Document Retention, Document Management and Data Warehousing in Outsourcing

October 9, 2009 by

Business enterprises must comply with a multitude of laws and rules governing the retention of business records.  Destruction or loss of business records could cause serious loss to the enterprise and its trading partners.  Fines might be levied under regulatory audits.   Documents supporting novelty, originality or date of reduction to practice might result in a loss of a business process patent.   In litigation, the enterprise might be unable to present evidence or rebut contradictory evidence.  Recognizing the need for electronic storage, legislatures and courts worldwide have adopted various “electronic signature” and “electronic documentation” statutes and rules allowing, as probative evidence, documents stored solely in electronic form, provided that certain notarial protections such as immutability (non-changeability), provenance and other customary factors for attesting to the origin and custody of the record are satisfied.  Records may also incriminate, so routine destruction of old records is advisable where no law or rule requires continued retention.

In response to such needs, service providers in logistics, storage, warehousing and data warehousing have developed an industry for the “life cycle management” of documents.  The life cycle includes document creation, gathering of related records, organization of directories and data bases under organizing principles, record storage, distribution, document retention, retrieval, accessibility, destruction and reporting and record keeping of the life cycle itself.  Such services involve different methods, cost structures and risks to the customer.

Recent jurisprudence establishes new rules governing “electronic discovery” under the Federal Rules of Civil Procedure.  The impact of such rules on document retention, document management and data warehousing in outsourcing should be clearly understood by both outsourcing customers and services providers.  Prudence dictates a number of “best practices” in records management in outsourcing.

Records Retention Policies and Procedures.

This article does not intend to list all laws that might require temporary or permanent document retention.  Rather, it is critical that each enterprise adopt policies and implement procedures for compliance with record keeping and record destruction requirements of law.

Right of Access to Records in Criminal Proceedings.

This article does not intend to discuss the right of the criminal defendant to obtain information, or the right of the prosecutor to obtain evidence through police investigations.  However, criminal negligence for corporate misdeeds is punishable under certain public statutes.  Accordingly, maintenance of “best practices” in records management could make a difference in outcomes for both the enterprise and its managers.

Right of Access to Records in Civil Dispute Resolution.

Right of Access to Records in Mediation.

Most business managers might agree to mediation if it is not onerous and does involve detailed is closures of business records.

Right of Access to Records in Arbitration.

In general, arbitrators have no mandate to compel adverse parties to engage in any disclosure or discovery phase for the identification of records that might have a relevance or probative value in dispute resolution.   The rules of arbitration of most common arbitral administration organizations generally do not require any such compulsory disclosure.

Right of Access to Records in Litigation.

Mandatory Discovery.
The U.S. Federal Rules of Civil Procedure 26 through 37 govern discovery in civil actions of any nature that may be adjudicated by U.S. federal courts.  These rules permit the giving of notice, formulation of legal and factual issues and revelation of facts through pre-trial procedures including depositions and discovery.    Rule 26(b)(1) defines very broadly the scope of mandatory disclosures by an adverse party in response to a request for discovery:

Parties may obtain discovery regarding any matter, not privileged, that is relevant to the claim or defense of any party, including the existence, description, nature, custody, condition, and location of any books, documents, or other tangible things and the identity and location of persons having knowledge of any discoverable matter.   For good cause, the court may order discovery of any matter relevant to the subject matter, involved in the action.  Relevant information need not be admissible at trial if the discovery appears reasonably calculated to lead to the discovery of admissible evidence.

In general, confidential business information may be discoverable and subject to a protective order so that the requesting party does not publicize it.

Scope of Discovery Must be Proportional to the Benefit.
Rule 26(b)(2) imposes general limits on discovery under a “proportionality” test.  A federal court may limit the frequency or extent of use of “discovery” methods if the court determines:

  • the discovery sought is unreasonably cumulative or duplicative, or is obtainable from some other source that is more convenience, less burdensome or less expensive;
  • the party seeking discovery has had ample opportunity by discovery in the action to obtain the information sought; or
  • the burden or expense of the proposed discovery outweighs the likely benefit, taking into account the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at stake in the litigation, and the importance of the proposed discovery in resolving the issues.

Payment for Cost of Disclosing Records and Information.
Normally, the courts presume that the cost of researching and producing the requested records and information in the discovery process must be paid by the responding party.  However, under Rule 26(c), the court may shift the cost to the requesting party to avoid “undue burden or expense.”  Oppenheimer Funds, Inc. v. Sanders, 437 U.S. 340, 358 (1978).

Common Law Approach to Equitable Determination of Cost Allocation and Cost-Shifting for Discovery of Records, including Electronic Records.
Different courts have adopted different standards and tests for balancing the costs and likely benefits.   The most influential response to the problem of cost-shifting in the discovery of electronic records was the eight-factor list adopted by U.S. Magistrate Judge James C. Francis IV in Rowe Entertainment, Inc. v. William Morris Agency, Inc., 205 F.R.D. 421, 429 (S.D.N.Y. 2002).   More recently, District Judge Shira Scheindlin of the same district court adopted a different rule to tailor the Rowe Entertainment principles to add one new factor and omit two unnecessary factors.   Zubulake v. UBS Warburg LLC, __ F.3d __, NYLJ May 19, 2003, p. 37, cols. 1-6, p. 28, cols. 1-5 (S.D.N.Y. March 2003) (claim for alleged wrongful discharge due to claimed sex discrimination in employment).   The Zubulake court reasoned that the factors should be weighted and that they should be not be predisposed, or “slanted,” as the Rowe Entertainment rules might do, in favor of shifting the costs of production from the responding party to the party requesting the electronic records.

The following table compares the two decisions:

Rowe Entertainment Factors
(without any order of importance or priority)
Zubulake Factors
(in numbered order of importance and priority)
1.The extent to which the request is specifically tailored to discover relevant information.
1. The specificity of the discovery requests.
2. The likelihood of discovering critical information.
3. The availability of such information from other sources. 2. The availability of such information from other sources.
4. The purposes for which the responding party maintains the requested data.
5. The relative benefits to the parties of obtaining the information. 7. The relative benefits to the parties of obtaining the information.
6.  The total cost associated with production (a test of absolute cost without reference to the amount in dispute). 3.  The total cost of producing the requested information as compared to the amount in controversy (a test of proportionality of cost to the amount in dispute).
4. The total cost of producing the requested information as compared to the resources available to each party (a test of proportionality of financial resources).
7.  The relative ability of each party to control costs and its incentive to do so. 5.  The relative ability of each party to control costs and its incentive to do so.
8.  The resources available to each party. [See factor #4 above.]
6. The importance of the issues at stake in the litigation.

Types of Storage of Electronic Records.
Retention of documents in electronic form allows cheaper and faster access, with easier determination whether a document is protected from the discovery process by some form of evidentiary privilege (e.g., attorney-client communication, attorney work product, husband-wife spousal privilege, etc.).   Judge Scheindlin’s opinion in Zubulake toured the types of methods for record keeping, with reference to accessibility and ease of production.

Whether electronic data is accessible or inaccessible turns largely on the media in which it is stored. Five categories of data, listed in order from most accessible to least accessible, are described in the literature on electronic data storage:

1. Active, online data:
“Online storage is generally provided by magnetic disk. It is used in the very active stages of an electronic records [sic] life – when it is being created or received and processed, as well as when the access frequency is high and the required speed of access is very fast, i.e., milliseconds.” Examples of online data include hard drives.

2. Near-line data:
“This typically consists of a robotic storage device (robotic library) that houses removable media, uses robotic arms to access the media, and uses multiple read/write devices to store and retrieve records. Access speeds can range from as low as milliseconds if the media is already in a read device, up to 10-30 seconds for optical disk technology, and between 20-120 seconds for sequentially searched media, such as magnetic tape.” Examples include optical disks.

3. Offline storage/archives:
“This is removable optical disk or magnetic tape media, which can be labeled and stored in a shelf or rack. Off-line storage of electronic records is traditionally used for making disaster copies of records and also for records considered ‘archival’ in that their likelihood of retrieval is minimal. Accessibility to off-line media involves manual intervention and is much slower than on-line or near-line storage. Access speed may be minutes, hours, or even days, depending on the access-effectiveness of the storage facility.” The principled difference between nearline data and offline data is that offline data lacks “the coordinated control of an intelligent disk subsystem,” and is, in the lingo, JBOD (“Just a bunch of disks”).

4. Backup tapes:
“A device, like a tape recorder, that reads data from and writes it onto a tape. Tape drives have data capacities of anywhere from a few hundred kilobytes to several gigabytes. Their transfer speeds also vary considerably.The disadvantage of tape drives is that they are sequential-access devices, which means that to read any particular block of data, you need to read all the preceding blocks.” As a result, “[t]he data on a backup tape are not organized for retrieval of individual documents or files [because] .the organization of the data mirrors the computer’s structure, not the human records management structure.” Backup tapes also typically employ some sort of data compression, permitting more data to be stored on each tape, but also making restoration more time-consuming and expensive, especially given the lack of uniform standard governing data compression.

5. Erased, fragmented or damaged data:
“When a file is first created and saved, it is laid down on the [storage media] in contiguous clusters. As files are erased, their clusters are made available again as free space. Eventually, some newly created files become larger than the remaining contiguous free space. These files are then broken up and randomly placed throughout the disk.” Such broken-up files are said to be “fragmented,” and along with damaged and erased data can only be accessed after significant processing.

Of these, the first three categories are typically identified as accessible, and the latter two as inaccessible. The difference between the two classes is easy to appreciate. Information deemed “accessible” is stored in a readily usable format. Although the time it takes to actually access the data ranges from milliseconds to days, the data does not need to be restored or otherwise manipulated to be usable. “Inaccessible” data, on the other hand, is not readily usable. Backup tapes must be restored using a process similar to that previously described, fragmented data must be de-fragmented, and erased data must be reconstructed, all before the data is usable. That makes such data inaccessible.  Zubulake v. UBS Warburg LLC, __ F.3d __, NYLJ May 19, 2003, at cols. 5-6 (S.D.N.Y. March 2003).

The Bottom Line: Who Should Pay for Producing Copies of “Accessible” Records and for “Inaccessible” Records.
In Zubulake, the court ordered the defendant, employer UBS Warburg LLC, to pay the cost of producing e-mails stored in active use or on archived optical disks.   The court remanded to a magistrate judge the allocation, in accordance with the Zubulake court’s seven-factor test, the costs of producing e-mails stored on backup tapes.   Production of records from the backup tapes and from archived optical disks was estimated to cost were estimated at  $300,000.   In this case, the terminated employee had been earning $500,000 a year in compensation, and the employer was a major international investment bank.

In the final analysis, this raises issues for enterprises (and their records management service providers) in connection with litigation strategy.

Best Practices in Records Management in Outsourcing.

In the era of electronic signatures, electronic litigation discovery and mandatory reporting procedures for publicly traded companies, certain “best practices” are emerging.

Service Level Agreements and Standards of Care.

Records management services agreements have generally defined the service provider’s standard of care both in legal terms (degree of negligence) and in technological and business terms (specified business procedures whose inputs and outputs are objectively measurable as service level agreements).

Business Purposes and Risks in Rapid Accessibility to Business Records.
Enterprises might wish to think twice before storing all e-mails on easily accessible storage means, such as Storage Area Networks, network attached storage and other “online” or “near-online” technologies.  If the enterprise is defending against a claim of unfair employment termination, it might be advantageous not to spend the additional cost for the more rapid method of access.   However, if the enterprise is considering use of historical e-mails for development of a knowledge basis using semiotic, robotic knowledge generation tools, the shareholders will probably reap great economic benefit from the “online” and “near-online” technologies.

Service Level Agreements.
All documents are not created equal.   The customer’s records retention policy must be clear.  The customer may need the right to change the SLA’s in response to newly mandated record keeping requirements, ranging from a longer statute of limitations to more detailed accounting reports under the Sarbanes-Oxley Act of 2002 (more related links at end of article).

International Records Management.
Records management generally should be maintained in the country where the records originate.   As enterprises globalize, internationalization of records management follows.   As a result, the peculiar legal issues relating to international business transactions should be identified and resolved as part of any international records management service contract.

Data Warehousing.
This phrase “data warehousing” describes the consolidation of disparate forms and types of data under “one roof,” that is, in a manner accessible from one program.   As digital information becomes more easily accessible to the data masters, so it may be more easily accessible to those, acting in litigation, seeking to obtain copies of that information.

Limitation on Liability.

An enterprise customer’s loss due to “poor” records management can come from any one of several sources, including:

  • loss of business records required to comply with contractual, statutory, regulatory or judicial obligations.
  • loss of goodwill.
  • fines and penalties from failure to maintain records, or to file official declarations and “returns” that are based on such records.
  • adverse evidentiary presumption in case of proven spoliation of evidence.
  • loss of rights in a trade secret.
  • loss of rights in a patent or patent application.
  • compulsory disclosure of business records that constitute an admission against interest in litigation.

Before agreeing to limitations on liability, the enterprise customer should consider each of these business risks and evaluate the likely impact on the enterprise.   Alternatively, the solution might lie in an enhanced SLA or more detailed statement of work.

Insurance and Other Risk Mitigation.

The enterprise and its corporate officers, directors and even shareholders may become directly or vicariously liable for the negligence or willful misconduct of its external service providers that provide records management services.    The corporate risk manager should review the company’s and the service providers’ insurance policies for errors and omissions, directors’ and officers’ liability insurance and coverages for valuable papers and business continuity.

Securities Law Compliance.

Record keeping is now a strict obligation under the U.S. federal and state securities laws.  The Sarbanes-Oxley Act of 2002 amended the federal securities laws to require that the CEO and the CFO certify that the financial reporting systems are adequate.    Service providers in the field of records management and document management should determine how much risk they are willing to assume in relation to liability arising out of:

Insurance and Other Risk Mitigation.

  • erroneous document retention policies of the enterprise customer;
  • negligence or gross negligence by the records manager; and
  • faulty procedures in any transfer or storage of data, including commitments of complete redundancy, data mirroring and disaster recovery.

Periodic Inspections and Verifications.

Trust depends on continued reliability.  Audit and inspection are a normal part of the outsourcing processes.  In the field of records management, the preparations for the date change in the year 2000 launched a global business process of disaster recovery testing.  Normal records management should have periodic inspections and verifications to ensure the processes continue as promised and, more important, as may be required to comply with emerging applicable law.

Internal Controls and Corporate Governance under Sarbanes-Oxley: Planning and Audit Processes in Outsourcing

October 9, 2009 by

Outsourcing poses a challenge to corporate governance principles and internal controls.

Compliance Mandate.

The rules are both simple and complex. They are set forth in the Sarbanes-Oxley Act of 2002 and related regulations of the Securities and Exchange Commission, the Internal Revenue Service, the Department of Labor and the U.S. Sentencing Commission and the fiduciary duties of directors and officers to shareholders.

Personal Assets of the Directors.

Directors are now putting their personal assets at risk. The agreements by certain former corporate directors of Enron and WorldCom, announced in early January 2005, to pay millions of dollars to shareholders from the personal funds of directors highlights the seriousness of the director’s fiduciary duty to exercise due care in managing a corporation.

Compliance Solved.

How can directors manage their statutory and common law duties without assuming unfair risk? Simply put, directors must understand the business, and all aspects of the business. Outsourcing is a normal element of any business.

Internal Controls.

Internal controls and effective management of any business enterprise depend on four basics. These basics apply to internally and externally sourced business processes.

  • Design of process;
  • Dialogue on design, auditability and monitoring of the process;
  • Documentation of the process as it is to be performed and as performed; and
  • Disclosure of the financial impact of the process as performed.

guide_1

Compliance Enhanced.
Properly conceived and structured, outsourcing can enhance compliance with Sarbanes-Oxley “internal control” procedures.  The design and implementation of any outsourcing agreement should contain appropriate safeguards and procedures to ensure that the processes performed by the service provider meet these internal audit and control criteria.

Planning for Compliance and Audit.
Your outsourcing service provider, as well as your internal business developers and lawyers, should have a clear plan to comply with these elements.   If you want advice, Bierce & Kenerson, P.C. can provide value.  wbierce@outsourcing-law.com.