Document Retention - How Long is Too Long?
darthtuttle asks: "With the recent news of document destruction at Enron and the emails that have been discovered in high profile cases such as MS -vs- DOJ, document retention seems to be a hot item right now. What document retention policies do people have at their companies, and what steps do companies take to make sure that documents are destroyed according to the policy when their time is up so they don't come back to haunt the company later? Note: the purpose of a document retention policy is not to keep documents, but to make sure they get destroyed according to policy before someone outside the company decides to use them against you. The big issues seem to be backups and documents stored on people's desktops/laptops. You don't want those email server backup tapes from 2 years ago to be found, and you don't want to find out that the CFO was saving -every- email they ever got on their laptop."
One word: encrypt.
Encryption wouldn't do much in this case; if the FBI comes in with a warrant, they're going to want them decrypted. What are you going to say to them? "Uhhh, they're unreadable, because they've all been encrypted. And we lost the key."
Of course, encryption makes it easier to obstruct justice, but the people involved generally place more value on their own freedom and career rather than their company's welfare (as they should).
A lot of people have posted that as long as you are legit then you shouldn't have to worry, but that is just naive. The truth is that a well trained lawyer can take any document and manipulate the information to fit their needs. Add to that, information taken out of context can be given uneducated scrutiny by the press and the general public, resulting in a disaster.
To me, the best policy is whatever your legal requirements are and that's it. Destroy everything else.
I'm surprised at the question though. Are companies really so worried about their business practices that they must destroy evidence in order to remove liability? I should imagine that internal auditors would be more effective at keeping a company out of trouble than any policy of document destruction.
If the Enron or Arthur Andersen execs walk, I wouldn't be surprised to see a legal presumption of guilt when documents are shredded prematurely or despite an explicit and lawful order to retain them.
The theory is simple and precedent is well-established - if a cop sees you see him and then bolt, that's grounds for a reasonable presumption that you're guilty of *something* and the cops can stop and question you. It's not enough to throw you in jail, but you can be stopped and questioned while the guy who didn't flinch walks.
Same thing here - if you're deleting records that the state says you need to keep for N months, the burden in civil court (which only requires a "preponderance" of evidence anyway - 51%) is on you to prove that those documents weren't "smoking gun" evidence in support of the plaintiff's case, not on them to prove they were.
If you're deleting records despite a lawful order, you have to prove that the documents were not incriminating and that it didn't constitute obstruction of justice or contempt of court.
Of course this is something that would have to be handled on a case-by-case basis already... but the courts already do this when deciding admissibility of evidence discrediting a witness. If somebody has been convicted of perjury, the jury should know it because it's reasonable to ask whether they're lying again. If somebody has been shredding documents when they shouldn't have been, that again directly challenges their credibility elsewhere.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This may be a good policy when you have something to hide. In the IT world, in my experience (and the experience of most of my peers it seems), old e-mail has helped way more often than it hurts us. If you use e-mail to document conversations, meetings, etc., a lot of disputes get resolved pretty quickly when you pull out an old e-mail and say, "See, here's what you said." or "See, here's what we said we would do."
This doesn't happen if we have to print "important" e-mails. Why? Two reasons. First, you usually don't know a year or two in advance which e-mails are going to be important some day. We may generate a thousand messages plus over the course of a project. Most of them are routine, or are only of passing interest. Every once in a while, however, there will be a design decision (or more likely a design compromise) that one party has conveniently forgotten.
Conversely, if someone can show us that we did, in fact, agree to do something, then we will commit to doing it. Our memories are cloudy too, and we do believe in delivering what we said we would.
The second reason paper filing doesn't work for most of us is that it's extra work. Want to file an e-mail - drag it to a folder. Done. Need to file a paper document - remember to print it, interrupt whatever you're doing to leave your desk, find the right folder (if there's room in the cabinet), file it. If you're on the road, remember to go back later, once you're back in the office, and follow the steps above. This works OK if you're an executive with a secretary dedicated to such tasks. Around here, at least, that perk has become too expensive for all except the most senior management. And, even though paper filing doesn't take much effort for a single document, it is a lot of work for hundreds of e-mails, it requires filing space that is in short supply, and it requires a degree of discipline that most people don't seem to have. Finally, even if you have a good paper filing system, it's much easier to search electronic files quickly.
This is exactly why electronic files are so dangerous in litigation - if you can search them quickly, so can your adversary. By prohibiting them, however, you reduce productivity across the entire company and increase costs. I'm not convinced that the legal eagles balanced the immediate cost benefits against the possible future risk. They only consider the dark side.
On a related note, I know I just read an article (here?) about how electronic documents have a life of their own thanks to widespread forwarding. Your retention policies may be almost meaningless if your correspondents keep everything.
"I can't imagine the tech demands of constant archiving of everything. I'd need to give half of my budget to EMC just to try to stay ahead."
This is partly because you don't use standards compliant systems. I have all my non-junk e-mail going back to 1994 saved, from a variety of HP, Solaris, Irix and Linux machines across maybe nine e-mails. It's all in instantly recognizable mbox format. If you are going to go with Netware, Win2k, etc., then of course you are going to have these problems! The companies that make those systems make their profits selling new versions of software.
Maybe it would save your company money to choose a system which does not build 2-year obsolescence into its business plan.
Considering the mindlessly litigious nature in which businesses in the US operate, a data control policy is absolutely necessary and in no way reflects the ethics of the organization in question.
There's another side to this too, kids. As someone who does expert testimony in cases involving data stored on personal computers, I can tell you that every individual also has a need for data control measures. Every one of us needs to shred documents, delete files, and scrub file slack space and "empty" space on our disks. Windoze users should also scrub out their swapfiles.
These are realities imposed upon us by the nanny state, which has grown a lot bigger since 9/11.
Just because you're paranoid doesn't mean they're not out to get you.
Andersen cannot be held responsible (even though they will) for the illegal acts of a few.
Why the hell not? What happened to self auditing? What happened to rules in regulations that they are to follow to prevent this kind of major scandal?
Let me tell you - if company employees break the law for the company, it's still the company that's breaking the law. Heads should roll - and gross mismanagement should result in long, long prison terms for Andersen management.
Why hire Andersen if they don't even have a handle on how well they're working with one of their biggest clients???
For a large company, a document retention and destruction policy is a necessity, specifically for legal reasons, but not for the reasons you're assuming. Every large company develops huge masses of information, and most of them back up that data to protect against short term loss. However, most companies don't want to keep it forever, so they destroy the old stuff to reduce storage needs, cut down on administrative costs associated with maintaining the records and protect against industrial espionage. The problem lies when the company comes under examination for a lawsuit. If there's a well described and religiously followed document retention policy in place, the court has no reasonable expectation that the company will still have documents that the policy marked for destruction. If on the other hand there is no real policy (or it's badly enforced) this opens up an avenue for liability wherein the corporate controllers say "we don't have documents X or Y because they were destroyed" and the judge then assumes they did it to hide something (and punishes accordingly) or assumes they're lying (and punishes accordingly). Also, when the prosecution or plaintiff asks for certain documents, the policy can limit the scope of the request so that your IT team isn't spending untold hours digging up archived stuff to turn over in satisfaction of a subpoena.
You should be careful not to fall into the logical trap that document destruction is only useful if you have something to hide. In this very litigious society, it's rarely that simple.
Virg
Your solution doesn't make sense for any but the smallest businesses, due mainly to infrastructure but also for legal considerations. For a large company, storing eternal backups of every piece of data generated represents a gargantuan storage, retrieval and maintenance operation that in the large majority of cases serves no useful purpose. For example, when I worked for a large bank, the IT department spent hundreds of thousands of dollars per year to store the backups and logs that we wanted to keep. It would have been an appalling waste of money and personnel to double that just to keep backups of information that we never needed anyway. Also, such records can be a huge liability to a company in the event of a lawsuit, even assuming that there's no wrongdoing. Simply sifting through all of the records for documentation relevant to a subpoena can consume massive resources, just to prove that none of the email you've stored for the last five years contains anything incriminating. A document retention (and destruction) policy can force a judge to limit the scope of a subpoena, thereby reducing the workload in satisfying the subpoena.
In the corporate world, lawsuits complicate such issues immensely. Don't make the mistake of assuming that the only reason to cover your butt is because you've done something wrong.
Virg
So, there are two other things to consider:
1. Keeping old records around can be expensive -- not only do you have to keep the media it's on, but you have to make sure you have the ability to read that media, and once you do, that you have the appropriate software and hardware to understand the message itself. Destroying them after you don't really need them any more saves a lot of expense. And, that doesn't even begin to talk about deteriorating backup media.
2. Similarly, part of the problem is in making sure that you have a *complete* record -- you don't want to have a partial record, where the mail to the CFO says "Hey! Let's screw the employees out of their pension," but not the corresponding mail from the CFO that says "That's illegal and immoral. You're fired." So, the idea is not so much to cover up past wrongs, as it is to make sure that you have a true archive.
3. The other thing is that there are some things that are embarrassing, but not illegal -- the fact that the CEO didn't retire for health reasons, but was forced out because he got his secretary pregnant, for example.
I don't know about everybody else, but I use my e-mail as a record of what *I've* done, and 9 months (as somebody mentioned earlier) is not far enough back -- heck, every year we have performance reviews, and how am I going to say "This is what I did 11 months ago" if I don't have any record of what I did 11 months ago.
I am sympathetic to those of my colleagues who have written that an honorable company need not fear anything. I do concur with those who have responded that they are, indeed, naive. Documents can be very costly and damaging, even as against the innocent; a "smoking gun document" need not have actually been the murder weapon to cast doubt on the innocence of the innocent. Many are the times a close case swings because of a random, ambiguous and otherwise innocuous document.
On the other hand, my colleagues who have written on the utility of unfiled archives are also correct. Few things are more valuable, and numerous are the times one can "save the day," by a few hours of rummaging to find the "holy grail document."
The problem is that there is no way to have prior knowledge which are the smoking gun documents and which are the holy grail documents. The HG docs can save your life, but the SG docs can kill you. And the likelihood of either situation is rare (although the costs and benefits, respectively, often are astronomical).
Meanwhile, having recent documents around is, simply put, necessary to the efficient operation of a business. That said, e-mails, because of the culture of e-mail use, these days are the single best source of SGDs in modern litigation.
So, a decent (that is, responsible) retention policy should balance effectively these competing concerns, even for a truly and genuinely honorable commercial entity. The key idea is this: the retention period should be long enough that the HG-ness of a document is likely to be recognized prior to destruction, and longer than the general utility of having any document handy, but no longer. My guess is somewhere between 18 months and three years, depending on the business.
The retention policy will have exceptions for important instruments, but will require that an affirmative effort be made to avoid the axe. Thus, docs identified as HG in nature after the period, like deeds, source code, contracts with a term longer than the retention period, and special documents, are automatically re-upped, despite the policy.
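The question at the top of the thread asks what steps companies take to make sure documents are actually destroyed when their time is up, and the post above sketches the policy shape: a fixed retention period, an exception class (deeds, contracts, source code) that is re-upped regardless of age, and the implied freeze when a lawful order to retain is in force. The following is an added example of that mechanism applied to a mailbox in the mbox format mentioned earlier in the thread; it is not code from the thread or from any product named in it. The retention period, the X-Legal-Hold header name, the exception-subject pattern and the sample messages are all assumptions constructed for the example; a real deployment would take them from the written policy and the records-management system.

```python
"""Retention sweep over an mbox mailbox (added example, not from the thread).

Assumed policy (hypothetical constants, not taken from the page):
  * messages older than RETENTION_DAYS are destroyed;
  * messages carrying an assumed "X-Legal-Hold: yes" header, or whose Subject
    matches EXCEPTION_SUBJECTS (contracts, deeds, source code), are kept
    whatever their age, like the re-upped exception class in the thread;
  * while a preservation order is in force nothing is destroyed at all;
  * anything that cannot be dated is kept and flagged for manual review
    (fail closed: never destroy what you cannot prove is out of period).
"""
import mailbox
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

RETENTION_DAYS = 18 * 30      # assumed: low end of the 18-month to 3-year range
HOLD_HEADER = "X-Legal-Hold"  # assumed header name set by the records system
EXCEPTION_SUBJECTS = re.compile(r"\b(contract|deed|source code|licen[cs]e)\b", re.I)


def message_date(msg):
    """Parse the Date header into an aware datetime, or None if absent/unparsable."""
    raw = msg.get("Date")
    if raw is None:
        return None
    try:
        dt = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:           # "-0000" style dates come back naive
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def classify(msg, now, retention_days=RETENTION_DAYS):
    """Decide keep/purge for one message and return the reason for the audit log."""
    if msg.get(HOLD_HEADER, "").strip().lower() == "yes":
        return "keep", "legal hold"
    if EXCEPTION_SUBJECTS.search(msg.get("Subject", "")):
        return "keep", "exception class"
    dt = message_date(msg)
    if dt is None:
        return "keep", "undated: manual review"
    if now - dt > timedelta(days=retention_days):
        return "purge", "older than %d days" % retention_days
    return "keep", "within retention period"


def sweep(path, now, preservation_order=False, dry_run=True):
    """Apply the policy to every message; return (key, message-id, action, reason) tuples."""
    box = mailbox.mbox(path)
    box.lock()
    try:
        decisions = []
        for key, msg in box.items():    # decide first; removing while iterating is unsafe
            action, reason = classify(msg, now)
            if preservation_order and action == "purge":
                action, reason = "keep", "preservation order in force"
            decisions.append((key, msg.get("Message-ID"), action, reason))
        if not dry_run:
            for key, _, action, _ in decisions:
                if action == "purge":
                    box.remove(key)
            box.flush()
    finally:
        box.unlock()
        box.close()
    return decisions


# Constructed sample messages (not real mail): one stale, one stale but in the
# exception class, one stale but under legal hold, one recent, one undated.
SAMPLE = [
    "Date: Wed, 12 Jan 2000 10:00:00 +0000\nMessage-ID: <stale@example.test>\n"
    "Subject: Re: pension plan\n\nold routine chatter\n",
    "Date: Fri, 14 Jan 2000 09:00:00 -0500\nMessage-ID: <contract@example.test>\n"
    "Subject: Signed contract with Acme\n\nattached\n",
    "Date: Mon, 3 Apr 2000 08:00:00 +0000\nMessage-ID: <held@example.test>\n"
    "Subject: Q3 numbers\nX-Legal-Hold: yes\n\nretain\n",
    "Date: Wed, 6 Feb 2002 12:00:00 +0000\nMessage-ID: <recent@example.test>\n"
    "Subject: lunch?\n\nnoon?\n",
    "Message-ID: <undated@example.test>\nSubject: no date header\n\n???\n",
]


def build_sample(path):
    box = mailbox.mbox(path)
    for raw in SAMPLE:
        box.add(raw)
    box.flush()
    box.close()


def demo():
    """Preview, then preview under a preservation order, then really purge."""
    now = datetime(2002, 3, 1, tzinfo=timezone.utc)   # fixed clock for reproducibility
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cfo.mbox")
        build_sample(path)
        preview = sweep(path, now, dry_run=True)
        frozen = sweep(path, now, preservation_order=True, dry_run=True)
        sweep(path, now, dry_run=False)
        remaining = [m.get("Message-ID") for m in mailbox.mbox(path)]
    return {
        "preview": {msgid: action for _, msgid, action, _ in preview},
        "frozen_purges": sum(1 for dec in frozen if dec[2] == "purge"),
        "remaining": remaining,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design choices matter more than the code itself. The sweep runs in dry-run mode by default and records a reason for every decision, so the audit trail shows that destruction happened on schedule under a written policy rather than on a whim, which is exactly the distinction the Virg posts draw. And the preservation-order flag short-circuits every purge: once a lawful order to retain exists, the scheduled job must stop destroying anything, because deletions after that point are the premature shredding the earlier post warns will be read against you.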