Digital Document Retention Policies and Post-Enron IT Governance
David Vaile, Executive Director
Baker & McKenzie Cyberspace Law and Policy Centre, UNSW Faculty of Law
Dec 19, 2015
Digital Document Retention
David Vaile
Baker & McKenzie Cyberspace Law and Policy Centre
University of NSW, Faculty of Law
http://www.bakercyberlawcentre.org/ddr/
Introduction
• Recent changes in governance, cases
• White paper (copies available on request)
• Baker & McKenzie, ACLA, suppliers, Galexia
• Aimed at filling gaps for lawyers, IT, management
• Starting point only – you need firm-specific advice
Sources of IT risk
• Beyond hackers, viruses and disasters
• Digital documents as a source of risk
• Overlap security: create, use, destroy
• Chaotic hybrid: paper, digital, portable
• Not just technology: usage, usability, policies
Digital documents – Key questions
• Can you find it when you need it?
• Have you kept dangerous junk?
• Do you have a policy?
• Does it work for users?
• Do staff know why to keep or destroy?
Why does this matter?
• Business process support
• PR and public confidence
• Litigation
• Governance
• Efficiency in the back office
Examples and fiascos
• Boeing CEO's embarrassing email
• McCabe v. British American Tobacco (BAT): embarrassing ‘Evidence Destruction’ policy
• Enron: built on dodgy digital documents
• HIH: the inquiry
Where it hits the fan: Litigation and preparation for it
• Critical role of preparation for document analysis
• 3 teams involved: IT, legal, executive management
• Three domains: pass the buck?
• Head in the sand?
• Beware of being too clever
McCabe v. BAT (Vic Sup Ct): Evidence destruction = BAT loses!
• Critical documents were scanned
• 30,000 originals destroyed
• Although no litigation afoot at the time…
• BAT anticipated the likelihood of future claims
• Vic. Supreme Ct, appeal
• US DOJ very interested in original principle …
Types of digital documents — features
• Email: metadata (relevant for all), logs, contents…
• Scanned documents: when, where, who?
• ‘Office’ documents: copies, junk, version
• Network and infrastructure logs
• Databases, web: transactions, state
Delusions of control?
• IT as a control system
• Increasing independence of users
• Head office/Back office vs wandering road warrior
• Policy must be realistic and workable
Overview of legal issues and compliance
• Business reasons first
• Examples of legal obligations
• The big one: is it “Evidence”?
• Need specific assessment and advice
• Document your policy development process
• Test compliance
Sources of DDR legal obligation
• Legislation (Tax, Corporations, Privacy, Spam Acts…)
• Special case: rules of court
• ‘Common law’, cases such as McCabe v. BAT
• Industry codes (may be enforceable)
• Contract
Who requests the info?
• Litigation: parties, courts
• Regulators
• Law enforcement
• Customers, suppliers
• Rivals or tactical litigants
Types of obligation (1)
• Evidence for litigation
• Legal professional privilege
• Corporate governance by directors
• Taxation and money laundering
• HR, employment, admin, accounting….
Types of obligation (cont.)
• Insurance
• Personal information: Privacy, Corporations Act
• IP: copyright, patent, DRMS
• Marketing: Spam Act
• Contract and outsourcing
• Industry good practice
Litigation
• Is litigation contemplated?
• Nature of the industry
• What documents are relevant
• Where can we reasonably expect it?
• Document the creation of a policy
• And its implementation and review
The new corporate governance: Yikes!
• Sarbanes-Oxley (SOX)
• Basel II, CLERP 9
• US approach: litigate first, negotiate later
• Directors and execs personally liable
• Suddenly more serious!
• IT risks too; corporate governance response
Digital Document Retention Policy: First step to a solution?
• Systematic and documented practice
• Can justify destruction or retention
• Contents of a Digital Document Retention Policy
• Implementation
• How to refine a DDR policy
Steps to assess for Archiving/Destruction
• Required for current use?
• Required by contract?
• Required by law or regulation?
• Limitation period still applicable?
• Required for business reasons?
• Required for litigation?
Guidelines for inclusion in policy
• Sedona Principles (post Enron)
• AS ISO 15489 ‘Records Mgt.’ (AS 4309)
• US: DoD and NARA
• International: ISO 15489
• EU: Model Requirements for Management of Electronic Records (MoReq)
IT contributions to a solution?
• Document management systems
• Rich documents and metadata
• Logs for transactions and accesses
• Access control, authentication
• Automated backup, archiving
• Targeted and reliable recovery
Legal contributions to a solution?
• Analysis of legally significant data
• Analysis of industry and business
• Description of obligations
• Litigation and other risk assessment
• Draft the document retention policy
• Governance briefings for board
An integrated package:
• Everyone needs to be aware (KISS)
• Policy, tools, practices, oversight
• Integrate w. other policies and routines
• Existing document management practices
• Reality checks: audits, reviews
• Where will you be when it hits the fan?