Slashdot Mirror
Document Retention - How Long is Too Long?
darthtuttle asks: "With
the recent news of document destruction at Enron and the emails that have
been discovered in high profile cases such as MS -vs- DOJ document
retention seems to be a hot item right now. What document retention policies
do people have at their companies, and what steps do companies take to
make sure that documents are destroyed according to the policy when their
time is up so they don't come back to haunt the company later? Note: the
purpose of a document retention policy is not to keep documents, but to
make sure they get destroyed according to policy before someone outside
the company decides to use it against you. The big issues seems to be
backups and documents stored on peoples desktop/laptops. You don't
want those email server backup tapes from 2 years ago to be found, and
you don't want to find out that the CFO was saving -every- email they
ever got on their laptop."
Documents should be retained for the amount of time it takes to walk from your desk to the paper shredder.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
Many companies discourage archiving seemingly trivial things such as e-mail, which can bite in the butt later (Microsoft apparently didn't have such a policy during their recent litigation).
The sad part is that Microsoft technology makes archiving all too easy (Outlook/Exchange personal folder files, for instance). Even basic Internet POP/IMAP stuff is too easy.
One word: encrypt.
Vos teneo officium eram periculosus ut vos recipero is.
Depends on the document. Depends on the business. There is no one size fits all answer to this one. I know that in financial services, there are SEC mandated time frames for document retention as well as strict rules on how to dispose of documents as well.
this is getting old and so are you
blog
The company I contract to has a permanent retention policy. We have full backups back to the beginning of the existence of the company.
If companies have nothing to cover and nothing to hide, why should they be concerned about their deletion to begin with? Then again, I am sure paper memos are not kept forever, and if they can avoid lawsuits legally by deleting documents I would probably do the same in their position, as to not assist my prosecutors.
"I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
we can retain documents pretty much indefinitely. We have a scan system where we can take any paper files and convert them to .pdfs, and then either save them to the hard disk, put them on a floppy or ZIP disk, burn them to CD, or even use the tape drive (assuming someone can find a spare tape) to save things. It makes it pretty easy to hold onto any documents we might need, even considering the size of some of these things (50+ Mb .pdfs for a lot of them).
Now what it doesn't do is stop someone from deleting the things, because I don't think there are _any_ security protocols on the machine to even slow someone down from doing so. But I don't see anyone pulling an Enron on it any time soon.
Kierthos
Mr. Hu is not a ninja.
The standard required by the National Audit Office and the District Auditor is seven years. In the private sector I'm not sure if there's agreed standard but three years is common IME.
you shouldn't have any worries, so keep it as long as you like.
;-), it would be best to ask your legal representation. We here posting to you in response can only tell you what our companies do, and here is my response to that.
However, and from the sounds of things, someone there wants some info to go away
The company I work for does insurance claims. We have paper trails all the way back to the early 80's, and backups of EVERYTHING from around 95 on. The premise here is that if it is important then, chances are decent that it could be again someday.
hthal
Sent from your iPad.
Personally, I think that corps shouldn't be allowed to destroy documents for at least 3-5 years -- all they're doing is covering their sins. Enron's a good example; they're destroying the evidence that they knew they were perpetrating a fraud against their investors. Destruction of the documents could mean that, as usual, the little guys get screwed and assholes like Ken Lay walk due to lack of evidence.
Pretty disgusting.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
It'd be nice to think the reason noone uses your own emails or backups against you is because you haven't done anything illegal, not because you've destroyed all the evidence.
Hello, corporate America.
-Berj
since a customer has become very unhappy with us and their version of events makes us a real bad guy. Fortunately, I *do* have every e-mail we exchanged over the last two years, all the documents we delivered, their comments, the schedule material they generated, and other bits of dross and minutia. The timelines and copies of everything (now on CD) have become a gold mine to our counsel and may well help us come to some graceful agreement on the issues without ending up in arbitration.
Bill Gates is a communist -- he's just more equal than the rest of us.
Policy at former job was "shred everything past 30 days, unless you absolutely need it". Electronic mail was kept on server (IMAP), and policy was to not download mail from server (broken often by Palm users). Files were supposed to be kept on servers (Novell) as well--broken often by laptop users taking work home with them.
Something also to be aware of: internal newsfeeds. These were supposed to have a short half-life, but policy enforcement was lax here. Nothing terribly important happened there, but it could have been an issue (think netscape's "Bad Attitude/Really Bad Attitude").
This is a Fortune 500 company.
While this might not work for everyone, I NEVER delete an e-mail and I log all of my instant messages. My policy regarding destruction of data? If it can be used against you, don't write it. Document retention (and destruction) policies are cover-ups at best. Remember when those guys went driving around shooting people with paintballs and videotaped it? Rather than having them agree to erase the tape after X days, why make it in the first place. I don't destroy digital records of my life. Why not? I sure as hell wouldn't be stupid enough to record anything I'm ashamed of doing.
t'nera semordnilap
Being a consultant... i wrote a documentation for some clients on how to clear documents and clean up their mail in Outlook, Netscape or whatever mail program they use.
Also, if you go by my method... let them know how to clear their cache, history, cookies, temp files, etc...
At one company I worked for in the past... a guy was fired and I had to clear out all his files on his laptop for the next employee. It ended up the guy got fired for surfing pr0n sites at work, which leaves me this question to answer... who in the hell would go to pr0n sites at work???
"The ones who dont do anything are always the ones who try to pull you down" -- Henry Rollins
Why should corporations have privacy when they have the potential to ruin so many lives?
[o]_O
Seriously -- if you don't check with the legal types on what the information is and what it relates to, you could be legally liable for obstruction of justice/personal harm. The lecture I got on this turned my hair curly. Make the lawyers earn their money and break down what you can and can't destory, and when. If you've got any kind of assets to protect, this is a must.
-- q
Document retention as defined here is only an issue if the company behaves in a manner that could be construed to be illegal, unethical, embarrassing, etc. Such is not always the case.
At my company, management treats its email archive as an asset and requires us to save as much work-related email as we think is prudent. (Obviously we don't save every last piece of spam or "what are you doing for lunch" email.) Since it's a relatively small company the hardware requirements for this storage are not very high.
So far, I am not aware of any case where management has had cause to regret this policy.
If you destroy a document, then the other side makes a statement, it would be hard for you do show proof that the statement is false, because you destroyed your evidence.
Fight Spammers!
If you knowingly destroy evidence of a crime, even on someone else's orders, you've just committed Obstruction of Justice, and possibly Conspiracy to Obstruct Justice. Those are what all the Watergate conspriators went to jail for.
Best Slashdot Co
When violence rules the world outside / And the headlines make me want to cry / It's not the time to just keep quiet
In the military we would have to either use a multi-stage shredder or burn the documents into a nice fine ash. Having seen some of the shredders that these large companies use, i wonder why they even bother wasting their time. Don't they know that the documents can still be reassembled?
I guess information security isn't that big of an issue to them...
I know our HR department just keeps documents however long federal law requires they be kept. Operations people keep documents for up to 2 years, but that is at the request of our clients.
.pst file gets too large, we tell them we're going to burn it to CD and give them a copy for archival purposes. This is after they sort through what they may need to access, and what they just need to keep to satisfy our clients or cover their own butts.
As far as worrying about people keeping old email/files on their local PC/laptop, we are very adamant about telling people not to do that. Should something happen to Windows (as often does), and we should reload their system, they could lose a lot of stuff. Most people are pretty good about putting anything they want to keep on network drives, which we backup nightly. Those tapes are only kept for 2 weeks, then the tape is recycled. If their
It's easy to stand out when the general level of competence is so low.
My large organization is probably a lot like many others.
We have a fairly extensive policy for managing records that has been developed over decades in a world dominated by paper.
There has been some effort to extend those policies into the electronic arena as well.
But I think the sheer volume of electronic records is making the certain impracticalities of those policies show.
Things like having people periodically review material and decide what to keep and what to archive and what to destroy - this requires more human time than any reasonable person is willing to commit. And, if the corporation thinks about the real costs of having a live human review those e-documents, they'll probably come to the same conclusion.
And I won't even mention the complications of moss-covered media that has stuff on it that no one has really inventoried carefully.
I have 8mm tapes from 7-8 years ago that I haven't looked at. There's several GB of stuff on it, but even I couldn't tell you what it all is.
It's probably includes the 12 page document that Oliver North faxed to me about the impending Enron collapse that was initiated by the Whitewater deal. 8)
"Provided by the management for your protection."
I've been saving all of my emails since 1995. SLASHDOT!!!!!!!!!!!!!!!!!1
This merely shows the sad state of affairs our corporations have made for themselves. If a company operatates completely within the law there is no reason to worry about old documents coming back to haunt the business.
Looking at it from another point of view, all of those documents are automatically protected under copyright. Copyright is an agreement between creators and the public - the creator gets an exclusive right to use the work for a time but then it belongs to the public domain. All of those destroyed documents are a form of theft from the public!
Don't just complain - DO something about it!
Run your business honestly, and keep the docs forever to prove it!
The technical demands for electronic documents would seem to dictate some of this. For example, we've been converting from Netware/Groupwise/Win9x to Win2k/Exchange/Win2k here. It doesn't change word-type documents, but it does change the email system and the backup system.
Sometime today I plan to decomission the Netware backup system -- derack the equipment and potentially reuse it in some other location as soon as next week. This will make all of our old backup tapes unreadbale, as our Win2k backup system uses not just different software but different physical media -- I can't read DLT7000 on a LTO Ultrium tape drive. I *think* I can read an ArcServe tape on BE 8.6, but the files are backed up as Netware-compressed and can't be restored but to a netware server. Once we decomission our last netware server (within a few months), all of those tapes are worthless without the infrastructure to restore the data.
The email system again is another matter, I need even more infrastructure and software to manage it (presuming I can restore it). Netware administrator, Groupwise installed (client and server), and so on.
Even so, we don't even keep old backup tapes. We have a 5 week rotation (1 full per week with daily incrementals). I used to keep old tapes, but they were unreliable (especially the DATs) and the software isn't always available. We USED to keep them (1 full per month), but I found myself with a shitpile of tapes that needed storing and a big blank media bill.
Eventually word/powerpoint and other apps will obsolete themselves to where the data, even if you can read the media, isn't usable. I know that we purge our email system daily of older > 6 months emails and we chase after users to ditch old documents as server space gets tight.
I can't imagine the tech demands of constant archiving of everything. I'd need to give half of my budget to EMC just to try to stay ahead.
When asked by a secretary if she could destroy old documents that were just taking up space, Samuel Goldwyn, the movie mogul replied:
Go ahead but just make sure you make copies of everything first
I've been swashdotted -- Elmer Fudd
As far as I know, they can audit you back to 7 years, so you should keep documents back at least that far.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Companies that want to set a uniform policy
on how long company email messages should be
retained can get a lot of help from companies
like Omniva (formerly Disappearing Inc.).
You can use their tools to cause old messages
to be reliably destroyed after, say, one year.
Disclaimer: I am biased; I wrote part of their
keyserver.
IANAL but since the government can go back 7 years and re-audit you for income tax, I figure it is safe to use that as a guideline. I mean, if no one has bothered you about something for seven years, and it hasn't had any changes since then it probaly isn't used anyway. But thats just my opinion, the company I work for doesn't have a formal policy.
A lot of people have posted that as long as you are legit then you shouldn't have to worry but that is just naive. The truth is that a well trained lawyer can take any document and manipulate the information to fit their needs. Add to that information taken out of context can be given uneducated scrutiny by the press and the general public resulting in a disaster.
To me, the best policy is whatever your legal requirements are and that's it. Destroy everything else.
We keep hearing the "If you have nothing to hide, then you have nothing to worry about" argument in all media formats, especially slashdot. Shouldn't this apply to corporations and government agencies as well? The proper way for the Feds to handle Enron would have been to send in armed agents to sieze hard drives and filing cabinets, rather than give them months to destroy everything. The same policy should be applied to Cheney's handling of his dirty oil company dealings. The same should have been applied to the Reagan/Bush administration during the Iran/Contra days. This biased application of forceful seizure of evidence has our prisons full of private citizens while crooked pols and crooked execs stroll around in search of their next scam.
If you need a Document Retention policy for any reason other than reducing storage space, it's time to check your ethics.
"What is the sound of one belly slapping?"
I'm not overly big on honesty, but if you are concerned about destroying your documents so that the department of justice/whoever can't get ahold of them, then your company has problems. It will catch up to you eventually, regardless of the destruction of documentation.
Some of us don't have anything to hide, and so we don't have a pressing need to make sure documents get destroyed in a timely fashion. On the other hand, comprehensive records can be very useful at some point to prove that you don't have anything to hide.
One of the biggest reasons in the business world (other than CYA) to destroy documents is due to space requirements. Ten years worth of paper trail can easily take up a small warehouse. With the advent of computer based storage, though, it is much more practical to keep comprehensive records for much longer lengths of time.
"If English was good enough for Jesus, it's good enough for everyone else."
Isn't there something against making a policy just to ensure you destroy evidence after awhile?
If you prove that a company had evidence they didn't give you during discovery just because they destroyed them so they couldn't be asked for them later, isn't that illegal at all?
Any lawyers on this?
-
Yes, I'm gay. This makes my chances of finding a romantic mate who's as big a geek as I am roughly 48 times your own chances. Now who's stupid?
I'm surprised at the question though. Are companies really so worried about their business practices that they must destroy evidence in order to remove liability? I should imagine that internal auditors would be more effective at keeping a company out of trouble than any policy of document destruction.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
The problem is hard on many levels. For example, many small companies have the, "we have nothing to hide" attitude, because they're not able to think in terms of large business dealings where years of internal email could be dragged out into court and used out of context.
Once you convince a company that document "retention" is valuable, many managers will immediately declare themselves exempt because they feel that they will one day need that email from a vendor thanking them for buying the Widget 10,000 last week.
What I think the industry really needs is some kind of software that manages information archives in a way that lets people specifically call out information that needs to be preserved as annotation. In this way, you could keep all of the headers of all of the mail and all of the filenames of all of the documents on a fileserver, but only keep the annotations (which may include some key points from an original).
I know that I would find this more useful than the usual way that people annotate documents (named folders).
This is a tough one...how do you choose between covering your own ass and covering the ass of your company? Which one is more important to you?
------
Today's Top Deals
This is a non-discussion. Basically, the question is this:
"I'm making profit by breaking or flexing the law to such extent that my business would not survive the lighting in a courtroom. I know this is immoral. To further improve my profits, I wish to know what a good balance between keeping mails for reference and deleting mails for protection is. Do I keep compromising information for a few months? A year?"
Folks - give your worst advice possible.
Stop the brainwash
We keep stuff forever. We still have data on 9-track tapes that we used to use on a prime system. Slowly but slowly we're burning it to CD but at the rate we're going, CD will be a legacy format....
It all seems backward to me. Destroying documents to get rid of any evidence of accountability.. What's up with that?
Certainly, there's a lot of stuff that isn't bad, but it can be viewed as bad in the context of history.. Lawrence Lessig got in trouble when he was appointed as Special Master in the Microsoft case because of an e-mail he wrote regarding the ease of installation (or lack thereof) of Netscape versus Internet Explorer, and the trouble installing the software caused..
It was just a silly e-mail to a friend, but it got blown out of proportion.
On the other hand, there have been instances in the past of very important and incriminating documents being kept by employees who felt that twinge of conscience and decided they shouldn't go in the shredder.
Document retention policies, in my opinion, should be based around keeping `important' documents (however that is defined), and shredding the lesser ones, in order to save space. No need to keep the e-mail regarding today's lunch outing, but it's a good idea to keep that list of patients...
Much of your document retention policy must be based on the Statutes of your area. In many cases, documents are required to be kept for 2-7+ years as a record of business. For example, if memory serves, Ontario requires documents be kept for 7 years. Nevada requires 2 years for civil matters, and 4 years for contract law (most corporate documents).
While it may seem a good idea to delete email after but a few weeks, the record of your conversations can be a lifesaver in contract disputes, where verbal or emailed agreements outside of the contract documents are considered part of the contract. Depending on the court, and jurisdiction, email can be given the same weight as facsimile conversations.
Thats our main document retention policy. I don't know about code or specifications though.
"You can now flame me, I am full of love,"
As usual, everything in the universe eventually ends up hitting jwz at some point. This story (read: rant) is a perfect example on how something as trivial as non-company-related-email lists set up by a few employees can land them and the company in hot water.
"What document retention policies do people have at their companies, and what steps do companies take to make sure that documents are destroyed according to the policy when their time is up so they don't come back to haunt the company later?"
This issue has never occurred to me. I think it speaks volumes on the business and corporate climate in the world that this question is asked in this particular framing.
If a company is putting anything in writing that could come back and haunt them at a later date, then that company's behavior is unethical at the very least.
I do live in the real world, however, and realize that these things are the reality. I just think it sucks.
How about this: If one decides to put something damaging into writing, think again. I know advising against the activity in the first place is a lost cause, so just don't put it in writing.
Of course, lucky for those of us who believe in conducting ourselves based on ethical behavior, and the judeo-christian standard of 'do-unto-others' (this from an atheist), there are plenty of really foolish people in positions of power who will continue to document their wrongdoing.
I'm not sure who the hell recommended the Cooking the Books fiasco and shredding of documents. When I worked in the Dallas office I was under Audit (as a computer person) and when I went on the periodic Accounting Audit the major thing that they stressed was you are their for the shareholder/investor NOT the company, regardless of other consulting opportunities.
This mess that was created is a result of someone performing outside the scope/requirements of their job.
Andersen cannot be held responsible (even though they will) for the illegal acts of a few.
Arthur Andersen has some of the brightest employees of any company I have ever worked for/with. Too bad they don't pay you until you become a partner. (I'm thinking of leaving Andersen off my resume! lol j/k)
2
It depends on what the regulations say governing a particular record type.
DOL, IRS, DOT, OSHA, EPA, etc. all have their own requirements for record retention times.
Probably the best thing anyone/business can do is discern what these are and keep only these items along with any record that's pertinent after time. But fulfilling legal recordkeeping requirements should be the top priority in such a review.
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
There is a legal principle called spoliation, which is a $5 word for destroying evidence. You can find that the mere fact you destroyed something hurts much more than whatever was in the document would have hurt.
Laws affecting technology will always be bad until enough techies become lawyers.
The U.S Army uses a system called MARKS (Modern Army Recordkeeping System) which includes destruction procedures. Every record within the MARKS system is supposed to have a disposition which indicates when it is to be destroyed. The system is designed so that there is no ambiguity about when to destroy the file (e.g., "destroy 1 year after expiration"). Any half-awake clerk can follow the instructions.
Usually the person creating the document knows it's proper scope, and can specify the disposition. Then anyone who receives the file just follows the instructions.
Necessary for any similar system for private companies would be
1) publish guidelines/SOPs/regulations for dispositions
2) make sure document authors specify destruction dispositions on all documents
3) publish SOPs for regularly purging documents
4) auditing to make sure that destruction dispositions are followed
The best way would to be to have some automation in there -- document creation tools modified to automatically insert this information, automated purging, automated auditing. Otherwise you're just adding a lot of workload to people who probably don't give a flying f--- about document destruction.
Robotiq.com is heavily tested on animals
Theres always the Mission Impossible solution.
[Insert pithy quote here]
Any material relating to a crime must not be destroyed or you will be guilty of obstructing justice and other related crimes. This is true as long as the statute of limitations has not run out on the crime committed. Some crimes, such as murder, have no statute of limitations and therefore the materials relating to the crime can never be destroyed without committing another crime.
That being said, if the penalties for obstruction of justice are less than that of the crime being committed then of course it's a good idea to destroy them immediately. It's just not legal to.
So, if you commit a crime and it's minor then save the evidence until the statue of limitations is up. If it's a major crime then you will possibly get in less trouble if all the evidence is destroyed immediately. Just remember that crimes tend to be cumulative so, for example, you could be convicted of both robbery and obstruction of justice and get a longer jail time or more penalties than if you never destroyed the evidence.
Sapere aude!
After all you have nothing to hide, right?
And your mother's maiden name, while you're at it. And your home address, SSN, birth certificate.
Nothing to hide, right?
Oh, and that letter you wrote to your realtor telling him the absolute lowest price you would accept for the house you're selling. I'm in the market for a new house and I could really use that information.
Besides, you have nothing to hide.
Nope, no sig
First off, one of the poster's arguments is a bit flawed. The poster states that the purpose of a document retention policy isn't to ensure that the document is kept, but to ensure that it's destroyed before it could be used in court, etc. This is incorrect. A good document retention policy covers both of those scenarios, as well as several others.
There are several good reasons why a document must be retained for a certain (or indefinate) amount of time - including legal reasons. Many businesses - even entire industries such as banking, telecom, finance, insurance, etc - must keep some records indefinately. In some cases, documents may need to be kept for a certain minimum amount of time - say three years or seven years - before being destroyed. In cases such as these, it's to satisfy certain legal or industry requirements, after which the prime reason for destruction is usually the cost of retention.
And yes, retention does cost money. You have to factor in the cost of paper (acid free, for those docs that aren't stored electronically), storage (environmentally controlled), disaster recovery (in cases the storage site burns down), media (for those docs that are stored electronically) and hardware to read the media.
Like you said, however, there are also valid reasons to ensure that some documents are not retained. In particular, e-mails. My company, for example, has a document retention policy stating that e-mail servers are not backed up. E-mail older than 45 days is automatically deleted. You're not allowed to auto-copy incoming e-mail to an alternate location or mailbox, to ensure that copies are kept elsewhere.
At a past client, e-mail servers were torn down monthly, had replacement hard drives installed, and had the server software reinstalled from scratch - importing in e-mail that is less than 30 days old. The old hard drives were shipped off to a destruction facility (managed by the client). All old servers had all media removed and shipped to the same facility. Any server or PC that was repurposed also had media replaced - again, the old media shipped off for destruction.
The most important thing about any document retention policy, however, is due dilligence. In every scenario - whether ensuring the destruction of past e-mails, the retention of legally sensitive documents, or the security of those documents - a good policy should cover everything.
--
Welcome to the land of the easily amused...
Should your company or business suddenly find itself needing to shred lots of documents in a hurry, maybe it's time you started doing business differently.
are 90 days unless specified by law as longer.
We are provided with secured document destruction bins, and email is aggresively deleted, no archive on a corporate connected machine is safe from deletion.
On a mildly related topic, does anyone know of a cheap device for safely obliterating CD's? I can't believe there is not a 100$ device that can destroy a CD and allow the safe disposal of the remains.
don't want those email server backup tapes from 2 years ago to be found
If they're not being saved for a specific reason, then destroy them. Don't keep them locked up in a safe or any such nonsense. Put them inside a nice subwoofer to magnetize them. Put them under the wheels of the UPS truck. Or just light them on fire. As for saving emails, I would guess the only way to keep people from doing that would be to do a web-based email solution , provided there is no cache saved on the local machine. Maybe via a java applet that doesn't allow copy/paste.
At where I used to work, there was a annual "Document Day." Basically, it is used to 1) clean the office and get rid of junk 2) delete documents that have been over 12 months old or have already been dealt with. It may seem illegal, but this is common practice in large corporations and especially financial companies. We're not talking about shredding documents to hide evidence, but shredding documents so that it cannot be used against you at some point later on. Emails, that may seem quite innocent can later be turned around and used against you.
:-)
For example, let's just say that you had a friend working at a competitor company. One day you go out to lunch and plan this over email that you would wait for him in his lobby. Years later, you still have that email. Now your company is being sued for stealing proprietary technology from the other company and the people higher up claim that no employee of that company has ever entered the rival company. This email that you used to make plans could potentially be used against you and your company.
It's a crazy crazy world...
There was always a joke running around the office of how a technophobe manager would print out his emails so that he could shred them.
_______________________________
"I'm not Conceited...I'm just a realist..."
This is a GREAT ask slashdot question.
I should imagine that internal auditors would be more effective at keeping a company out of trouble
I am guessing you have never worked as an internal auditor or known someone who worked as an internal auditor. They don't typically review accounting policies. They are more procedure oriented.
Even if the internatl auditors did know about this problem, they would have just reported to the board of directors who most likely would have filed the report in the cabinet with the sharp cutting teeth.
Something I've wondered about, along these lines, is scanning documents (bills, etc.) into a computer as they're received. From that point, the paper copy could be thrown away if the electronic copy was sufficiently 'official'. It seems like the electronic documents would also be a lot easier to organize, sort, and retain. Possible legal issues have kept me from doing so.
-Mike
This begs the question: Why would a large company want to keep / destroy documents?
Why keep documents:
1. The company May need the data in the future. (who erases old source code?)
2. Legal & regulatory laws & rules. The SEC, IRS, FDA, etc... requires many companies need to keep certain documents (e.g. Tax returns) for a specified amount of time (usually 1n10 years)
Why destroy all old documents:
1. There are many many documents in a large company, all the e-mails, reports, memos, meeting minutes, etc... Not all of these documents are to the long term benefit of the company, even if the creator / reciever believes it to be. Without examining each document, the executives do not know what is benign and what is catastrophic.
2. Retaining documents can be expensive. A compnay of 100 people could fill multiple closets, a company of 10,000 could fill warehouses. Yes, imaging solutions exist but are not cheap. Office space is not free.
3. If a company destroys only selected, possibly damaging information, it appears suspicious. If a company has a policy and consistantly follows it to destroy all old documents (shred, delete, burn backups, etc...) then if old information is not available, it is because of the policy.
"Norton Wipe Info"
Actually anything that provides DoD standard wiping.
Make sure to have the program make at least ten FULL passes. Next step: shred the hard drive.
Linux'rs... don't forget that by default 'shred' may not actually 'delete' the files you are trying to get rid of. So if for example you've got "Enron Accounting Data - John look at this something is going down big at the company.txt" you may want to make sure it's deleted.
Btw, I've used Norton's Wipe Info to remove things such as accounting files if I ever sold the computer or hard drive. In the past version there was a "Send To" option, but now it's gone. Anyone know why that is? Also, after I bought System Works for 2002, I noticed that there is no longer a "Wipe Free Space" option in either Wipe Info or Speed Disk. What gives?
Get your Unix fortune now!
If the Enron or Arthur Andersen execs walk, I wouldn't be surprised to see a legal presumption of guilt when documents are shredded prematurely or despite an explicit and lawful order to retain them.
The theory is simple and precedence is well-established - if a cop sees you see him then bolt, that's grounds for a reasonable presumption that you're guilty of *something* and the cops can stop and question you. It's not enough to throw you in jail, but you can be stopped and questioned while the guy who didn't flinch walks.
Same thing here - if you're deleting records that the state says you need to keep for N months, the burden in civil court (which only requires a "preponderance" of evidence anyway - 51%) is on you to prove that those documents weren't "smoking gun" evidence in support of the plantiff's case, not on them to prove they were.
If you're deleting records despite a lawful order, you have to prove that the documents were not incrimidating and that it didn't constitute obstruction of justice or contempt of court.
Of course this is something that would have to be handled on a case-by-case basis already... but the courts already do this when deciding admissibility of evidence discrediting a witness. If somebody has been convicted of perjury, the jury should know it because it's reasonable to ask whether they're lying again. If somebody has been shredding documents when they shouldn't have been, that again directly challenges their credibility elsewhere.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Why on earth do we want to be considering the destruction of any document in this age of near infinite storage?
I mean, what if the government adopted this policy. What if instead of keeping old documents until they could be declassified the government went ahead and destroyed them? Would we tolerate it? Then why would we tolerate it from business that are for the most part just like little governments?
Paper copies I understand getting rid of. For some companies just a years worth of records fills a small warehouse. But storage space is just so darn cheap and optical media is perfectly suited for long term archiving.
What if thirty years from now (in a fictional paradise) Microsoft went out of business and then the document stores were "declassified". We would finally be able to see exactly what they knew or didn't know about their monopolistic practices. Shouldn't we want to know the inside story so like good little students of history we could either avoid or repeat it (depending on your point of view)?
Our government has done and continues to do some bad, bad things. I mean the CIA implanted a microphone and 20 pounds of batteries in a friggin cat in the hopes he would perch outside the KGB headquarters...radiation testing on humans, stuff like that. But companies can do things that are just as bad.
I think they should pass a law that requires companies to store copies of all documents in escrow with an independant third-part for as long as they are in business. After that, anyone who wants a copy should be able to get it. Of course, some of the stuff will be "classified". If Company B purchases Company A they don't want Company A's secret recipie for sale. Customer billing information would need to be kept secret. But eventually, after enough time, the information would be abandoned and then it should be returned to the public so they can have a full and complete knowledge of what was going on.
How are we going to understand how Enron got away with it for so long if we let the wolf guard the chicken coop?
- JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
There is evidence that people both at Enron and Anderson destroyed documents after being explicitly told by a judge not to destroy anything. I'm not suggesting that some new regulations might not be in order, but I always prefer to improve enforcement of existing regs before we start considering new ones.
Nope, no sig
Unless you're running your whole business, you shouldn't be making policy about document archiving--you should be implementing it. It's true that there might be technical issues (such as "how do we preseve (or destroy) documents on laptops in remote offices") but it's totally ass-backwards to make business decisions on these issues.
This may be a good policy when you have something to hide. In the IT world, in my experience (and the experience of most of my peers it seems), old e-mail has helped way more often than it hurts us. If you use e-mail to document conversations, meetings, etc., a lot of disputes get resolved pretty quickly when you pull out an old e-mail and say, "See, here's what you said." or "See, here's what we said we would do."
This doesn't happen if we have to print "important" e-mails. Why? Two reasons. First, you usually don't know a year or two in advance which e-mails are going to be important some day. We may generate a thousand messages plus over the course of a project. Most of them are routine, or are only of passing interest. Every once in a while, however, there will be a design decision (or more likely a design compromise) that one party has conveniently forgotten.
Conversely, if someone can show us that we did, in fact, agree to do something, then we will commit to doing it. Our memories are cloudy too, and we do believe in delivering what we said we would.
The second reason paper filing doesn't work for most of us is that it's extra work. Want to file an e-mail - drag it to a folder. Done. Need to file a paper document - remember to print it, interrupt whatever you're doing to leave your desk, find the right folder (if there's room in the cabinet), file it. If you're on the road, remember to go back later, once you're back in the office, and follow the steps above. This works OK if you're an executive with a secretary dedicated to such tasks. Around here, at least, that perk has become too expensive for all except the most senior management. And, even though paper filing doesn't take much effort for a single document, it is a lot of work for hundreds of e-mails, it requires filing space that is in short supply, and it requires a degree of discipline that most people don't seem to have. Finally, even if you have a good paper filing system, it's much easier to search electronic files quickly.
This is exactly why electronic files are so dangerous in litigation - if you can search them quickly, so can your adversary. By prohibiting them, however, you reduce productivity across the entire company and increase costs. I'm not convinced that the legal eagles balanced the immediate cost benefits against the possible future risk. They only consider the dark side.
On a related note, I know I just read an article (here?) about how electronic documents have a life of their own thanks to widespread forwarding. Your retention policies may be almost meaningless if your correspondants keep everything.
Here's why:
Finally there are required retention and documentation times for many industries as well as "best practices" by many professionial organizations and certifying bodies.
Don't ask here for information on those but rather your own corporate lawyers as well as run a memo through the various departments for their specific requirements.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Note: the purpose of a document retention policy is not to keep documents, but to make sure they get destroyed according to policy before someone outside the company decides to use it against you.
Isn't this a rather flawed viewpoint? If you need to go about destroying old documents relating to business practice because you could later be incriminated or otherwise held accountable to them then your business model is probably flawed somewhere.... If you were doing things right all along and you were holding yourself accountable for your mistakes then there should be no fear of your documentation. Any mistakes could be written off as R&D and framed as additional assets to the company since you now have additional recources in teh form of quantifiable knowledge/learned experience. Your 'mitakes' are you tax breaks as long as you keep it floating
Wake Up!
-shpoffo
Maybe I have nothing to hide. But I encrypt my documents because I don't care that my personal business is seen by others.
There are issues which were "legitimate" at the time, but later came back to haunt them. GE and the PCBs in the upper Hudson is one. Corning and silicon breast implants are another. Abestos. Lead based paints. Did these companies wish they hadn't destroyed all those documents from scientists saying their products/actions were safe? Or did they end up destroying the "bad" evidence for plausible deniability?
Business destroy documents for lots of reasons. I think it's mostly so CEOs can take a stand and have "plausible deniability" to protect their asses. Luckily, there are always backups somewhere that will come back to haunt them.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
I work for an insurance company (where unforseen legal issues have a risk of biting us), so I'll go AC for this post:
We maintain a standard GF-F-S backup rotation, with archives going back as much as 7 years, but with loss of granularity at various intervals. This covers all our servers (except e-mail). Claims documents are imaged and preserved forever - and policy records are also preserved forever (though not all imaged).
E-mail is handled differently - we maintain a single backup tape that is overwritten twice monthly and discarded annually. We're mainly concerned with disaster recovery on the e-mail system, since anything that we distribute via e-mail genrally originates as a document on the servers.
User hard drives are not backed up at all. If a machine gets toasted, we simply replace the PC. Anything critical is stored on the network.
Mainframe backups are another story entirely, and I don't know how that's handled - we have an outsourcer and it's managed by a different area of the company. We keep policy data and financial/billing data there. Historical data is on a Wintel-based SQL system and handled as part of the PC backup.
We do a full database backup at the end of the year, as well - those (and the Claims data) go off-site to an archival storage house, and are daily backups are rotated out to a nearby building.
How long to keep a doc.... depends on the doc. Financials and related materials should be kept for 7 + 3 years. The IRS can audit 7 years back, and request documents for support 10 years back. Corprate brain trust documents (like a copy of original trademark forms) should just plain be kept. The note to your secretary about lunch.. destroyed before the wife finds it.
Basically however the rules for maintaining paperwork have been around since Bob Cratchett was doing books for scrooge and before.... why oh why does anyone think that making them bits and bytes instead of pen and ink changes anything.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
This is a non issue: Save documents for the period of time dealing with the Statute of Limitations dealing in your area. I work for an architecture firm. We archive documents for 7 years on site, then move them off site for another 13 years. That way in 20 total years, our statute of limitations is over and we can do what we wnat with the documents.
Please email all complaints to root@127.0.0.1 and the issue will be dealt with in due time.
Just make sure to use a cross-cur shreader. I saw on the news last night folks were taping the enron papers back together. How's that for a crappy job?
JET Program: see Japan, meet intere
I used to work for a small Non-profit, and we kept stuff around 6-7 years. We'd throw out boxes and boxes and boxes of stuff every spring. We didn't really have anything to hide, but we just didn't have any more room in the basement, and we couldn't afford a storage space to house all the stuff.
I usualy just burn the building down.
" ... Enron ...
... dirty oil company dealings ...
... Iran/Contra ..."
... Cheney
... Reagan/Bush
Clinton! Whitewater!
Clinton! Chinese campaign financing!
Okay, move along, nothing to see here.
Nope, no sig
How about just not doing anything you have to hide?
You make it sound like criminal behaviour is necessary and therefore a good scheme for destroying documents regularly is necessary...
Is it just me or is the only thing that really is important here is that Enron was hiding illegal activities (ie. tax evasion, etc) from people? Isn't that less than honest?
The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin
Funny you don't mention Clinton, who was quite possibly the most corrupt president of the last century. Now who's biased?
Storing docs takes space. That takes more money. I know that If the company I'm at kept all the incidental bs we email, it would build up real fast. Not to mention, it's always easy to dig through and find "incriminating" statements... They aren't really, but spindoctors can make it look that way. Mac guys post MS sux, so do the linux folks. The IT guys say they are going to kill the creep who wrote a snoop program. A non-techie emails that MS will pay us money for their screwup (it was just a joke she was making to her friend). Etc. All BS, nothing but opinions, venting, jokes, and speculation. Every company I've been at has that. You should see how people jumped when one of my friends scripts for an RPG got mailed to the wrong person by mistake... Let's face it, most of the email should be destroyed. Maybe even all of it. But keeping it more than a short period is stupid no matter what. Isn't it cool how people looking to burn you always take things the wrong way...
Long enough reach the ground, I'd say
all large companies have policies about document retention. talk to the lawyers for yours and they'll tell you what it is.
"if you don't have anything to hide..."
geez, thats the stupidest shit i've ever heard.
There was once a company called unshredder.com which sold software for shredded document reassembly. They're gone now, and their domain name has been acquired by the Art of Hacking, which kept Unshredder's original blurb on its site (linked above). I'm sure the FBI and other forensic agencies have similar capabilities, so if they're not already working on reconstructing the Enron stuff, it's probably due to political corruption, though I'm hardly surprised. I found most of this stuff out while shopping for shredders a couple months ago--I ended up getting a Royal Orca CIA 12x at Office Max. See my review here if such things interest you.
If you aren't legally required to maintain records of every email/document/etc, then why SHOULD you? Do you recall the Netscape fiasco where Microsoft subpoenad the history of every email to an employee bitch newsgroup? In that case Netscape had no legal duty to maintain backups and records of every posting, but because they made the mistake of not deleting them frequently suddenly they were required to provide them and were then barred from destroying them: It's an odd circumstance when you don't legally have to archive information, but if someone asks for it then suddenly it's legally protected and you have to defend and explain the context of every message, every word, etc, and of course everyone says something now and then that can be taken out of context (or alternately that they said in the heat of passion but backed down from).
Destroying old information quite simply removes the liability that it potentially represents, even if there is absolutely nothing indicting in it. It can also protect freedoms: Websites aren't legally required to keep IP logs, but if they DO then those IP logs can be subpoenad.
Maybe it sounds naive or simplistic, but I'm actually an honest person who doesn't break the law. This precludes any need I might have for a strategy to destroy possible evidence or enact a policy to organize such actions.
You don't need to destroy documents if you don't have something to hide.
-Rick
For further information on RM, here's a white paper on electronic document management, and a powerpoint presentation on records management and DOD certification.
Finally, I suggest consulting the U.S. National Archives for formal guidance, or in Canada the National Archives of Canada.
That's why honest companies save the context!
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Fire anyone that does anything unethical enough that you'd worry about their email being archived. Produce documentation to judge, showing termination of such employees as soon as it comes to your attention that they were doing these things. Don't worry about electronic paper-shredding again.
All of our stuff is originated electronically, and we have a policy of retaining backups forever (well, for as long as the media will survive, anyway), right the way back to day one.
You really have to wonder about companies who have a policy of destroying old data - just what the hell kind of illegalities are they involved with that they have to do this?!?!
People should not be afraid of their governments - Governments should be afraid of their people.
Of course it all reads like legalese so here are a couple of key points:
And
42 - So long and thanks for all the fish.
I work for a major computer corporation, big enough that they have their own Slashdot icon when a story about them comes up.
Looking briefly at our legal department's document retention information page, (the "Pack Rat Guidelines") I see that you are only supposed to keep "critical business documents for which you have a continuing business need". Generally, most documents are considered to be obsolete when superceded by a new version of the same document, the project is completed, or the document is more than one year old. Of course, there are plenty of exceptions to this rule.
But if you're not doing anything wrong, why not keep everything forever?
Even being sued and winning is expensive, and often times ideas get kicked around that are later shot down for legal reasons, and it's just as well that nobody know that the idea was considered. Also, things can be taken out of context, misinterpreted, or otherwise used against you.
Perhaps this is a minority viewpoint, but it seems to me that if you aren't breaking the law, aren't doing anything unethical, and aren't lying in your electronic communications, you can keep your documents forever and see that as a good thing.
I always had the idea this website was about bringing freedom to all information (wasn't that a quote from RMS or so?).
Old email conversations might prove to be negative in certain cases, however they also might prove to be positive. If the other side of the court room only shows their part of an email thread, you probably want to have that old backup right in front of you.
Bottom line: this only matters when you have more to loose than to gain from certain possible pending allegations. In other words: when you brake the law more often than live by it. What's your company policy? In Microsoft's case it must be: "what monopoly laws? Just tie all these things together!"
Or bottom line 2: just delete all electronic references to illegal activities as soon as possible (what, did I say delete? no wipe them out, zero them out or never type these things electronically anyways).
>3. If a company destroys only selected, possibly damaging information, it appears suspicious. If a company has a policy and consistantly follows it to destroy all old documents (shred, delete, burn backups, etc...) then if old information is not available, it is because of the policy.
:)
Why not just make it policy to destroy incriminating evidence, then? You can always tell the judge you did it because of company policy then, right?
Well, it turns out that you have an employee that sent a seemingly innocent comment to his friend at such a company ...
... "
You don't even need that much of a "real" issue for this to become an expensive litigation. I once worked for a law firm. (IANAL, no sensitive info coming out here) We represented one of the parties in a patent infringement suit. Just documenting and sorting the contents of a couple of dozen employees' hard drives -- in order to determine what needed to be provided in the discovery phase -- took a team of three people over a week. If you end up in litigation, someone has to go through everything to see what is covered under "all documents or materials relating to
Nope, no sig
Fight Spammers!
Sure, shredding/deleting documents can prevent them from being used against you, but it also prevents you from using them in your defense (or as evidence against someone else).
I saw one or two comments saying you should retain stuff for 7 years. Thay's what the IRS suggest's (and has a right going back that far too). Also, back when registers used to have a paper journal tape instead of a magnetic means of storing a journal, the company my mom worked for had to keep them for seven years (had a box for every year....it was a small store, so no big deal). Where I work, we seem to need new file rooms once every 2 years. The idiots running the department in question or the feds make them do it even though we have everything back to almost day one on the mainframe. What is a electronic record no good?
Here, in our department (IT at my place of work), we archive everything, but not for reasons you'd think. Almost all reports are archived just in case someone looses their report. You heard it right....LOOSING a report! Sometimes it's even important stuff that get's lost, thrown away or shredded. We had to beg to get a shredder just so we can make sure we shred the jams that have readable data on it. It's important to archive but it's also just as important to make sure that when a report needs shredded, or disposed of, that it's done in a fairly secure manner (burning is best....shreds can be taped if desparate enough....).
Gorkman
I once worked for a firm that had to turn over 1.5+ years of all R&D + financial records -- for an indeterminant period of time.
The cost of assembling those records was huge.
The idea of going months or years without them was impossible, which lead to the additional cost of copying them.
After that experience, I have reviewed my files once per year. If I really need it, I keep it.
If I don't really need it, it gets tossed.
It is not a question of hiding things. It is a question of avoiding a bigger burden down the line.
If I worked for a company with such a policy I would save off-site copies of all documents I sent or received. They would come in handy when things started to come apart and the suits started looking for scapegoats.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
True with respect to what internal auditing actually does. Personally, I've had more problems with document destruction by people who "just needed the storage space" on documents that I needed to defend them than the current debacle of "Andersening documents".
If you think deeply enough, you will have no single direction for your outrage.
The Penguin said it best:
A lot of tape and a little patience make all the difference. - Penguin (Batman Returns)
There's a reason why you need to have these policies, even if you're company is doing nothing wrong. Let's say you're company is sued somewhere down the line, and the court or the lawyers issue a subpoena for all information relating to Company B, which you've had a long-standing relationship with. You need to hand over ALL YOUR DATA. Do you know where all the e-mails you ever sent to the company over the past ten years are? Are there old backup tapes in the closet that you can't read because you don't have the equipment? Well, that's too bad, because if you don't hand over ALL THE DATA, it could look like you're hiding something, and get you (and the company) in hot water. Besides, let's say you're the SysAdmin that has to recover ten years' worth of back E-mails and find all the ones that are relevant, knowing your job may be on the line if you mess up. Not fun, huh?
So, you decide to get rid of data that's really old and no longer relevant. But how do you determine that? How would it look if you got rid of all your old data on an arbitrary date, only to get the subpoena the next day? You wouldn't look much better.
What these policies do set up "Any documents of any type that are older than xxx days get destroyed", regardless of their source. This is looked at much more kindly by the authorities, because it is a policy that is set up in advance, with no prior knowledge of any pending actions. And when you only turn over xxx days of documents, your lawyers can say "We've had this policy in effect for the past y years", it doesn't look as suspicious.
My problem is that, as an engineer, I'm supposed to keep documents past the retention limit (perfect example : patent applications and design information that take years to process.) However, our fscking Notes server is set up to delete ALL e-mails after xxx days, no matter what the source! And I found out the hard way that filing E-mails in folders on the server doesn't do squat, because those are cleaned out too! I have to manually lenghten the retention deadline on EVERY SINGLE DOCUMENT I need to have saved. (Or, save it off of the Notes servers. Not that I've ever done that...) ;)
Yeah, it's a PITA, but it's the price we pay for living in America, land of the Subpoena and home of the Class-Action Lawsuits!
If you keep your behavior above reproach then many of the problems become moot.
In a society that presumes innocence, you shouldn't even need to provide counter-examples. But here goes: docs are expensive to store and extremely expensive to retrieve and review even if totally innocent or even exculpatory. Docs are often requested for a fishing expedition unrelated to the complaint. Docs can be misread and misused by attorneys who are by definition extremely partisan.
"Keep everything with a dollar amount on it" is wise for personal use; I would guess that it would be wise for business as well.
There are problems you can get into retaining documents, but depending on your industry, you can get into worse problems destroying documents.
For example - a software problem results in death, property destruction, or something else bad 10 years after the software was implemented. Your company wants to show they were duly dilligent in designing and testing the software.
No documents saved - The company can show nothing. Company is in serious legal trouble.
All documents saved - If the company was dilligent, they should be able to show it. If not, well, they don't lose much.
Some documents saved - Could be serious trouble if someone finds a document showing or even remembers and testifies that the issue was raised up before, but there is no documentation of what was fixed, how it was fixed, or how the fix was justified.
Plus, you have to assume that all communications with a customer or contractor have been kept, especially if they were transmitted electronically, and realize under some circomstances destroying that same document on your end could be considered suspicious.
from a engineering meeting held in a very old us company that made machine tools where the installation of operator guards was discussed on some type of press they agreed to do it and someone mentioned that if the guards were removed later serious injury could result to the operator.
fast forward to 1985, the press made back in 1937 is still in use at some rundown plant staffed with illegal mexicans, it has not had any decent maintenance in decades and of course all the operator guards were removed to speed up production several owners ago.
some guy puts his hands in the danger zone and the press gets him.
the original company that made the press 48 years ago gets bagged on the grounds that they knew it was a dangerous machine that's why they mounted operator guards on it... the fact that persons unknown decades later removed those guards and no one trained the illegals on safe operation of this old rundown press was beside the point...
being an old family run company, they had records dating back to the founding apparently they never threw anything away and minutes from a 1937 meeting ended up costing them a couple of millions of $.
if the law or regulatory agency does not explictly require you keep the stuff, shred it as soon as you can, wipe the backup tapes as soon as possible and keep only the stuff you have to, the shortest time permitted.
reimage the corp laptops every 6 months to prevent packrat ceo's from keeping every email and their kids who use it at home to surf p0rn sites when dad isn't watching...
"...can you imagine a BEOWULF CLUSTER of these? That'd be some serious power!"
Considering the mindlessly litigious nature in which business in the US operate, a data control policy is absolutely necessary and in no way reflects the ethics of the organization in question.
There's another side to this too, kids. As someone who does expert testimony in cases involving data stored on personal computers, I can tell you that every individual also has a need for data control measures. Every one of us needs to shred documents, delete files, and scrub file slack space and "empty" space on our disks. Windoze users should also scrub out their swapfiles.
These are realities imposed upon us by the nanny state, which has grown a lot bigger since 9/11.
Just because you're paranoid doesn't mean they're not out to get you.
Even if you and everyone who works for your company is a Good Guy, there are still reasons you may want to destroy older documents that you're not legally required to keep. You might have an unscrupulous customer or competitor or even employee who decides it would be fun to sue you for some crap. Guess what: Suddenly every e-mail written inside the company, ever, is on display for everyone to see. And those things can be taken out of context. The kind of hyped language that, say, sales guys like to use can easily be interpreted the wrong way. Maybe somebody sends out an e-mail that says "I want you all to do whatever it takes to beat the competition and sell this customer! I mean it, no limits, whatever it takes!" Now, maybe that is evidence that the e-mail writer is condoning corrupt and/or illegal activities. Or maybe it's just typical motivational rah-rah. But your opponent's lawyers would probably have lots of fun with it.
That's just one dumb example, but my point is this: Just because you and your company have righteousness on your side doesn't mean your lives can't be made miserable.
"Biped! Good cranial development. Evidently considerable human ancestry."
Retain nothing, and enact all corporate strategy completely at random, in total ignorance of past history.
It's what you're doing anyway, right?
there. We were all on Exchange Servers so email retention went like this. Anything in the Inbox was deleted in 30 days. Any messages saved in other folders was deleted in one year regardless. You did have the option of saving off to your hard drive but PST files were a no-no. In addition, no external storage devices could be used without a senior VPs approval and an act of Congress. As far as when things started hitting the fan, we were inundated with emails to send any conversations, voice mails, correspondence, etc to the legal counsel's office. Of course, I'm sure that was taken care of in a very professional and ethical manner. So these days I apply for jobs and read slashdot and watch the Enron blaze grow larger and hotter. Al Sharpton was in yesterday, Jesse Jackson will be speaking tomorrow! Oh boy, the circus has come to Houston and it looks like its going to stay awhile.
HT
Stenography is what the court reporter is up to when s/he's throttling that little plastic box whenever someone's talking.
Steganography is the practice of hiding data in other data, which is what you appear to want to be talking about.
Hope that helps. Have a nice day.
My personal philosophy is to save anything that could save my rear (someone ordering me to do something that I may not think is right as well as my documented objection) and be careful to remove anything that could be used against me. I would expect that many would think this way.
Help Brendan pay off his student loans
Depending on the industry the company is working in, there could be regulatory mandates that could clearly state that you should keep your backups for an X number of years.
Some companies can't just stablish a policy to delete stuff to avoid nasty incidents later because they are lagaly prevented to do so.
IANAL but write like a drunk one.
Why would you need to destroy documents, if you're not doing anything wrong?
If you're sued, all your records on the topic can be subpoenaed. If you've never destroyed anything, you have to provide it all to the attorneys of the people suing you. Usually in hard copy.
The time and money it can take to do this, if you haven't been deleting anything, can be immense. It can run literally into the tens of millions of dollars and thousands of person-hours. On the other hand, if you've been deleting old documents regularly, you don't have that much to produce in the first place.
Never take moderation advice from sigs, including this one.
Companies do this not just to avoid legal attacks and misconstrued evidence. They also implement document retention policies to save money.
If I sue ABC company for sexual discrimination, the court may mandate a discovery process. During this discovery process, I can tell ABC Corp that I want all of their email that pertains to hiring/firing decisions for the past 5 years (for example). So far, so good.
This gets difficult if ABC corp switched from Netware to Windows two years ago and switched backup software at the same time. The process of recovering and reviewing that older information can quickly become time consuming and expensive, costing into the hundreds of thousands of dollars.
If ABC Corp has a document retention policy that says "We keep backups of email only for 6 months," then they don't have to worry about that older stuff and the potential cost of having to recover it when a lawyer goes on a fishing expedition.
Your sig:
Don't blame me, I voted for Nader.
My post is so off-topic that it's not even funny, but I have a bone to pick with you about your sig.
The tone of your sig suggests that Bush is screwing up. Maybe. But that means that the only people that would be "blaming" anyone would be people who didn't vote for him (e.g. Gore voters). However, your voting for Nader is quite possibly the reason that Gore isn't president. Therefore, if the Gore voters should be blaming anyone, it should be you.
Note: I am so embarrased that I actually wrote a post entirely about someone else's sig that I am posting this anonymously.
I work in the brokerage industry. We are required to keep all investor / broker communications a minimum of 6 years.
IANAL - If you write a policy, post it, email it, and get people to sign off on it and DON'T enforce it you're not going to be free of liability. Not enforcing it is not following due diligence and affords no more protection than not having a policy to begin with.
Shredding is a first step that is supposed to make it easier to thoroughly burn the document as the next step.
The firm is essentially a bunch of small firms made into one. The partners (LLP) are the owners of the company and have control over their clients. If I'm a partner in LA or NY why should what a partner in Houston does affect me. I agree there should be better auditing but as the Enron debacle has shown that would be insufficient.
The last time I worked at a company big enough to worry about this kind of stuff we had several policies on retention based on what the data was. Alas, I didn't find out how important it was to follow these policies until a bunch of stuff got subpoenaed. I hadn't been able to bring myself to expire a bunch of internal newsgroup stuff and well, it was bad. Not that we were doing anything illegal, quite the opposite...
So don't think it can't happen to you. Seriously. These policies exist for good reason.
Anyway, our policies. Source code was archived forever. Period. Financial data was kept to the letter of SEC regs as long as we had to keep it and no longer. Mail backups were recycled monthly.
Employees were strongly encouraged to delete mail after 30 days, but it wasn't enforced technologically. I think the rule was universally ignored.
Frankly, a lot of what the policies do is set up plausible deniability if the subpoena comes and the documents aren't to be found...
...and anyway, even if every single document being passed around your company is completely kosher and totally legal and can in no way be manipulated against your company in court, that doesn't mean that it *can't* be manipulated against your company in the marketplace, by other companies, many of which may be evil.
-Legion
"You are welcome to my email, but I wrote it all in old proprietary Microsoft formats, and we can't figure out how to read it."
Works just great unless the opposing lawyers are familiar with the "strings" command, in which case you countersue for DMCA violations.
Cheers,
Ben
The large corporation I work for's guidelines on intellectual property matters ("Prove to the court that the development work you did in 1986 led through uninterupted effort to the patent filing in 1993 which issued in 1997 which we're suing for infringement in 2002") are essentially infinite. I have bound laboratory notebooks, with some pages signed by witnesses, going back to 1983. I suspect that many of the old-school R&D companies (Bell Labs, IBM, Motorola) have records going back more than 50 years. I saw an exhibit at the Smithsonian back in the 80s that included bound lab notebooks borrowed from AT&T that had entries dated in the 1890s.
She keeps them with the Rose Law Firm and Waterwater records, so I'm sure they'll never come back to haunt me.
Once a document has been created, especially in an electronic form, you never can truely get rid of it, someone always seems to have a copy somewhere, someplace. I have taught several companies this.
The rule is simple, don't create documents that could cause your company problems if you aren't prepared to deal with those problems. Training people to do that is much harder however, too many folks create documents to CYA, and then end up getting said A fried because they wrote it down when they should have just shut up.
I'm guessing that someone (like M$) will try to include some sort of sender-defined document expiration in their next E-Mail client release. A similar feature already exists in many commercial E-Mail servers. The concept would work much like Digital Rights Management.
Internal corespondence will already adhere to the policy, and as other companies make policies that use this type of DRM, you will be covered there as well.
As a type of DRM, there could also be other features of this. For example, if you end relations with an organization, all of your E-Mails are automatically expired.
For a large company, a document retention and destruction policy is a necessity, specifically for legal reasons, but not for the reasons you're assuming. Every large company develops huge masses of information, and most of them back up that data to protect against short term loss. However, most companies don't want to keep it forever, so they destroy the old stuff to reduce storage needs, cut down on administrative costs associated with maintaining the records and protect against industrial espionage. The problem lies when the company comes under examination for a lawsuit. If there's a well described and religiously followed document retention policy in place, the court has no reasonable expectation that the company will still have documents that the policy marked for destruction. If on the other hand there is no real policy (or it's badly enforced) this opens up an avenue for liability wherein the corporate controllers say "we don't have documents X or Y because they were destroyed" and the judge then assumes they did it to hide something (and punishes accordingly) or assumes they're lying (and punishes accordingly). Also, when the prosecution or plaintiff asks for certain documents, the policy can limit the scope of the request so that your IT team isn't spending untold hours digging up archived stuff to turn over in satisfaction of a subpoena.
You should be careful not to fall into the logical trap that document destruction is only useful if you have something to hide. In this very litigious society, it's rarely that simple.
Virg
There are plenty of ways to get a law suit brought against your business without breaking a single law. People being suits against a company and just the cost of cooperating with the other guys discovery requests can be enormous.
Plus, did you think of the disk space requirements it takes to keep everything forever? Things need to be deleted in order to reduce IT infrastructure costs.
If you successfully do this and convince the person to lose their email, you're very good indeed.
The reality of it all is that the first thing anyone asks when you come in to reimage their machine is, "But what about my email? Will I still have it after this?" and get very upset if you say no.
Great intentions, but unfortunately a very tough sell.
--
Me spell chucker work grate. Need grandma chicken.
if you have documents that will cause great damage to you and your company in court and people will go to prison and the penalty for shredding documents even after the court has directed all shredding stop to preserve evidence is substantially less [which it probably is in the the enron case and most other great scandals] you'd be a fool not to keep shredding until the very moment the us marshals pry your hot sweaty fingers away from the shredder and handcuff you...
"...can you imagine a BEOWULF CLUSTER of these? That'd be some serious power!"
For an example of what can happen to you even if you haven't done anything wrong, go look here at what happened to Jamie Zawinski. During their monopoly trial, Microsoft subpoenaed the contents of the bad-attitude and really-bad-attitude internal blow-off-steam newsgroups at Netscape. I never heard of anything that came up in court as a result of it, but the privacy of the users of that list was violated, big-time.
To a Lisp hacker, XML is S-expressions in drag.
What we need is for some judge to rule that a company which has a document destruction policy for reasons of preventing discovery shall, as sanction, have the burden of proof reversed, in regards to some serious allegation made by some plaintiff suing a large company.
The way this question is posed sort of riles my feathers. Why? Because this question, and a lot of replies to it, give a lot of thought to how to *hide the bad things you are doing* instead of doing what's right. If you have a problem with your company doing lots of immoral or unethical things, you should work to have them stop doing those things, not simply come up with a better document retention policy so they don't get caught.
There are good reasons for a document retention policy. A big one is simply space. After about 5 years, documents tend to take up LOTS of disk space. They also become harder to search through, and thus harder to find things in when you need to. For user interface reasons, and technical reasons, many companies should have a document retention policy. But to have one mainly because the company is screwing over everyone else is a horrible idea. Get some moral backbone and simply do the right thing for once. Then you don't need to hide or make excuses.
You guys are all focusing on the "Don't do anything wrong, and don't worry" attitude. There are many "good" companies out there with "bad" employees. Sometimes these employees can send email that may make the company liable.
Example: Sexual Harrasement. Bob and Sue get along great together. They always joke about sexual stuff and one day Bob sends Sue an explicit joke via email. Another day Sue gets fired and sues the company for sexual harrasement as a way to get back at them. Since it was consenting, there is NO real harrasement there. They supena the emails, and BAMN she gets a chunk of cash.
Or another reason: Say a "bad" company sues the "good" company. They supena ALL the "good" company's emails. Would the "good" company really want company secrets from years ago getting out?
Email is such an informal medium, but it's treated like any other written medium. It's real easy to accidently be liable in email.
That's just moronic. They either had REALLY shitty lawyers, or a REALLY shitty judge, in which case they should have won on appeal. If they didn't, then it must be due to shitty lawyers. That really has little to do with retaining documentation and a lot to do with lawyers who apparently don't know how to mount a defense or cite precedence.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
I think it's quite clear now that corporations should implement strict data destruction policies. I think it's also quite clear that we need to have strict regulations in place regarding what sorts of data must be retained and for what length of time so that corporations like Enron cannot destroy the evidence of their crimes without facing dire consequences. I sincerely hope that the accounting industry in particular gets reformed and a non-accounting industry oversight group is appointed. If there's any justice in this world, those Enron execs and their Arthur Anderson accomplices will all be strung up for what they did. They should NOT be allowed to get away with their horde of cash while regular Enron employees get the shaft.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Retention of Firm Documents
1. Policy. All documents (including those kept in an electronic medium) created or received by the Firm that are necessary or appropriate to record or support the Firm's professional work product or administrative functions shall be retained for a Current Period plus six years (the "Retention Period"), subject only to specifically stated exceptions set forth below. Thereafter, they shall not be retained. Business Unit Leaders and Office Managing Partners are responsible for insuring that their units comply with this Policy.
2. Current Period. Current Period means, in most cases, the calendar year during which the document was created, revised or received. In some cases, Current Period means the effective life of the document. Examples of documents falling into the latter category are office leases, personnel files, contracts to which the Firm is a party, engagement letters relating to continuing client engagements, tax planning files and the "permanent file" of a continuing client.
As a general rule, choice of the appropriate Current Period and corresponding date of record retention termination should be made by the person who created or received the document in question, and not by the Records Center. Questions arising in connection with the choice of an appropriate Current Period should be directed to the appropriate Unit, Line of Business or Office Managing Partner, or the Office of General Counsel.
Note that in some situations, the Retention Period will have to be extended on a year-to-year basis, as when the IRS has not closed a particular tax year of a client within the Retention Period (the tax workpapers should be retained until it has).
3. Examples of Current Period Plus Six Years:
Working papers and correspondence files relating to the Firm's report, dated March 13, 1997, on the financial statements of Universal Widgets as of December 31, 1996: Terminate retention after December 31, 2003.
Lease dated November 1, 1993 covering a lease term of February 1, 1994 through January 31, 1995: Terminate retention after December 31, 2001.
Letter dated August 19, 1996: Terminate retention after December 31, 2002.
Permanent files deemed superseded on September 30, 1998: Terminate retention after December 31, 2004.
Tax, litigation, and bankruptcy planning files created in May 1998 covering the three-year period of 1998, 1999 and 2000: Terminate retention after December 31, 2006.
4. Record Type/Retention Period:
ABAS Files
Billing File - 6 years
Correspondence File - 6 years
Financial Statements - 15 years from record year
Permanent/Carry-Forward - "No date" while active, Current + 6 years from the "superseded date."
Reports - 15 years from the "period ending" specified in report
Superseded - Current + 6 years from the "superseded date"
Workpapers - Current + 6 years
TLS Files
Billing File - 6 years
Correspondence File - 6 years
Permanent/Carry Forward - "No date" while active, Current + 6 years from the "superseded date."
Planning - "No date" while active. Current + 6 years from the "superseded date."
Superseded - Current + 6 years from the "superseded date"
Tax Return - 15 years
TLS IAS - 15 years (Tax Return)
Workpapers - 6 years
The following exceptions to the general policy have their appropriate retention periods set forth in parentheses. For permanent retention, consider microfilming or other less bulky storage systems:
(a) Documents pertaining to Firm governance and regulatory matters (permanent).
(b) Agreements and related documents pertaining to mergers or acquisitions by the Firm, as designated by OGC (permanent).
(c) Minutes of meetings of the Firm's Board of Partners and Principals and the Board's Committees, as well as other Firm Committees designated by the Firm's Senior Partner (permanent).
(d) Certain legal or historical files designated by the General Counsel (discretion of OGC).
(e) Firm Policy Releases (until superseded). The partner or director leading the group issuing the policy should ensure that one full historical set of the Releases or Statements issued by it is retained permanently.
(f) Documents (i) relating to threatened or pending litigation involving the Firm or its personnel or (ii) subject to a subpoena (the longer of the termination of the litigation/subpoena matter or the Retention Period - consultation with OGC required before any disposition).
(g) Financial records, including tax returns, of the Firm (discretion of the Chief Financial Officer).
5. Documents To Be Retained for a Period SHORTER than the Retention Period:
(a) Practice Quality review documents, including reports, correspondence, questionnaires, and supporting workpapers that identify or relate to findings or evaluations of specified engagements, offices or individuals (12 months from date of creation, or less when it is determined by the Director, Audit Quality--or his or her counterparts in other Lines of Business--that they have served their intended purpose).
(b) Personnel records of former employees (Current Period plus three years).
(c) Internal administrative documents, such as office financial information (discretion of appropriate Unit, Line of Business or Office Managing Partner).
(d) Engagements terminated before completion, such as audit engagements where no report is issued (Current Period plus three years; all uncompleted engagements should be clearly marked as such).
6. Other Exceptions:
(a) Any person who creates or receives a document or class of documents that he or she believes should be the subject of an exception should refer the matter to OGC.
(b) OGC will notify the appropriate Records Center of any files that must be retained beyond their assigned destruction date due to pending litigation or other reasons. At that time the files will be retained indefinitely, and destruction will require specific approval of OGC.
(c) In reference to E-mails and general correspondence of any type, if the communication is necessary to support PwC work, it should be included in the engagement files, either electronically or in paper form. If it is not necessary to support PwC work, it should not be retained. Desk file or rough file material should be discarded at the end of the engagement.
7. Organization and Timing of Destruction:
Persons responsible for maintenance of Firm files should conduct a review of all files during each December to identify those files that should be destroyed promptly after December 31 of that year. Thereafter, during January of the following year, such documents should be destroyed only upon formal authorization from the designated partner.
... until there is an action (civil or criminal).
If that wasn't the case, then ripping up a credit card reciept after dinner could get you arrested. "Your honor, the accused could reasonably assume that someone would have sued him over the dinner bill. We haven't found anyone that wanted to, but we are sure that it could have happened, so the accused is guilty of destroying evidence."
Or, anyone caught with THC in their blood and marijuana on their person could get arrested for destroying evidence, and possesion. Then the state would try to show that if you combined the amount of marijuana that was smoked to get that THC level, and the amount on the person would have constituted intent to distribute.
Anything you throw away, anything you consume, all would wind up being crimes. Not potential crimes, but crimes. That is why the action (civil or criminal) has to exist before destroying the evidence is a crime.
Are you clueless?
Corporations are considered INDIVIDUALS under the law - a virtual person. Any high school business-related class taught you that, did you listen?
And yeah - I worked at Enron, and I agree that the execs should be impaled on a virtual (maybe even literal?) stake. But it seems funny how the Slashdot Collective screams when rights are violated against them, but screams for those rights to be violated against others.
Not all countries are as lawyer-run as the US of A. (Mind you, the lawyers are not allowed to defend the accused if defense conflicts with matters of national security). Some places, the courts would reject a lot of the crap you guys have to keep up with. They might even scorn you for wasting the time of the court if you got that far.
Granted, torts have given you as customers a lot in terms of safety, but this "document retention policy" is not as important in other countries.
According to popular myth, the US of A has enough lawyers for the entire world if you guys used the courts like the average world population does.
Anyhow, if you didn't have so many litigation concerns, storing documentation for a long period of time can be done relatively cheaply.
I'll ask tomorrow what our document retention policy is. Watch this space.
Stop the brainwash
The furhter irony of instituting a paper policy is that if someone does sue you, chances are your law firm will take your doucments and have them OCR'd into a searchable database so that they can go through it quickly.
I did this one summer back in college, in front of a PC all day w/tapes and tapes full of internal letters/documents/memos from a client that had to cataloged. The cost wasn't trivial either, we had two dozen people in front of PCs scanning each document, collecting the title, from, to, date, and subject. Plus another half-dozen or so QA people + 2 managers.
I'm thinking long termish. First of all, look at the MS case. They are looking at documents from the DR-DOS/Win 3.0 days. These are 10 year old documents and they have an impact on whether justice will be served or not. That very concept is defined by those documents; personally I don't think Gates himself ordered destructive actions towards competitors (so he shouldn't go to jail) but it's clear that there were some and mgmt knew of it.
Further look at the FOIA. There are 50 year old documents that tell us new things about history that are released all the time. I'd hate to think that a major crime could happen and be covered up so easily that in 50 years nobody could figure it out or see the truth.
For the most part, most people don't have anything to hide and shouldn't have to worry. I really have a problem with information destruction by policy, it's too similar to the nazi's burning books. In the digital age there isn't any reason to do it, space isn't a problem.
Everyone is a felon. Everyone is a criminal that deserves to spend years in jail. The only reason that most don't, is that they haven't pissed off the right person yet.
Keep in mind that something as inane as throwing away home electronic equipment is a felony. It is hazardous waste that was improperly disposed of. No one prosecutes this, but only because there isn't a reason.
When you realize this, everyone has something to hide. Caution isn't an admission of guilt. People use the same argument (Only the guilty have something to hide) against cryptography.
I don't want my trade secrets, my payroll, my desire to take over the competition, or my civil litigation that I settled out of court public knowledge. Any one of these things could be used against me in the right lawyers hands, and that just shouldn't be the case.
The argument is so fundamentally flawed that I am upset that it needs to be answered. Unfortunately there are enough backward thinking, overly simplistic, conservatives out there that make it necesary to argue the point.
Innocent people have more to hide than guilty people. That is the only reason they are still innocent.
Just wait until Ed McMahons "Neighborhood Watch" (not his idea, but he filmed the PSA for it) goes into action, and the American Stazi is born. Then you will start to realize how much your neighbors know about you, and exactly what laws you have broken.
Most OS deletes just delink the disk storage from the used-list, but don't erase it. A "strong delete" would write zeros in that storage. Technically you need to write random patterns several times in the old storage to truely erase it.
If the legal problems and deletion policies keep in the direction they are going, pretty soon companies aren't going to be able to have any sort of knowledge base repository at all. Problem resolution from a bug that was filed 17 months ago? Gone. A bug report gets filed again, there's nothing to document that it's a duplicate, developers spend unproductive time fixing a bug that doesn't exist any more. Design documents for your business process automation system? Gone. A key widgetframmiz inspection gets skipped and your product blows up. Your patient record file from your last visit to the hospital? Gone. That operation you had to remove your spleen, what was the condition that required that?
So the companies will exist in an amnesiatic daze about anything that happened more than 12 months ago that only Joe from accounting who retired last year had in his head?
Interesting choice of words, given the too-close-for-comfort ties between Enron and Washington :-)
At the large, faceless corporation where I work (no, it's not Micro$oft), we use Lotus Notes (never mind what we actually call it). There's a new template being sent around that enforces deleting e-mail after 90 days unless you explicitly archive it. We're all supposed to use it, ensuring that we don't have e-mails hanging around for years.
Are you that dumb?
Have you ever managed people, or been in a group that had a manager? Not likely, judging by the Slashdot Hive Mind's response.
In ALL groups, there are people that will violate the rules, even when those rules are heavy-handedly enforced.
What if your company is sued for discrimination? Even if the company, in policy, enforcement, and the actions of the leadership is 100% legal AND ethical, the ONE ROGUE EMPLOYEE can bring you down. In this case, what if that rogue employee was an intense afficionado of "N" word (I'm not going to spell it out -- I personally find it repugnant) jokes? BAM! You're toast, legally.
Or what about memos from the 50s? Remember, back then the "N" word bandied about at work wasn't frowned upon. Sometimes it was even encouraged. So now, here we are in 2002, and facing a discrimination lawsuit -- if you've still got those old memos from the 50s (remember - the Slashdot Horde doesn't destroy anything), it's going to take ALOT of billable hours by your lawyers to explain why your company wasn't violating standards then, and how just because alot of people were racist and discriminatory THEN doesn't mean that you're the same way NOW.
Man, for supposedly being such an above-average intelligence crowd, I'm honestly suprised that some of you have a real lack of ability to think outside your own (or the group's) paradigms.
Just because the leadership at Enron (where I had worked once) were a bunch of dishonest motherfuckers, doesn't mean that ALL are. What it does mean is that the apparent non-rules of accounting and such need to be revamped. Don't burn decent companies because one (or some) cultivated a culture of dishonesty and greed.
Oh yeah - and probably the most important thing I learned in the military:
CYA.
But I have to say, the_rev_matt, your signature struck a sweet note in my mind :)
I have quite the affinity for Faith No More, and that is one of my favorite Pattonisms. I wonder how many Slashdotters have heard the exquisite rant that is "Naked In Front of the Computer."
Your solution doesn't make sense for any but the smallest businesses, due mainly to infrastructure but also for legal considerations. For a large company, storing eternal backups of every piece of data generated represents a gargantuan storage, retrieval and maintenance operation that in the large majority of cases serves no useful purpose. For example, when I worked for a large bank, the IT department spent hundreds of thousands of dollars per year to store the backups and logs that we wanted to keep. It would have been an appalling waste of money and personnel to double that just to keep backups of information that we never needed anyway. Also, such records can be a huge liability to a company in the event of a lawsuit, even assuming that there's no wrongdoing. Simply sifting through all of the records for documentation relevant to a subpoena can consume massive resources, just to prove that none of the email you've stored for the last five years contains anything incriminating. A document retention (and destruction) policy can force a judge to limit the scope of a subpoena, thereby reducing the workload in satisfying the subpoena.
In the corporate world, lawsuits complicate such issues immensely. Don't make the mistake of assuming that the only reason to cover your butt is because you've done something wrong.
Virg
You can just save all of your documents as Micr@soft Word. The files will become unreadable after a few years anyway. Hmmmm, I wonder if that was designed as a feature?
Full story at http://www.jwz.org/gruntle/rbarip.html
We'd been using Groupwise for years because of its ability to do sophisticated calendaring and scheduling. It used to take a secretary several *days* of collecting schedules to schedule a meeting. With Groupwise people were able to schedule meetings without a secretary.
Self-scheduled meetings mean fewer support staff. 3 fewer support staff for one year mean we pay for the cost of the hardware + software in the first years savings. Don't forget the opportunity costs this saves -- we can be more flexible and efficient than we were, giving us greater business opportunities. It's a system that has not only paid for itself but made us money.
Mbox format? Well, we still would have needed GUI clients, more staffing and for what? Better archiving? I think our shareholders would rather get more value and I know I enjoy the pay raises that enhanced profitibility brings more than needless handwringing over standards compliance.
Huh? That doesn't even make any sense. Why would the company get in trouble for advising proper safety measure? I'm not saying it isn't true, but it hardly presents a compelling case for destroying old documentation. Just the opposite, I'd think. After all, the memo showed that the company considered the issue of injury and addressed it in their design. It wasn't their fault some random people in the intervening decades decided to be stupid.
set the mbox == /dev/null and you're set.
> I'm going to have to agree with the original poster. Unless your concern is security related (i.e. information theft), there really isn't a valid reason to be destroying documents for most law-abiding corporations.
How about the bottom line? I worked for a large bank. We spent massive amounts of money for storage space, personnel to maintain records and transport costs to keep data records for data from more than two hundred branches. The idea of retaining twice or three times the data just so that we didn't destroy any backup tapes would have cost more than four IT peoples' salaries.
Sorry, but there are many reasons that are perfectly valid for having a proper document retention and destruction policy in place, and it's only your lack of perspective on how much is involved with data protection that keeps you from seeing them. Don't assume that the only reason corporations destroy data is because they're trying to hide something.
Virg
At BestBuy, when I was a stockboy a long time ago, I believe we kept packing slips for 3 years. Those boxes sucked to carry to the dumpster!
I'm contracted to a state government, and let me tell you, everyone here saves EVERYthing for cover-your-ass purposes.. it's really sad to see every little memo back to 1997 in someone's inbox taking up PHAT amounts of disk space on the GroupWise server ... sigh
So, there are two other things to consider:
1. Keeping old records around can be expensive -- not only do you have to keep the media it's on, but you have to make sure you have the ability to read that media, and once you do, that you have the appropriate software and hardware to understand the message itself. Destroying them after you don't really need them any more saves a lot of expense. And, that doesn't even begin to talk about deteriorating backup media.
2. Similarly, part of the problem is in making sure that you have a *complete* record -- you don't want to have a partial record, where the mail to the CFO says "Hey! Let's screw the employees out of their pension," but not the corresponding mail from the CFO that says "That's illegal and immoral. You're fired." So, the idea is not so much to cover up past wrongs, as it is to make sure that you have a true archive.
3. The other thing is that there are some things that are embarassing, but not illegal -- the fact that the CEO didn't retire for health reasons, but was forced out because he got his secretary pregnant, for example.
I don't know about everybody else, but I use my e-mail as a record of what *I've* done, and 9 months (as somebody mentioned earlier) is not far enough back -- heck, every year we have performance reviews, and how am I going to say "This is what I did 11 months ago" if I don't have any record of what I did 11 months ago.
One of the funniest sites i've read in a very long time. And a great example....
You are assuming that Gore would do a better job than Bush. I dind't vote for any of the above, but I would assume someone who voted for Nader did so because they didn't trust either to do a good job. Gore voters might blame Nader voters, but the response is Gore was just as bad, and thus the sig (I voted for Nader) wouldn't change.
Personally I belive ballots are secert, and I will not tell you who I voted for. You can make guesses, which might or might not be correct. I might even give hints, but they could be intentionally misleading. The only thing that counts is what happened behind the curtian, and nobody but me knows for sure. (and even that is questionable, as evidenced by all the double punches in Florida, who appearently thought they were doing the right thing)
Often when a story of this type is made to demonstrate a particular political point that does not make sense it is because there is some additional piece of information which we are not being told. The original poster uses language that indicates a certain degree of contempt for the injured workers.
My guess would be that the factory using the machine would have had to do something like ask the manufacturer about removing the guard for the suit to have gone the way it did.
In any case the mere fact that a saftey guard was included would establish that the manufacturer knew that there was a likelihood of injury.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
This is too long.
Here's an excercise that will demonstrate the need for a document retention policy.
1.) Buy a tape drive for your computer.
2.) Put a tape in and back up the machine.
3.) Store the tape.
4.) Repeat this every day, but don't ever reuse a tape, and don't ever throw any of them away.
5.) 10 years from now, when you've spent $54,750.00 on tapes and have 3,654 of them to store and catalogue, reflect on why document retention policies are a good idea, even for the law-abiding.
6.) For an even more accurate experiment, pay your neighbor $0.02 per day per tape to store them for you, and add that cost to the cost of your backup media.
7.) For one more step, have a random stranger accuse you of making racist comments about him. With an attorney, review your backed-up email for all ten years to prove you didn't. Be sure to add your attorney's cost to your tally, and don't forget the value of the time you'll need to take off of work to do the review.
Starting to get a good picture?
Virg
Lets see is it a foreseeable possibility that someone would remove the guard? Yes. Did removing the guard render the machine inoperable? NO. Guilty - case closed. Don't believe me. Several years ago GM was succesfully sued because some guy was working on his GM car's fuel pump while he was smoking. Gas squirted on the guy his cigarette set him on fire, he ran down to the end of the block dove in a 1 ft deep pond and broke his neck paralyzing himself. GM (who I really can't blame for not forseeing this possibility) lost and paid a few million dollars. The above is certainly less far-fetched than the GM case so don't get so cockey - jurys can be idiots!
You just can't afford to take chances these days. I have my software set up to delete messages before I even fin
This ought to be a vile slander on the legal system. Unfortunately...
We don't back up e-mail or temporary directories. Policy. We keep backups for 6 weeks on a rotating basis. Policy.
I think that what we really need is a hierarchical storage system, but we don't have one. Partially bacause of cost, but I suspect that it's partially policy.
This is particularly stupid as each user has their own hard disk, and there's no policy on erasing it, just on backing it up.
Documents ought to be kept forever (assuming reasonable expense). Otherwise there should be an expiration date on each document, like tape libraries used to have. That lawyers are preventing this should be criminal. Unfortunately being innocent is scant protection.
.
I think we've pushed this "anyone can grow up to be president" thing too far.
Where I work we have a deparment wide email list (engineering, covers about 100 people), that someone decided should be preminatly archived. Well it turns out that a list of this size is good for two things: I brought in birthday donuts this morning; and I'm sick today, I'm on vacation, or I'm working from home. All discussions between engineers end up in emails directed only to the engineers involved, CCed to their boss. (much to the relief of the rest of us who are paid to get work done, not sort through email)
I am sympathetic to those of my colleagues who have written that an honorable company need not fear anything. I do concur with those who have responded so are, indeed, naive. Documents can be very costly and damaging, even as against the innocent, a "smoking gun document," need not have actually been the murder weapon to cast doubt on the innocence of the innocence. Many are the times a close case swings because of a random, ambiguous and otherwise innocuous document.
On the other hand, my colleagues who have written on the utility of unfiled archives are also correct. Few things are more valuable, and numerous are the times one can "save the day," by a few hours of rummaging to find the "holy grail document."
The problem is that there is no way to have prior knowledge which are the smoking gun documents and which are the holy grail documents. The HG docs can save your life, but the SG docs can kill you. And the likelihood of either situation is rare (although the costs and benefits, respectively, often are astronomical).
Meanwhile, having recent documents around is, simply put, necessary to the efficient operation of a business. That said, e-mails, because of the culture of e-mail use, these days are the single best source of SGDs in modern litigation.
So, a decent (that is responsible) retention policy should balance effectively these competing concerns, even for a truly and genuinely honorable commercial entity. The key idea is this, the retention period should be long enough that the likelihood that the HG-ness of a document will be recognized prior to destruction, and longer than the general utility of having any document handy, but no longer. Guess is somewhere between 18 months and three years, depending on the business.
The retention policy will have exceptions for important instruments, but will require an affirmative effort be made to avoid the axe. Thus, docs identified as HG in nature, after the period, like deeds, source code, contracts with term longer than retention, and special documents are automatically reupped, despite the policy.
The private business entity I am currently employed at has a very short 30 day policy on all e-mails. I'm not sure what the rest of the policys are on paper and other electronic documents, but nobody follows the 30 day rule anyway. As an earlier reply stated, Microsoft made it too easy to keep old messages by using PST files.
The whole point of ZANTAZ Digital Safe(TM) ( http://www.zantaz.com/services/index.cfm ) is archives that last and last - and take the controll away from each person. Sounds good for public cos, but I personaly wouldn't want someone else archiving my mail.
In the UK all Parliament minutes are recorded in a roomful of books called Hansard, I am sure the US has something similar. It is never destroyed.
Many companies are obliged to keep records of products for as long as those products are in use, this is particularly important in the Pharmaceutical industry. A few years ago Schering-Plough had their off-site document store (in Elizabeth, NJ) torched. They have had a fun time trying to put back together all the relevant documenation for the FDA inspectors.
Much documentation is about what companies research. It really needs to be held indefinitely, as current products or potential products are likely to be based on that research, directly or indirectly. Destroying knowledge is not what most companies really like to do (though you would be hard pressed to tell sometimes.)
Tax documents obviously only need to be kept for the duration of tax liability periods, though sales receipts that show customer information may be of more worth for longer.
One of my first jobs was programming a catalog system for a secondhand machine tool company. They sold drillstands, lathes, and all sorts of immense tools to anyone that wanted the junk. Many of these machines had been made in the early 1900's. For every machine there was a parts manual and an operations guide.
Sometimes you just have to keep the paperwork.
I'm probably going to be either ignored or modded down as a troll, but I feel the need to point out that document retention is a difficult issue and perhaps the /. community isn't really the best to debate this issue.
First, document retention policies are going to vary depending on the context. For example, lawyers frequently have to keep certain items for "X" years after a case ends. Tax documents need to be kept for "X" years. So the policy will vary based on 1) the type of business; 2) the jurisdiction; and 3) the particular type of document.
"Asking Slashdot" this question is begging for a crappy signal to noise ratio. Witness all the posts along the lines of "who cares if you have nothing to hide" or "destroy everything." The simple fact is that it would be prohibitively expensive to "save everything" once you get about 5 or so years into the life of a business. Who wants to store documents from a project or product that no longer exists and isn't used by anyone? On the other hand, you may need design documents from a ladder you designed and sold 20 years ago, because you may see a product liability action against you. Hence, the need for a document retention policy. It isn't simply about "making sure there is no evidence" or "making sure you don't get in trouble for destroying documents."
Every user should write there EMails as if the EMail was destined to be published on the front page of the New York Times.
Often people write things in EMail that they would not say if they were forced to commit the statements to writing. For example I remember one reviewer of a software design who responded with "the design is so bad it is going to kill a lot of people". Imagine some lawyer getting there hands on that. In confronting the author, the author was asked if they would have made that statement if they were preparing a written review of the design. The response was that user would not have said that in "writing" particularly since the software did not have any conceived uses that would effect human safety.
The problem is that most users view EMail as more akin to oral communication than written communication. Verbal conversation is often full of hyperbole, exageration, and other vagaries. However, when the same person is asked to commit there thoughts to written form (other than EMail) they are much more careful about what they say.
I worked for several years with a law firm that specialized in document retention law.
I always assumed it was best to just keep the documents forever. But I now know that documents should be destroyed as quickly as legally possible. A company needs to have a written, established, and formal document retention plan, and needs to follow it precisely.
Suppose a company doesn't have a plan, and isn't legally required to retain some kind of document for any length of time. If they keep 99% of those documents, but happen to have destroyed the one document requested in a lawsuit or investigation, they are in trouble. If they had a formal plan, and had destroyed all similar documents according to the plan, they would be fine.
Check out this site for more than you ever wanted to know about document retention law:
http://www.retman.com/index.htm
Just^W use^W some common sense^U
^C
^D
EOF
-- no carrier --
It finally came down to this. After years of hounding users to make backups now we'll have to hound users to stop backing up their systems!
;)
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
my context was not an american one, where corporations compete by litigation to a much larger extent than in the rest of the world (norway in this case. i attacked you, so you get a freebie cheap shot, if you're that kind a nerd).
:)
so, there would not be a NEED for a document retention policy, aside from possibly removing what is blatanly irrelevant for future (say, restaurant receits from company dinners, etc).
therefore, throwing away all correspondence older than 9 months would be unwise (without a sense of history, we are doomed to repeat our failures).
also, if you look at the question and my response, i didn't state that ALL document retention policies are bad. his question seemed to be asking "i'm not sure my operation holds up in court. do any of you guys have any experience with how long you should keep possibly compromizing data?".
i think it is unethical to answer a hacker in a chatrom asking "how do i break into my bank's web server? it uses apache 1.3.12, running on some variation of red hat 6.2. i'm not sure of the backend, since they've firewalled everything but apache". from my viewpoint, answering the question seemed unethical at best.
(unrelated, but interesting
as another fella pointed out, purging emails is no guarantee the words cease to exist. people tend to reply to emails, so the discovery process might reveal external sources of information that can be subpoenaed. you're back in shit creek.
does this kinda fill in the blanks in my reasoning? i was not saying that a document retention policy makes a corporation criminal (unless it involves burning relevant documents after a situation arises), but i was saying that it was immoral to answer the guy, given that you perceive his motivations to be more pragmatical than law-abiding and upstanding.
Stop the brainwash
They had clips of the Enron hearings on the news, and it seemed like in the audience was everybody's favorite movie executive Jack Valenti. Why the hell was he there?
Search for the discussion on "Lagom" here at Slashdot the other week and you will get the precise answer on how long to save documents!
OK, a very anal reply here, but...
"We were all on Exchange Servers so email retention went like this"
The use of the word "so" implies a causal relationship - "because we used Exchange, our email retention policy was necessarily like this..."
Since the rest of your post was along the lines of "these guys were nuts; I'm disgusted with it all; I occupy the moral high ground by virtue of bailing out", the implication is that Exchange caused this situation.
In reality, as many others have pointed out, document retention has nothing to do with either technology or personal preference. So please don't badmouth a perfectly good product (-1, Troll, for referring to a Microsoft product without slamming it), by trying to pin your bad experience on it.
Please allow me to share with you a story about a good friend of mine. He is a doctor, and doctors need to keep patient records.
Since there wasn't enough room to keep "historical" patient records in his clinic, he brought them home one box at a time and stored them in the attic. When the ceiling began to sag, and he feared that the house would cave in, he built a barn out side, and had the documents moved there. When the barn filled up, he built a second one, then a third one, until all three were full. At that point, he got an "annex" downtown, until that filled up with patient records.
At that point, he contacted the state government, to ask them how long he really needs to keep those patient records. Their answer, in his words, was, "When you die, your heirs better be able to produce those patient records."
And that, my friend, is what "to the pain" means. It means I leave you in pain, wallowing in freakish misery forever.
By the way, I would like to add that this is a true story.
xxxxxxxxxx O xxxxxxxxxx H xxxxxxxxxx xxxxxxxxxx W xxxxxxxxxx E xxxxxxxxxx L xxxxxxxxxx L xxxxxxxxxx.
The Enron documents that were shredded are likely the early drafts of the audit report. While it is quite likely that there will be electronic copies of the destroyed documents what the investigators would probably most like to get their hands on would be draft copies with handwritten annotations. It is unlikely in the extreeme that anyone wrote a document that was incriminating on its own, but quite likely that incriminating marginalia existed.
BTW in addition to their involvement in the Sunbeam and Waste Management debacles Anderssen were until recently blacklisted by the UK government who held them responsible for their losses in the Delorean fiasco.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
IF I and my co-workers [real engineers] followed the e-mail retention policies suggested by the security, legal and finance folks ... Your Cell Phones would not talk, Your networks would not net (let alone internet) computers wouldn't.
Have your damn policies but leave out the engineers doing the real design and engineering work out of the destruction loop.
In Canada it is also the last 7 years of filed tax returns and supporting documents. I believe it is the same in the US and may be a common length of time in western coutries.
It might also lead to campaign reform. Something that's WAY overdo.
I myself am a keeper of information. I have every email from every job Ive ever worked. Every joke, every attachment. Information is a most useful tool. One never knows when the content of one of those piffy emails may contribute to current efforts. I have more than one well prepared person fend off attacks deserved or otherwise, by simply referring back to a piece of email.
People need to remember and follow certain rules. Never say, or attach anything in an email that you can't handle being beat to death with. I make it a policy to carry out most interactions verbally. Its much harder to prove I said, "screw the customer I'll just delete their file" than it is to refer back to my email. Plausible denyability is the name the of the game.
I've kept jobs and gotten raises for nothing more than retained email. Think about it...
I think the key is really to just keep everything, but not do anything illegal. Or if thats too hard, just keep everything and no document the illegal going's on..
Though I can understand the need take measures to discourage industrial espionage, I still get the feeling that something is basically wrong with the reasoning in this article.
Let me ask a simple question: What kind of documents and/or e-mails would come back to haunt you later?
All I can think of are documents and mails in which unfair policies or actions are described (like in the Microsoft case).
If those policies and/or actions did happen in the past, wouldn't it be better to expose them?
Isn't that in the best interest of everyone involved, including the company, since it is given a chance to learn from its mistakes?
What company would you prefer to do business with, one that acknowledges its mistakes and takes responsibility for it, or one that 'hides' its mistakes, and 'pretends' to be perfect?
Basically, the solution is to hire a records manager with up to date certs and let them worry about it.
Ah, it was a joy to see Enron die. Now if only we could get all their co-conspirators thrown in jail for a few hundred decades. That would be reason for an enormous party. Goodbye Enron you won't be missed.
Corporations should be required to store documents indefinitely so that criminal cases can be brought at any time.
Make a backup onto CD and put it though a shredder.
I've seen people [try to] put floppys through before.
http://HavenWorks.com/business/research/enro n/
Enron News Meta Index.
Sod off, granpa.
Emails are like frisky bunny rabbits, they're everywhere. Forget the local boxes and servers, just think of every place they are routed to ...
If our own government writing over a deleted file at least four times do you think everyone else is doing that. Ever hear of En Case? That's some serious software recovery stuff !!