Plan To Manage Electronic Data Now
The management of electronic data used to be a “nice thing to do.†Nowadays, the proper archiving, retention and monitoring, filtering and encryption of electronic data isn’t an option but imperative for financial institutions in order to meet compliance with regulations and federal law, including the Federal Rules of Civil Procedure (FCRP).
See Also: Real-World Strategies for Securing Remote Workforces and Data
According to Cynthia Jackson, a lawyer at Baker-McKenzie LLP, the need for a plan to manage electronic data means understanding the broad compliance issues, government mandates and e-discovery requirements a financial institution faces. Jackson is a recognized expert in global personnel-related initiatives.
“Clearly if you’re a financial institution, in this industry, you’ve got compliance requirements with Gramm-Leach Bliley and similar statutes of that nature that you must follow. Many of these discrete sets of statutes are unique to financial institutions and will apply only to them,†said Jackson.
Should an institution be publicly traded, Sarbanes Oxley will apply to them, she added.
If you handle consumers’ sensitive financial information or personally identifiable information, “There are a plenitude of various security notification laws enacted on a state level, in as many as 36 states, and pending federal legislation looming on the horizon that you’ll need to know and understand,†she noted, adding most of the pending legislation at state and federal levels are the result of the flood of information breaches that have occurred recently, including the TJ Maxx breach.
“So certainly you’ll want to know and understand data breach notification laws as they apply to your institution and where your institution’s customers are located,†she explained. She cautioned that financial institutions need to anticipate that even the best secured systems are still vulnerable to hacking. “You should be looking at implementing encryption when you’re handling customer information. You pray for the best, but prepare for the worst,†is Jackson’s recommended approach to locking down information.
Having a second line of security in way of encryption may protect an institution from real data loss, Jackson noted. “In California having the information encrypted is almost an affirmative defense,†she said. Jackson added that increasingly states are adopting rules, or at least practices that are similar to those reflected in federal court.
“So, with that in mind, the FRCP has been expressly amended to avoid any question as to what electronically stored information (ESI) is defined as. Although there has been no question as to what ESI is for some time, Jackson noted. The point made by the FRCP is that when information is requested, no longer talking about just printed media, but any type of electronically stored content, including data found in instant messages, PDA, blackberry emails, webmail, online journals (“web logs†or “blogsâ€), conferencing webcams, document and video transfers, and broadband voice services, “Virtually any type of data that is stored electronically, falls under this definition,†Jackson said.
Even before the electronic discovery rules of the Federal Rules of Civil Procedure (FRCP) became effective on December 1, 2006, more than one in five companies had electronic communications subpoenaed during the course of litigation or a government investigation in 2004. Ignorance of the new amendments to the FCRP can be costly, Jackson noted.
She explained absent a “litigation situation,†there is generally no universal duty to preserve electronically stored data (or other records), although certain types of record preservation such as for tax, employment, and corporate records may be required under various federal or state laws. A “litigation situation†on the other hand will trigger information preservation obligations, requiring a company to override its normal document destruction processes. The new amendments to the FRCP codify the need for a “litigation hold†of documents the company reasonably believes are discoverable in anticipation of litigation.
The “litigation hold†can be triggered long before the filing of an actual lawsuit, such as when the company receives any internal complaint to a “managing agent,†a preservation letter from a potential party or attorney threatening future litigation, prelitigation correspondence, notice of an investigation by a governmental agency, subpoena or governmental request for information, or filing of an administrative charge. Once there is a “litigation situation,†the company has a duty under the amendments to take affirmative steps to suspend immediately all routine document destruction and to preserve all records, including electronic data and possibly metadata therein, that it knows or reasonably should know will be relevant to the action or reasonably calculated to lead to the discovery of admissible evidence.
To Retain or Not To Retain?
There are three reasons to retain data. First are the statutory guidelines (like tax laws, HIPAA, other laws/regulations) and financial institutions need to know how long to hold data for them, she said.
Second is the business need, Jackson said. This data could range from product warranties to legal contracts and documents, (some of which may or may not coincide with legal jurisdiction.) You have to know is the contract expiring and do you need to hold it because of a statute of limitations? Find out at least by state, the longest statute, and have it be the presumptive hold for business need.
Third reason to retain data is litigation hold, and Jackson noted, “Litigation is the longest of the three data types you’ll want to hold on to.â€
Advice Jackson offered on retention need determination, “One size does not fit all. You’ll need to do some really stringent research on what data you need to keep, for what reason, and for how long.†For example, a research and development area may need to hold their documents longer, or possibly another department wants to track statistics, she explained.