Although the media has extensively covered the former U.S. Secretary of State's use of a personal email account for government business, it has paid little attention to a report issued by the Department of State's Office of the Inspector General (OIG) on March 11, 2015. The report, Review of State Messaging and Archive Retrieval Toolset and Record Email, revealed widespread records management failures at the Department of State and the apparent causes of those failures. If similar practices were followed in a private business, they could lead to severe problems, both in compliance and in litigation.

The OIG report studied use of the State Department’s email archiving system (SMART), which went into operation in 2009 with the intent of facilitating the retention of official records. SMART is designed to capture record emails designated by the user and to allow them to be searched and retrieved. According to federal statutes, federal regulations, the Foreign Affairs Handbook, and other regulatory materials, items that contain information about “the organization, functions, policies, decisions, procedures, operations, or other activities of the Government” may be records subject to retention. Despite this broad definition, out of 1 billion emails generated in a given year, only 40,000 to 60,000 of those were preserved as official records. The OIG’s study also revealed that in the Washington, D.C. offices, the leading user of the system in 2013—four years after its institution—was actually Information Resource Management!

The OIG chalked up the poor numbers to several things: lack of central oversight, misunderstanding by personnel of archiving requirements, employee resistance to retrieval by others of the material, perceived sensitivity, and poor system design. Each of these presents a lesson for organizations using records management programs.

  1. Lack of central oversight. One of the key goals of records programs is to impose a uniform method of retaining material that has business or other value to an organization -- and to eliminate items that have outlived their usefulness. Where programs are not adequately supervised by management, even sophisticated records programs can devolve into chaos and spawn individual data hoards. Disorganization increases costs, both in the ordinary course of business and in litigation. Data hoarding by employees often defeats the prescribed retention periods and multiplies the amount of data that must be examined in litigation or an investigation. And where an organization’s employees exhibit inconsistent compliance with a records policy—one under-retaining, the next observing the policy, and the next over-retaining—litigation can turn away from substantive issues to discovery-on-discovery, which incurs additional costs and risks. Inconsistencies may also call into question an organization’s intent and lead to civil or criminal sanctions.
  2. Misunderstanding of archiving requirements. Many organizations have a nominal records retention policy, but when litigation or an investigation hits, potential witnesses frequently have only a dim recall of their company’s program or how it is supposed to work. A key aspect of effective records management is periodic refresher training that helps employees internalize the key concepts—and at a minimum to know to consult the company’s records policy. Refresher courses and requiring employees periodically to affirm their understanding of, and their observance of, your organization’s records policy can be effective tools for enhancing compliance.
  3. Perceived sensitivity and adequate security. The State Department’s records program was frustrated by employees’ perceptions that making the information retrievable would compromise operations. In pre-planning, this concern is easily addressed by creating security precautions and permissions groups that prevent sensitive information from leaving a workgroup prematurely. Whether by perception or reality, the failure to address sensitivity and security in an organization frequently leads to important data being stored on individual PCs and laptops – parts of the IT infrastructure that are at best outside backup methods and vulnerable to equipment failures. But storage on individual devices (particularly portable ones) also presents a serious data security risk, as was made evident by the Edward Snowden affair.
  4. Poor system design. Many organizations lavish attention on retention periods but neglect some fundamentals: how to identify a record, how to recognize the original, and how to classify particular documents. Employees must be able to rely on a good definition of a business record that needs to be retained, regardless of the format in which it is stored. Some problems arise where management simply makes assumptions about what records employees handle or employs a “top-down” view in which employees are left to fit particular types of records into categories that do not reflect the real-life function of documents. A good records program involves polling the company’s departments to determine actual records practices—and designing a process that employees can live with and respect.

In addition, several key functions of records policies are impeded when records programs are not correctly deployed. First and foremost, records programs are designed to reduce “clutter,” and when records are not correctly retained and organized, they fail of their intended purpose. Second, records programs are designed to eliminate data that no longer has a business purpose but could fuel litigation. Finally, records retention policies set the expectations of adversaries in litigation or investigations: if the policy says the company should have a document, and the company does not have it, then there could be problems. Likewise, if the policy says certain records should have been retired—but it comes out that employees have circumvented the policy and stashed them—then adversaries may attack the notion that there is a records policy at all. In many ways, having a poorly planned and executed records program can be worse than not having one at all.