Records Information Management - Whitepapers
Organizations across all industry sectors are attempting to
control the mounting flood of digital information being generated
daily—90% of it unstructured.
Conversation with Randolph A. Kahn, Esq. - President/Founder Kahn Consulting, Inc.
There is a lot of talk about Information Governance (IG),
but what is it really and why should you care? One definition is that
IG is the holistic approach to managing information that considers
the policies, procedures, processes, controls, and technologies that
allow an organization to better manage information assets from
creation through disposal and at all the various points in between.
If executives really believe information is still a vital asset, then
they need to rethink their entire information strategy. Keeping
everything forever ensures that employees are overwhelmed
by a mountain of outdated and unneeded content, and
in turn, business critical information will never be found
To date, many executives have only paid
lip service to the notion that information
is an asset and that they need to get
involved. For organizations to effectively
harness their information as an asset, they
will need to transform the way they manage
the vast quantities of business content
across their enterprise. They also need to
find tools and partners to help. Given the
exponential information growth, having
ready access to information in ways that
are "faster, better, cheaper" and "legally
compliant" is increasingly difficult. In
addition, the consequences of information
mismanagement are now greater than ever.
The following case summaries illustrate some of the technical challenges presented by the new
electronic discovery (eDiscovery) rules, and how to address them. The cases highlight how
technology, along with policy review and familiarity with the changes in the Federal Rules of
Civil Procedure, can meet those challenges.
Content Analytics (Text Analytics + Mining) refers to the text analytics process plus the ability to visually
identify and explore trends, patterns, and statistically relevant facts found in various types of content spread
across internal and external content sources. Content Analytics is the activity of using special software tools
to better understand digital content. In other words, using powerful software applications for business
intelligence purposes on all sorts of digital content.
Don't take the position that because information is an asset you should keep it indefinitely just in case
you might need it someday. This position is not sustainable and only makes your "disposal" problem more
complex and challenging down the road when you do wake up and find out that you just can't keep everything
forever. At minimum, you will have everything but won't have any idea what "everything" really is – how does
that help anyone?
ILG is more than just another acronym. It's a way of managing information over time with the necessary
controls to advance good business practices. ILG encompasses policies, processes, practices, and technology
used to manage information throughout its life starting with creation and ending with proper disposal. Sounds
simple on the surface, yet organizations struggle with the complexity of managing an expanding universe
of electronic information, more laws that dictate how information is managed, and greater consequences
for failing to get it right. Remember, information is an asset that allows your business to be "faster, better,
cheaper". ILG promotes business productivity and efficiency and allows your organization to be "legally
Despite the hopeful thinking that electronic discovery (eDiscovery) would "go away" with the
changes in the Federal Rules of Civil Procedure (FRCP) five years ago, the facts remain that
eDiscovery is still a headache and major expense during the litigation process.
eDiscovery costs have been continually spiraling out of control, and have been magnified by
economic conditions in which companies with declining revenues nonetheless have to defend
more expensive litigation. With the ever-growing volume of data that companies produce and
store, and expanding technology environments in which information is parked, the exercise to
unearth, secure, assess, review, and produce potentially relevant Electronically Stored Information
(ESI) is becoming more complex.
Information is like a vehicle, you need a place to park.
Over the past couple of decades, the business world has evolved from being paper-based into one almost
entirely in electronic form. Virtually all new information is born digital and may never make it into paper
form. The evidence of all kinds of business activities, contractual obligations, rights, and responsibilities, upon
which most global organizations will have to rely for business or legal purposes, is an electronic record.
No single recent development has simultaneously affected both legal and IT departments as profoundly as the revised Federal Rules of Civil Procedure ("FRCP"). The revised FRCP, with its requirements that legal departments "become familiar with" their organization's IT systems so they can "meet and confer" to discuss those systems with the opposing side in litigation (for example), requires an unprecedented alignment between legal e-discovery procedures, IT capabilities, and records and information management practices.
Electronic discovery (the process of finding, preserving and producing digital information responsive to a legal matter) has today captured the attention of lawyers, executives, IT professionals, and others like never before. One analyst firm posits that new federal rules for e-discovery are a key factor in the growing demand for information management software.
The following case summaries illustrate some of the technical challenges presented by the new electronic discovery rules, and how to address them. The cases highlight how technology, along with policy review and familiarity with the changes in the Federal Rules of Civil Procedure, can meet those challenges.
The reality today is that organizations have the mandate, the motivation, the information, and the tools to get information security right. This paper presents a series of industry-focused case studies designed to help organizations understand what can go wrong, and how to get it right.
E-discovery is a critical challenge for all organizations, and one that can only be successfully addressed through a combination of people, processes, and technology. This paper is the first in a series of three that are designed to help organizations quickly understand how to get started with understanding and addressing their e-discovery challenges. This paper focuses on the role that technology plays in preparing for, and responding to, e-discovery requests.
Recent changes to the Federal Rules of Civil Procedure (FRCP) require that legal and IT departments work more closely than ever before. The new rules require organizations to understand and manage information in a new way that bridges the gap between the business view of information and the IT view of information. To accomplish this, among other things, organizations should create a detailed sources profile of their Electronically Stored Information (ESI). This will help organizations identify the sources that they will produce information from during e-discovery. To get started, organizations should evaluate their current approach to email management and archiving.
Kahn Consulting was engaged by Hitachi Data Systems to evaluate the company's Content Archive Platform. The purpose of this Evaluation is to assess the product's compliance with general information and records management principles and to gauge its suitability as a platform for the secure, long-term storage of trustworthy electronic business records.
In undertaking this engagement, Kahn Consulting exclusively relied upon information supplied by Hitachi Data Systems through internal and external documentation, and interviews with Hitachi Data Systems' representatives. Kahn Consulting did not evaluate the Content Archive Platform in a live or laboratory setting or otherwise field-test any Hitachi Data Systems' products.
Kahn Consulting was engaged by ArcSight to evaluate the company's ArcSight Enterprise Security Management system. The primary purpose of this Evaluation is to assess the product's utility as a platform for collecting, analyzing, correlating, and generally managing computer security log files as evidence. In conducting this Evaluation, Kahn Consulting has assessed ArcSight capabilities against criteria derived from broad legal and regulatory requirements and best practices for the management of electronic information and records. The proper management of computer security log file information should be undertaken by organizations in the context of a formal, policy-driven program of people, processes, and technology.
Kahn Consulting was engaged by EMC Corporation ("EMC") to evaluate the company's Celerra product line. The primary focus of this evaluation is those Celerra capabilities that address the integrity, accessibility, security, and privacy of information. In conducting this evaluation, Kahn Consulting has assessed Celerra's capabilities using criteria derived from broad compliance requirements and best practices related to information management.
E-discovery is critical to the way that organizations manage themselves and their digital information during normal business operations and in connection with litigation, investigations, and audits. The amount of time, money, and resources expended on e-discovery can be staggering for those organizations that are unprepared. Content analytics is a tool that organizations should evaluate and consider as a key weapon in helping them better survive and even win the e-discovery battle. This brief provides a high-level overview of content analytics; discusses the value it can bring to the e-discovery process; and provides key considerations for organizations evaluating or adopting content analytics for e-discovery.
COMPLIANCE BRIEF SERIES
Kahn Consulting has developed a series of 10 Compliance Briefs. These 2-page documents are designed to provide a short, executive-level view of key information management laws, regulations, and issues. Written for information management practitioners from all backgrounds, these Compliance Briefs will help you build a basic understanding of the key issues impacting Information Management Compliance in your industry today.
SEC Rule 17a-4 Brief
COBIT and COSO Brief
E-SIGN Act Brief
Federal Rules of Civil Procedure Brief
Gramm-Leach-Bliley Act Brief
FDA Part 11 Brief
Privacy Laws Brief
Sarbanes-Oxley Act Brief
Retention Laws Brief
Kahn Consulting was engaged by EMC Corporation to evaluate the company's Centera Governance Edition storage platform ("Centera"). The primary purpose of this Evaluation is to assess the product's utility as a platform for the retention of electronic records and other digital information required for legal and regulatory purposes. Rather than focusing only on specific laws or regulations, in conducting this Evaluation Kahn Consulting has assessed Centera functionality against criteria derived from broad legal and regulatory requirements for admissibility, electronic evidence, and records management. Retaining and managing digital information in a manner that will satisfy the courts and regulators depends on a proper program of technology, people, and technical and procedural controls. This Evaluation assesses the value that Centera may bring to such a program.
Global organizations face new compliance requirements and challenges from a variety of new sources. The CIO must play a leadership role in ensuring that these organizations adequately address relevant IT compliance criteria. This paper outlines a strategy for CIOs tackling compliance issues in their organization. Rather than focus exclusively on specific laws or regulations, it explores a high-level approach to IT compliance issues – regardless of the laws or regulations in play.
Electronic discovery is nothing new. As far back as the 1970s the courts were working to address the production of electronic information and to define the reasonable limits of e-discovery. Fast forward to today, and we find organizations using information technology as their primary means of doing business and generating business information – but the same challenge remains. Companies, courts and litigators alike are still trying to define the reasonable limits of electronic discovery, even as rapidly evolving technologies continue to change how business is done and litigation is resolved.
As companies continue to use tools like email and instant messaging to conduct business and new technologies like blogging find their way into the corporate culture, businesses should consider the legal impact of these technologies on their organizations. From banks to drug companies, from retail to real estate, organizations in every industry, of every shape and size, need to understand that doing business digitally requires more of them than a simple point and click. It requires that they recognize the legal value of the information their technologies create and receive, as well as the responsibility to preserve and produce that information for legal proceedings, no matter what form it's in or where it resides.
This report examines the evolution required in the thought processes and evaluative criteria of CIOs, and outlines a new approach designed to help IT departments successfully anticipate and address their compliance needs. It explains why good information management practices should be driven by "faster, better, cheaper," and not by "fear, uncertainty, and doubt." Although information management failure clearly has a downside in the compliance context, it also has an upside in the business and operational context that cannot be ignored. Managing information properly might be a compliance requirement, but it is also essential to business success.
With so much of business today done electronically, organizations facing a lawsuit, investigation or an audit should expect that they will have to find and produce electronic information as part of the discovery process. Even though prosecutors and regulators have routinely required the preservation and production of electronic evidence for many years now, the process has continued to prove complicated and burdensome - for three reasons. One, the volume of digital information is growing exponentially; two, it is ubiquitously mismanaged; and three, it has become a target in the discovery process. Organizations using information technology to do business need to properly capture and manage the digital information they generate. However, many organizations continue to fall short when it comes to managing information in preparation for electronic discovery. Organizations can mitigate much of e-discovery's expense and inconvenience by developing a management plan that incorporates the right people, processes, and technology.
These are challenging times for the executives who run public companies, and perhaps even tougher times for those who manage the executives. Companies are paying handsomely for their employees' misdeeds and even for their mistakes. After all, it is not just intentional records destruction that is at issue. In light of this new reality, directors and officers need to rethink their role in managing the lifeblood of the modern corporation - its information assets. When the failure of a few employees to properly manage information can decimate the company's reputation, wipe out billions in company stock valuation, or even take the company down, directors and officers have no choice but to take action.
17 CFR 240.17a-4 stipulates specific record keeping requirements for certain exchange members, brokers, and dealers in the securities industry. It expressly allows for the storage, retention, and reproduction of records by means of "electronic storage media," subject to certain conditions. Sun Microsystems, Inc. has developed its Sun StorEdge Compliance Archiving System technology for use by exchange members, brokers, and dealers (among others) for the storage of electronic records in accordance with 17a-4, and has retained Kahn Consulting to evaluate this technology and provide an independent opinion on whether or not the product satisfies the relevant SEC requirements.
There are now hundreds, if not thousands, of laws and regulations that impact the way information is stored, transmitted, retained, used, managed, and destroyed. The law is increasingly imposing tough new requirements on IT departments. Whether it is securing the network, purging the email system, or managing databases, IT professionals need to understand the impact that today's legal environment has on their activities – or risk the consequences. While IT legislation arguably incorporates a wide range of topics, from antitrust law to zip files, this report focuses on those laws, regulations, court cases, and other legal developments that have a direct impact upon the individuals responsible for purchasing, implementing, and managing IT systems. In addition, rather than focusing on specific laws or regulations, this report examines the practical impact of these legal developments on IT management and decision-making.
A growing number of court cases address the way that organizations manage electronic records and information. These cases demonstrate not only the consequences of information mismanagement, but also the necessity of keeping records management practices up-to-date. Failing to manage information according to its value has had – and will continue to have – profound business and legal consequences. As a result, organizations need to adapt their thinking on business records.
There has been no shortage of media, trade, and analyst coverage around the passage of the Sarbanes-Oxley (SOX) law. No doubt, this far-reaching corporate governance and financial accountability mandate has had dramatic impact on the way that public companies document their business and the way that CEOs and CFOs account for their company's financials. But after the cloud of "FUD" (fear, uncertainty & doubt) has settled, how does SOX actually impact CIOs and corporate IT departments?
Information Lifecycle Management (ILM) has emerged as an approach to enterprise storage that is designed to align business needs and storage practices by basing storage infrastructure decisions largely on the value of information. For example, by storing less valuable information on less expensive storage infrastructure, ILM promises economic benefits while maintaining sufficient access to information and acceptable service levels for enterprise applications. As organizations move forward with ILM, it is critical that compliance considerations play a large part in ILM strategy, particularly when it comes to data classification standards and policies. Moreover, enterprises should leverage expertise found within the records and information management community, which has long understood that all information has a "lifecycle."
The Sarbanes-Oxley Act and recent court decisions emphasize the critical need for enterprises to take control of digital information in the context of audits, investigations, and litigation. Failure to preserve and produce content related to such proceedings can have serious consequences, including court sanctions, fines, and jail terms of up to 20 years. Enterprises need to act today to ensure that policies, procedures, and technology tools are adequate to support the preservation and production of electronic evidence.
For broker-dealers, there are three separate concepts related to third-party issues that should be considered individually when implementing new archiving processes, technologies, and vendor relations. These concepts are: Designated Third Party (D3P), Second Copy, and Escrow. This document has been prepared in response to questions commonly raised by securities firms about these requirements, and is specifically designed to help IT/IS departments understand their implications. The focus of this document is D3P, although the other two concepts are also discussed briefly. This document does not address all questions relating to these issues, and readers with specific questions should consult legal counsel.
At its core, SOX is an attempt to improve the accountability and transparency of public companies. Accountability and transparency depend upon trustworthy and accurate business records. In essence, business records serve as the bedrock of accounting and financial reporting systems. Earnings figures, for example, do not materialize from thin air - rather they derive from documentation of business transactions - invoices, purchase orders, contracts, payment information, and so on. Obviously, if these records are inaccurate, so too will be the information in the accounting system. As such, compliance with SOX relies on a foundation of information and records management practices that ensure the trustworthiness and accuracy of business records.
It is critical then, that companies understand how SOX impacts information and records management practices. This report examines the impact of SOX on this area and explores ways that companies might address SOX in their own information and records management programs.
Whether by choice or circumstance, technologists are increasingly being drawn into the world of information management compliance and, as such, would do well to become familiar with the challenges that lie ahead. This paper examines the shift that is occurring for IT/IS departments, the factors driving it, and the key issues for technologists. This paper also provides a survey of related law and regulations that affect the way information systems and e-records should be managed.
Download from sponsor's website
Email messages and other forms of digital data increasingly form the core of information that organizations rely upon to reliably document their business activities. At the same time, high-profile business failures, headline-grabbing investigations, and new and existing laws and regulations put every organization's approach to managing information under increased scrutiny. Despite this, many organizations fail to understand that the unique nature of e-mail and e-records requires investment in policies, practices and technology specifically designed to protect and promote their overall trustworthiness. A failure to do so can have disastrous legal, business, and operational consequences. The anatomy of an e-mail message demonstrates the importance of an e-record's authenticity, chronology, integrity, and in some cases, its confidentiality. Case law serves to demonstrate the importance of capturing and maintaining trustworthy electronic records.
Interest in information management is no more apparent than within the securities industry. Securities regulators are serious about information management, and the topic has received unprecedented scrutiny in the business press. It is within this context that this paper provides a brief overview of the law and technology of trustworthy e-records. Today more than ever, organizations must have the ability to create, capture, transmit, and store e-records in a trustworthy fashion. This paper examines why trustworthy e-records are needed; how trustworthiness can be created; and the role that WORM (Write Once, Read Many) media can play in the management of trustworthy e-records.
Today, more than ever, senior executives and managers in corporate America and government agencies have ample reason to move records management to the top of their agendas. Managers need look no further than the daily headlines to realize that failing to take records management seriously is no longer an option. Organizational accountability depends on it, laws and regulations compel it, shareholders and citizens demand it, and effective business processes require it. Whether it is the FBI admitting that it misplaced documents germane to the Oklahoma City bombing, or a stockbroker deleting email in violation of a court order, it is clear that records management has never been more important or more challenging than it is now. This paper examines the importance of records management for corporations and government agencies. It also explores the consequences of failing to take seriously the need to update and expand records retention practices to address information technology. Finally, it provides an overview of an approach to records management that can help organizations promote and protect their business and legal interests.
Written for: Legato Systems, Inc. Download
The impact of being unprepared can be disastrous – resulting in thousands of hours of lost employee labor, and millions of dollars in consulting and legal fees. In some cases, litigants have been forced to search, copy and produce millions of email messages at their own cost. In other cases, litigants have been required to create special computer programs to find and extract discoverable data and files believed to have been deleted. It is clear that organizations need to act now to prepare for the e-discovery challenge. This paper examines the importance of developing and enforcing e-discovery policies and practices, investing in supporting technology, and educating employees. It also explores the consequences of failing to prepare for e-discovery. Finally, it provides an overview of an approach that can help organizations prepare for e-discovery.
Written for: Legato Systems, Inc. Download
Any business can make a mistake or a poor judgment call. But it's particularly painful when a loss or failure is caused by the very technologies meant to facilitate doing business. The consequences of nonexistent or unmanaged e-business records can bring the mightiest of enterprises to its knees. Digital files are susceptible to corruption and alteration. Hardware and software technology systems are required to access, reconstruct, and render records into human-readable form. In the short term, this process is easily attacked in litigation. Over the long term, as technology evolves, the records will become inaccessible or unreliable due to inaccurate rendering. Thus, they will not be available when most needed. So how should a company manage its systems to protect its business and legal interests in the long run?
Published by: Eastman Kodak Company Download
The allure of the electronic signature ("e-signature") is simple. End-to-end digitization of valuable transactions with remote parties enables business to occur more quickly and less expensively, thereby increasing competitive advantage, or in the case of government, improving service delivery. In the absence of e-signatures, digitization can only occur up to the point that a signature is required, at which point the couriers take over and the queue at the DMV begins. This paper discusses the technology behind e-signatures, the business aspects of e-signature implementation and the critical legal issues attached to e-signature use. It was written to provide organizations with a foundation of knowledge that they can bring to bear on the e-signature implementation process.
Written for: PureEdge Solutions Download
Software as a Comprehensive SEC Rule 17a-4 Solution
Good record-keeping practice demands that records be carefully managed to ensure that they remain auth