New e-discovery rules that went into effect Dec. 1 pose a range of challenges for banks. And what the bankers are learning from complying with amendments to the Federal Rules of Civil Procedure can be extended to other companies grappling with e-discovery. InformationWeek's sister publication, Bank Systems & Technology, had freelance writer Peggy Bresnick Kendler discuss banks' compliance efforts with four experts.
Barry Murphy, principal analyst, Forrester Research: The amendments affect organizations in three ways. First, they require a framework for early attention. Organizations not ready to address issues when litigation or regulatory requests hit will immediately be behind.
Second, they give a safe harbor for data destruction, meaning there are no penalties for deleting electronically stored information in keeping with routine operation of IT systems if the party took reasonable steps to preserve it. However, this means that organizations must have granular retention policies in place, and technology to enforce those policies and audit the enforcement as well.
Finally, there's the requirement for native file production. Organizations must be able to produce electronically stored information in its native format with its metadata intact and prove a valid chain of custody. Again, this spotlights the need for technology to manage the full life cycle of information.
John Mancini, president of AIIM, the enterprise content management association: Companies need to know what electronic information they're storing and where it is. They need policies in place governing the management of electronic information, they need to follow those policies, and they need to be able to prove compliance. The it's-too-hard-to-produce argument won't stand up anymore. These sound simple and basic on the surface. But according to AIIM surveys, the environment in most firms is barely controlled chaos.
ARE BANKS PREPARED?
Murphy: In my experience, banks are only ready for specific discovery requests, like those relating to Securities and Exchange Commission Rule 17a-4. To comply with that rule, many banks have deployed e-mail archiving systems. However, they have done so only for brokers. Discovery truly applies to all employees and to all kinds of content, not just e-mail. The large banks I've spoken with have yet to connect records management with e-discovery, which says to me that they're definitely not ready to deal with the amended rules proactively.
Mancini: Banks and other organizations with pre-existing requirements related to electronic information are probably in better shape than most to deal with the new electronic discovery requirements. They already have some experience with managing electronic information in a structured fashion.
Michael Sears, VP of enterprise discovery, Mathon Systems: Banks, like most large institutions today, lack the fine-grain policies and the enforcement tools necessary to stay ahead of the wave of documents and e-mail. I say "fine grain" to mean those policies that closely consider the content, originator, receiver, and time/date of the communication. All of those factors should be considered in creating a records- and message-retention policy.
Most organizations decide en masse to maintain all documents for five years and then delete no matter what as a policy. That's not going to work for a court that's trying to facilitate a good-faith search for a needle in a haystack. You must have a detailed policy and then the mechanism to enforce.