With a robust electronic records retention system in place, companies could quickly answer such questions. However, industry observers note, few of the records-retention regulations enacted over the past decade have been strongly enforced, and most companies have done little to comply with them.
Analysts warn that the fallout from the Wall Street meltdown will quickly lead to stricter enforcement of existing laws - including the Sarbanes-Oxley Act, the Electronic Signatures in Global and National Commerce Act, the US Securities and Exchange Commission 's Rule 17A-4, and the Gramm-Leach-Bliley Act - and perhaps some new ones targeting the financial services industry.
At the same time, the US health care industry faces more scrutiny as it hastens to move to a national e-health system .
Today, only 10 to 15 percent of US corporations have electronic records retention systems in place, according to Gartner. "In terms of a good electronic records systems, I would say it's closer to zero," said Debra Logan, an analyst at the consulting firm.
"There will be an increase in regulations," predicted Hugo Torres, IT director at Great Florida Bank. "We've gotten wind of it. We'll be more heavily regulated than before."
Until two years ago, Torres said, it was common for four bank examiners to audit Great Florida Bank annually. Last year, as the crisis grew, 12 examiners inspected its records. Torres said he's bracing for even more auditors in 2009, as state and federal agencies scour every commercial and consumer loan to make sure that the banks performed adequate due diligence to determine the borrowers' ability to pay.
Logan said that stronger retention systems will also help companies to better defend themselves against legal action by disgruntled customers or employees.
"The amount of litigation that's going to be generated out of this Wall Street meltdown is going to be unbelievable. The regulators will be asking the banks what happened," Logan said. Lawsuits stemming from problems at government-backed mortgage finance companies Freddie Mac and Fannie Mae "will result in systemic change," she added.
Bill Savarino, a partner at Washington-based law firm Cohen, Mohr LLP and an expert in e-mail retention and other regulatory issues, said he expects that Congress will overreact to the Wall Street crisis and enact new legislation.
"I don't know if it's necessary," he said. "If they enforce the stuff they've got, we should be fine."
Savarino, who has been advising IT managers on data retention issues for the past seven years, said companies that are implementing retention systems today often do little more than keep data for 30, 60 or 90 days and then hit the delete button. In such cases, legacy documents are unavailable and it isn't possible to show trends over time, he noted.
"I do not subscribe to the 30-, 60-, 90-day policy. I think they are woefully inadequate, and I don't think they comply with most rules and regulations," Savarino said. "When regulators audit regularly and investigate regularly, that's when they're going to start discerning who's keeping e-mail and who's not. They just haven't been doing that on a regular basis."
Savarino said IT managers and corporate legal departments should take the following three steps to prepare for the coming oversight onslaught:
o Learn what the data retention laws require specific industries to do.
o Install packaged archival and retrieval tools, because it's too difficult to handle those tasks manually.
o Use outside legal advice.
"I know that sounds self-serving," Savarino acknowledged, "but outside lawyers can help companies figure out what the laws are and establish retention schedules and determine how to set up electronic archive 'buckets' to hold on to e-mail and documents."
Lawyers can also help set policies, procedures and parameters to deal with litigation holds, which require firms on notice of a potential lawsuit or government investigation to retain all potentially relevant electronic documents. Two years ago, Congress approved the Federal Rules of Civil Procedure, which set a baseline for which electronic documents must be retained and retrievable by corporate litigants in a court case.
Nonetheless, most companies "are standing there like deer in the headlights," Logan said.
"We have to have a more disciplined process for working with electronic records regulations," she said. "We need to have people in charge of managing information for the entire company. Today, everyone's expected to manage their own data."
As e-discovery pressures grow, companies and regulators must work together to determine which business documents are truly critical, Logan added. "People have to start throwing stuff away. It's not all precious," she said. "There needs to be some change to separate the wheat from the chaff."