Plan To Manage Electronic Data Now
The management of electronic data used to be a “nice thing to do.” Nowadays, the proper archiving, retention, monitoring, filtering and encryption of electronic data is not an option but an imperative for financial institutions that must comply with regulations and federal law, including the Federal Rules of Civil Procedure (FRCP).
According to Cynthia Jackson, a lawyer at Baker-McKenzie LLP, the need for a plan to manage electronic data means understanding the broad compliance issues, government mandates and e-discovery requirements a financial institution faces. Jackson is a recognized expert in global personnel-related initiatives.
“Clearly if you’re a financial institution, in this industry, you’ve got compliance requirements with Gramm-Leach-Bliley and similar statutes of that nature that you must follow. Many of these discrete sets of statutes are unique to financial institutions and will apply only to them,” said Jackson.
Should an institution be publicly traded, Sarbanes-Oxley will apply to it, she added.
If you handle consumers’ sensitive financial information or personally identifiable information, “There are a plenitude of various security notification laws enacted on a state level, in as many as 36 states, and pending federal legislation looming on the horizon that you’ll need to know and understand,” she noted, adding that most of the pending legislation at state and federal levels is the result of the flood of information breaches that have occurred recently, including the TJ Maxx breach.
“So certainly you’ll want to know and understand data breach notification laws as they apply to your institution and where your institution’s customers are located,” she explained. She cautioned that financial institutions need to anticipate that even the best secured systems are still vulnerable to hacking. “You should be looking at implementing encryption when you’re handling customer information. You pray for the best, but prepare for the worst,” is Jackson’s recommended approach to locking down information.
Having a second line of security by way of encryption may protect an institution from real data loss, Jackson noted. “In California having the information encrypted is almost an affirmative defense,” she said. Jackson added that increasingly states are adopting rules, or at least practices, that are similar to those reflected in federal court.
“So, with that in mind, the FRCP has been expressly amended to avoid any question as to what electronically stored information (ESI) is defined as,” Jackson said, although she noted there has been no question as to what ESI is for some time. The point made by the FRCP is that when information is requested, it is no longer just printed media at issue, but any type of electronically stored content, including data found in instant messages, PDAs, BlackBerry emails, webmail, online journals (“web logs” or “blogs”), conferencing webcams, document and video transfers, and broadband voice services. “Virtually any type of data that is stored electronically falls under this definition,” Jackson said.
Even before the electronic discovery rules of the Federal Rules of Civil Procedure (FRCP) became effective on December 1, 2006, more than one in five companies had electronic communications subpoenaed during the course of litigation or a government investigation in 2004. Ignorance of the new amendments to the FRCP can be costly, Jackson noted.
She explained that, absent a “litigation situation,” there is generally no universal duty to preserve electronically stored data (or other records), although certain types of record preservation, such as for tax, employment, and corporate records, may be required under various federal or state laws. A “litigation situation,” on the other hand, will trigger information preservation obligations, requiring a company to override its normal document destruction processes. The new amendments to the FRCP codify the need for a “litigation hold” of documents the company reasonably believes are discoverable in anticipation of litigation.
The “litigation hold” can be triggered long before the filing of an actual lawsuit, such as when the company receives any internal complaint to a “managing agent,” a preservation letter from a potential party or attorney threatening future litigation, prelitigation correspondence, notice of an investigation by a governmental agency, subpoena or governmental request for information, or filing of an administrative charge. Once there is a “litigation situation,” the company has a duty under the amendments to take affirmative steps to suspend immediately all routine document destruction and to preserve all records, including electronic data and possibly metadata therein, that it knows or reasonably should know will be relevant to the action or reasonably calculated to lead to the discovery of admissible evidence.
To Retain or Not To Retain?
There are three reasons to retain data. The first is statutory guidelines (such as tax laws, HIPAA, and other laws and regulations); financial institutions need to know how long to hold data to satisfy them, she said.
The second is business need, Jackson said. This data could range from product warranties to legal contracts and documents (some of which may or may not coincide with legal jurisdiction). You have to know whether the contract is expiring and whether you need to hold it because of a statute of limitations. Find out, at least by state, the longest statute, and have it be the presumptive hold for business need.
The third reason to retain data is a litigation hold, and Jackson noted, “Litigation is the longest of the three data types you’ll want to hold on to.”
Jackson’s advice on determining retention needs: “One size does not fit all. You’ll need to do some really stringent research on what data you need to keep, for what reason, and for how long.” For example, a research and development area may need to hold its documents longer, or another department may want to track statistics, she explained.