How to Design a Legally Defensible

Records Retention Plan Robert Fowler | Jordan Lawrence

CIPP US and Professional Services Manager

Jacki Cheslow | Avis Budget Group

CCEP and Senior Manager, Corporate Compliance & Corporate Records

Jennifer Smith Finnegan | Herrick, Feinstein LLP

Partner and Co-Chair of E-Discovery Committee

Upon completion of this session, participants will be able to:

1. Design a legally defensible records retention plan

2. Implement a successful retention program across the

enterprise

3. Leverage your records retention program in litigation

Learning Objectives

2

Corporate Objectives

Legal Landscape

Where Companies Miss the Mark

Developing Your Records Plan

Inventory

Retention Schedules

Implementation & Enforcement

Records Plan

Effective Litigation Holds

Program Agenda

3

Corporate Objectives

Find Information

Compliance

Efficiency

Savings Reduce Storage & Discovery Costs

Retention

Supporting Processes

Eliminate Obsolete Records

Manage & Protect

Discovery

4

Corporate Objectives

Find Information

Compliance

Efficiency

Savings Reduce Storage & Discovery Costs

Retention

Supporting Processes

Eliminate Obsolete Records

Manage & Protect

Discovery

90% of records, once filed, are never referred to again

95% of references are to records less than 3 years old

67% of data loss is directly related to user blunders

30% of paperwork is useless and could be eliminated

5

Legal Landscape & Considerations

Responding to government

audits and investigations

Obligations as a Party to

Litigation

Focus on ESI

6

Records Management Issues = Compliance Issues

Regulatory environment has

become highly aggressive

Body of ESI is growing

exponentially

Complexity of both content and

records is growing

Locations where records exist is

expanding

7

Missing the Mark: Policies Don’t Equal Action

8

Missing the Mark: Policies Lack Clear Guidance

9

Missing the Mark: Policies Lack Clear Guidance

10

Missing the Mark: Employees Are Confused

11

Know Your Information

Sensitive What

Where Retention Media

“Records Datamap” 12

Profile Your Business Folks

What: Pension Records 1

. Where: Human Resources 2

. Sensitive: SSN, PII, GID’s 3

. Process: Saved to thumb drive – sent to audit firm 4

. Retention: Permanent 5

.

13

Record Types

Start With What’s Familiar

| Advertising Records | Audit Reports | Backstock | Brand Strategy | Benefit Filings | Budget Records | Contracts | Coupon Records | Credit Card Reconciliations | Customer Complaints | Daily Sales | Design Sketches | Floorset Documents | Import Documentation | Inbound Merchandise | Inventory Projection 14

Applications

| Addept | Agile | Ariba e-Procurement | Ariba e-Sourcing | ASN Re-Route | Aspect Workforce Management | Blue Martini | Barrow Book | B-Smart FSA | Epiphany | Health Systems International | HireRight | Life Safety Database | My Customer | TeamMate

Start With What’s Familiar

15

| Retention | Sensitive | Locations | Movement

Email Personal Archives Laptop Paper Shared Drives

FTP Extranet Express Mail Third Parties Secure Mail

Business Need Tax Support Industry Standard Requirements Regulations

Then Go Deep

Customer Information Personally Identifiable Information Government Issued IDs Financial Information Employment Information Sensitive Information (EU)

16

Records

Inventory

Draft

Retention

Schedule

Steps to an Effective Program

17

Retention Schedule Best practice

retention.

Easy for employees

to understand.

Incorporates

industry standards.

Defined trigger

event.

18

Regulatory Tagging

Secure Disposal

Vital Record

PCI Data Security Standards

EU Data Protection Directive

SOX

FACTA

GLBA

HIPAA

ITAR

19

Records

Inventory

Draft

Retention

Schedule

SME &

Functional

Expert

Validation Legal

Review

Finalize

Retention

Schedule

Steps to an Effective Program

20

Executive Support

Partner with Subject Matter Experts

Legal

Compliance

Internal Audit

IT & Security

Privacy

Tax

Implementation

21

Build a Records Coordinator Network

Business Area Representatives

“Feet on the Street”

Receive program updates and notifications

Work with the Technology Group

Review backup practices

Review other related policies

Implementation

22

Develop a Communication Plan

Tool Kit

Internal website

Blogs

Job aids

Posters & flyers

Implementation

23

Enforcement

Annual policy notifications

Routine disposal practices

Processes for onsite/offsite storage

Maintain an audit trail

Program Training

Employee Accountability (Auditing)

Implementation

24

IMPLEMENTATION Publish Retention Schedule

Publish Policies

Communicate Directives

Training

Disposal

ASSESSMENT Identify Records

Sensitive Information Tagging

Regulatory Tagging

Gain Insight into Current Practices

DEVELOPMENT Approve Retention Schedule

Address Legacy Processes

Approve Policies

ENFORCEMENT Annual Policy Communication

Routine Disposal

Compliance Monitoring

Periodic Auditing

I

A

D E

>

25

Increased Efficiency & Productivity:

faster filing and retrieval of information

fewer misfiles

Decreased cost and litigation risk:

Reduced need for filing equipment, supplies and floor space

Reduced costs for document collection, review and

production (both electronic and paper)

Reduced risk of adverse results in litigation from lost

documents

Reduced cost for costly recovery of vital records

Leveraging Your Records Plan: Selling Your Program

26

Datamap of Record Types

27

Datamap of Applications

28

Leveraging Your Records Inventory: Where Email Lives

52% | save email to shared drives

50% | personal archives

43% | save to workstation hard drives

29% | printed and filed

10% | save to laptops

7% | save to external hard drives

2% | forward email to personal accounts

83% of Employees save email outside the

central messaging environment

29

Leveraging Your Records Inventory: Reference Value of Email

100%

55%

19%

0% 0%

20%

40%

60%

80%

100%

< 6 Months 6 Months to 1 Year 1 to 3 Years 3 + Years

30

Leveraging Your Records Inventory: Strategic Rules for Email Deletion

31

General Information (Short-term Value)

Information (Intermediate

Value)

Records (Long-term Value)

Retention Strategies for Unstructured ESI

32

• Consult with an e-Discovery specialist

and your Attorneys

• Identify case issues and information

custodians

• Issue a WRITTEN AND ELECTRONIC

litigation hold

• Partner with IT

• Focus on management of costs from

step one and manage for life of litigation

• Focus on risk management evaluation

SO… What do you do if… WHEN YOU GET SUED?

33

Process should be, repeatable and enforceable It

should be well-documented, closely-monitored

and transparent

Issue timely, written legal holds

Ensure record custodians understand what is

required and how to comply

Follow up with audit trails, one-on-one interviews,

supervised collection

Effective Legal Holds

34

Provide for periodic updates and reminders

Account for employee mobility and turnover

Consider third-party custodians

Thoroughly document actions and the basis

for decisions

Effective Legal Holds

35

Complete a records inventory

Build policies from industry-specific standards

Build retention schedules from industry best practices

Partner with subject matter experts

Build a network of records coordinators

Develop a “Tool Kit”

Communicate and train business people

Distribute litigation hold notices (track compliance)

Routinely dispose of obsolete records CUT STORAGE COSTS | REDUCE PRIVACY RISKS | REDUCE DISCOVERY EXPENSE

Audit the program

Program Development Check List

36

Questions

37

Continue the Conversation

Follow us on Twitter

@ARMANNJ

… and find us on LinkedIn by searching ARMA Northern New Jersey Chapter

… or visit our website at

www.armannj.org

How to Design a Legally Defensible

Records Retention Plan

Robert Fowler | Jordan Lawrence

CIPP US and Professional Services Manager

Jacki Cheslow | Avis Budget Group

CCEP and Senior Manager, Corporate Compliance & Corporate Records

Jennifer Smith Finnegan | Herrick, Feinstein LLP

Partner and Co-Chair of E-Discovery Committee