Back in the paper age it was easy to keep track of documents. The expense of copying and sending reams of paper, plus the sheer bulk meant that companies had a much easier time keeping track of how many copies had been made of a particular record, where it was stored, who had access to it, and even when it was destroyed.
Today however, it is much more difficult. Disc drives hold thousands of gigabytes and are smaller than your thumb, and these, along with online storage and E-mail, have made it much easier to disseminate information. It has also made it much easier for the wrong people to get their hands on these records, and more difficult to keep track of whom has access.
U.S. courts have also realized the value of electronic documents. New rules regarding E-discovery, or electronic discovery, mean that it is more important than ever for a company to keep track of its documents, says Chris Mangano, vice president for sales and marketing for Mercadien Technologies in Hamilton. Mangano is the organizer for the firm’s “Lunch and Learn” series, which will present “E-Discovery: Understanding Your Risks,” a free workshop by Michelle Bennett on Wednesday, June 25, at 8:30 a.m. at Mercadien’s headquarters on Quakerbridge Road. For reservations call 609-689-2345.
Mangano has been an IT consultant in the investment industry since 1986, even before he graduated from college. “A friend’s father was in the industry and he saw the potential for using computers to help a company grow,” Mangano says. He graduated from Rider in 1990 with a degree in business administration and organizational behaviors. In the early 1990s he managed and ran an IT consulting group in partnership with a friend, Blase Salvatore. They sold the company in 2000, and Salvatore joined Mercadien. In 2005 Mangano had the opportunity to work with his friend again on a special project at Mercadien. The project eventually turned into a fulltime position.
The new rules of E-discovery mean that governance is the best way to reduce risk before a problem arises. “A company’s most important asset is information,” Mangano says. “Most companies have a lot of it and don’t do nearly enough to protect it. Governance requires not just a different set of skills in your organization, but also a different mindset. It also requires departments that have not been used to working together to think about collaboration in a whole new way.”
What is E-discovery? The term refers to any process in which electronic data is searched for, located, or obtained for use as evidence in a civil or criminal legal case. The new rules for E-discovery broaden the scope on the type of information that can be requested, as well as who may be questioned about that information. “A company should now be prepared to bring its human resources director, its CIO, or network managers to discovery,” says Mangano.
The nature of computer documents makes them particularly easy to search and investigate. Documents that would take hours or even days to be read as hard copy can be quickly and easily searched electronically. E-discovery can include both the search of a specific computer and its hard drive or it can be carried out online.
What can be searched? The courts have ruled that in that in E-discovery the term “document” can include a wide variety of materials including calendar files, images, audio files, websites, computer programs, E-mail, attachments, and documents. Even viruses and spyware can be investigated in E-discovery.
The nature of digital data is that it appears in many places, and so can be very difficult to destroy. A Word document for example, is first saved on the originator’s computer. It may then be attached to an E-mail and sent to other company employees for review, then sent out of the office to a client. The document can be saved on the hard drive of the computer of each person who opens that E-mail. Even if the document is killed on each computer where it has been opened and saved, an image of it may still exist on that computer’s hard drive. In addition, a company that uses online archiving for documents may have that Word document saved on its archives.
Also, digital data is almost impossible to completely destroy. If it gets into a network of computers the data can appear on multiple hard drives. Also, digital files, even if deleted, can be recovered. The only really dependable way to permanently delete data is to physically destroy all of the hard drives where it is found.
How to protect your company. The risk for non-compliance during an investigation is considerable, says Mangano, and includes substantial fines and penalties. Companies must put policies in place before a problem arises.
“Every company should have controls, policies, and procedures in place regarding data retention, data management, and protocol,” says Mangano. These policies must include not just how data is kept and secured, but also how and when it is destroyed. If data that is no longer available is requested during E-discovery a company must be able to show that it had a specific policy on how long that information was kept before it was destroyed.
These policies can be complex, and they often may be different for different departments in a company as well as different types of documents. For example, policies regarding employee records and company financial records must obviously follow state and federal laws. But a company should also create policies regarding in-house and out-of-company E-mail as well as other company documents.
“E-mail is now the most common form of communication, and a company must have controls on how E-mail documents and attachments are handled,” Mangano says. “Not only E-mail that is sent by employees, but E-mail and attachments that are received from other companies.” For example, if a sensitive document is received from another company, how is it kept? Is it streamed to an offsite retention facility? Or is it destroyed?
Another area to consider is how fast a company can locate old or archived information if it is needed. “How do you get something back ? Can you tell if something is missing? How secure is your information, physical or online? These are all issues a company needs to consider,” he says.
The best protection for a company is to come up with a policy for all of these issues, says Mangano. Even if that plan is incomplete, showing that you are working on developing a policy “can reduce your vulnerability” should you be asked for records by the courts.