While most in-house counsel know it’s now imperative to develop a records retention policy to handle government investigations of alleged corporate wrongdoing and to prevent damaging electronic evidence seeping out in discovery, the really hard part is enforcing the policy so it actually works.
From making sure personnel follow stringent records retention and destruction policies to getting employees to change their behavior when it comes to e-mail usage, compliance is the new and difficult challenge facing in-house counsel.
“There is a lot of advice out there on what the elements of a good document retention policy are,” notes Boston attorney Michael R. Heyison, who advises clients on records management and compliance. “But the real challenge is once you put it in place, how do you get people from the top to the bottom of the organization to comply with it?”
To ensure compliance top to bottom throughout a company, experts advise in-house counsel to:
• select software that integrates both hard copy and electronic data in a records retention policy, and manages information based on user input;
• ensure their companies diligently and consistently educate and train employees by department, rather than through a one-size-fits-all approach; and
• create a separate records retention policy just for e-mail.
Diane Carlisle, director of professional resources at ARMA International, the association for information management professionals, notes that “developing the policy is one thing, but it doesn’t do anybody any good if it just sits on a shelf. In fact it can be worse for you if it just sits on a shelf.”
Technology Solutions
Scores of technology companies have entered the market with software solutions to help organizations manage their documents for compliance. By automating the process of records retention and destruction, these solutions take the guesswork out of compliance and leave the individual employee with little more to do than input data to categorize their documents.
Regulations such as Sarbanes-Oxley and HIPAA (the Health Insurance Portability and Accountability Act), to name just some, have spawned a niche of technological products that aid companies in retaining and destroying documents according to federal or state laws.
The most effective of these, according to sources, are products that handle both hard copy and electronic data, and manage information based on user input.
“It is the solution of the future,” says Peter B. Sloan, a Kansas City, Mo. attorney who counsels clients on information management. “It is expensive, but there is not a means currently to do it nearly as well without that technology.”
While the myriad of software products available are nuanced in the features they offer, most have templates that require users to categorize documents every time they are created.
For example, an individual employee might have to enter information such as the date the document was created, who created the document, what information it contains, and regulations that govern its destruction. Certain programs will integrate directly with e-mail systems, such as Microsoft Outlook, so that users are prompted to categorize and file their messages every time they hit the send button.
And advanced search tools can help companies quickly locate documents during discovery. Conversely, these systems can be used to prove that documents were destroyed based on strict schedules governed by law.
(See below for a sampling of some electronic data management products currently available.)
Sloan calls these electronic records management systems “fairly easy and not time consuming to use,” and he notes that they will be used with increased frequency by companies over the next decade. “We’re just on the cusp of this.”
But while Sloan touts the benefits of 24-hour accessibility and ease of use with these programs, Carlisle cautions that fallible humans are still inputting the information.
“If you misclassify information then you run the risk that you prematurely destroy it, or it’s destroyed outside of the retention schedule, and that is very bad,” Carlisle warns.
In addition to off-the-shelf software solutions, many companies offer proprietary solutions and consulting services to help organizations with compliance.
Alice Lawrence of the Missouri-based Jordan Lawrence Group says many companies have developed records management policies over the last year or two, but they have no idea how to enforce those policies.
“I think the biggest problem is user discretion and lack of a centralized system to enforce a program,” Lawrence says.
Her company offers a proprietary solution called “Enforcement Solutions,” a web-based product that handles both electronic and hard copy data. The system sends out automated messages to employees about compliance and non-compliance with retention and destruction schedules. With e-mail, for example, employees will get a notice two to four times a year telling them to discard information older than a certain date.
The Jordan Lawrence Group was featured in a leading practices profile of the Association of Corporate Counsel America for its work with Applica Inc., which needed to develop a records management program following a large acquisition in 1998.
Training And Education
But human beings are not programmable machines, and sources warn that the larger challenge of compliance is changing behavior in the work environment. To accomplish this Herculean task takes consistent training, education and, most importantly, top-down messaging of the critical importance of compliance.
“People are going to comply with the things that management convinces them are important,” says Carlisle.
Several industry sources suggest that training could be best handled by assigning responsibility at the department level.
For example, a manager in the finance department would be responsible for ensuring that all of her employees have been trained in compliance, while a human resources manager would have the same responsibility in his department. Since different divisions within a company face different compliance challenges, this system often works better than a one-size-fits-all company-wide training program.
Professionals differ in their views, however, as to whether training should be handled online or in person.
Online training programs offer the convenience of 24-hour access by employees, and they don’t cut into an employee’s work time, sources say. Managers are able to track employee training as certain programs require the individual to take a test in compliance, or electronically guarantee that they have read and understand the material.
“I’m a big proponent of using the online tools,” says Carlisle, noting that web-based training systems become more cost efficient if employees need a refresher or if the company requires multiple compliance tests a year for employees.
Services like WeComply.com offer customizable training programs to meet a company’s industry-specific needs. And other vendors like South Carolina-based Pinneast offer online courses to help employees understand compliance issues surrounding HIPAA and OSHA standards, for example.
Pinneast offers 56 different courses for HIPAA alone, each tailored for different organizational settings in the health care industry, according to Pinneast President Brian Popken. And the company has designed an entire website, www.healthcare-u.com, that is devoted entirely to healthcare industry compliance issues and training.
“It’s essentially an online corporate university environment,” says Popken, who names Dow Chemical and Nortel Networks among his customers.
Pinneast’s products can range from $299 a month for fewer than 500 users to about $1,000 a month for several thousand users.
But Lawrence, of the Jordan Lawrence Group, says that online training doesn’t allow people the benefit of human interaction where they can speak up and ask questions about compliance.
Live training “gives people an avenue to say ‘I don’t understand this retention stuff,’” says Lawrence. “You wouldn’t get that on a one-sided web interface.” Lawrence does add that companies should have information about compliance available on their intranets for employees to consult whenever necessary.
Boston attorney Heyison suggests to his business clients that new employees be trained about job-specific compliance duties, and that they be reminded regularly at meetings about the importance of compliance. Heyison even suggests that compliance be both a part of an employee’s job description and something they are evaluated on in reviews.
“The problem with a lot of training is that it’s way too abstract,” says Heyison. “My recommendation is that you break it into small groups of people and that you use actual documents in situations that this group of people will encounter.”
Ultimately, compliance needs to constantly be on people’s minds, sources say. Regular reminders from management, discussions in workgroups or meetings, and mandatory training sessions can all help convey the importance of compliance.
“I’ve often heard that you can tell someone something once or twice and they will then know it,” says Sloan. “But you need to tell that same person something five or six times for them to do it.”
The Challenge Of E-Mail Compliance
Most attorneys agree that e-mail is a different animal when it comes to compliance.
The casual nature of the electronic correspondence, and the employee’s feeling that e-mail is somehow private, has landed many companies in hot water during litigation. As a result, e-mail often requires extra diligence on the part of management when it comes to addressing it in policies and enforcing compliance.
However, according to a 2003 American Management Association study of e-mail policies in the workplace, only 34 percent of companies have written e-mail retention and deletion policies. And an even smaller number, 27 percent, trained employees on those policies. This, despite the fact that 14 percent of respondents reported having been ordered by a court or regulatory body to produce employee e-mail, and that one out of every 20 companies reported having battled a workplace lawsuit triggered by e-mail.
“Any corporation should have a separate policy on e-mail,” insists Larry Bates, president of the Chicago chapter of ARMA International. “And it’s not an easy matter.”
Some sources suggest designing a policy to limit the amount of control employees have over their e-mail, which can be accomplished with auto-purge functions that delete e-mail after a certain period of time.
Another feature can be employed whereby a pop-up message appears with every e-mail message, reminding the employee that the information belongs to the company. Spot audits of employees’ computers can also help to convey the seriousness of compliance.
Sloan cautions, however, that things like automatic e-mail purging fail to take into consideration the content of the e-mail – another reason he favors record management technologies that can handle e-mail along with hard copy documents.
“They are an answer to the dilemma of how to manage e-mail based on its content rather than its medium,” Sloan adds.
Even with automated solutions in place, the most effective way to ensure compliance with e-mail policies is through education and training, sources say.
When counseling clients about records management and compliance, Sloan administers a web-based “E-Quiz” that provides employees with 10 different scenarios to consider the dangers of e-mail correspondence – everything from sending e-mails that refer to the boss in unpleasant terms to receiving and sending racy jokes at work. At the end of the quiz, individuals are provided with the correct answers and explanations to the questions. They are also given a terse reminder that e-mail belongs to the company.
“The bottom line is we want employees of companies to have an ‘uh-oh’ feeling when they are using the Internet or e-mail,” says Sloan. “The ‘uh-oh’ feeling is that thing that happens before we write something down on paper at work and put it in a business file.”
Boston attorney Brian E. Pastuszenski, who served as a panelist at a recent Compliance Week seminar in Boston, says a few good war stories from outside counsel can also help to remind in-house counsel and employees of the importance of compliance with e-mail policies.
Software Solutions For Records Retention Compliance Abound
A plethora of software applications and consulting services exist to help companies manage their records to comply with strict state and federal retention requirements. Some of the most helpful are those that manage the integration of both hard copy documents and electronic data, according to technology professionals at law firms and companies.
Automated processes also help to ensure that employees are complying with corporate mandates for retention and destruction of documents. Companies might want to look for the DoD5015.2 stamp of approval on products, which indicates that the product uses the same standards required by the Department of Defense. Basically what this means is that when a file or information is deleted from the system, it really is gone for good.
Below is a sampling of records management and compliance products that in-house counsel and their technology gurus might want to explore. (This is not an exhaustive list of all features of a product, nor is it an endorsement of any company or its products.)
Accutrac – The Accutrac Records Management Software Program manages physical and electronic records from creation through disposition in a centralized records repository. An e-mail management feature allows users to classify e-mail records into the system by connecting with desktop e-mail systems.
An un-editable copy of each e-mail is stored in the repository and can be retrieved or disposed of. Organizational retention policies can be entered into Accutrac to automate the process of records retention. For more information, go to www.accutrac.com.
Documentum – Documentum’s Records Manager product manages physical and electronic data. It allows users to define how long records should be kept and to indicate what should be done with the records after that period of time. Records Manager is DoD5015.2 compliant. For more information about Documentum products, go to www.documentum.com.
EMC2 – The Centera Compliance Edition is an integrated hardware and software solution for records management. An automated system of checking data integrity guarantees content authenticity. The program also ensures that records cannot be prematurely erased, in accordance with mandated regulations or internal corporate policies. Information is managed at the individual record level so that each record is retained, protected and disposed of according to its own policy, so both compliant and non-compliant data can be stored on the same system. For more information, visit www.emc.com.
FileNet – The FileNet Records Manager software stores records only for as long as they are legally required, holds records when necessary for litigation and discovery, and ensures that expired records are destroyed. Records Manager has applications for the finance industry (SEC compliance), governmental agencies (FOIA requirements and more), the insurance industry (HIPAA), the manufacturing and utilities industries, and cross-industry regulations such as Sarbanes-Oxley and the Patriot Act. For more information, go to www.filenet.com.
FileSurf – Software products allow for the management of both hard copy and electronic data through a system letting users enter key information about each file when filing it in the records management system. FileSurf has a special feature that integrates with Microsoft Outlook so that e-mail messages can be dragged and dropped into the FileSurf system. The program can be configured to prompt e-mail users to file messages upon hitting the ‘Send’ button. Retention schedule features allow users to identify documents that are due for archiving or destruction based on specified criteria. FileSurf is DoD5015.2 compliant. For more information, visit www.filesurf.co.uk.
iManage – Offers enterprise-wide content management systems. The WorkSite MP suite is specifically tailored to address compliance with Sarbanes-Oxley through configurable templates. The program allows compliance officers to create virtual workspaces to securely communicate compliance-specific issues to regulators, board members and audit committees. Audit trails are kept to verify various electronic communications within the company. More information can be found at www.imanage.com.
Iron Mountain – An industry leader in records management, Iron Mountain offers solutions for business records, healthcare records, digital archives and more. The company offers customized retention and disposal programs, dealing with both hard copy and digital documents. Iron Mountain also emphasizes risk control associated with legal and regulatory compliance. For more information, visit www.ironmountain.com.
KVS Inc. – Known mainly in the industry for its archiving software, KVS Inc. also offers extensive compliance solutions. Specifically, the Enterprise Vault Compliance Accelerator product manages e-mail to help companies comply with NASD and SEC regulations by allowing users to monitor and track e-mails. For more information, go to www.kvsinc.com.
LegalKEY – The LegalKEY Automated Records Management System is an enterprise-wide records management system that handles both hard copy files and electronic data. The system manages files from creation to final disposition, and uses a barcode technology to manage the circulation of documents. Many law firms already use the LegalKEY technology to manage client files. More information about this product can be found at www.legalkey.com.
New England Biz Law Update

