A written, highly structured document and data management policy is increasingly vital to any private company. While the recently enacted Sarbanes-Oxley (SOX) rules promulgated by the Securities and Exchange Commission require such a written policy for public companies, there are ample reasons for private companies to also adopt a written document and data management policy.
Various statutes now require most companies, whether public, non-profit or private, to securely maintain written records in regard to certain aspects of their personnel information and business operations. Under the Health Insurance Portability and Accountability Act (HIPAA), for example, companies may be sued if a security breach or other mishap results in the unauthorized disclosure of medical records. The controversial Patriot Act requires disclosure to the federal government of certain customer data and can subject the disclosing company to a lawsuit if the customer was not sufficiently advised of the possibility of such disclosure. A proposed amendment to the federal Rules of Civil Procedure would require lawyers representing parties in litigation to discuss document management systems of their clients prior to any legal proceedings. Another proposed amendment to the federal Rules of Civil Procedure would provide a safe harbor for companies that lose information but have otherwise acted in good faith, precluding any sanctions for such information loss. Certain state laws, such as the California Online Privacy Protection Act of 2003, require website disclosure of privacy policies in regard to personally identifiable information (such as name, address, credit card number, social security number, email address, etc.), which should include a statement about the security procedures in place to protect such information.
Prudence also dictates that written records be maintained in the event of employee claims or litigation involving the company. Companies should also be vigilant in documenting incidents involving any inappropriate or improper behavior by an employee. Emails and instant messages are now often crucial in determining court cases. Employee emails are generally considered to be the property of the employer, and the company