by
Effective records management disciplines remain the major element in the development of successful electronic systems. In particular, electronic records need to be created, arranged, stored and retrieved so that they can meet the legal and regulatory demands placed on organisations. Electronic records are more vulnerable to distortion and loss. At the same time, they are more amenable to the legal discovery process than paper records. These were among the key messages from MER 2001, the Ninth National Conference on Managing Electronic Records held in Chicago from 24 – 26 September 2001.
More than 300 records managers, lawyers and information systems staff attended the conference organised by Cohasset Associates, the Chicago-based management consultants. The conference featured more than 30 speakers in 27 sessions Prof. Charles Nesson[1] of the Harvard Law School gave a keynote ‘performance’. John Jessen,[2] a leading expert on the gathering of electronic evidence for legal proceedings and a variety of other consultants, practitioners and vendors presented leading edge ideas and research, suggested approaches to particular problems or provided sound practical advice on introducing and sustaining electronic records management systems.
The events of 11 September inevitably affected the conference. Some delegates were unable or unwilling to travel. Many Federal employees were banned from flying. A short notice replacement was fielded for a speaker from the CIA who was, understandably, otherwise engaged. One presentation was delivered by a combination of a download from the Internet and a speakerphone link.[3]
In his keynote session, The Challenge of Legal, Professional and Operational Issues, which began the final day of the Conference, Professor Nesson presented a scenario. An employee had left Company A to join Company B, a major competitor, taking key company records and data – ‘the family jewels’ - with him on his laptop. Using a technique developed for his successful academic programme, he allocated roles to a panel of experts – a (real) judge, attorneys, records managers, systems managers, electronic evidence gatherers.
Prof. Nesson took the part of the CEOs of the respective companies. He interactively involved the panel to highlight the opportunities, difficulties and challenges facing those experts in balancing the needs and demands of their employers and clients in requesting, and defending, judicial action to retrieve the data. Key issues included:
w Presenting prima facie evidence of potential damage to Company A to convince the judge to issue a temporary restraining order (TRO) against Company B
w Dealing with the pressure at Company B to simply delete the offending records when they become aware of the action
w The difficulties of ensuring total deletion
w The impact on the personal privacy of the mobile employee and other members of his household of taking every PC from his home to identify the offending data and remove it
A number of other questions were raised:
w Did Company A have well-publicised policies controlling the copying of data from corporate systems for working at home and the personal use of corporate email?
w Should the judge notify Company B that the TRO request had been made, giving them time to take defensive action?
w Was it possible to target only files meeting agreed search criteria on the captured PCs, leaving other files untouched?
It was knockabout stuff with a serious purpose. Ultimately ‘corporate counsel’ for Company B ‘went home’. He felt unable to support his ‘CEO’s’ determination to seek and destroy the offending records and data. Immediately afterwards, his systems colleague discovered urgent problems forcing her to offer to ‘call [the CEO] back’ when he asked whether it would be possible to delete the relevant files ‘without trace’. I was left wondering, however, whether their counterparts would have been quite so principled in a real life situation?
Many of the detailed issues seemed strange from the UK’s less litigation conscious perspective. Nevertheless the key practical operating, evidential and technical principles apply to all common law jurisdictions. For those UK businesses operating in the US, it was a window on the process in which they are likely to become involved. In most international disputes, the US will almost certainly be the jurisdiction of choice.
John Jessen, in the Continuing Impact of ER, emphasised that while organisations could and should decide what constituted a record, the electronic discovery process would not stop there. It would target all data, including drafts and ‘hidden’ files. Judges and lawyers were becoming increasingly aware of the electronic environment but expertise was not universal. Judges had made apparently enlightened orders which demonstrated how little they knew. One judge agreed, for example, that it would be onerous for a defendant to make all its email records available to the plaintiff. He limited the order to the 13 years the plaintiff was employed, pre-dating the introduction of email into the company. Electronically aware lawyers were able to target their opponents’ electronic records and data effectively, while attempting to limit their own offerings to paper only.
Paper evidence produced from electronic records was necessarily incomplete. The extensive metadata associated with electronic files was missing. In the case of email, for example, any message created using Microsoft Exchange would have around 700 elements of metadata generated by the software and server associated with it. It would identify all recipients not just those in the printed message headers. The actual time of despatch from the server would appear, as opposed to the ‘time sent’ from the individual email account. Such factors might be vital in contract disputes or in complex frauds.
There was an additional need to take care. A judge had found derogatory remarks about himself when he applied the MS Word ‘track changes’ facility in an electronic submission. In a construction case, a recovered ‘delete this before submitting to the client’ note on a positive progress report had shown that the construction company knew that it couldn’t deliver the project on time. A client was able to use a ‘note’ hidden in an Excel spreadsheet, submitted by the design consultants as a statement of account, to prove that its new corporate logo had been produced originally for a previous client.
Electronic discovery and delivery was more cost effective than print out. A recent project had shown that recovering and delivering all relevant emails from a system electronically would be about five per cent of the cost of producing the same volume as paper print. The information recovered was also likely to be more accurate. The cost of legal analysis would be similarly reduced.
Law enforcement agencies, courts and regulators were increasingly treating electronic discovery as the norm. Organisations and their records managers should be prepared for the challenge this provided but recognise the benefits of a more effective process.
Earlier in the conference other speakers had addressed similar themes. Michael Prounis of Evidence Exchange, Inc. said that digital discovery was costing US business $13bn a year, more than computer security. He was introducing his company’s approach in Surviving the high-risk game of digital discovery. Despite this, digital discovery was ‘not on the radar screen of most businesses’. It was, he said, ‘the soft underbelly of corporate America’. It was a leadership issue and someone needed to accept responsibility.
Lance Urbas of Authentica Inc. emphasised how difficult it was for organisations to retain control of proprietary information once it had been transferred to someone else. His company’s method of encryption for email messages, involving single-use encryption keys held by a third party, ensured that only recipients with ‘digital rights’ would be able to access the contents of the message and attachments. They could not transfer those rights to an unauthorised third party by, for example, saving and forwarding a message.
Randy Kahn, of Pure Edge Solutions, Inc., an attorney specialising in electronic records, emphasised that proper discipline was a key issue in Building trustworthy e-records. It was important that the recording medium and associated process should be appropriate to the matter in hand. For example, while a voice mail message might nominally establish a valid contract, it was important to make it clear that a written – or at least more lasting - response was required. Trustworthy records required the ability to demonstrate the conscious management of storage, retention and control of the records created by the business. It was important, he said, to understand the records requirements of the various statutes and regulations. The demands of the regulators should be factored in when deciding how records are created and kept. Not having good records was not good business.
Managing only the content would mean that not everything electronic would be retained. It was necessary to try to re-create the ‘ 4 corners of the document’ which characterised the paper contract.[4] He introduced his five level Enforceable Transactions Maturity Model. This assessed five different levels of ‘progressive evidentiary weight’. The principle was the higher the risk or value of an action, the better the evidence needed.
Addressing more mainstream records issues, Laurie Fischer and Dick Fisher, two of Cohasset’s senior consultants stressed that where an organisation’s website was used to sell products or services the pages generated needed to be captured effectively and to become part of the official record keeping system. This was particularly true where an order might be placed or a contract established. Addressing the Issues and Challenges of Website Records as the opening session of the conference they accepted that the dynamic nature of a website might make this difficult. Web sites drew on a number of different live files which made the record particularly hard to pin down. Should the original pre web text be sufficient or should what the customer saw on the web page be the official record? They thought that both the original text and the web page should be retained as the context in which the transaction occurred. Any transaction or any contract generated through the live link should become part of the operating records of the business.
The nature of the relationship with live links to other sites should be fully understood. Records of transactions should be the responsibility of the third party. Process discipline was a core requirement. Additions and amendments to corporate websites should be part of a controlled process and should not be made ‘on the fly’. Those who saw the instant ‘updatability’ of the web page as a major plus would be upset, but it was essential to meet the requirements of regulators and of potential litigation. It might be impossible to get it absolutely right but demonstrating a sound business process would be a good start.
Sound policies and procedures for the management of electronic records provided the theme for a series of subsequent presentations by Cohasset consultants. Their core philosophy, similar to our own practice approach, was that all records should be managed to provide control of content, structure and context. This applied to electronic records to the same extent that it did to other formats. Carol Stainbrook, when discussing Applying Records Management Principles to Official Records, emphasised the need to ensure that the final form of the official record was properly distinguished and effectively managed. She identified six fundamental records management principles as the foundation of any approach. Records: should be retained because they were legally, historically and operationally necessary; could be found and accessed when needed; could be processed, read and used when found; could be interpreted within the context of the business; could be trusted; were destroyed appropriately in the regular course of business. Each principle produced particular challenges for electronic records. She also highlighted the need for unofficial records – drafts, earlier versions, etc. – to be controlled. In particular, they should be part of a retention programme to ensure prompt disposal. Given the size of the task, it was important to concentrate on the areas of greatest risk and to at least demonstrate awareness of those risks.
Organisations often suffered from ERM paralysis, according to Laurie Fischer. They were overwhelmed by the scale of the problem and so did nothing. They issued policy without procedures, installed document management systems with unreasonable expectations and without basic records management, replaced hardcopy records without planning for preservation of an electronic record or addressing the costs of migration and assumed that backing up the system was the equivalent of a records retention programme. She emphasised that information systems were not record keeping systems. A migration plan was essential. Operationally electronic records had limited physical control and lacked systematic intellectual management. They could be easily duplicated and instantaneously changed or updated.
She set out, in Electronic Records Management – a project checklist, the steps that needed to be taken to incorporate e-records into the RM programme. In addition to identifying and profiling electronic systems, doing records analysis and legal research, developing and implementing approved retention schedules and policies and procedures, she stressed the need for co-operation between the various stakeholders. An ERM project was not something that the records manager could handle alone. There was, though, a strong likelihood that they would need to drive the development process. She also suggested in inventorying electronic records, that electronic systems, electronic tools and electronic delivery mechanisms should be separately identified. This would help to distinguish between what was being generated and the way in which it was being done.
Dick Fisher subsequently supported this with A Checklist of Requirements for ERM which looked more closely at the technical and systems framework which was essential to a successful implementation.
The development of ERM software was being driven as much by the needs of venture capital as it was by the needs of records managers, according to research presented by Julie Gable of Gable Consulting. In A Look To The Future: The Factors Driving ERM Software she showed that the majority of software companies had used venture capital to fund the development of their business. Typically investors providing such funding had relatively short payback expectations. This encouraged the software companies to look for products which would provide that payback. The current focus, for example, was on email management software because there was a widespread perceived – and therefore profitable - demand for a workable solution.
Companies had to increase their level of marketing spend and change their marketing focus. Some of the early entrants into the market had changed their names to more closely identify them with their proprietary product. Provenance Systems[5], for example, had now become TruArc Inc. in line with TruArc® its new email management product. Importantly too, in other markets, venture capitalists had realised their cash by selling on their holdings to larger entities and the smaller suppliers had lost their identity, and their flexibility, as part of a wider grouping.
A relatively closed development loop existed in most of the companies. They developed new products and refined old ones, they said, in response to the comments and feed back from their existing customers. In Julie’s view, this effectively closed them off from others who might be thinking differently. It meant, for example, that the needs of creators and users of the records for topic-based retrieval had not been fully addressed. Records managers were more concerned with classifying and structuring the records to meet regulatory or evidential needs occurring down the line. The closed loop perpetuated this approach. A more flexible view of these different requirements was needed.[6]
Technology should not drive the enterprise electronic records and document management solution. The design of an ERMS should reflect the needs of different business areas while still facilitating document sharing across the enterprise, according to Karen Strong, President of Clarity Inc. Karen delivered her presentation, Enterprise Profiling: A Strategy for Enterprise Document and Records Management remotely as a download from an Internet site, and then answered questions on a speaker phone link. Karen identified records as a corporate asset which needed to be dealt with on an enterprise basis. However, each departmental application had its own requirements. Solutions were compartmentalised as a result. Enterprise profiling would facilitate a more effective approach. She described a method for collecting data from departments, by way of a web-based questionnaire, to build up a profile of the business. The model, which was then applied to the data, enabled the needs of a particular business area to be established and for relevant elements of the enterprise solution to be applied appropriately.
The key elements established within the model were workflow, repository, publishing, retention and security. By analysing the data it was possible to determine which of these should be applied in a particular business area. For example, a department handling repetitive transactions would need fewer elements of the programme than one dealing with more complex regulatory or control issues.
The client organisation must customise the model to suit its own needs. This was done by involving and consulting a representative group of stakeholders before the data collection process began. Identifying the best person(s) to ‘interview’ in each area was, as always, key to success. It ensured that the data collected was reliable and coherent. Collecting the data by web-based electronic questionnaire speeded up the analytical process. The raw data could be fed into the model with a minimum of human intervention. The model would then enable a suitable approach to be determined and implemented.[7]
Application Service Providers were unlikely to provide a viable alternative to in-house operations in developing compliant electronic records, Dr Charles Dollar concluded. Dr Dollar[8], an acknowledged expert in the development of electronic records systems and now a senior consultant with Cohasset, was looking at ASPs and Electronic Record Keeping Compliance.[9] There were undoubted cost benefits in the use of ASPs. This made them superficially attractive, particularly to the companies with less than 100 employees which made up the bulk of their customers. However, there were particular difficulties in applying the concept to electronic records management systems. To be compliant the system would need to capture electronic records, store and retain them, present them to users and preserve their integrity.
Many of the key elements would be foreign to ASPs or difficult to apply remotely. For example, it might be difficult to link all records together and to demonstrate that they had been generated (or destroyed) in the ordinary course of business and were contemporary with the relevant transaction. The concept of retention was not always well understood by the IT community.
Equally presenting evidence meant that originals should be reproduced ‘as created’. Presentation might be far into the future. The relevant search tools would have changed. The document attributes, including, for example, the signature might no longer be displayable. The data might not be re-workable because of system incompatibility. Microsoft as the dominant player in office products had done a pretty good job of making new versions backward compatible. Their view might change, however, as time moved on. By definition ASPs would update the software. A key element in compliant electronic records was maintaining integrity through such changes and demonstrating that nothing had been lost as records migrated between versions. His research on ASPs in the field showed that none covered all these elements satisfactorily. Even fewer employed all the technology tools needed to ensure compliance over the full range.[10]
In assessing the risk it was necessary to understand the core business and how critical electronic records were to the business. Could the business ‘afford to lose access to [its] electronic records'. How risky would the changeover be and was their a fall back position and exit strategy? A tightly drawn service level agreement (SLA) and proper understanding of the offering and the ASPs performance history and integrity would help to mitigate the risks. However, there was inevitably a mismatch between the essentially short-term focus of the ASP versus the potentially much longer timescale driving ERM. He was sceptical about the ability to develop a viable relationship.
Overall, this was a well-presented, thoughtfully structured and well-managed conference. The expertise and knowledge of speakers and the quality of their presentations was universally high. The supporting vendors were well chosen and their low-key approach tied in well with the tone of the conference. The coffee breaks, meals and networking receptions enabled delegates to meet in a relaxed way to discuss mutual challenges and to catch up on some of the applied solutions which have succeeded and, perhaps more importantly, failed.
And what abut the most important things? The downtown Chicago conference venue was excellent, as was the food at lunch. The ‘light’ refreshments provided at breakfast and at coffee breaks throughout the day were a delight and a constant temptation to those delegates with little will power. The receptions at the end of each day maintained the high standard set during the day. All in all, for this delegate at least, MER 2001 was great value.
[*] Inevitably, one of the frustrations of a multi-track conference is choosing between equally interesting alternatives running head to head as well as finding time to investigate the products and services offered by invited vendors and providers. These notes reflect those choices. However, delegates received comprehensive documentation for all sessions. CDs recording each of the sessions ‘as delivered’ will eventually support and supplement the printed notes. Reports on some of the other presentations of particular interest to UK records managers will appear in subsequent editions of the Bulletin.
[1] Prof. Nesson is William F Weld Professor of Law and Director of the
Berkman Center for Internet and Society at Harvard Law School. He is a specialist in evidence and most
recently co-edited Borders in Cyberspace:
Information Policy and the Global Information Infrastructure.
[2] John Jessen is Managing Director of Electronic Evidence Discovery,
Inc. and author of Defusing the time
bomb: A Practical Guide to Electronic Mail Issues
[3] I was one of only two delegates from outside North America. Other UK delegates who had originally registered cancelled.
[4] In strict legal terms nothing can be taken into account which is not contained within the agreed, and signed ‘4 corners of the document’. Hence the practice of signing or initialling each page of an agreement as well as at the end.
[5] The developers of Foremost, the first ERM product to achieve DoD 5015.2 certification in the US.
[6] I don’t share Julie’s view that records managers tend to classify by document type and users by subject. We would develop a file plan using key business functions and activities (not hierarchy or departments) as building blocks. The result looks very like her ‘user topic’ view. One of the great advantages of electronic over the paper records is being able to take several views of the same data from a single entry. We also use an approach to retention scheduling using a ‘records relating to [function/activity]’as the principal level of description and then, if necessary, dropping down to the precise records series for additional clarity.
[7] The method of delivery was an interesting use of the Internet to overcome travel problems. The whole presentation, audio and visual (with builds and automation), was downloaded from an intermediary’s website onto a laptop computer in the meeting room. It was then replayed to the conference audience. It was a timed PowerPoint presentation from a prepared script and apart from a couple of glitches, which meant restarting the spooling process, it went smoothly. How well did it work? On reflection, it suffered from the lack of real-time contact with the presenter and the consequent closed feedback loop. The presenter can’t read the reaction of the audience and adjust delivery to improve understanding. The audience has no ‘feel’ for the presenter and no focus for its attention which is distracted by ‘watching the technology work’. Allowing for these concerns, however, it was an innovative way of getting audience and speaker together at relatively short notice for an important and stimulating contribution
[8] Charles Dollar is the author of Authentic Electronic Records: Strategies for Long Term Access (Cohasset Associates Inc., Chicago 2000). He was an early pioneer of electronic records in the US National Archives and before joining Cohasset was also Associate Professor in the ground breaking Archives School of the University of British Columbia.
[9] The costs of keeping up with rapidly changing technology and software ‘versionitis’ encourage corporate organisations to look for others to shoulder some of the burden. This has led to the introduction of application service providers (ASPs) who host the relevant software on their machines and ‘rent’ it out to clients. The ASP is responsible for managing updates and delivering enhancements to the client.
[10] The elements he identified were Hash Digest, Digital Signature, Metadata/Audit trail, Records Repository, Technology Neutral Format, Media Renewal