1
Digital Document Retention Policies and Post-Enron IT Governance
DAVID VAILE, Executive Director
Baker & McKenzie Cyberspace Law and Policy Centre, UNSW Faculty of Law
2
Digital Document Retention
David Vaile
Baker & McKenzie Cyberspace Law and Policy Centre
University of NSW, Faculty of Law
http://www.bakercyberlawcentre.org/ddr/
3
Introduction
- Recent changes in governance, cases
- White paper (copies available on request)
- Baker & McKenzie, ACLA, suppliers, Galexia
- Aimed at filling gaps for lawyers, IT, management
- Starting point only – you need firm-specific advice
4
Sources of IT risk
- Beyond hackers, viruses and disasters
- Digital documents as a source of risk
- Overlap security: create, use, destroy
- Chaotic hybrid: paper, digital, portable
- Not just technology: usage, usability, policies
5
Digital documents – Key questions
- Can you find it when you need it?
- Have you kept dangerous junk?
- Do you have a policy?
- Does it work for users?
- Do staff know why to keep or destroy?
6
Why does this matter?
- Business process support
- PR and public confidence
- Litigation
- Governance
- Efficiency in the back office
7
Examples and fiascos
- Boeing CEO's embarrassing email
- McCabe v. British American Tobacco (BAT): embarrassing ‘Evidence Destruction’ policy
- Enron: built on dodgy digital documents
- HIH: the inquiry
8
Where it hits the fan: Litigation and preparation for it
- Critical role of preparation for document analysis
- 3 teams involved: IT, legal, executive management
- Three domains: pass the buck? Head in the sand?
- Beware of being too clever
9
McCabe v. BAT (Vic Sup Ct): Evidence destruction = BAT loses!
- Critical documents were scanned
- 30,000 originals destroyed
- Although no litigation afoot at the time…
- BAT anticipated the likelihood of future claims
- Vic. Supreme Ct, appeal
- US DOJ very interested in original principle …
10
Types of digital documents — features
- Email: metadata (relevant for all), logs, contents…
- Scanned documents: when, where, who?
- ‘Office’ documents: copies, junk, version
- Network and infrastructure logs
- Databases, web: transactions, state
11
Delusions of control?
- IT as a control system
- Increasing independence of users
- Head office/Back office vs wandering road warrior
- Policy must be realistic and workable
12
Overview of legal issues and compliance
- Business reasons first
- Examples of legal obligations
- The big one: is it “Evidence”?
- Need specific assessment and advice
- Document your policy development process
- Test compliance
13
Sources of DDR legal obligation
- Legislation (Tax, Corporations, Privacy, Spam Acts…)
- Special case: rules of court
- ‘Common law’, cases such as McCabe v. BAT
- Industry codes (may be enforceable)
- Contract
14
Who requests the info?
- Litigation: parties, courts
- Regulators
- Law enforcement
- Customers, suppliers
- Rivals or tactical litigants
15
Types of obligation (1)
- Evidence for litigation
- Legal professional privilege
- Corporate governance by directors
- Taxation and money laundering
- HR, employment, admin, accounting….
16
Types of obligation (cont.)
- Insurance
- Personal information: Privacy, Corporations Act
- IP: copyright, patent, DRMS
- Marketing: Spam Act
- Contract and outsourcing
- Industry good practice
17
Litigation
- Is litigation contemplated
- Nature of the industry
- What documents are relevant
- Where can we reasonably expect it?
- Document the creation of a policy
- And its implementation and review
18
The new corporate governance: Yikes!
- Sarbanes Oxley (Sox)
- Basel II, CLERP 9
- US approach: litigate first, negotiate later
- Directors and execs personally liable
- Suddenly more serious!
- IT risks too; corporate governance response
19
Digital Document Retention Policy: First step to a solution?
- Systematic and documented practice
- Can justify destruction or retention
- Contents of a Digital Document Retention Policy
- Implementation
- How to refine a DDR policy
20
Steps to assess for Archiving/Destruction
- Required for current use?
- Required by contract?
- Required by law or regulation?
- Limitation period still applicable?
- Required for business reasons?
- Required for litigation?
21
Guidelines for inclusion in policy
- Sedona Principles (post Enron)
- AS ISO 15489 ‘Records Mgt.’ (AS 4309)
- US: DoD and NARA
- International: ISO 15489
- EU: Model Requirements for Management of Electronic Records (MoReq)
22
IT contributions to a solution?
- Document management systems
- Rich documents and meta data
- Logs for transactions and accesses
- Access control, authentication
- Automated backup, archiving
- Targeted and reliable recovery
23
Legal contributions to a solution?
- Analysis of legally significant data
- Analysis of industry and business
- Description of obligations
- Litigation and other risk assessment
- Draft the document retention policy
- Governance briefings for board
24
An integrated package:
- Everyone needs to be aware (KISS)
- Policy, tools, practices, oversight
- Integrate w. other policies and routines
- Existing document management practices
- Reality checks: audits, reviews
- Where will you be when it hits the fan?
25
David Vaile
Baker & McKenzie Cyberspace Law and Policy Centre
University of NSW Faculty of Law
http://www.bakercyberlawcentre.org/ddr/