Slashdot Mirror
Document Retention - How Long is Too Long?
darthtuttle asks: "With
the recent news of document destruction at Enron and the emails that have
been discovered in high profile cases such as MS -vs- DOJ document
retention seems to be a hot item right now. What document retention policies
do people have at their companies, and what steps do companies take to
make sure that documents are destroyed according to the policy when their
time is up so they don't come back to haunt the company later? Note: the
purpose of a document retention policy is not to keep documents, but to
make sure they get destroyed according to policy before someone outside
the company decides to use it against you. The big issues seems to be
backups and documents stored on peoples desktop/laptops. You don't
want those email server backup tapes from 2 years ago to be found, and
you don't want to find out that the CFO was saving -every- email they
ever got on their laptop."
One word: encrypt.
Encryption wouldn't do much in this case; if the FBI comes in with a warrant, they're going to want them decrypted. What are you going to say to them? "Uhhh, they're unreadable, because they've all been encrypted. And we lost the key."
Of course, encryption makes it easier to obstruct justice, but the people involved generally place more value on their own freedom and career rather than their company's welfare (as they should).
If you destroy a document, then the other side makes a statement, it would be hard for you do show proof that the statement is false, because you destroyed your evidence.
Fight Spammers!
A lot of people have posted that as long as you are legit then you shouldn't have to worry but that is just naive. The truth is that a well trained lawyer can take any document and manipulate the information to fit their needs. Add to that information taken out of context can be given uneducated scrutiny by the press and the general public resulting in a disaster.
To me, the best policy is whatever your legal requirements are and that's it. Destroy everything else.
I'm surprised at the question though. Are companies really so worried about their business practices that they must destroy evidence in order to remove liability? I should imagine that internal auditors would be more effective at keeping a company out of trouble than any policy of document destruction.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
If the Enron or Arthur Andersen execs walk, I wouldn't be surprised to see a legal presumption of guilt when documents are shredded prematurely or despite an explicit and lawful order to retain them.
The theory is simple and precedence is well-established - if a cop sees you see him then bolt, that's grounds for a reasonable presumption that you're guilty of *something* and the cops can stop and question you. It's not enough to throw you in jail, but you can be stopped and questioned while the guy who didn't flinch walks.
Same thing here - if you're deleting records that the state says you need to keep for N months, the burden in civil court (which only requires a "preponderance" of evidence anyway - 51%) is on you to prove that those documents weren't "smoking gun" evidence in support of the plantiff's case, not on them to prove they were.
If you're deleting records despite a lawful order, you have to prove that the documents were not incrimidating and that it didn't constitute obstruction of justice or contempt of court.
Of course this is something that would have to be handled on a case-by-case basis already... but the courts already do this when deciding admissibility of evidence discrediting a witness. If somebody has been convicted of perjury, the jury should know it because it's reasonable to ask whether they're lying again. If somebody has been shredding documents when they shouldn't have been, that again directly challenges their credibility elsewhere.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Why on earth do we want to be considering the destruction of any document in this age of near infinite storage?
I mean, what if the government adopted this policy. What if instead of keeping old documents until they could be declassified the government went ahead and destroyed them? Would we tolerate it? Then why would we tolerate it from business that are for the most part just like little governments?
Paper copies I understand getting rid of. For some companies just a years worth of records fills a small warehouse. But storage space is just so darn cheap and optical media is perfectly suited for long term archiving.
What if thirty years from now (in a fictional paradise) Microsoft went out of business and then the document stores were "declassified". We would finally be able to see exactly what they knew or didn't know about their monopolistic practices. Shouldn't we want to know the inside story so like good little students of history we could either avoid or repeat it (depending on your point of view)?
Our government has done and continues to do some bad, bad things. I mean the CIA implanted a microphone and 20 pounds of batteries in a friggin cat in the hopes he would perch outside the KGB headquarters...radiation testing on humans, stuff like that. But companies can do things that are just as bad.
I think they should pass a law that requires companies to store copies of all documents in escrow with an independant third-part for as long as they are in business. After that, anyone who wants a copy should be able to get it. Of course, some of the stuff will be "classified". If Company B purchases Company A they don't want Company A's secret recipie for sale. Customer billing information would need to be kept secret. But eventually, after enough time, the information would be abandoned and then it should be returned to the public so they can have a full and complete knowledge of what was going on.
How are we going to understand how Enron got away with it for so long if we let the wolf guard the chicken coop?
- JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
This may be a good policy when you have something to hide. In the IT world, in my experience (and the experience of most of my peers it seems), old e-mail has helped way more often than it hurts us. If you use e-mail to document conversations, meetings, etc., a lot of disputes get resolved pretty quickly when you pull out an old e-mail and say, "See, here's what you said." or "See, here's what we said we would do."
This doesn't happen if we have to print "important" e-mails. Why? Two reasons. First, you usually don't know a year or two in advance which e-mails are going to be important some day. We may generate a thousand messages plus over the course of a project. Most of them are routine, or are only of passing interest. Every once in a while, however, there will be a design decision (or more likely a design compromise) that one party has conveniently forgotten.
Conversely, if someone can show us that we did, in fact, agree to do something, then we will commit to doing it. Our memories are cloudy too, and we do believe in delivering what we said we would.
The second reason paper filing doesn't work for most of us is that it's extra work. Want to file an e-mail - drag it to a folder. Done. Need to file a paper document - remember to print it, interrupt whatever you're doing to leave your desk, find the right folder (if there's room in the cabinet), file it. If you're on the road, remember to go back later, once you're back in the office, and follow the steps above. This works OK if you're an executive with a secretary dedicated to such tasks. Around here, at least, that perk has become too expensive for all except the most senior management. And, even though paper filing doesn't take much effort for a single document, it is a lot of work for hundreds of e-mails, it requires filing space that is in short supply, and it requires a degree of discipline that most people don't seem to have. Finally, even if you have a good paper filing system, it's much easier to search electronic files quickly.
This is exactly why electronic files are so dangerous in litigation - if you can search them quickly, so can your adversary. By prohibiting them, however, you reduce productivity across the entire company and increase costs. I'm not convinced that the legal eagles balanced the immediate cost benefits against the possible future risk. They only consider the dark side.
On a related note, I know I just read an article (here?) about how electronic documents have a life of their own thanks to widespread forwarding. Your retention policies may be almost meaningless if your correspondants keep everything.
Isn't this a two-edged sword? What if that "friend" remembers, and is willing to testify, that that "Seemingly innocent comment" wasn't so innocent at all? Wouldn't it be helpful to have documentation of the comment *and the context* to support your argument that he remembers it wrong?
A document retention policy might also be advisable for the additional reason that it's not a good idea to have documents lying around when both the authors and recipients are long gone from the company (perhaps even deceased), and no one at the company understands what the documents mean or why they were prepared. At that point, there's no benefit to retaining the documents: they can serve only as potential ammunition for an adversary in a lawsuit. An adversary can draw erroneous inferences even from innocently prepared documents, and if you can't put the author on the witness stand to say, "That's not what I meant," what do you do?
(Note that so-called "ancient" documents -- which in federal court means documents more than 20 years old, see Fed. R. Evid. 803(16) -- are ordinarily admissible as evidence just like testimony from an eyewitness even though they are hearsay.)
If you keep your behavior above reproach then many of the problems become moot.
"I can't imagine the tech demands of constant archiving of everything. I'd need to give half of my budget to EMC just to try to stay ahead."
This is partly because you don't use standards compliant systems. I have all my non-junk e-mail going back to 1994 saved, from a variety of HP, Solaris, Irix and Linux machines across maybe nine e-mails. It's all in instantly recognizable mbox format. If you are going to go with Netware, Win2k, etc. Then of course you are going to have these problems! The companies that make those systems make their profits selling new versions of software.
Maybe it would save your company money to choose a system which does not build in 2 year obsolescence into its business plan.
Considering the mindlessly litigious nature in which business in the US operate, a data control policy is absolutely necessary and in no way reflects the ethics of the organization in question.
There's another side to this too, kids. As someone who does expert testimony in cases involving data stored on personal computers, I can tell you that every individual also has a need for data control measures. Every one of us needs to shred documents, delete files, and scrub file slack space and "empty" space on our disks. Windoze users should also scrub out their swapfiles.
These are realities imposed upon us by the nanny state, which has grown a lot bigger since 9/11.
Just because you're paranoid doesn't mean they're not out to get you.
Andersen cannot be held responsible (even though they will) for the illegal acts of a few.
Why the hell not? What happened to self auditing? What happened to rules in regulations that they are to follow to prevent this kind of major scandal?
Let me tell you - if company employees break the law for the company, it's still the company that's breaking the law. Heads should roll - and gross mismanagement should result in long, long prison terms for Andersen management.
Why hire Andersen if they don't even have a handle on how well their working with one of their biggest clients???
For a large company, a document retention and destruction policy is a necessity, specifically for legal reasons, but not for the reasons you're assuming. Every large company develops huge masses of information, and most of them back up that data to protect against short term loss. However, most companies don't want to keep it forever, so they destroy the old stuff to reduce storage needs, cut down on administrative costs associated with maintaining the records and protect against industrial espionage. The problem lies when the company comes under examination for a lawsuit. If there's a well described and religiously followed document retention policy in place, the court has no reasonable expectation that the company will still have documents that the policy marked for destruction. If on the other hand there is no real policy (or it's badly enforced) this opens up an avenue for liability wherein the corporate controllers say "we don't have documents X or Y because they were destroyed" and the judge then assumes they did it to hide something (and punishes accordingly) or assumes they're lying (and punishes accordingly). Also, when the prosecution or plaintiff asks for certain documents, the policy can limit the scope of the request so that your IT team isn't spending untold hours digging up archived stuff to turn over in satisfaction of a subpoena.
You should be careful not to fall into the logical trap that document destruction is only useful if you have something to hide. In this very litigious society, it's rarely that simple.
Virg
Everyone is a felon. Everyone is a criminal that deserves to spend years in jail. The only reason that most don't, is that they haven't pissed off the right person yet.
Keep in mind that something as inane as throwing away home electronic equipment is a felony. It is hazardous waste that was improperly disposed of. No one prosecutes this, but only because there isn't a reason.
When you realize this, everyone has something to hide. Caution isn't an admission of guilt. People use the same argument (Only the guilty have something to hide) against cryptography.
I don't want my trade secrets, my payroll, my desire to take over the competition, or my civil litigation that I settled out of court public knowledge. Any one of these things could be used against me in the right lawyers hands, and that just shouldn't be the case.
The argument is so fundamentally flawed that I am upset that it needs to be answered. Unfortunately there are enough backward thinking, overly simplistic, conservatives out there that make it necesary to argue the point.
Innocent people have more to hide than guilty people. That is the only reason they are still innocent.
Just wait until Ed McMahons "Neighborhood Watch" (not his idea, but he filmed the PSA for it) goes into action, and the American Stazi is born. Then you will start to realize how much your neighbors know about you, and exactly what laws you have broken.
Your solution doesn't make sense for any but the smallest businesses, due mainly to infrastructure but also for legal considerations. For a large company, storing eternal backups of every piece of data generated represents a gargantuan storage, retrieval and maintenance operation that in the large majority of cases serves no useful purpose. For example, when I worked for a large bank, the IT department spent hundreds of thousands of dollars per year to store the backups and logs that we wanted to keep. It would have been an appalling waste of money and personnel to double that just to keep backups of information that we never needed anyway. Also, such records can be a huge liability to a company in the event of a lawsuit, even assuming that there's no wrongdoing. Simply sifting through all of the records for documentation relevant to a subpoena can consume massive resources, just to prove that none of the email you've stored for the last five years contains anything incriminating. A document retention (and destruction) policy can force a judge to limit the scope of a subpoena, thereby reducing the workload in satisfying the subpoena.
In the corporate world, lawsuits complicate such issues immensely. Don't make the mistake of assuming that the only reason to cover your butt is because you've done something wrong.
Virg
"Andersen cannot be held responsible (even though they will) for the illegal acts of a few."
Sure they can. Especially now that it looks like as many as 80 employees might have been involved. Do you think they all just got together at lunch one day and decided to make some confetti, just for fun?
Managers in a company with a sizeable bunch of employees wandering around shredding documents illegally are clearly either criminally corrupt or criminally stupid. In either case they'll get no sympathy from me.
So, there are two other things to consider:
1. Keeping old records around can be expensive -- not only do you have to keep the media it's on, but you have to make sure you have the ability to read that media, and once you do, that you have the appropriate software and hardware to understand the message itself. Destroying them after you don't really need them any more saves a lot of expense. And, that doesn't even begin to talk about deteriorating backup media.
2. Similarly, part of the problem is in making sure that you have a *complete* record -- you don't want to have a partial record, where the mail to the CFO says "Hey! Let's screw the employees out of their pension," but not the corresponding mail from the CFO that says "That's illegal and immoral. You're fired." So, the idea is not so much to cover up past wrongs, as it is to make sure that you have a true archive.
3. The other thing is that there are some things that are embarassing, but not illegal -- the fact that the CEO didn't retire for health reasons, but was forced out because he got his secretary pregnant, for example.
I don't know about everybody else, but I use my e-mail as a record of what *I've* done, and 9 months (as somebody mentioned earlier) is not far enough back -- heck, every year we have performance reviews, and how am I going to say "This is what I did 11 months ago" if I don't have any record of what I did 11 months ago.
I am sympathetic to those of my colleagues who have written that an honorable company need not fear anything. I do concur with those who have responded so are, indeed, naive. Documents can be very costly and damaging, even as against the innocent, a "smoking gun document," need not have actually been the murder weapon to cast doubt on the innocence of the innocence. Many are the times a close case swings because of a random, ambiguous and otherwise innocuous document.
On the other hand, my colleagues who have written on the utility of unfiled archives are also correct. Few things are more valuable, and numerous are the times one can "save the day," by a few hours of rummaging to find the "holy grail document."
The problem is that there is no way to have prior knowledge which are the smoking gun documents and which are the holy grail documents. The HG docs can save your life, but the SG docs can kill you. And the likelihood of either situation is rare (although the costs and benefits, respectively, often are astronomical).
Meanwhile, having recent documents around is, simply put, necessary to the efficient operation of a business. That said, e-mails, because of the culture of e-mail use, these days are the single best source of SGDs in modern litigation.
So, a decent (that is responsible) retention policy should balance effectively these competing concerns, even for a truly and genuinely honorable commercial entity. The key idea is this, the retention period should be long enough that the likelihood that the HG-ness of a document will be recognized prior to destruction, and longer than the general utility of having any document handy, but no longer. Guess is somewhere between 18 months and three years, depending on the business.
The retention policy will have exceptions for important instruments, but will require an affirmative effort be made to avoid the axe. Thus, docs identified as HG in nature, after the period, like deeds, source code, contracts with term longer than retention, and special documents are automatically reupped, despite the policy.
I myself am a keeper of information. I have every email from every job Ive ever worked. Every joke, every attachment. Information is a most useful tool. One never knows when the content of one of those piffy emails may contribute to current efforts. I have more than one well prepared person fend off attacks deserved or otherwise, by simply referring back to a piece of email.
People need to remember and follow certain rules. Never say, or attach anything in an email that you can't handle being beat to death with. I make it a policy to carry out most interactions verbally. Its much harder to prove I said, "screw the customer I'll just delete their file" than it is to refer back to my email. Plausible denyability is the name the of the game.
I've kept jobs and gotten raises for nothing more than retained email. Think about it...