection of their data and viability of the enterprise, there are a number of steps to be taken. What follows is a guideline for IT executives to follow in their formulation of a retention policy. However, it should be noted that a definitive set of best practices does not exist. Various academic bodies have furiously debated the issue, and as of yet have not determined a “one-size-fits-all” plan. IT executives should examine specific requirements at their own enterprises, and adjust and modify the guidelines to best suit those requirements.

Definition and Classification

Before undertaking the task of formalizing the retention of electronic records, IT executives need to determine what constitutes an electronic record. Simply put, a record is any body of information that has been documented within a discernible sphere of activity. Traditionally this meant information in written form, but it has come to include information created in an electronic format as well. In the context of business activity, this can encompass financial records, research journals, e-mail, IM messages, and information contained within chat rooms, insofar as the information pertains to the mandate or functions of the organization.

IT executives should determine what records are related and relevant to business functions. This can best be done through some form of a classification process, to determine the disposition of a record, i.e., whether or not the record should be kept or destroyed. To do so, IT executives can choose to involve the individual creator(s) of the record, or can centralize such a function. However, for purposes of authenticity and inclusiveness, it is best to automate and centralize the process as much as possible, for reasons that will be explored further in this Note.

As part of the classification process, IT executives also need to determine the continuing effectiveness of an electronic record. This will help to determine the location and the type of storage media on which the record should be retained. For example, a record could be stored online, nearline, or archived offline. Frequency of use is often the biggest consideration, but there are a number of other factors that IT executives ought to consider. For example, the cost of storage hardware and software, as well as the associated management costs, come into play. Although it may be preferred to store all records accessed on a monthly basis on a medium such as disk, that may be cost prohibitive for some enterprises. IT executives should weigh such factors in their decision-making process.

Once records have been classified as being related to business functions, it will become important for IT executives to select which records (for example, e-mail, instant messages, journals, word processing documents) will be retained. Not all records related to business functions will warrant retention. Only those records that contain information critical to the functions of the business should merit long-term retention. For example, intra-office memos pertaining to the scheduling of routine staff meetings most likely should not be retained. Once IT executives have defined, classified, and selected the records to be retained, they need to turn their attention to authentication of the electronic record.

Record Authentication

IT executives should investigate preservation of “contextual” information, to validate the authenticity of the document in question. For example, contextual information can include the date and time the record was created, origins in the organization, recipients of the record, etc. This may be important to future litigation when it may not be evident why a record was created.

Because of their format, records kept in electronic form may be exposed to alteration and tampering. Therefore, it becomes imperative for IT executives to ensure the authenticity of the record if the record is to be considered as evidence in the future. According to the International Research on Permanent Authentic Records in Electronic Systems (InterPARES), to “assess the authenticity of an electronic record, the preserver must be able to establish its identity and demonstrate its integrity.” Identity refers to the distinguishing characteristics of the record, such as author, date of creation, and date of transmission. Integrity refers to the incorruptibility of the record. InterPARES states that this does not mean that the record is exactly the same as when it was created, as factors such as deterioration over time come into play. Therefore, the physical integrity (such as the bit strings) may be compromised, so long as the message contained within is unaltered. In other words, it is the articulation of the content and elements of form that are most at stake.

IT executives must ensure that the electronic records remain unaltered. To do this, a number of policies need to be put in place, in conjunction with the overall process of e-record retention. IT executives in regulated industries, or in situations where there are ongoing criminal and civil proceedings, need to involve their legal or compliance departments in the determination of policies, and verify those policies with regulators before implementing them.

Most IT executives will assume that the originator of the electronic record has preserved its authenticity throughout its lifetime. However, to validate this approach, IT executives should ensure that a number of requirements are met. According to InterPARES, it will be important for IT executives to ensure that access privileges concerning annotation, creation, modification, record destruction, and relocation have been defined and effectively implemented. IT executives should have in place procedures to prevent, discover, and correct loss or corruption of records. Procedures to guarantee continuing identity and integrity of records against media deterioration and across technological change will need to be defined and implemented. Moreover, should authentication be required for legal or other purposes, IT should be able to demonstrate that they have taken steps to establish rules regarding which records should be authenticated, by whom, and the means of authentication.
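The InterPARES distinction above (identity as contextual metadata, integrity as an unaltered message rather than identical bits) and the requirement to discover loss or corruption can be made concrete in a small provenance manifest. The following is an added illustration, not code from the Research Note or from InterPARES; the manifest fields, the records-team key, and the sample memo are all constructed for the example. Content is hashed in a canonical form so that a harmless physical change such as a line-ending conversion during media migration still verifies, while a change to the message or to the identity fields is reported.

```python
import hashlib
import hmac
import json
import unicodedata

# Constructed demo key. In practice the neutral records management team
# would hold this key (or a signing key), so that neither the record's
# originator nor an application administrator can re-seal a manifest.
RECORDS_TEAM_KEY = b"constructed-demo-key-not-for-production"


def canonical_content(text: str) -> bytes:
    """Reduce the record to its message: normalise Unicode, unify line
    endings and drop trailing whitespace, so the digest covers what the
    record says rather than the exact bit string it was stored as."""
    norm = unicodedata.normalize("NFC", text.replace("\r\n", "\n"))
    return "\n".join(line.rstrip() for line in norm.split("\n")).strip().encode("utf-8")


def seal(fields: dict) -> str:
    """Keyed digest over the identity fields plus content hash."""
    payload = json.dumps(fields, sort_keys=True).encode("utf-8")
    return hmac.new(RECORDS_TEAM_KEY, payload, hashlib.sha256).hexdigest()


def make_manifest(record_id, text, author, created, origin, recipients):
    """Identity (who, when, where, to whom) alongside an integrity digest."""
    fields = {
        "record_id": record_id,
        "author": author,
        "created": created,          # ISO 8601, recorded at capture time
        "origin": origin,            # organisational unit that produced it
        "recipients": sorted(recipients),
        "content_sha256": hashlib.sha256(canonical_content(text)).hexdigest(),
    }
    return {**fields, "seal": seal(fields)}


def verify_record(manifest: dict, text: str) -> str:
    """Return 'authentic', 'identity-tampered' or 'content-altered'."""
    fields = {k: v for k, v in manifest.items() if k != "seal"}
    if not hmac.compare_digest(seal(fields), manifest["seal"]):
        return "identity-tampered"   # metadata edited or seal forged
    if hashlib.sha256(canonical_content(text)).hexdigest() != fields["content_sha256"]:
        return "content-altered"     # the message itself changed
    return "authentic"


# Constructed sample record: a CRLF memo as captured from a mail system.
SAMPLE_MEMO = "Board approved the Q3 budget.\r\nSee attached figures.  \r\n"
SAMPLE_MANIFEST = make_manifest("MEMO-0001", SAMPLE_MEMO, "cfo@example.com",
                                "2002-11-04T15:30:00Z", "Finance",
                                ["ceo@example.com", "legal@example.com"])
```

Running `verify_record` on the memo after conversion to LF line endings still returns `authentic`, whereas editing a word or the author field is reported.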

IT executives should address immediately any of the basic requirements above not yet met at their enterprises. This can require both a procedural and a technological approach, to prevent any accidental or malicious alteration or destruction of records. IT executives will need to implement a management policy, and will need to decide who will be responsible for the day-to-day maintenance of the electronic records. Records can be maintained within the application programs through which they were created. However, it oftentimes makes more sense, both for legal purposes and for streamlining the management process, to provide a central electronic records management system. This can be incorporated with the document management system in place for paper records, to help streamline the process.

By placing control in the hands of a neutral records management team, IT executives are helping to ensure that such records may be considered as evidence in the future. This can be done logically or physically, for example through a central system maintained by an archivist or records manager, or through an outsourced third party. However, IT executives should analyze their individual enterprise needs to determine whether a decentralized or centralized approach, or some combination of the two, will be most likely to satisfy those needs.

RFG believes that defining and classifying records is the first step in a comprehensive electronic record retention policy. IT executives should make this a priority before formulating any retention procedures. Additionally, authentication is imperative if records are to be considered as evidence in the future. IT executives should take the steps necessary to ensure that contextual information is preserved and that the documents are not corrupted over time.

RFG analyst Christie Hangey wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Ms. Hangey.