the merger of information governance and records and information management

©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Randolph Kahn, Esq., Kahn Consulting

Upload: hp-software-solutions

Post on 28-Nov-2014


DESCRIPTION

With countless corporate failures and a lagging global economy, companies are trying to figure out how to manage limited resources. Information as an asset has never had more potential value—or been less effectively managed—and risk management, compliance, and governance are pressing concerns. This call-to-action keynote will give you a pragmatic plan for understanding the importance of records and information management and a framework for getting it right.

TRANSCRIPT


Page 2

What Do You Do for a Living?

“More than 3 years after the Sept. 11 attacks, more than 120,000 hours of potentially valuable terrorist-related recordings have not yet been translated … and computer problems may have led the bureau to systematically erase some Qaeda recordings … [t]he investigation found that limited storage capacities in the system meant that older tapes had sometimes been deleted automatically to make room for newer materials, even if the recordings had not yet been translated”

Page 3

Information Perfect Storm

Volume

988 exabytes of new data 2010

200+ billion email per day

Value

All kinds of business being done

More laws and regulations

Liability

Greater downside

Info mismanagement ubiquitous

So what do you do in a down economy with less IT budget?

After funneling billions in investor money… Fairfield …is offering up its explanation to investors . . . firm supplied falsified trading documents. . . what now appear to have been fake electronic records…

WSJ, 3/2/09

“making patient data more accessible has the unpleasant side effect if it potentially falls into the wrong hands” WSJ, 3/4/09

Page 4

How Do You Define Success?

Intelligence Agencies’ Databases to Be Linked

“… nearly five years after the intelligence community was rebuked by the 9/11 commission for failing to “connect the dots” and detect the attack … New technology is addressing a more basic problem … Spies often have trouble emailing colleagues … email addresses aren’t readily accessible, and messages sometimes get eaten by security filters. “Today, an analyst’s query might scan only 5% of the total intelligence data in the U.S. government, said a senior intelligence official.” WSJ 2/22/09

“If we aren't supposed to eat animals, why are they made with meat?”

Page 5

Let’s Level Set—True or False

•IT cares about the value of information in their systems?

•Back up is the same as records retention?

•Bad info management practices means responding to document requests in a lawsuit is super duper fun?

•IT buys technology today without considering its legal and compliance needs?

•Discovery is the act of finding something really great in places you never imagined?

“I think people tend to forget that trees are living creatures. They're sort of like dogs. Huge, quiet, motionless dogs, with bark instead of fur.”

Jack Handey

Page 6

What Is Compliance?

“Compliance” is conformity with some criteria

•Sources of compliance criteria

•Laws & regulation (SEC, Sarbanes Oxley, Part 11)

•Industry standard (ANSI, ISO)

•Company policy (RM, E-mail, Privacy, IT Security)

•Best practice

“Data Breach at Army Hospital

Sensitive information on about 1000 patients … was exposed” WSJ June 3, 2008

“Smoking kills. If you're killed, you've lost a very important part of your life.”

Brooke Shields

Page 7

What Does Failure Look Like?

“In an Aug. 15, 2005, voicemail messages addressed to company salespeople, an …employee… followed up on a “weight and diabetes sell sheet” they had recently been sent.” “…the document written by Dr. Geller doesn’t accurately reflect the company’s position in 2000. In fact, it was not Dr. Geller’s ultimate view either. It was an initial draft for discussion purposes.” “In response to a plaintiffs’ attorney’s question, Dr. Geller responded that the statement was “an artifact of an earlier discussion document.” WSJ 2/27/2009

“Bank of America Subpoenaed on Bonuses” WSJ 2/27/2009

Page 8

Information Management Compliance

1. Policies and Procedures

2. Executive Responsibility

3. Delegation

4. Communication and Training

5. Auditing & Monitoring

6. Consistent Enforcement

7. Continuous Improvement

“A corporation can act through natural persons, and it is therefore held responsible for the acts of such persons…on the other hand in certain circumstances, it may not be appropriate to impose liability upon a corporation, particularly one with a compliance program…”

U.S. Dept. of Justice

“When you come to a fork in the road, take it.” Yogi Berra

Page 9

Key 1: Policies and Procedures

•GOOD directives

•Policy v. procedures

•Tells employees what to do

•Tells the “world” you care

•Change only when needed

“Thus, the court has already found, as a matter of fact, that Rambus anticipated litigation when it instituted its document retention program” Rambus v. Infineon

“There Are Three Kinds of People - Those Who Can Count and Those Who Can't”

In Fund-Fee Case, Emails May Hold Key WSJ, 7/17/09

Page 10

Different Policies for Different Uses

RIM

Disaster Recovery Back up

Storage

Discovery

“Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy.”

Albert Einstein

FDA Says Cookie Dough . . . has tested positive for E.coli … FDA has been examining … records. WSJ, 6/30/09

“..In an employment discrimination suit ... the employer sent the policy to the employee via a mass email containing two links to the policy and did not require any further action ... the employee claimed that he received a large volume of mass company emails daily and that he could not specifically remember the arbitration policy. Although an email ‘tracking log’ indicating the time and date that the employee opened the email, the employer could not prove that the employee had actually read the email or clicked on the links. The court determined that the mass email did not constitute sufficient notification and further admonished the employer for not taking ‘the incredibly simple and inexpensive step of configuring their system to log when and if employees clicked on the links.’" Campbell v. General Dynamics

Page 11

Policy Changes to Reflect Business Reality?

YOU MAKE THE CALL:

As volume and value of email goes up, new policy should dictate:

A. All email will be purged

B. All email will be “retained” on back up tapes forever

C. Make a PST of everything before the CIO, the rat that she is, no longer allows you

“. . . we see no evidence of fraud or bad faith in a corporation destroying records if it is no longer required by law to keep and which are destroyed in accord with its regular practices. As we have previously observed, storage of records for big or small businesses is a costly item and destruction of records no longer required is not in and of itself evidence of spoliation.”

Moore v. General Motors

If a wolf can take down a deer from either flank, does that make him bambidextrous?

Page 12

Does Policy Dictate In-house or Outhouse

Where do you keep your information

Cloud Computing

Software as Service

ASP

A computer once beat me at chess, but it was no match for me at kick boxing.

“Gmail Glitch Shows Pitfalls: Failure Spurs Concern Over Reliability of Online Software” WSJ 2/26/09

PayPal Users Hit by Global Service Outage

WSJ, 8/4/09

Page 13

Key 2: Executive Responsibility

•Only way to ensure consistency across enterprise

•Policy does not happen from below

•Sets the tone for corporate culture

•Holds the purse strings

The man who smiles when things go wrong has thought of someone to blame it on.

Robert Bloch

Will they listen:

As CEO, I want to remind you that our Records Management and Legal Hold Policies require that you retain records and preserve any information that may be needed for a lawsuit…

As Records Manager, I want to remind you that our Records Management and Legal Hold Policies require that you retain records and preserve any information that may be needed for a lawsuit…

Page 14

Executives Pay the Price

Danis v USN court addresses CEO's failures:

CEO “personally took no affirmative steps to ensure that the [document retention] directive was followed.”

He did not direct that the company “implement a written, comprehensive document preservation policy, either in general or with specific reference to the lawsuit.”

He “did not instruct that any e-mail or other written communication be sent to staff to ensure that they were aware of the lawsuit and the need to preserve documents.”

I am not a vegetarian because I love animals; I am a vegetarian because I hate plants.

Whitney Brown

Page 15

Key 3: Delegation of Responsibilities

Notice to IT Department:

Please be advised that the Legal Hold Policy mandates that all those in the care, custody and control of potentially relevant electronically stored information and other tangible objects must be properly garnered and thereafter preserved for threatened or imminent formal matters…

Danis Case (Continued)

The lawyers did “nothing to ensure that all . . . employees who handled documents that might be discoverable were aware of the lawsuit and the need to preserve documents.”

Directors failed to take, “any active role in implementing a broader preservation policy,” and did not follow up with the CEO “to determine if their directive had been implemented.”

“Son, if you really want something in this life, you have to work for it. Now quiet! They're about to announce the lottery numbers.”

Homer Simpson

Page 16

Key 4: Communication and Training

• Messaging of changes or position on a topic

• Tells employees what to do and how to do it

• Should be on-going

• May provide the only protection to the institution.

Which message has the desired effect?

A. “The records management policy helps the company increase productivity and save money…”

B. “Do it, if you want your check…”

C. “Following the records management policy helps you manage your work load and allows the company to be a more efficient business by having ready access to customer information, which in this environment may be the difference between winning

Page 17

Key 5: Auditing and Monitoring?

“…Bloomberg News reported over the weekend, Intel’s general counsel stated that e-mails for 151 employees who were to have been instructed to retain them as possible evidence in the AMD antitrust trial were lost by virtue of a single IT manager misreading a spreadsheet where the employees’ names were first distributed”

BetaNews 3/19/2007

“Fluor's e-mail retention policy provided that backup tapes were recycled after 45 days. If Fluor had followed this policy, the e-mail issue would be moot. Fluor does not explain why, but it maintained its backup tapes for the entire 14-month period.” Murphy Oil v. Fluor Daniel

Page 18

Key 6: Consistent Enforcement

“I dream of a better tomorrow, where chickens can cross the road and not be questioned about their motives.”

“For companies, A Tweet in Time Can Avert a PR Mess” WSJ Aug. 3, 2009

“New technology to help marketers and media companies send videos via email.” WSJ, April 2, 2009

Can you make these seemingly inconsistent statements work with a simple policy fix?

“We manage information in a medium independent way, so that company records may be in any electronic system”

“The company voicemail system will be purged in the ordinary course of business every 30 days”

Page 19

Bring “Old School” Business Rules Forward

When mere data becomes information requiring real management

“The program …is aimed not at consumers, but at sales staff, accountants, and others who need to mash up data from different sources to solve business problems.” “Do The Mash” New York Times

“Obama Announcement by Text Sends Message About Medium”

WSJ Aug. 23, 2008

Page 20

Key 7: Continuous Improvement

You Make The Call?

“For this lawsuit, back-up tapes of all email are to be preserved until further notice”, even though policy states that back-up tapes are to be used for disaster recovery purposes only and should be purged after 30 days.

“Please be advised that accounting records will be retained on back-up WORM disks and thereafter select records will be purged when their period of retention has been met.”

“If you rob a bank and your pants fall down, it's OK to laugh, and it's OK to let your hostages laugh too, because come on, life is funny.” Jack Handey

Page 21

Manage “Under One Roof”

“I find that the further I go back, the better things were, whether they happened or not.”

Mark Twain

Increasingly, knowing what information exists and where, is no small challenge

Having as much “under one roof” is better for management

Fewer technologies allow for better use of resources

Page 22

Conclusions

• Simplify (people, process & technology)

• Manage the content

• Use fewer technologies more efficiently

• Anticipate problems

• Compliance methodology may be the difference between winning and losing

“Why does Sea World have a seafood restaurant? I'm halfway through my fish burger and I realize, Oh man ... I could be eating a slow learner.”

Page 23

Thanks

He who laughs last didn't get it.

Randolph A. Kahn, ESQ.


847-266-0722 www.twitter.com/InfoParkingLot

Page 24

Q&A

Page 25

To learn more on this topic, and to connect with your peers after the conference, visit the HP Software Solutions Community: www.hp.com/go/swcommunity
