Developing a Data Retention Policy
"Yep, son, we have met the enemy and he is us." - Pogo, 1971
Presented by: Bill Lisse, CISSP, CISA, CGEIT, CHFI, GPCI, GHSC, CSSA, Technology & Risk Services Manager
Required Disclaimers
Legal - The presenter is not an attorney, and the views expressed in this presentation are based on generally accepted practices; this presentation should not be construed as legal advice.
Circular 230 - Under IRS Circular 230, we are required to advise you that, unless otherwise expressly indicated, any tax advice contained in this communication, including attachments, is not intended or written to be used, and cannot be used, for the purpose of (1) avoiding penalties that may be imposed under the Internal Revenue Code, or (2) promoting, marketing or recommending to another party any tax-related matters addressed herein.
Why should business leaders care?
On December 1, 2006, amendments to the Federal Rules of Civil Procedure (FRCP) took effect that modernize and clarify the discovery rules as they apply to electronically stored information (ESI).
Securing, gathering, searching, and producing electronic data as evidence in a civil or criminal case is known as electronic discovery, or eDiscovery.
Exposure: criminal penalties, civil penalties, compliance fines.
Compliance Example
While the focus of the Sarbanes-Oxley Act was on public companies, §802 (codified at 18 U.S.C. §1519) addresses the retention and destruction of records. Private companies are also expected to comply with SOX §802 when there is a "government interest", and can face fines plus up to twenty years' imprisonment for the knowing destruction, alteration or falsification of records with the intent to impede or influence a federal investigation.
Purpose of Retention/Destruction
Retention:
  Legal compliance
  Litigation preparedness
  Company's reputation
  Business needs
Destruction:
  Reduce operational cost
  Asset protection
  Privacy
Preparation is Critical
Step #1: Digital Data Mapping
Step #2: Risk Assessment
Step #3: Implement Digital Data Management Policies and System Control Procedures
Step #4: Litigation Hold Procedures
Step #5: Compliance Monitoring
Digital Data Mapping: where is ESI stored and processed?
Modeling techniques for the data map:
  Data Flow Diagrams (DFD)
  Entity Relationship Diagrams (ERD)
  Upper-CASE tools (Visio, Visible Analyst, etc.)
  IDEF0 (Integration Definition for Function Modeling) activity diagrams: Inputs, Controls (constraints), Outputs, Mechanisms (resources)
  Process maps
  Flow charts
Identify and document the method, location, and native file format of information created within the organization.
Data map (diagram): business functions (HR, Production, Accounting, Sales) feed operational application and web services; those write to data stores (operational application and web storage, data warehouse, content management, analytics and reporting services); the stores sit on storage tiers (network attached storage, storage area network, near-line storage, backup).
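The slide asks for the method, location and native file format of each body of information; the following script, added here as an example and not part of the original presentation, produces a first-cut data map for a file share by walking it and summarizing files by business unit and native format, with counts, bytes and date range (the date range feeds the retention-period analysis later in the deck). The directory layout, file names, the assumption that the top-level directory names a business unit, and the extension-to-format table are all constructed for the demo.

```python
"""Digital data map for a file share: business unit x native format x volume x age.

Added example (not from the presentation). The sample share built by
build_demo_tree() and the FORMAT_BY_EXT table are constructed for the demo;
point inventory() at a real share, NAS export or mailbox store in practice.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed mapping from extension to the native format an eDiscovery team tracks.
FORMAT_BY_EXT = {
    ".pst": "Outlook mailbox", ".ost": "Outlook mailbox", ".msg": "Email message",
    ".docx": "Word document", ".doc": "Word document",
    ".xlsx": "Spreadsheet", ".xls": "Spreadsheet",
    ".pdf": "PDF", ".csv": "Delimited text",
    ".bak": "Database backup", ".mdf": "SQL Server data file",
}


def classify(path: Path) -> str:
    """Native format family for a file; anything unmapped is reported, not hidden."""
    return FORMAT_BY_EXT.get(path.suffix.lower(), "Other/unknown")


def inventory(root: Path) -> dict:
    """Walk root. Assumption for the demo: the first directory level names the
    business unit (HR, Accounting, ...). Returns
    {(unit, format): {"files", "bytes", "oldest", "newest"}} with UTC mtimes."""
    summary = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable entry: skip it rather than abort the whole map
            rel = p.relative_to(root)
            unit = rel.parts[0] if len(rel.parts) > 1 else "(root)"
            key = (unit, classify(p))
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            entry = summary.setdefault(
                key, {"files": 0, "bytes": 0, "oldest": mtime, "newest": mtime})
            entry["files"] += 1
            entry["bytes"] += st.st_size
            entry["oldest"] = min(entry["oldest"], mtime)
            entry["newest"] = max(entry["newest"], mtime)
    return summary


def build_demo_tree() -> Path:
    """Constructed sample share (created in a temporary directory)."""
    root = Path(tempfile.mkdtemp(prefix="esi-map-"))
    sample = {  # relative path -> size in bytes
        "HR/benefits/enrollment_2009.xlsx": 2048,
        "HR/reviews/smith.docx": 512,
        "Accounting/ap/invoices_q1.pdf": 4096,
        "Accounting/archive/ledger.bak": 8192,
        "Sales/mailboxes/jdoe.pst": 16384,   # a .pst outside the mail server's control
        "Sales/notes.txt": 100,              # unmapped format, still reported
    }
    for rel, size in sample.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"\0" * size)
    return root


def format_report(summary: dict) -> list:
    """One line per (unit, format) cell of the data map."""
    lines = []
    for (unit, fmt), e in sorted(summary.items()):
        lines.append(f"{unit:<12} {fmt:<20} files={e['files']:<4} bytes={e['bytes']:<8} "
                     f"oldest={e['oldest']:%Y-%m-%d} newest={e['newest']:%Y-%m-%d}")
    return lines


if __name__ == "__main__":
    for line in format_report(inventory(build_demo_tree())):
        print(line)
```

The "Other/unknown" bucket is deliberate: an unmapped format is exactly the kind of ESI that gets missed in a discovery response, so the map should surface it for a human to classify rather than silently drop it.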
Risk Assessment
  Forming the team
  Types of data
  Retention periods
  Cost of retention
Interdisciplinary Team Approach
It's not just about information systems. The team provides an enterprise understanding of data retention through:
  A comprehensive understanding of corporate policy and procedures related to regulatory compliance
  Elimination of fragmented responses to inquiries and discovery requests
  An optimized response to litigation discovery
Retention Rules
20,000+ statutes and regulations require retention. Examples:
  SEC Rule 17a-4 - Electronic Storage of Broker-Dealer Records
  Gramm-Leach-Bliley Act (GLBA) - Financial Services Modernization Act of 1999
  Sarbanes-Oxley Act of 2002
  FDA 21 CFR Part 11
  DoD 5015.2 (Department of Defense records management standard)
  Health Insurance Portability and Accountability Act (HIPAA)
  Fair Labor Standards Act
  Occupational Safety and Health (OSH) Act
  Internal Revenue Service (IRS) Restructuring and Reform Act
Issuing agencies include the Food and Drug Administration and Health and Human Services.
Retention Periods
Don't assume that the retention requirement for all business-related information is the commonly quoted "7 years." There are many variables depending on the industry, the type of organization and the type of information. Retention periods vary based on the specific statute or regulation.
Cost of Retention
  Cost/benefit analysis
  Cost of making data accessible for discovery
The organization is not obligated to retain all information created or received, unless a business or legal obligation exists for the organization to maintain that information. Retaining information beyond these reasons could pose a liability for the organization.
Establishing the Data and Information Retention Policy
Policy context (diagram): the retention policy sits at the intersection of the preservation and retention duty, compliance, litigation, document destruction, the litigation hold, and information security.
Creating your policy: this is not an IT problem.
Implement Digital Data Management Policies and System Control Procedures
Specifically delineate the organization's electronic records maintenance, storage, and destruction schedules.
Determine how the organization would define "good faith operation" of its information systems, if required. FRCP Rule 37 provides for sanctions, and Rule 37(f) (as numbered in the 2006 amendments) provides a safe harbor for ESI lost through the routine, good-faith operation of an electronic information system; Rule 26(b)(2) lets a court limit discovery that is disproportionate, including ESI that is not reasonably accessible because of undue burden or cost.
E-mail and instant messaging are business records. This is a common oversight, especially in smaller organizations, which still have to comply.
Consider MS Outlook .pst files, which sit on workstations and file shares outside the mail server's retention controls.
Don't assume that limiting share space, the size of user mailboxes, etc. will enforce retention or avoid problems related to it. Users will almost always adapt and find ways around your controls.
Don't make the mistake of leaving routine destruction procedures (such as tape or disk backup rotations) running when an investigation, audit or other litigation is pending; suspend them. Failing to do so can lead to unwanted charges of destruction of evidence.
Don't take a "delete everything" stance. It's too risky, and it's hard to prove you're not trying to cover something up.
Don't take a "save everything" stance. It can open your organization up to discovery risks and massive costs for storing and administering data.
Don't assume that access to archived data means you will be able to restore it within a reasonable amount of time.
Don't use boilerplate templates; tailor the policy to the organization's needs.
Involve lawyers to review, not to create, your policy.
Recommended sections of the data retention policy:
  Purpose of the policy
  Who is affected by the policy
  What types of data and electronic systems are covered
  Roles and responsibilities (by position name)
  The requirements in detail: legal, compliance and business
  Procedures for ensuring data is properly retained
  Procedures for data disposal/destruction
  Legal hold procedures and how to respond to discovery requests, clearly documented
  A matrix correlating each data type with its retention period
  Audit requirements and policy enforcement
  Appendices: references and glossary
Litigation Hold Procedures
  Identify all individuals responsible for receipt and processing of subpoenas (e.g., the risk management department).
  Document the organization's current process for identifying and communicating threatened or pending litigation.
  Document how information is preserved during pending litigation.
Litigation Hold Procedures (continued)
Considerations:
  Who is responsible for establishing a legal hold
  How data and systems will be secured, and for how long
  Who must be notified
  The cost and burden of preserving the data
  Under what circumstances the legal hold will be lifted
  How the organization expects to respond to an e-discovery request (through an external e-discovery litigation software vendor or through internal IT systems)
  How large amounts of electronic data will be accessed, manipulated, and produced in response to an e-discovery request
Compliance Monitoring
Establish internal audits or controls to measure compliance with the organization's storage, retention, and destruction policies. A records management storage, retention, and destruction policy that is not followed is not only useless, it is a potential liability.
Don't assume that just because your retention policy says everything is destroyed after a certain period of time that it actually is. Verify!
Retention engine (diagram): retention rules and messaging rules feed a rules engine; sources are email, relational data, content management, archive tapes, paper copies and other content; the engine drives the data disposal, content management disposal and paper disposal processes, with retention audit and reporting alongside.
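The retention engine in the diagram, the data-type-to-retention-period matrix the policy sections call for, the rule that a pending matter suspends routine destruction, and the "Verify!" point under Compliance Monitoring all come together in one small rules engine. The example below is added here and is not code from the presentation; its retention matrix, legal holds, record set and the date used as "today" are constructed for the demo, and the retention periods are placeholders, not legal advice. It goes slightly beyond the slides in one respect: the audit also flags records that are on hold but missing from storage, the mirror image of over-retention.

```python
"""Retention rules engine with legal-hold override and a disposal audit.

Added example, not from the presentation. MATRIX, the holds and the records
are constructed for the demo; real retention periods come from the legal and
compliance review, and the `exists` flag would come from the storage system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    record_type: str
    retain_days: int   # retention period measured from the trigger date
    basis: str         # the legal, compliance or business basis cited in the matrix


@dataclass(frozen=True)
class LegalHold:
    matter: str
    record_types: frozenset      # hold scope; an empty set means all record types
    custodians: frozenset        # an empty set means all custodians
    lifted: Optional[date] = None


@dataclass
class Record:
    record_id: str
    record_type: str
    custodian: str
    trigger_date: date   # creation date, contract end date, tax-year end, ...
    exists: bool = True  # what storage actually reports, not what policy expects


# Constructed retention matrix: data type -> retention period and basis.
MATRIX = {
    "email":    RetentionRule("email", 3 * 365, "business need"),
    "payroll":  RetentionRule("payroll", 7 * 365, "FLSA/IRS"),
    "contract": RetentionRule("contract", 10 * 365, "limitations period"),
}


def hold_applies(hold: LegalHold, rec: Record, today: date) -> bool:
    """A hold suspends disposal until it is lifted; scope is by type and custodian."""
    if hold.lifted is not None and hold.lifted <= today:
        return False
    if hold.record_types and rec.record_type not in hold.record_types:
        return False
    if hold.custodians and rec.custodian not in hold.custodians:
        return False
    return True


def evaluate(records, holds, today: date) -> dict:
    """Decide per record: retain / hold / dispose / unknown-type.
    Returns {record_id: (decision, expiry_date_or_None, reason)}."""
    out = {}
    for r in records:
        rule = MATRIX.get(r.record_type)
        if rule is None:  # no rule: escalate, never dispose by default
            out[r.record_id] = ("unknown-type", None, "no retention rule; escalate")
            continue
        expires = r.trigger_date + timedelta(days=rule.retain_days)
        active = [h.matter for h in holds if hold_applies(h, r, today)]
        if active:
            out[r.record_id] = ("hold", expires, "suspended by " + ", ".join(active))
        elif today >= expires:
            out[r.record_id] = ("dispose", expires, f"{rule.basis} period ended {expires}")
        else:
            out[r.record_id] = ("retain", expires, f"retain until {expires}")
    return out


def audit(records, decisions, today: date, grace_days: int = 30) -> list:
    """Verify the policy is actually executed: records whose period ended more
    than grace_days ago but are still present (over-retained), and records under
    hold that storage no longer has (missing-under-hold)."""
    by_id = {r.record_id: r for r in records}
    findings = []
    for rid, (decision, expires, _reason) in decisions.items():
        r = by_id[rid]
        if decision == "dispose" and r.exists and (today - expires).days > grace_days:
            findings.append((rid, "over-retained", f"period ended {expires}, still present"))
        if decision == "hold" and not r.exists:
            findings.append((rid, "missing-under-hold", "record on legal hold not in storage"))
    return findings


# Constructed demo data.
TODAY = date(2024, 6, 1)
DEMO_HOLDS = [
    LegalHold("Matter-42", frozenset(), frozenset({"jdoe"})),                 # active, one custodian
    LegalHold("Matter-7", frozenset({"payroll"}), frozenset(), date(2024, 1, 15)),  # lifted
]
DEMO_RECORDS = [
    Record("E-1", "email", "jdoe", date(2020, 1, 1)),
    Record("E-2", "email", "asmith", date(2020, 1, 1)),
    Record("P-1", "payroll", "hr", date(2019, 1, 1)),
    Record("P-2", "payroll", "hr", date(2015, 1, 1)),
    Record("C-1", "contract", "jdoe", date(2010, 3, 15), exists=False),
    Record("X-1", "chat", "jdoe", date(2023, 5, 1)),
]

if __name__ == "__main__":
    decisions = evaluate(DEMO_RECORDS, DEMO_HOLDS, TODAY)
    for rid, (decision, _expires, reason) in decisions.items():
        print(f"{rid}: {decision:<12} {reason}")
    for finding in audit(DEMO_RECORDS, decisions, TODAY):
        print("AUDIT", *finding)
```

Two design choices carry the slides' warnings into the code: a record type with no entry in the matrix is never disposed of by default, and a lifted hold simply drops out of scope so the normal schedule resumes, which is what lets the audit catch P-2 as over-retained once Matter-7 is closed.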
Data Retention - Key Points
Rule 26(a) requires companies to be prepared to disclose, by category and location, the relevant ESI in their possession, custody or control: email, instant messages, sound recordings, proprietary databases, etc.
Rule 26(f) requires the parties to confer early about ESI, so companies must know where and how all ESI is stored in their systems, along with the potential recovery costs, timeframes, and alternatives.
Rule 37(f) (2006 numbering) provides a "safe harbor" against sanctions, absent exceptional circumstances, for companies unable to produce discoverable ESI that was lost through the routine, "good faith" operation of standard business and IT processes.
Prescription (Best Practices)
1. You really do need a data retention policy.
2. You need to create, and be able to demonstrate that you have, a secure storage environment for your ESI.
3. ESI needs to be searchable and retrievable in a timely manner.
Conclusion
A data retention policy is necessary for meeting legal, compliance, and operational business requirements.
Data retention should be balanced based on an understanding of the legal requirements and the operational business requirements.
While a data retention policy may not reduce the probability of litigation, it does:
  significantly reduce the probability of sanctions for non-compliance
  provide support for defending the unavailability of certain data
  reduce the cost of responding to e-discovery requests
Bill Lisse,  Technology & Risk Services Manager Phone: (937) 853-1490 Email: wlisse@battellecpas.com Questions?

ISSA Data Retention Policy Development