November 11, 2010

ARMA Session-Retention for Electronic Records-Or, Don Skupsky, some of your tips should sleep with the fishes

by Cary J. Calderone, Esquire

Donald S. Skupsky, JD, CRM, FAI, MIT is certainly one of the most respected and recognized Records Management thought leaders. If he is not the Godfather of Records Management, he is certainly a Godfather. His book/treatise is still the foundation for many corporate Record Information Management programs. However, coming from my background as a lawyer and IT consultant (see blog post "Who are you talking to?"), some of the RIM ideas he presented in this talk are really not applicable in the 21st-century world of managing electronic data. Case in point: he suggested companies have a policy to delete email after only 30-45 days? Whoa! This is really not a "best practice" for most companies. Let me explain.

When I started helping companies update their RIM programs and become DRED ready, I found some challenges with the old-guard Records Managers who cut their teeth, and perhaps their fingers, on paper. The drill was: declare a Record, protect it for the retention period and shred the other convenience copies. Simple. As readers of this blog already know, there are many reasons why this approach no longer works for email and other fast-moving electronic forms of communication. (See Shout out to Records Managers.)

While Mr. Skupsky has expanded on his original definition of what is a "Record" to allow companies to define it to include various electronic forms, at other times during his presentation he seems to completely forget the main reasons companies have and use technology. For example, let's consider his suggestion of as little as a 30-day retention period for email. Under his 30-day policy, users are supposed to take any email that qualifies as a "Record" (as defined by the company policy) and move it to another document management system or print it out for safekeeping and storage. Even if your company does not already have a specific legal requirement (like SEC 17a-4 or Sarbanes-Oxley) to retain email communications, there is a very good chance that employees who use their email as a work productivity tool have a habit of keeping messages for later reference for at least a year or two, if not forever. Can you imagine how many people would not bother complying with the rule if it meant moving only select "Record" emails to another system or printing them out for safekeeping?

In today's world, employees are using search technology, like Google Desktop and other search engines and crawlers, to mine their own electronically stored information for answers. It is a basic form of Knowledge Management and, in many cases, a major productivity enhancement. So, if you have a 30-day deletion rule and nobody wants to follow it, chances are they won't. Which means you will end up with a policy that ultimately shows at least one part of your RIM program is a sham. Not a good move if you end up in litigation someday.

Moreover, even if the 30-day policy is supported enough to pass a test in a discovery dispute in court, it is still not advisable. What about your early case assessment needs? Email that might be critical to determine if a potential matter has merit may be deleted from your servers, but it will likely still be in the possession of your potential adversaries. Or, perhaps it was printed out, or kept in another management program. How many hours will it take to retrieve and review those stored emails?

Even assuming your employees are willing to perform all the extra work to print and/or move those potentially critical emails, some of them may have content that would show that your employee(s) made a mistake.  How much effort will your employee(s) expend to store, search and retrieve those darn emails that may show they should be terminated?  I would bet that at least a few employees might just let those pesky emails get deleted after 30 days and hope for the best.  Once again, the result is potential discovery trouble for your company.

While I appreciated much of the presentation, it was a little bothersome to hear Mr. Skupsky's dismissive description of "groupware tools," which he "does not like." In the tech industry these might be separate development applications or wikis or even Instant Message comment threads. Does Mr. Skupsky believe that all of these amazing advances in the area of software and collaborative development will just go away because they are difficult to track and maintain according to a simple Records Retention Schedule? I am betting the answer is a resounding "No." These will be distributed and used, and even more tools will be invented. And, realistically, this will be so even if these tools make records management more challenging. Facebook, Twitter, and Cloud applications may make managing records more difficult, but they are not going away. We have to learn to proactively manage them.

I understand and respect the established industry protocols and efforts of any company in maintaining a working RIM program, but without a better understanding of how and why the new technologies are employed, creating a "dream world" easy-to-manage electronic records policy is not ultimately going to be productive, and may cause very serious issues in an otherwise well-intentioned RIM program.

I could not argue against some of his ideas without giving Mr. Skupsky a chance to explain himself, so I spoke with him after the session.  The next blog post will cover our discussion.   
