When Sarbanes-Oxley was enacted in 2002, it woke people up to the importance of document retention and management programs. In the years since then, the number of regulatory requirements has only increased.
For instance, the Health Insurance Portability and Accountability Act (HIPAA) includes specific requirements for patient information. The amendments to the Federal Rules of Civil Procedure regarding e-discovery are clear -- documents that may be the subject of litigation must be quickly and easily accessible.
The challenge for corporate executives today is crafting a policy that adequately addresses all the ins and outs of the different requirements. In a CIO.com piece published May 23, the CIO Executive Council offers four general guidelines for an effective document retention policy:
- Get the definitions right. Be sure to include all the different types of records. To determine what's needed, get input from peers and purchase toolkits to help sift through the information. One CIO quoted in the piece says he got buy-in from his executive peers and from corporate counsel by putting it in terms of dollars: "The cost ... in a federal lawsuit could be huge if we don't properly address retention."
- Balance the needs of legal, IT and general users. This isn't easy, because everyone has different needs, but doing so is worth it. Good communication with everyone when you're in the drafting process is important. If it makes sense to give management more storage space than the other users have, for example, then do so.
- Remember that retention is for the long term. The formats in which you save your documents and other files must be easily transitioned in the event of technology upgrades or replacements, according to the experts quoted in CIO.com.
- Craft policies so that they will pay the company as well as avoid penalties. For example, one company was able to resolve a vendor dispute in its favor because its retention policy was broad enough to include the e-mail traffic with that vendor.