If the policy is sound and consistently implemented over the enterprise, the corporation can walk into court with confidence, knowing that discovery won't find anything that it doesn't want to be found. But to achieve this sound and consistently implemented policy, the corporation has to train employees—and integrate this policy into its culture. Without doing so, it will rightly lack the confidence that its system is protected. It is much more likely to lose—because without a sound, well-implemented policy, it will know that "discovery" is bound to discover something it has no clue about.
Technology is essential, but compliance is key.
Introduction
In December 2006, the federal courts initiated sweeping new evidentiary rules governing discoverable corporate records, including rules that consider even routine voicemail messages corporate "records." These rules all but mandate that plaintiffs have workable, consistent records-management policies, along with systems that allow their rules to be implemented. Because of the incredibly complex nature of what now constitutes a discoverable record, this is creating a nightmare-like headache for corporate attorneys.
This new federal mandate requires:
- A pre-discovery meeting in which contending parties have to demonstrate their records-management policies—at this meeting, the lack of such a policy could have dire legal consequences.
- This corporate policy must present a rational way of managing, retaining, and discarding documents—including documents held by outside attorneys, CPAs, and others who create documents for the company that belong to the company.
- This policy must recognize that every email is a document—a record—and, along with other corporate records, emails can't just be discarded without a policy for managing the retention and destruction of records.
Why should corporate attorneys care? Because they have no option but to care.
By changing evidentiary rules, the federal courts have said "enough is enough"—and corporate lawyers have to make sure their clients or employers can follow these new evidentiary rules or face the risk that they'll lose in court over what is basically a fundamental technicality.
Compliance requires rock-solid policies that are widely and consistently implemented. Establishing corporate records-management policies that are technically in compliance with the new federal evidentiary rules is complex but not difficult. However, enforcing universal compliance across an enterprise that may encompass dozens of locations and thousands of employees empowered to create records may be nearly impossible. Mandates from corporate attorneys—even if these mandates are known and understood, which is in itself a monumental undertaking—have little impact on employees with little incentive to follow complex rules that add labor without adding productivity.
Faced with the need to impose compliance, corporate attorneys are running into issues ranging from human nature to the technical limitations of today's software.
Compliance Barriers
First, there is no "silver bullet" software system that will allow risk-managing attorneys to impose across-the-enterprise standards. Many vendors promise such miracles; in practice, they are unable to work as promised. Records-management policies fundamentally impact the way a company does business—it has to cover everything from archiving emails to authorizing who can create what documents. A technical solution—all by itself—does not, and cannot, provide the answer. Right-for-the-enterprise technology is essential—but that technology must be sensitive to the corporate culture, to the nature of the business, and especially to the way every person in the company works.
Next, because of the complexity of records management, mandates won't work—yet compliance with strict rules is required if records are to be managed in line with the new federal expectations. Realistically, corporate compliance will require both a high level of top-down C-level management focus and a sweeping, across-the-board employee buy-in. Ultimately, records-management compliance is in the hands of each employee with a computer or a phone. As a result, any truly complex system will be met with anything from passive-aggressive avoidance to open defiance. Front-line workers, hourly employees, and in-office staff trying to meet production quotas—or their service equivalents—have little incentive to comply with complex, time-eating records-management rules. Their managers—who are also judged on productivity—know this and will focus on enforcing rules that generate promotions and bonuses rather than those that will protect the enterprise from hostile discovery in a hypothetical future lawsuit.
Faced with these seemingly competing interests—strict technical compliance vs. operational realities and unwilling buy-in—in-house counsel and outside counselors both have to be particularly aware of how these new rules drive records-management requirements and discovery requirements.
Managers and employees required to comply with complex new rules will not be happy, but to the courts, that makes no difference. There is no way around the fact that this new federal mandate will impact corporate culture, and because any such sweeping change will require across-the-board buy-in, attorneys will find that instead of issuing mandates, they will need to seek and secure buy-in. Men and women used to issuing orders will have to find ways to "sweet-talk" virtually everybody in the company in order to secure routine and daily compliance with records management. Any human resources director will quickly tell you just how hard obtaining such compliance will be—yet the consequences, if not the in-house policies, are indeed black and white.
Compliance will be far easier if the underlying technical solution deployed to implement the new records-management policy is itself easy to use and painless to implement and essentially improves the end users' fundamental jobs. However, if the technical solution is complex and user-unfriendly, if it makes their jobs more difficult, takes more time, and doesn't help employees and managers meet their primary goals—i.e., the ones they are evaluated upon—then the records-management "solution" will fail, and the company will remain vulnerable.
Despite the fact that there is a fundamental technical component to any compliant records-management program, selecting that system and implementing it across the enterprise cannot be assigned to IT alone—everybody has to be a part of the solution, and the "cheerleader" making this happen will have to be the corporate attorney.
Understanding the Culture
At a fundamental level, outside attorneys generally don't worry about records management themselves—they know they can invoke "attorney-client privilege." So they don't have to manage their data or destroy it—because, legally, it's safe and protected.
But at a corporation, attorneys do have to worry about those records—how to file them for discovery compliance, how long to keep them, and when to destroy them. Policies regarding this now impact every employee with a PC or a phone who creates or receives documents. They have to put these new documents into a process that classifies them. That is the core of any records-management policy—and if the front-line record-creating employees don't properly classify and file the documents they create, corporate risk mounts. Getting their willing and consistent compliance becomes a matter of modifying corporate culture in such a way that compliance becomes the norm—as routine as the 10:30 coffee break.
The bottom line for any successful records-management implementation is this: without altering the culture of the company, compliance will be impossible. Without compliance (at the lowest level as well as the highest), the company will be at substantial legal risk.
From a legal perspective, it is relatively easy to create a "keep it all" or "destroy it all" records-management policy that will be legally acceptable but operationally inappropriate—or even impossible. Records-management technology has limits that can run afoul of the limits of corporate culture. It is tempting to push for the extreme form of legal compliance, but in implementing any records-management program, it is essential to recognize that "extremes" are not going to work. A successful system is one that bridges legal requirements, technology, and corporate culture.
Here's an example of the kinds of issues faced today: how do you even find all the copies of the record you're ready to destroy? For instance, an attached document sent via email from one person to another creates at least six copies in six separate locations. Corporate-wide backups, the forwarding of the email by others, and the saving of the attached document to laptop hard drives add further copies, not all of which remain connected to a central corporate network. A further complication is that many employees make "convenience copies" of documents, "just in case." Unless the default is manually disabled, Microsoft Office—the core operating technology for most corporations today—goes even further and automatically creates multiple backups of every document, just so users don't "lose" a file. This auto-backup goes on automatically, even if this convenience is counterproductive to records-management policy.
Any coherent records-management policy has to recognize all of these factors—and be prepared to address them via both technology and human-factor compliance.
The failure to have a consistent, coherent policy invites opposing attorneys to say to themselves, "We know we can get that information because we know you have it...somewhere." How do you strike a balance between the "we want everything" kind of discovery and a rational destruction-of-records policy?
Setting aside the federal mandate, even with the best will in the world, most companies cannot comply with records-management expectations. Technological quick fixes are a myth—where the rubber meets the road, they don't work as advertised. Of course, finding and destroying all copies of records is difficult, but at least this is potentially possible. Yet there are legal risks—along with serious operational business risks—that go with destroying too many records too soon.
The Bottom Line
Technology will never be able to do more than mitigate the problem. As a result, effective policies need to balance the myth of absolute black-and-white granular control with the gray-area reality of business.
- Technology is essential to the solution, but there is no silver-bullet technical solution, no matter what the sales literature says.
- There are no black-and-white solutions—lawyers have to compromise, and they have to internally sell rather than mandate their policy needs.
- Records management is all about being practical—you need a practical, workable solution. A pristine policy that covers every little potentiality is inherently unworkable. However, a short, understandable policy is far better than no policy.
- If you can train all employees to implement a policy, they'll comply. If the policy is so complex that your employees can't explain it under oath, they won't be able to implement it, and you can't win in court.
- There can be no "executive" waiver. Everybody has to be part of the solution, with no exceptions—if only because C-level executives will be under infinitely more scrutiny; their emails and Word documents and voicemails are far more likely to be subpoenaed.
Once you have decided to put a federally compliant records-management system in place, once you realize that buy-in is the key to gaining compliance—which is, in turn, the key to success—you still need to know where to start. Implementing a valid records-management solution is best done by following the 80-20 rule. Start implementation with easy-to-manage records, and save the most contentious problem—email—for last.
Do not start with email. From a legal perspective, email is the most painful and the most high-risk problem. However, it is also the most difficult to "fix." Not only is email compliance fraught with all kinds of technical exceptions, but it is also "personal" and therefore the hardest to get buy-in on. Learn from experience: get the basic/simple records-management compliance done, debug the processes, and get them in place—then tackle the email nightmare.