Slashdot Mirror
Document Retention - How Long is Too Long?
darthtuttle asks: "With
the recent news of document destruction at Enron and the emails that have
been discovered in high profile cases such as MS -vs- DOJ document
retention seems to be a hot item right now. What document retention policies
do people have at their companies, and what steps do companies take to
make sure that documents are destroyed according to the policy when their
time is up so they don't come back to haunt the company later? Note: the
purpose of a document retention policy is not to keep documents, but to
make sure they get destroyed according to policy before someone outside
the company decides to use it against you. The big issues seems to be
backups and documents stored on peoples desktop/laptops. You don't
want those email server backup tapes from 2 years ago to be found, and
you don't want to find out that the CFO was saving -every- email they
ever got on their laptop."
Depends on the document. Depends on the business. There is no one size fits all answer to this one. I know that in financial services, there are SEC mandated time frames for document retention as well as strict rules on how to dispose of documents as well.
this is getting old and so are you
blog
since a customer has become very unhappy with us and their version of events makes us a real bad guy. Fortunately, I *do* have every e-mail we exchanged over the last two years, all the documents we delivered, their comments, the schedule material they generated, and other bits of dross and minutia. The timelines and copies of everything (now on CD) have become a gold mine to our counsel and may well help us come to some graceful agreement on the issues without ending up in arbitration.
Bill Gates is a communist -- he's just more equal than the rest of us.
Seriously -- if you don't check with the legal types on what the information is and what it relates to, you could be legally liable for obstruction of justice/personal harm. The lecture I got on this turned my hair curly. Make the lawyers earn their money and break down what you can and can't destory, and when. If you've got any kind of assets to protect, this is a must.
-- q
The technical demands for electronic documents would seem to dictate some of this. For example, we've been converting from Netware/Groupwise/Win9x to Win2k/Exchange/Win2k here. It doesn't change word-type documents, but it does change the email system and the backup system.
Sometime today I plan to decomission the Netware backup system -- derack the equipment and potentially reuse it in some other location as soon as next week. This will make all of our old backup tapes unreadbale, as our Win2k backup system uses not just different software but different physical media -- I can't read DLT7000 on a LTO Ultrium tape drive. I *think* I can read an ArcServe tape on BE 8.6, but the files are backed up as Netware-compressed and can't be restored but to a netware server. Once we decomission our last netware server (within a few months), all of those tapes are worthless without the infrastructure to restore the data.
The email system again is another matter, I need even more infrastructure and software to manage it (presuming I can restore it). Netware administrator, Groupwise installed (client and server), and so on.
Even so, we don't even keep old backup tapes. We have a 5 week rotation (1 full per week with daily incrementals). I used to keep old tapes, but they were unreliable (especially the DATs) and the software isn't always available. We USED to keep them (1 full per month), but I found myself with a shitpile of tapes that needed storing and a big blank media bill.
Eventually word/powerpoint and other apps will obsolete themselves to where the data, even if you can read the media, isn't usable. I know that we purge our email system daily of older > 6 months emails and we chase after users to ditch old documents as server space gets tight.
I can't imagine the tech demands of constant archiving of everything. I'd need to give half of my budget to EMC just to try to stay ahead.
Some of us don't have anything to hide, and so we don't have a pressing need to make sure documents get destroyed in a timely fashion. On the other hand, comprehensive records can be very useful at some point to prove that you don't have anything to hide.
One of the biggest reasons in the business world (other than CYA) to destroy documents is due to space requirements. Ten years worth of paper trail can easily take up a small warehouse. With the advent of computer based storage, though, it is much more practical to keep comprehensive records for much longer lengths of time.
"If English was good enough for Jesus, it's good enough for everyone else."
As usual, everything in the universe eventually ends up hitting jwz at some point. This story (read: rant) is a perfect example on how something as trivial as non-company-related-email lists set up by a few employees can land them and the company in hot water.
First off, one of the poster's arguments is a bit flawed. The poster states that the purpose of a document retention policy isn't to ensure that the document is kept, but to ensure that it's destroyed before it could be used in court, etc. This is incorrect. A good document retention policy covers both of those scenarios, as well as several others.
There are several good reasons why a document must be retained for a certain (or indefinate) amount of time - including legal reasons. Many businesses - even entire industries such as banking, telecom, finance, insurance, etc - must keep some records indefinately. In some cases, documents may need to be kept for a certain minimum amount of time - say three years or seven years - before being destroyed. In cases such as these, it's to satisfy certain legal or industry requirements, after which the prime reason for destruction is usually the cost of retention.
And yes, retention does cost money. You have to factor in the cost of paper (acid free, for those docs that aren't stored electronically), storage (environmentally controlled), disaster recovery (in cases the storage site burns down), media (for those docs that are stored electronically) and hardware to read the media.
Like you said, however, there are also valid reasons to ensure that some documents are not retained. In particular, e-mails. My company, for example, has a document retention policy stating that e-mail servers are not backed up. E-mail older than 45 days is automatically deleted. You're not allowed to auto-copy incoming e-mail to an alternate location or mailbox, to ensure that copies are kept elsewhere.
At a past client, e-mail servers were torn down monthly, had replacement hard drives installed, and had the server software reinstalled from scratch - importing in e-mail that is less than 30 days old. The old hard drives were shipped off to a destruction facility (managed by the client). All old servers had all media removed and shipped to the same facility. Any server or PC that was repurposed also had media replaced - again, the old media shipped off for destruction.
The most important thing about any document retention policy, however, is due dilligence. In every scenario - whether ensuring the destruction of past e-mails, the retention of legally sensitive documents, or the security of those documents - a good policy should cover everything.
--
Welcome to the land of the easily amused...
This begs the question: Why would a large company want to keep / destroy documents?
Why keep documents:
1. The company May need the data in the future. (who erases old source code?)
2. Legal & regulatory laws & rules. The SEC, IRS, FDA, etc... requires many companies need to keep certain documents (e.g. Tax returns) for a specified amount of time (usually 1n10 years)
Why destroy all old documents:
1. There are many many documents in a large company, all the e-mails, reports, memos, meeting minutes, etc... Not all of these documents are to the long term benefit of the company, even if the creator / reciever believes it to be. Without examining each document, the executives do not know what is benign and what is catastrophic.
2. Retaining documents can be expensive. A compnay of 100 people could fill multiple closets, a company of 10,000 could fill warehouses. Yes, imaging solutions exist but are not cheap. Office space is not free.
3. If a company destroys only selected, possibly damaging information, it appears suspicious. If a company has a policy and consistantly follows it to destroy all old documents (shred, delete, burn backups, etc...) then if old information is not available, it is because of the policy.
If you aren't legally required to maintain records of every email/document/etc, then why SHOULD you? Do you recall the Netscape fiasco where Microsoft subpoenad the history of every email to an employee bitch newsgroup? In that case Netscape had no legal duty to maintain backups and records of every posting, but because they made the mistake of not deleting them frequently suddenly they were required to provide them and were then barred from destroying them: It's an odd circumstance when you don't legally have to archive information, but if someone asks for it then suddenly it's legally protected and you have to defend and explain the context of every message, every word, etc, and of course everyone says something now and then that can be taken out of context (or alternately that they said in the heat of passion but backed down from).
Destroying old information quite simply removes the liability that it potentially represents, even if there is absolutely nothing indicting in it. It can also protect freedoms: Websites aren't legally required to keep IP logs, but if they DO then those IP logs can be subpoenad.
Unfortunately, in most jurisdictions, fraud is considered an action in tort, which usually carries a 2 year staute of limitations.
/home help with this on Unix systems). Backups of business e-mails, word processing documents, spreadsheets, databases and the like would be retained just like their paper counterparts.
...
If I were designing a document retention policy for a legitimate company, I would have counsel prepare a schedule of all statutes of limitations that could reasonably apply to each of the company's activities. Documents would be classified according to which activity(ies) they were relevant to, and then set the retention period according to the longest statute of limitations for that activity + 2 years (or whatever statute of limitations governs general tort claims in the jurisdiction) for each classification.
This would cover not only the possibility that we might need the docs to prosecute a lawsuit, but also that we might have to defend a tort claim brought under the "discovery rule." (i.e., the statute of limitations doesn't begin to run until the harm is discovered).
Finally, with regard to electronic documents and e-mail, I would try to ensure that users were trained to delete e-mail of a purely personal nature as soon as they read it (small disk quotas for
With a policy like this in place, the company could rest assured that they would always have all the evidence necessary to protect their rights and to defend themselves should it become necessary to do so.
A company operating on the shady side of the bleeding edge of what is and is not legal, like Enron seems to have been doing, would be another question entirely
utter rubbish
Well, it turns out that you have an employee that sent a seemingly innocent comment to his friend at such a company ...
... "
You don't even need that much of a "real" issue for this to become an expensive litigation. I once worked for a law firm. (IANAL, no sensitive info coming out here) We represented one of the parties in a patent infringement suit. Just documenting and sorting the contents of a couple of dozen employees' hard drives -- in order to determine what needed to be provided in the discovery phase -- took a team of three people over a week. If you end up in litigation, someone has to go through everything to see what is covered under "all documents or materials relating to
Nope, no sig
there. We were all on Exchange Servers so email retention went like this. Anything in the Inbox was deleted in 30 days. Any messages saved in other folders was deleted in one year regardless. You did have the option of saving off to your hard drive but PST files were a no-no. In addition, no external storage devices could be used without a senior VPs approval and an act of Congress. As far as when things started hitting the fan, we were inundated with emails to send any conversations, voice mails, correspondence, etc to the legal counsel's office. Of course, I'm sure that was taken care of in a very professional and ethical manner. So these days I apply for jobs and read slashdot and watch the Enron blaze grow larger and hotter. Al Sharpton was in yesterday, Jesse Jackson will be speaking tomorrow! Oh boy, the circus has come to Houston and it looks like its going to stay awhile.
HT
If you get an email (or hardcopy) message from your boss saying, "screw the client," you'd damn well better keep it. You know what happens if you don't? That's right, with no documentation pointing upstream, you are now the sacrificial goat. Don't think for an instant that a boss willing to screw a client would treat you any differently.
Better still, if the action your boss proposes is illegal, not only should you keep several copies at home and at work, but you may wish to blow the whistle yourself, depending on your paricular moral compass.
The last thing you should do is destroy the message. When the big, bad boomerang-o-karma comes back your way, you'll have no recourse but to take it squarely in the nads.
I take drugs seriously.
Another poster further down made a good point - you either hang on to every document, forever, or you discard some of them. As soon as you discard or destroy anything, there's a question of why you did so. Was it because you had no further use for the document in question, or because you had something to hide?
Document retention policies help answer that question. If your company policy is to destroy electronic copies of anything more than 12 months old, then when you end up in court and someone asks you "Why don't you have these documents any longer? Perhaps they were destroyed because they were incriminating evidence, hmm?!?" you can honestly tell them "I have no idea. Company policy is that anything older than 12 months gets erased, so we shredded the backup tapes 3 years ago."
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
This firm had nothing to hide, but was still burned badly by a poorly thought out document retention policy. Needless to say, they have since changed policies.
Please note that my friend had just taken over the IT department when this happened. He was not the individual suing.
You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
-- Colonel Adolphus Busch
Retention of Firm Documents
1. Policy. All documents (including those kept in an electronic medium) created or received by the Firm that are necessary or appropriate to record or support the Firm's professional work product or administrative functions shall be retained for a Current Period plus six years (the "Retention Period"), subject only to specifically stated exceptions set forth below. Thereafter, they shall not be retained. Business Unit Leaders and Office Managing Partners are responsible for insuring that their units comply with this Policy.
2. Current Period. Current Period means, in most cases, the calendar year during which the document was created, revised or received. In some cases, Current Period means the effective life of the document. Examples of documents falling into the latter category are office leases, personnel files, contracts to which the Firm is a party, engagement letters relating to continuing client engagements, tax planning files and the "permanent file" of a continuing client.
As a general rule, choice of the appropriate Current Period and corresponding date of record retention termination should be made by the person who created or received the document in question, and not by the Records Center. Questions arising in connection with the choice of an appropriate Current Period should be directed to the appropriate Unit, Line of Business or Office Managing Partner, or the Office of General Counsel.
Note that in some situations, the Retention Period will have to be extended on a year-to-year basis, as when the IRS has not closed a particular tax year of a client within the Retention Period (the tax workpapers should be retained until it has).
3. Examples of Current Period Plus Six Years:
Working papers and correspondence files relating to the Firm's report, dated March 13, 1997, on the financial statements of Universal Widgets as of December 31, 1996: Terminate retention after December 31, 2003.
Lease dated November 1, 1993 covering a lease term of February 1, 1994 through January 31, 1995: Terminate retention after December 31, 2001.
Letter dated August 19, 1996: Terminate retention after December 31, 2002.
Permanent files deemed superseded on September 30, 1998: Terminate retention after December 31, 2004.
Tax, litigation, and bankruptcy planning files created in May 1998 covering the three-year period of 1998, 1999 and 2000: Terminate retention after December 31, 2006.
4. Record Type/Retention Period:
ABAS Files
Billing File - 6 years
Correspondence File - 6 years
Financial Statements - 15 years from record year
Permanent/Carry-Forward - "No date" while active, Current + 6 years from the "superseded date."
Reports - 15 years from the "period ending" specified in report
Superseded - Current + 6 years from the "superseded date"
Workpapers - Current + 6 years
TLS Files
Billing File - 6 years
Correspondence File - 6 years
Permanent/Carry Forward - "No date" while active, Current + 6 years from the "superseded date."
Planning - "No date" while active. Current + 6 years from the "superseded date."
Superseded - Current + 6 years from the "superseded date"
Tax Return - 15 years
TLS IAS - 15 years (Tax Return)
Workpapers - 6 years
The following exceptions to the general policy have their appropriate retention periods set forth in parentheses. For permanent retention, consider microfilming or other less bulky storage systems:
(a) Documents pertaining to Firm governance and regulatory matters (permanent).
(b) Agreements and related documents pertaining to mergers or acquisitions by the Firm, as designated by OGC (permanent).
(c) Minutes of meetings of the Firm's Board of Partners and Principals and the Board's Committees, as well as other Firm Committees designated by the Firm's Senior Partner (permanent).
(d) Certain legal or historical files designated by the General Counsel (discretion of OGC).
(e) Firm Policy Releases (until superseded). The partner or director leading the group issuing the policy should ensure that one full historical set of the Releases or Statements issued by it is retained permanently.
(f) Documents (i) relating to threatened or pending litigation involving the Firm or its personnel or (ii) subject to a subpoena (the longer of the termination of the litigation/subpoena matter or the Retention Period - consultation with OGC required before any disposition).
(g) Financial records, including tax returns, of the Firm (discretion of the Chief Financial Officer).
5. Documents To Be Retained for a Period SHORTER than the Retention Period:
(a) Practice Quality review documents, including reports, correspondence, questionnaires, and supporting workpapers that identify or relate to findings or evaluations of specified engagements, offices or individuals (12 months from date of creation, or less when it is determined by the Director, Audit Quality--or his or her counterparts in other Lines of Business--that they have served their intended purpose).
(b) Personnel records of former employees (Current Period plus three years).
(c) Internal administrative documents, such as office financial information (discretion of appropriate Unit, Line of Business or Office Managing Partner).
(d) Engagements terminated before completion, such as audit engagements where no report is issued (Current Period plus three years; all uncompleted engagements should be clearly marked as such).
6. Other Exceptions:
(a) Any person who creates or receives a document or class of documents that he or she believes should be the subject of an exception should refer the matter to OGC.
(b) OGC will notify the appropriate Records Center of any files that must be retained beyond their assigned destruction date due to pending litigation or other reasons. At that time the files will be retained indefinitely, and destruction will require specific approval of OGC.
(c) In reference to E-mails and general correspondence of any type, if the communication is necessary to support PwC work, it should be included in the engagement files, either electronically or in paper form. If it is not necessary to support PwC work, it should not be retained. Desk file or rough file material should be discarded at the end of the engagement.
7. Organization and Timing of Destruction:
Persons responsible for maintenance of Firm files should conduct a review of all files during each December to identify those files that should be destroyed promptly after December 31 of that year. Thereafter, during January of the following year, such documents should be destroyed only upon formal authorization from the designated partner.
... until there is an action (civil or criminal).
If that wasn't the case, then ripping up a credit card reciept after dinner could get you arrested. "Your honor, the accused could reasonably assume that someone would have sued him over the dinner bill. We haven't found anyone that wanted to, but we are sure that it could have happened, so the accused is guilty of destroying evidence."
Or, anyone caught with THC in their blood and marijuana on their person could get arrested for destroying evidence, and possesion. Then the state would try to show that if you combined the amount of marijuana that was smoked to get that THC level, and the amount on the person would have constituted intent to distribute.
Anything you throw away, anything you consume, all would wind up being crimes. Not potential crimes, but crimes. That is why the action (civil or criminal) has to exist before destroying the evidence is a crime.
I take it that you've never suggested to management that a bug, in the project you've been working on, be fixed, only to have that suggestion declined. That bug may have been completely harmless, and management may have been fully justified in saying ignore it. However, lawyers can use that information against you. That (plus several others that people here have pointed out) is why it is a good idea to destroy documents in a timely manner.
I worked for several years with a law firm that specialized in document retention law.
I always assumed it was best to just keep the documents forever. But I now know that documents should be destroyed as quickly as legally possible. A company needs to have a written, established, and formal document retention plan, and needs to follow it precisely.
Suppose a company doesn't have a plan, and isn't legally required to retain some kind of document for any length of time. If they keep 99% of those documents, but happen to have destroyed the one document requested in a lawsuit or investigation, they are in trouble. If they had a formal plan, and had destroyed all similar documents according to the plan, they would be fine.
Check out this site for more than you ever wanted to know about document retention law:
http://www.retman.com/index.htm
If the documents are already shredded, eg: the court asks for them on day 92 and you can prove the shredding was done on schedule and in accordance with an open policy, then you will almost certainly get away with it.
If the court asks for the documents before the shredding date, even if they ask the day before (and it will generally be fairly obvious they are about to ask), then you will be in contempt of court if they are shredded nonetheless. It would be negligent to *allow* them to be shredded.
Finally we have to remember that documents are kept for good reasons. They are often needed long after they are produced and ongoing relationships with another company (eg: Andersen with Enron) is a clear case where this will be the case (you never really know when you will need to see last years accounts to check a detail in todays).
It is also in companies like Andersen and in their employees and directors' interests to keep many document to save their backs in potential litigation. You need to be able to prove exactly who gave what authority for what decision when. If you can't then you can get screwed over at any stage.
Accountability works both ways. The documents can be your best friends or your worst enemies, and you will rarely know which until something blows up in your face. This is why last minute shredding occured at Andersen (although as Enron's auditors they ought to have known it was about to go into meltdown...).
this signature is a virus, please make me your