Document Retention - How Long is Too Long?
darthtuttle asks: "With the recent news of document destruction at Enron and the emails that have been discovered in high profile cases such as MS -vs- DOJ, document retention seems to be a hot item right now. What document retention policies do people have at their companies, and what steps do companies take to make sure that documents are destroyed according to the policy when their time is up so they don't come back to haunt the company later? Note: the purpose of a document retention policy is not to keep documents, but to make sure they get destroyed according to policy before someone outside the company decides to use it against you. The big issues seem to be backups and documents stored on people's desktops/laptops. You don't want those email server backup tapes from 2 years ago to be found, and you don't want to find out that the CFO was saving -every- email they ever got on their laptop."
Documents should be retained for the amount of time it takes to walk from your desk to the paper shredder.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
Depends on the document. Depends on the business. There is no one size fits all answer to this one. I know that in financial services, there are SEC mandated time frames for document retention as well as strict rules on how to dispose of documents as well.
this is getting old and so are you
If companies have nothing to cover and nothing to hide, why should they be concerned about their deletion to begin with? Then again, I am sure paper memos are not kept forever, and if they can avoid lawsuits legally by deleting documents I would probably do the same in their position, as to not assist my prosecutors.
"I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
you shouldn't have any worries, so keep it as long as you like.
;-), it would be best to ask your legal representation. We here posting to you in response can only tell you what our companies do, and here is my response to that.
However, and from the sounds of things, someone there wants some info to go away
The company I work for does insurance claims. We have paper trails all the way back to the early 80's, and backups of EVERYTHING from around 95 on. The premise here is that if it is important then, chances are decent that it could be again someday.
hthal
Sent from your iPad.
Personally, I think that corps shouldn't be allowed to destroy documents for at least 3-5 years -- all they're doing is covering their sins. Enron's a good example; they're destroying the evidence that they knew they were perpetrating a fraud against their investors. Destruction of the documents could mean that, as usual, the little guys get screwed and assholes like Ken Lay walk due to lack of evidence.
Pretty disgusting.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
since a customer has become very unhappy with us and their version of events makes us a real bad guy. Fortunately, I *do* have every e-mail we exchanged over the last two years, all the documents we delivered, their comments, the schedule material they generated, and other bits of dross and minutia. The timelines and copies of everything (now on CD) have become a gold mine to our counsel and may well help us come to some graceful agreement on the issues without ending up in arbitration.
Bill Gates is a communist -- he's just more equal than the rest of us.
While this might not work for everyone, I NEVER delete an e-mail and I log all of my instant messages. My policy regarding destruction of data? If it can be used against you, don't write it. Document retention (and destruction) policies are cover-ups at best. Remember when those guys went driving around shooting people with paintballs and videotaped it? Rather than having them agree to erase the tape after X days, why make it in the first place. I don't destroy digital records of my life. Why not? I sure as hell wouldn't be stupid enough to record anything I'm ashamed of doing.
t'nera semordnilap
Encrypting doesn't necessarily help. Sure, it prevents the court from reading your documents, but it doesn't prevent the court from putting your ass in jail for contempt of court after they subpoena your key/passphrase/whatever from you.
And if you destroy your key as the feds are coming through the door, that's just like shredding documents -- They'll put you in jail for destroying evidence.
(And yes, well encrypted data is indistinguishable from random data, but it's not going to be too hard for a state's attorney to argue that the huge pile of random data on your HDs is encrypted data, not your /dev/urandom souvenir collection).
One word: encrypt.
Encryption wouldn't do much in this case; if the FBI comes in with a warrant, they're going to want them decrypted. What are you going to say to them? "Uhhh, they're unreadable, because they've all been encrypted. And we lost the key."
Of course, encryption makes it easier to obstruct justice, but the people involved generally place more value on their own freedom and career rather than their company's welfare (as they should).
Seriously -- if you don't check with the legal types on what the information is and what it relates to, you could be legally liable for obstruction of justice/personal harm. The lecture I got on this turned my hair curly. Make the lawyers earn their money and break down what you can and can't destroy, and when. If you've got any kind of assets to protect, this is a must.
-- q
Useless in a legal situation. The court will subpoena key to unlock the files.
Potato chips are a by-yourself food.
If you destroy a document, then the other side makes a statement, it would be hard for you to show proof that the statement is false, because you destroyed your evidence.
Fight Spammers!
If you knowingly destroy evidence of a crime, even on someone else's orders, you've just committed Obstruction of Justice, and possibly Conspiracy to Obstruct Justice. Those are what all the Watergate conspirators went to jail for.
Best Slashdot Co
My large organization is probably a lot like many others.
We have a fairly extensive policy for managing records that has been developed over decades in a world dominated by paper.
There has been some effort to extend those policies into the electronic arena as well.
But I think the sheer volume of electronic records is making certain impracticalities of those policies show.
Things like having people periodically review material and decide what to keep and what to archive and what to destroy - this requires more human time than any reasonable person is willing to commit. And, if the corporation thinks about the real costs of having a live human review those e-documents, they'll probably come to the same conclusion.
And I won't even mention the complications of moss-covered media that has stuff on it that no one has really inventoried carefully.
I have 8mm tapes from 7-8 years ago that I haven't looked at. There's several GB of stuff on it, but even I couldn't tell you what it all is.
It probably includes the 12 page document that Oliver North faxed to me about the impending Enron collapse that was initiated by the Whitewater deal. 8)
"Provided by the management for your protection."
This merely shows the sad state of affairs our corporations have made for themselves. If a company operates completely within the law there is no reason to worry about old documents coming back to haunt the business.
Looking at it from another point of view, all of those documents are automatically protected under copyright. Copyright is an agreement between creators and the public - the creator gets an exclusive right to use the work for a time but then it belongs to the public domain. All of those destroyed documents are a form of theft from the public!
Don't just complain - DO something about it!
Run your business honestly, and keep the docs forever to prove it!
The technical demands for electronic documents would seem to dictate some of this. For example, we've been converting from Netware/Groupwise/Win9x to Win2k/Exchange/Win2k here. It doesn't change word-type documents, but it does change the email system and the backup system.
Sometime today I plan to decommission the Netware backup system -- derack the equipment and potentially reuse it in some other location as soon as next week. This will make all of our old backup tapes unreadable, as our Win2k backup system uses not just different software but different physical media -- I can't read DLT7000 on a LTO Ultrium tape drive. I *think* I can read an ArcServe tape on BE 8.6, but the files are backed up as Netware-compressed and can't be restored but to a netware server. Once we decommission our last netware server (within a few months), all of those tapes are worthless without the infrastructure to restore the data.
The email system again is another matter, I need even more infrastructure and software to manage it (presuming I can restore it). Netware administrator, Groupwise installed (client and server), and so on.
Even so, we don't even keep old backup tapes. We have a 5 week rotation (1 full per week with daily incrementals). I used to keep old tapes, but they were unreliable (especially the DATs) and the software isn't always available. We USED to keep them (1 full per month), but I found myself with a shitpile of tapes that needed storing and a big blank media bill.
Eventually word/powerpoint and other apps will obsolete themselves to where the data, even if you can read the media, isn't usable. I know that we purge our email system daily of older > 6 months emails and we chase after users to ditch old documents as server space gets tight.
I can't imagine the tech demands of constant archiving of everything. I'd need to give half of my budget to EMC just to try to stay ahead.
When asked by a secretary if she could destroy old documents that were just taking up space, Samuel Goldwyn, the movie mogul replied:
Go ahead but just make sure you make copies of everything first
I've been swashdotted -- Elmer Fudd
A lot of people have posted that as long as you are legit then you shouldn't have to worry but that is just naive. The truth is that a well trained lawyer can take any document and manipulate the information to fit their needs. Add to that information taken out of context can be given uneducated scrutiny by the press and the general public resulting in a disaster.
To me, the best policy is whatever your legal requirements are and that's it. Destroy everything else.
We keep hearing the "If you have nothing to hide, then you have nothing to worry about" argument in all media formats, especially slashdot. Shouldn't this apply to corporations and government agencies as well? The proper way for the Feds to handle Enron would have been to send in armed agents to seize hard drives and filing cabinets, rather than give them months to destroy everything. The same policy should be applied to Cheney's handling of his dirty oil company dealings. The same should have been applied to the Reagan/Bush administration during the Iran/Contra days. This biased application of forceful seizure of evidence has our prisons full of private citizens while crooked pols and crooked execs stroll around in search of their next scam.
If you need a Document Retention policy for any reason other than reducing storage space, it's time to check your ethics.
"What is the sound of one belly slapping?"
Some of us don't have anything to hide, and so we don't have a pressing need to make sure documents get destroyed in a timely fashion. On the other hand, comprehensive records can be very useful at some point to prove that you don't have anything to hide.
One of the biggest reasons in the business world (other than CYA) to destroy documents is due to space requirements. Ten years' worth of paper trail can easily take up a small warehouse. With the advent of computer based storage, though, it is much more practical to keep comprehensive records for much longer lengths of time.
"If English was good enough for Jesus, it's good enough for everyone else."
I'm surprised at the question though. Are companies really so worried about their business practices that they must destroy evidence in order to remove liability? I should imagine that internal auditors would be more effective at keeping a company out of trouble than any policy of document destruction.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
The problem is hard on many levels. For example, many small companies have the, "we have nothing to hide" attitude, because they're not able to think in terms of large business dealings where years of internal email could be dragged out into court and used out of context.
Once you convince a company that document "retention" is valuable, many managers will immediately declare themselves exempt because they feel that they will one day need that email from a vendor thanking them for buying the Widget 10,000 last week.
What I think the industry really needs is some kind of software that manages information archives in a way that lets people specifically call out information that needs to be preserved as annotation. In this way, you could keep all of the headers of all of the mail and all of the filenames of all of the documents on a fileserver, but only keep the annotations (which may include some key points from an original).
I know that I would find this more useful than the usual way that people annotate documents (named folders).
Not all corporations are Enron. Most of them aren't even all that big. Don't paint with such a wide brush.
Are you saying that corporations should disclose everything? Research, development, patents in development? Everything?
It's like engineering: there will be tradeoffs. For the 100s of decent corporations, there will be a big Enron blight that mucks it up. Should we punish everybody because of one asshole?
Potato chips are a by-yourself food.
This is a non-discussion. Basically, the question is this:
"I'm making profit by breaking or flexing the law to such extent that my business would not survive the lighting in a courtroom. I know this is immoral. To further improve my profits, I wish to know what a good balance between keeping mails for reference and deleting mails for protection is. Do I keep compromising information for a few months? A year?"
Folks - give your worst advice possible.
Stop the brainwash
It all seems backward to me. Destroying documents to get rid of any evidence of accountability.. What's up with that?
Certainly, there's a lot of stuff that isn't bad, but it can be viewed as bad in the context of history.. Lawrence Lessig got in trouble when he was appointed as Special Master in the Microsoft case because of an e-mail he wrote regarding the ease of installation (or lack thereof) of Netscape versus Internet Explorer, and the trouble installing the software caused..
It was just a silly e-mail to a friend, but it got blown out of proportion.
On the other hand, there have been instances in the past of very important and incriminating documents being kept by employees who felt that twinge of conscience and decided they shouldn't go in the shredder.
Document retention policies, in my opinion, should be based around keeping `important' documents (however that is defined), and shredding the lesser ones, in order to save space. No need to keep the e-mail regarding today's lunch outing, but it's a good idea to keep that list of patients...
As usual, everything in the universe eventually ends up hitting jwz at some point. This story (read: rant) is a perfect example on how something as trivial as non-company-related-email lists set up by a few employees can land them and the company in hot water.
Ok...
Then if a time limit must be placed on document life, what about tying it to the statute of limitation on fraud?
[o]_O
It depends on what the regulations say governing a particular record type.
DOL, IRS, DOT, OSHA, EPA, etc. all have their own requirements for record retention times.
Probably the best thing anyone/business can do is discern what these are and keep only these items along with any record that's pertinent after time. But fulfilling legal recordkeeping requirements should be the top priority in such a review.
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
There is a legal principle called spoliation, which is a $5 word for destroying evidence. You can find that the mere fact you destroyed something hurts much more than whatever was in the document would have hurt.
Laws affecting technology will always be bad until enough techies become lawyers.
The U.S Army uses a system called MARKS (Modern Army Recordkeeping System) which includes destruction procedures. Every record within the MARKS system is supposed to have a disposition which indicates when it is to be destroyed. The system is designed so that there is no ambiguity about when to destroy the file (e.g., "destroy 1 year after expiration"). Any half-awake clerk can follow the instructions.
Usually the person creating the document knows its proper scope, and can specify the disposition. Then anyone who receives the file just follows the instructions.
Necessary for any similar system for private companies would be
1) publish guidelines/SOPs/regulations for dispositions
2) make sure document authors specify destruction dispositions on all documents
3) publish SOPs for regularly purging documents
4) auditing to make sure that destruction dispositions are followed
The best way would be to have some automation in there -- document creation tools modified to automatically insert this information, automated purging, automated auditing. Otherwise you're just adding a lot of workload to people who probably don't give a flying f--- about document destruction.
Robotiq.com is heavily tested on animals
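The automated auditing step that the comment above asks for, as an added example that is not part of the original thread and is not MARKS itself. The disposition grammar, the record fields and the sample records are constructed here, modelled on the one disposition string the post quotes.

```python
import calendar
import re
from datetime import date, timedelta

# Constructed grammar, modelled on "destroy 1 year after expiration" from the post.
DISPOSITION = re.compile(r"destroy (\d+) (day|month|year)s? after (creation|expiration)")


def due_date(disposition, created, expires):
    """Return the date on which a record becomes due for destruction."""
    m = DISPOSITION.fullmatch((disposition or "").strip().lower())
    if m is None:
        raise ValueError("missing or ambiguous disposition")
    count, unit, anchor = int(m[1]), m[2], m[3]
    base = created if anchor == "creation" else expires
    if base is None:
        raise ValueError("disposition needs an expiration date the record lacks")
    if unit == "day":
        return base + timedelta(days=count)
    months = base.year * 12 + (base.month - 1) + count * (12 if unit == "year" else 1)
    year, month = months // 12, months % 12 + 1
    # Clamp the day so that 29 Feb plus one year lands on 28 Feb.
    return date(year, month, min(base.day, calendar.monthrange(year, month)[1]))


def audit(records, today):
    """Flag records with no usable disposition, records kept past their due
    date, and records destroyed before their due date."""
    findings = []
    for rec in records:
        try:
            due = due_date(rec["disposition"], rec["created"], rec.get("expires"))
        except ValueError:
            findings.append((rec["id"], "no-valid-disposition"))
            continue
        destroyed = rec.get("destroyed_on")
        if destroyed is None and due < today:
            findings.append((rec["id"], "overdue"))
        elif destroyed is not None and destroyed < due:
            findings.append((rec["id"], "destroyed-early"))
    return findings


# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": "R1", "disposition": "destroy 1 year after expiration",
     "created": date(2000, 1, 10), "expires": date(2000, 6, 30)},
    {"id": "R2", "disposition": "", "created": date(2001, 5, 1)},
    {"id": "R3", "disposition": "destroy 3 years after creation",
     "created": date(2001, 3, 1), "destroyed_on": date(2001, 9, 1)},
    {"id": "R4", "disposition": "destroy 6 months after creation",
     "created": date(2001, 10, 1)},
    {"id": "R5", "disposition": "destroy 1 year after expiration",
     "created": date(2001, 2, 1)},
]

if __name__ == "__main__":
    for record_id, finding in audit(SAMPLE_RECORDS, date(2002, 1, 15)):
        print(record_id, finding)
```

The "destroyed-early" finding is the one that matters for the spoliation concerns raised elsewhere in the thread: it shows destruction that did not follow the published schedule.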
Any material relating to a crime must not be destroyed or you will be guilty of obstructing justice and other related crimes. This is true as long as the statute of limitations has not run out on the crime committed. Some crimes, such as murder, have no statute of limitations and therefore the materials relating to the crime can never be destroyed without committing another crime.
That being said, if the penalties for obstruction of justice are less than that of the crime being committed then of course it's a good idea to destroy them immediately. It's just not legal to.
So, if you commit a crime and it's minor then save the evidence until the statute of limitations is up. If it's a major crime then you will possibly get in less trouble if all the evidence is destroyed immediately. Just remember that crimes tend to be cumulative so, for example, you could be convicted of both robbery and obstruction of justice and get a longer jail time or more penalties than if you never destroyed the evidence.
Sapere aude!
After all you have nothing to hide, right?
And your mother's maiden name, while you're at it. And your home address, SSN, birth certificate.
Nothing to hide, right?
Oh, and that letter you wrote to your realtor telling him the absolute lowest price you would accept for the house you're selling. I'm in the market for a new house and I could really use that information.
Besides, you have nothing to hide.
Nope, no sig
First off, one of the poster's arguments is a bit flawed. The poster states that the purpose of a document retention policy isn't to ensure that the document is kept, but to ensure that it's destroyed before it could be used in court, etc. This is incorrect. A good document retention policy covers both of those scenarios, as well as several others.
There are several good reasons why a document must be retained for a certain (or indefinite) amount of time - including legal reasons. Many businesses - even entire industries such as banking, telecom, finance, insurance, etc - must keep some records indefinitely. In some cases, documents may need to be kept for a certain minimum amount of time - say three years or seven years - before being destroyed. In cases such as these, it's to satisfy certain legal or industry requirements, after which the prime reason for destruction is usually the cost of retention.
And yes, retention does cost money. You have to factor in the cost of paper (acid free, for those docs that aren't stored electronically), storage (environmentally controlled), disaster recovery (in cases the storage site burns down), media (for those docs that are stored electronically) and hardware to read the media.
Like you said, however, there are also valid reasons to ensure that some documents are not retained. In particular, e-mails. My company, for example, has a document retention policy stating that e-mail servers are not backed up. E-mail older than 45 days is automatically deleted. You're not allowed to auto-copy incoming e-mail to an alternate location or mailbox, to ensure that copies are kept elsewhere.
At a past client, e-mail servers were torn down monthly, had replacement hard drives installed, and had the server software reinstalled from scratch - importing in e-mail that is less than 30 days old. The old hard drives were shipped off to a destruction facility (managed by the client). All old servers had all media removed and shipped to the same facility. Any server or PC that was repurposed also had media replaced - again, the old media shipped off for destruction.
The most important thing about any document retention policy, however, is due diligence. In every scenario - whether ensuring the destruction of past e-mails, the retention of legally sensitive documents, or the security of those documents - a good policy should cover everything.
--
Welcome to the land of the easily amused...
Sales guys. Seriously, I've noticed that most of the really successful sales guys also tend to be a little, er, overinterested in that sort of thing.
I interned at an internal help desk at a major workstation maker. Mostly just "can't get my email" type stuff, but one time an engineer called and told me he had a "friend" who couldn't stop looking at porn at work. He was afraid of being discovered and getting fired, so he wanted a filter put on his machine to block out porn sites (no filter available; we used the company's UN*X boxes on the desktop, not Windows).
So, for some people it's a problem. For others... well, it's just them.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
At where I used to work, there was an annual "Document Day." Basically, it is used to 1) clean the office and get rid of junk 2) delete documents that have been over 12 months old or have already been dealt with. It may seem illegal, but this is common practice in large corporations and especially financial companies. We're not talking about shredding documents to hide evidence, but shredding documents so that it cannot be used against you at some point later on. Emails, that may seem quite innocent can later be turned around and used against you.
:-)
For example, let's just say that you had a friend working at a competitor company. One day you go out to lunch and plan this over email that you would wait for him in his lobby. Years later, you still have that email. Now your company is being sued for stealing proprietary technology from the other company and the people higher up claim that no employee of that company has ever entered the rival company. This email that you used to make plans could potentially be used against you and your company.
It's a crazy crazy world...
There was always a joke running around the office of how a technophobe manager would print out his emails so that he could shred them.
_______________________________
"I'm not Conceited...I'm just a realist..."
That's an interesting idea... on the surface it sounds good.
The only problem I can imagine with it right off hand is that it creates an "unfunded mandate". It costs $$$ to store stuff. I dunno what the statute of limitation on fraud is, but let's say 7 years. With a large corporation, that can add up quickly to massive costs. Corps will pass this cost down to consumers, or appeal to legislators for some kind of funding or tax break to fulfill this requirement.
That's not including the personnel overhead to manage and maintain this requirement.
Potato chips are a by-yourself food.
I should imagine that internal auditors would be more effective at keeping a company out of trouble
I am guessing you have never worked as an internal auditor or known someone who worked as an internal auditor. They don't typically review accounting policies. They are more procedure oriented.
Even if the internal auditors did know about this problem, they would have just reported to the board of directors who most likely would have filed the report in the cabinet with the sharp cutting teeth.
Something I've wondered about, along these lines, is scanning documents (bills, etc.) into a computer as they're received. From that point, the paper copy could be thrown away if the electronic copy was sufficiently 'official'. It seems like the electronic documents would also be a lot easier to organize, sort, and retain. Possible legal issues have kept me from doing so.
-Mike
This begs the question: Why would a large company want to keep / destroy documents?
Why keep documents:
1. The company may need the data in the future. (who erases old source code?)
2. Legal & regulatory laws & rules. The SEC, IRS, FDA, etc... require many companies to keep certain documents (e.g. Tax returns) for a specified amount of time (usually 1-10 years)
Why destroy all old documents:
1. There are many many documents in a large company, all the e-mails, reports, memos, meeting minutes, etc... Not all of these documents are to the long term benefit of the company, even if the creator / receiver believes it to be. Without examining each document, the executives do not know what is benign and what is catastrophic.
2. Retaining documents can be expensive. A company of 100 people could fill multiple closets, a company of 10,000 could fill warehouses. Yes, imaging solutions exist but are not cheap. Office space is not free.
3. If a company destroys only selected, possibly damaging information, it appears suspicious. If a company has a policy and consistently follows it to destroy all old documents (shred, delete, burn backups, etc...) then if old information is not available, it is because of the policy.
"Norton Wipe Info"
Actually anything that provides DoD standard wiping.
Make sure to have the program make at least ten FULL passes. Next step: shred the hard drive.
Linux'rs... don't forget that by default 'shred' may not actually 'delete' the files you are trying to get rid of. So if for example you've got "Enron Accounting Data - John look at this something is going down big at the company.txt" you may want to make sure it's deleted.
Btw, I've used Norton's Wipe Info to remove things such as accounting files if I ever sold the computer or hard drive. In the past version there was a "Send To" option, but now it's gone. Anyone know why that is? Also, after I bought System Works for 2002, I noticed that there is no longer a "Wipe Free Space" option in either Wipe Info or Speed Disk. What gives?
Get your Unix fortune now!
If the Enron or Arthur Andersen execs walk, I wouldn't be surprised to see a legal presumption of guilt when documents are shredded prematurely or despite an explicit and lawful order to retain them.
The theory is simple and precedence is well-established - if a cop sees you see him then bolt, that's grounds for a reasonable presumption that you're guilty of *something* and the cops can stop and question you. It's not enough to throw you in jail, but you can be stopped and questioned while the guy who didn't flinch walks.
Same thing here - if you're deleting records that the state says you need to keep for N months, the burden in civil court (which only requires a "preponderance" of evidence anyway - 51%) is on you to prove that those documents weren't "smoking gun" evidence in support of the plaintiff's case, not on them to prove they were.
If you're deleting records despite a lawful order, you have to prove that the documents were not incriminating and that it didn't constitute obstruction of justice or contempt of court.
Of course this is something that would have to be handled on a case-by-case basis already... but the courts already do this when deciding admissibility of evidence discrediting a witness. If somebody has been convicted of perjury, the jury should know it because it's reasonable to ask whether they're lying again. If somebody has been shredding documents when they shouldn't have been, that again directly challenges their credibility elsewhere.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Why on earth do we want to be considering the destruction of any document in this age of near infinite storage?
I mean, what if the government adopted this policy. What if instead of keeping old documents until they could be declassified the government went ahead and destroyed them? Would we tolerate it? Then why would we tolerate it from businesses that are for the most part just like little governments?
Paper copies I understand getting rid of. For some companies just a year's worth of records fills a small warehouse. But storage space is just so darn cheap and optical media is perfectly suited for long term archiving.
What if thirty years from now (in a fictional paradise) Microsoft went out of business and then the document stores were "declassified". We would finally be able to see exactly what they knew or didn't know about their monopolistic practices. Shouldn't we want to know the inside story so like good little students of history we could either avoid or repeat it (depending on your point of view)?
Our government has done and continues to do some bad, bad things. I mean the CIA implanted a microphone and 20 pounds of batteries in a friggin cat in the hopes he would perch outside the KGB headquarters...radiation testing on humans, stuff like that. But companies can do things that are just as bad.
I think they should pass a law that requires companies to store copies of all documents in escrow with an independent third party for as long as they are in business. After that, anyone who wants a copy should be able to get it. Of course, some of the stuff will be "classified". If Company B purchases Company A they don't want Company A's secret recipe for sale. Customer billing information would need to be kept secret. But eventually, after enough time, the information would be abandoned and then it should be returned to the public so they can have a full and complete knowledge of what was going on.
How are we going to understand how Enron got away with it for so long if we let the wolf guard the chicken coop?
- JoeShmoe
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
There is evidence that people both at Enron and Andersen destroyed documents after being explicitly told by a judge not to destroy anything. I'm not suggesting that some new regulations might not be in order, but I always prefer to improve enforcement of existing regs before we start considering new ones.
Nope, no sig
Encryption can be used to solve the problem of old documents and email on backup tapes. The idea is to store everything in encrypted form. The electronic documents are destroyed by destroying the associated key. You would need a fairly sophisticated system to automatically generate and manage the keys. Plus, you have to make sure that the keys don't end up on the regular backup tapes. There isn't anything illegal about doing this. You still need a document retention policy/schedule and you better not nuke all of your keys if you see the feds talking to the receptionist.
Mea navis aericumbens anguillis abundat
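The scheme described in the comment above (often called crypto-shredding), as an added example that is not part of the original post. The monthly key buckets, the `KeyVault` and `Archive` names and the legal-hold flag are assumptions, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM; all sample documents are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import date

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted AEAD.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += _prf(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + body + _prf(_prf(key, b"mac"), nonce + body)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        raise ValueError("authentication failed")
    return _xor_stream(_prf(key, b"enc"), nonce, body)

class KeyVault:
    """One key per calendar month. Kept apart from the archive and never
    written to the regular backups; in production this would be an HSM or
    KMS, since Python cannot reliably zero key bytes in memory."""

    def __init__(self, retention_months: int):
        self.retention_months = retention_months
        self.keys = {}          # (year, month) -> 32-byte key
        self.held = set()       # buckets frozen by a legal hold
        self.destroyed = set()  # buckets whose key is gone for good

    def issue(self, bucket):
        if bucket in self.destroyed:
            raise KeyError(f"key for {bucket} was destroyed; not reissuing")
        return self.keys.setdefault(bucket, secrets.token_bytes(32))

    def lookup(self, bucket):
        return self.keys[bucket]  # KeyError once the key has been destroyed

    def hold(self, bucket):
        self.held.add(bucket)

    def release(self, bucket):
        self.held.discard(bucket)

    def expire(self, today: date):
        """Destroy keys older than the retention period, skipping held ones."""
        gone = []
        for (year, month) in sorted(self.keys):
            age = (today.year - year) * 12 + (today.month - month)
            if age > self.retention_months and (year, month) not in self.held:
                del self.keys[(year, month)]
                self.destroyed.add((year, month))
                gone.append((year, month))
        return gone

class Archive:
    """Ciphertext store; this is the part that ends up on backup tapes."""

    def __init__(self, vault: KeyVault):
        self.vault = vault
        self.records = {}  # doc_id -> (bucket, sealed blob)

    def store(self, doc_id: str, created: date, text: str):
        bucket = (created.year, created.month)
        self.records[doc_id] = (bucket, seal(self.vault.issue(bucket), text.encode()))

    def read(self, doc_id: str, records=None) -> str:
        bucket, blob = (records if records is not None else self.records)[doc_id]
        return unseal(self.vault.lookup(bucket), blob).decode()

def demo():
    vault = KeyVault(retention_months=3)
    archive = Archive(vault)
    archive.store("memo-1", date(2001, 9, 14), "constructed sample: Q3 forecast")
    archive.store("memo-2", date(2001, 10, 2), "constructed sample: vendor notes")
    archive.store("memo-3", date(2002, 1, 20), "constructed sample: lunch order")
    tape = dict(archive.records)   # an old backup: ciphertext only, no keys
    vault.hold((2001, 10))         # counsel has frozen October 2001
    print("destroyed:", vault.expire(date(2002, 2, 1)))
    for doc_id in sorted(tape):
        try:
            print(doc_id, "->", archive.read(doc_id, tape))
        except KeyError:
            print(doc_id, "-> unrecoverable, even from the old tape")

if __name__ == "__main__":
    demo()
```

The held bucket survives the scheduled expiry, so a preservation order can pause destruction for specific months without touching the rest of the schedule.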
You're being overly exact: I don't equate Enron with a person. I'm using an analogy. Because one kid stabs another in a cyber-cafe, does that mean we should punish all kids by instigating a curfew?
It shouldn't be any different in the case of Enron: the board and executives should be held accountable by their shareholders. Unfortunately, the end that I see has Democrats giving the major players in this scandal a free ride (immunity) in the hopes of sticking it to George Bush and the Republicans. It will become a political game, rather than a legal matter between the top-brass and the truly injured: the employees and shareholders of Enron.
Potato chips are a by-yourself food.
This may be a good policy when you have something to hide. In the IT world, in my experience (and the experience of most of my peers it seems), old e-mail has helped way more often than it hurts us. If you use e-mail to document conversations, meetings, etc., a lot of disputes get resolved pretty quickly when you pull out an old e-mail and say, "See, here's what you said." or "See, here's what we said we would do."
This doesn't happen if we have to print "important" e-mails. Why? Two reasons. First, you usually don't know a year or two in advance which e-mails are going to be important some day. We may generate a thousand messages plus over the course of a project. Most of them are routine, or are only of passing interest. Every once in a while, however, there will be a design decision (or more likely a design compromise) that one party has conveniently forgotten.
Conversely, if someone can show us that we did, in fact, agree to do something, then we will commit to doing it. Our memories are cloudy too, and we do believe in delivering what we said we would.
The second reason paper filing doesn't work for most of us is that it's extra work. Want to file an e-mail - drag it to a folder. Done. Need to file a paper document - remember to print it, interrupt whatever you're doing to leave your desk, find the right folder (if there's room in the cabinet), file it. If you're on the road, remember to go back later, once you're back in the office, and follow the steps above. This works OK if you're an executive with a secretary dedicated to such tasks. Around here, at least, that perk has become too expensive for all except the most senior management. And, even though paper filing doesn't take much effort for a single document, it is a lot of work for hundreds of e-mails, it requires filing space that is in short supply, and it requires a degree of discipline that most people don't seem to have. Finally, even if you have a good paper filing system, it's much easier to search electronic files quickly.
This is exactly why electronic files are so dangerous in litigation - if you can search them quickly, so can your adversary. By prohibiting them, however, you reduce productivity across the entire company and increase costs. I'm not convinced that the legal eagles balanced the immediate cost benefits against the possible future risk. They only consider the dark side.
On a related note, I know I just read an article (here?) about how electronic documents have a life of their own thanks to widespread forwarding. Your retention policies may be almost meaningless if your correspondents keep everything.
Here's why:
Finally there are required retention and documentation times for many industries as well as "best practices" by many professional organizations and certifying bodies.
Don't ask here for information on those but rather your own corporate lawyers as well as run a memo through the various departments for their specific requirements.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
Maybe I have nothing to hide. But I encrypt my documents because I don't care that my personal business is seen by others.
There are issues which were "legitimate" at the time, but later came back to haunt them. GE and the PCBs in the upper Hudson is one. Corning and silicon breast implants are another. Asbestos. Lead based paints. Did these companies wish they hadn't destroyed all those documents from scientists saying their products/actions were safe? Or did they end up destroying the "bad" evidence for plausible deniability?
Businesses destroy documents for lots of reasons. I think it's mostly so CEOs can take a stand and have "plausible deniability" to protect their asses. Luckily, there are always backups somewhere that will come back to haunt them.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
How long to keep a doc.... depends on the doc. Financials and related materials should be kept for 7 + 3 years. The IRS can audit 7 years back, and request documents for support 10 years back. Corporate brain trust documents (like a copy of original trademark forms) should just plain be kept. The note to your secretary about lunch.. destroyed before the wife finds it.
Basically however the rules for maintaining paperwork have been around since Bob Cratchit was doing books for Scrooge and before.... why oh why does anyone think that making them bits and bytes instead of pen and ink changes anything.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
Just make sure to use a cross-cut shredder. I saw on the news last night folks were taping the Enron papers back together. How's that for a crappy job?
JET Program: see Japan, meet intere
" ... Enron ...
... dirty oil company dealings ...
... Iran/Contra ..."
... Cheney
... Reagan/Bush
Clinton! Whitewater!
Clinton! Chinese campaign financing!
Okay, move along, nothing to see here.
Nope, no sig
If you aren't legally required to maintain records of every email/document/etc, then why SHOULD you? Do you recall the Netscape fiasco where Microsoft subpoenaed the history of every email to an employee bitch newsgroup? In that case Netscape had no legal duty to maintain backups and records of every posting, but because they made the mistake of not deleting them frequently suddenly they were required to provide them and were then barred from destroying them: It's an odd circumstance when you don't legally have to archive information, but if someone asks for it then suddenly it's legally protected and you have to defend and explain the context of every message, every word, etc, and of course everyone says something now and then that can be taken out of context (or alternately that they said in the heat of passion but backed down from).
Destroying old information quite simply removes the liability that it potentially represents, even if there is absolutely nothing indicting in it. It can also protect freedoms: Websites aren't legally required to keep IP logs, but if they DO then those IP logs can be subpoenaed.
That's why honest companies save the context!
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Unfortunately, in most jurisdictions, fraud is considered an action in tort, which usually carries a 2 year statute of limitations.
...
If I were designing a document retention policy for a legitimate company, I would have counsel prepare a schedule of all statutes of limitations that could reasonably apply to each of the company's activities. Documents would be classified according to which activity(ies) they were relevant to, and then set the retention period according to the longest statute of limitations for that activity + 2 years (or whatever statute of limitations governs general tort claims in the jurisdiction) for each classification.
This would cover not only the possibility that we might need the docs to prosecute a lawsuit, but also that we might have to defend a tort claim brought under the "discovery rule." (i.e., the statute of limitations doesn't begin to run until the harm is discovered).
Finally, with regard to electronic documents and e-mail, I would try to ensure that users were trained to delete e-mail of a purely personal nature as soon as they read it (small disk quotas for /home help with this on Unix systems). Backups of business e-mails, word processing documents, spreadsheets, databases and the like would be retained just like their paper counterparts.
With a policy like this in place, the company could rest assured that they would always have all the evidence necessary to protect their rights and to defend themselves should it become necessary to do so.
A company operating on the shady side of the bleeding edge of what is and is not legal, like Enron seems to have been doing, would be another question entirely
utter rubbish
Perhaps this is a minority viewpoint, but it seems to me that if you aren't breaking the law, aren't doing anything unethical, and aren't lying in your electronic communications, you can keep your documents forever and see that as a good thing.
Well, it turns out that you have an employee that sent a seemingly innocent comment to his friend at such a company ...
... "
You don't even need that much of a "real" issue for this to become an expensive litigation. I once worked for a law firm. (IANAL, no sensitive info coming out here) We represented one of the parties in a patent infringement suit. Just documenting and sorting the contents of a couple of dozen employees' hard drives -- in order to determine what needed to be provided in the discovery phase -- took a team of three people over a week. If you end up in litigation, someone has to go through everything to see what is covered under "all documents or materials relating to
Nope, no sig
I saw one or two comments saying you should retain stuff for 7 years. That's what the IRS suggests (and has a right going back that far too). Also, back when registers used to have a paper journal tape instead of a magnetic means of storing a journal, the company my mom worked for had to keep them for seven years (had a box for every year....it was a small store, so no big deal). Where I work, we seem to need new file rooms once every 2 years. The idiots running the department in question or the feds make them do it even though we have everything back to almost day one on the mainframe. What, is an electronic record no good?
Here, in our department (IT at my place of work), we archive everything, but not for reasons you'd think. Almost all reports are archived just in case someone loses their report. You heard it right....LOSING a report! Sometimes it's even important stuff that gets lost, thrown away or shredded. We had to beg to get a shredder just so we can make sure we shred the jams that have readable data on it. It's important to archive but it's also just as important to make sure that when a report needs shredded, or disposed of, that it's done in a fairly secure manner (burning is best....shreds can be taped if desperate enough....).
Gorkman
If you don't want to lose in court, don't use questionable business practices!
Stephan
Those massive costs are really just the costs of doing business. Think about how many other costs are generated by corporations just doing things. They're all passed on to consumers and for the larger corps (who have the greatest amount of minor issues), costs will be spread out over many, many consumers so the incremental cost to any of them will be very tiny. And who knows the whole procedure could save the corp millions in the future. I think rejecting the idea based on cost is a red herring.
There's a reason why you need to have these policies, even if your company is doing nothing wrong. Let's say your company is sued somewhere down the line, and the court or the lawyers issue a subpoena for all information relating to Company B, which you've had a long-standing relationship with. You need to hand over ALL YOUR DATA. Do you know where all the e-mails you ever sent to the company over the past ten years are? Are there old backup tapes in the closet that you can't read because you don't have the equipment? Well, that's too bad, because if you don't hand over ALL THE DATA, it could look like you're hiding something, and get you (and the company) in hot water. Besides, let's say you're the SysAdmin that has to recover ten years' worth of back E-mails and find all the ones that are relevant, knowing your job may be on the line if you mess up. Not fun, huh?
So, you decide to get rid of data that's really old and no longer relevant. But how do you determine that? How would it look if you got rid of all your old data on an arbitrary date, only to get the subpoena the next day? You wouldn't look much better.
What these policies do is set up "Any documents of any type that are older than xxx days get destroyed", regardless of their source. This is looked at much more kindly by the authorities, because it is a policy that is set up in advance, with no prior knowledge of any pending actions. And when you only turn over xxx days of documents, your lawyers can say "We've had this policy in effect for the past y years", it doesn't look as suspicious.
My problem is that, as an engineer, I'm supposed to keep documents past the retention limit (perfect example : patent applications and design information that take years to process.) However, our fscking Notes server is set up to delete ALL e-mails after xxx days, no matter what the source! And I found out the hard way that filing E-mails in folders on the server doesn't do squat, because those are cleaned out too! I have to manually lengthen the retention deadline on EVERY SINGLE DOCUMENT I need to have saved. (Or, save it off of the Notes servers. Not that I've ever done that...) ;)
Yeah, it's a PITA, but it's the price we pay for living in America, land of the Subpoena and home of the Class-Action Lawsuits!
But in which way is shredding documents different from a 'document retention policy' that effectively shreds the same documents except before the lawsuit?
If you have a 90 day document retention policy, that means every day you are deleting the documents that are 91 days old. If you get an order from the court, does that mean you have to stop your document retention policy?
It seems the line is very fine....
--jeff
ipv6 is my vpn
In a society that presumes innocence, you shouldn't even need to provide counter-examples. But here goes: docs are expensive to store and extremely expensive to retrieve and review even if totally innocent or even exculpatory. Docs are often requested for a fishing expedition unrelated to the complaint. Docs can be misread and misused by attorneys who are by definition extremely partisan.
"Keep everything with a dollar amount on it" is wise for personal use; I would guess that it would be wise for business as well.
from a engineering meeting held in a very old us company that made machine tools where the installation of operator guards was discussed on some type of press they agreed to do it and someone mentioned that if the guards were removed later serious injury could result to the operator.
fast forward to 1985, the press made back in 1937 is still in use at some rundown plant staffed with illegal mexicans, it has not had any decent maintenance in decades and of course all the operator guards were removed to speed up production several owners ago.
some guy puts his hands in the danger zone and the press gets him.
the original company that made the press 48 years ago gets bagged on the grounds that they knew it was a dangerous machine that's why they mounted operator guards on it... the fact that persons unknown decades later removed those guards and no one trained the illegals on safe operation of this old rundown press was beside the point...
being an old family run company, they had records dating back to the founding apparently they never threw anything away and minutes from a 1937 meeting ended up costing them a couple of millions of $.
if the law or regulatory agency does not explicitly require you keep the stuff, shred it as soon as you can, wipe the backup tapes as soon as possible and keep only the stuff you have to, the shortest time permitted.
reimage the corp laptops every 6 months to prevent packrat ceo's from keeping every email and their kids who use it at home to surf p0rn sites when dad isn't watching...
"...can you imagine a BEOWULF CLUSTER of these? That'd be some serious power!"
Considering the mindlessly litigious nature in which businesses in the US operate, a data control policy is absolutely necessary and in no way reflects the ethics of the organization in question.
There's another side to this too, kids. As someone who does expert testimony in cases involving data stored on personal computers, I can tell you that every individual also has a need for data control measures. Every one of us needs to shred documents, delete files, and scrub file slack space and "empty" space on our disks. Windoze users should also scrub out their swapfiles.
These are realities imposed upon us by the nanny state, which has grown a lot bigger since 9/11.
Just because you're paranoid doesn't mean they're not out to get you.
Even if you and everyone who works for your company is a Good Guy, there are still reasons you may want to destroy older documents that you're not legally required to keep. You might have an unscrupulous customer or competitor or even employee who decides it would be fun to sue you for some crap. Guess what: Suddenly every e-mail written inside the company, ever, is on display for everyone to see. And those things can be taken out of context. The kind of hyped language that, say, sales guys like to use can easily be interpreted the wrong way. Maybe somebody sends out an e-mail that says "I want you all to do whatever it takes to beat the competition and sell this customer! I mean it, no limits, whatever it takes!" Now, maybe that is evidence that the e-mail writer is condoning corrupt and/or illegal activities. Or maybe it's just typical motivational rah-rah. But your opponent's lawyers would probably have lots of fun with it.
That's just one dumb example, but my point is this: Just because you and your company have righteousness on your side doesn't mean your lives can't be made miserable.
"Biped! Good cranial development. Evidently considerable human ancestry."
Retain nothing, and enact all corporate strategy completely at random, in total ignorance of past history.
It's what you're doing anyway, right?
Andersen cannot be held responsible (even though they will) for the illegal acts of a few.
Why the hell not? What happened to self auditing? What happened to rules and regulations that they are to follow to prevent this kind of major scandal?
Let me tell you - if company employees break the law for the company, it's still the company that's breaking the law. Heads should roll - and gross mismanagement should result in long, long prison terms for Andersen management.
Why hire Andersen if they don't even have a handle on how well they're working with one of their biggest clients???
there. We were all on Exchange Servers so email retention went like this. Anything in the Inbox was deleted in 30 days. Any messages saved in other folders were deleted in one year regardless. You did have the option of saving off to your hard drive but PST files were a no-no. In addition, no external storage devices could be used without a senior VP's approval and an act of Congress. As far as when things started hitting the fan, we were inundated with emails to send any conversations, voice mails, correspondence, etc to the legal counsel's office. Of course, I'm sure that was taken care of in a very professional and ethical manner. So these days I apply for jobs and read slashdot and watch the Enron blaze grow larger and hotter. Al Sharpton was in yesterday, Jesse Jackson will be speaking tomorrow! Oh boy, the circus has come to Houston and it looks like it's going to stay awhile.
HT
If you get an email (or hardcopy) message from your boss saying, "screw the client," you'd damn well better keep it. You know what happens if you don't? That's right, with no documentation pointing upstream, you are now the sacrificial goat. Don't think for an instant that a boss willing to screw a client would treat you any differently.
Better still, if the action your boss proposes is illegal, not only should you keep several copies at home and at work, but you may wish to blow the whistle yourself, depending on your particular moral compass.
The last thing you should do is destroy the message. When the big, bad boomerang-o-karma comes back your way, you'll have no recourse but to take it squarely in the nads.
I take drugs seriously.
Why would you need to destroy documents, if you're not doing anything wrong?
If you're sued, all your records on the topic can be subpoenaed. If you've never destroyed anything, you have to provide it all to the attorneys of the people suing you. Usually in hard copy.
The time and money it can take to do this, if you haven't been deleting anything, can be immense. It can run literally into the tens of millions of dollars and thousands of person-hours. On the other hand, if you've been deleting old documents regularly, you don't have that much to produce in the first place.
Never take moderation advice from sigs, including this one.
What about using multiple keys? Encrypt first with the company's public key and then encrypt with the public key of an entity from a foreign entity not under the jurisdiction of the US. You'd have to work up a contract with the foreign entity so that you could somehow get the session key to decrypt the documents if there was a situation where you actually needed them and a subpoena wasn't involved.
Hmm, not sure how well this would work but it's an idea...
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
just remember if you are terminated from the position you now hold, you can use the documents you retained against your former employer, assuming there are some juicy tidbits in there.
now we need to go OSS in diesel cars
...and anyway, even if every single document being passed around your company is completely kosher and totally legal and can in no way be manipulated against your company in court, that doesn't mean that it *can't* be manipulated against your company in the marketplace, by other companies, many of which may be evil.
-Legion
Vintage computer games and RPG books available. Email me if you're interested.
The large corporation I work for's guidelines on intellectual property matters ("Prove to the court that the development work you did in 1986 led through uninterrupted effort to the patent filing in 1993 which issued in 1997 which we're suing for infringement in 2002") are essentially infinite. I have bound laboratory notebooks, with some pages signed by witnesses, going back to 1983. I suspect that many of the old-school R&D companies (Bell Labs, IBM, Motorola) have records going back more than 50 years. I saw an exhibit at the Smithsonian back in the 80s that included bound lab notebooks borrowed from AT&T that had entries dated in the 1890s.
Not necessarily. Because a lawsuit can be a strategic weapon as well as a punitive one.
Consider: you want to know more about an opponent's business practices - get inside info, as it were. You file a lawsuit on a minor charge, subpoena ALL records, and in the process of going over the records you gain your insight. You might also find something that can ACTUALLY be used against them, leading to another, more substantiated lawsuit.
The other effects: your opponent now has to devote time, energy, and personnel to securing the records and presenting them in a readable format, costing money that could better be used elsewhere.
Another reason to destroy documents is that business practices are trade secrets. While Company A may do things internally exactly the same way as Company B, A doesn't want B knowing for sure. Those old documents can be a source of information for Company B by way of disgruntled employees, theft, lawsuit, whatever.
Your assumption that the innocent have nothing to hide presumes a benign world where one is safe until one has done something wrong. This is naive - one should never assume that other companies are not out to destroy you totally.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
For a large company, a document retention and destruction policy is a necessity, specifically for legal reasons, but not for the reasons you're assuming. Every large company develops huge masses of information, and most of them back up that data to protect against short term loss. However, most companies don't want to keep it forever, so they destroy the old stuff to reduce storage needs, cut down on administrative costs associated with maintaining the records and protect against industrial espionage. The problem lies when the company comes under examination for a lawsuit. If there's a well described and religiously followed document retention policy in place, the court has no reasonable expectation that the company will still have documents that the policy marked for destruction. If on the other hand there is no real policy (or it's badly enforced) this opens up an avenue for liability wherein the corporate controllers say "we don't have documents X or Y because they were destroyed" and the judge then assumes they did it to hide something (and punishes accordingly) or assumes they're lying (and punishes accordingly). Also, when the prosecution or plaintiff asks for certain documents, the policy can limit the scope of the request so that your IT team isn't spending untold hours digging up archived stuff to turn over in satisfaction of a subpoena.
You should be careful not to fall into the logical trap that document destruction is only useful if you have something to hide. In this very litigious society, it's rarely that simple.
Virg
For an example of what can happen to you even if you haven't done anything wrong, go look here at what happened to Jamie Zawinski. During their monopoly trial, Microsoft subpoenaed the contents of the bad-attitude and really-bad-attitude internal blow-off-steam newsgroups at Netscape. I never heard of anything that came up in court as a result of it, but the privacy of the users of that list was violated, big-time.
To a Lisp hacker, XML is S-expressions in drag.
Not a red herring, I think. As you say, the impact on a larger corporation (Enron-sized) can be amortized over a large customer base.
However, as most people do, you leave out the smaller corporations, which make up the majority of corporations extant today. I don't mean the 2-person LLCs (although they are significant), but the 300-500 employee corporations. Increasing the cost of doing business to these is a problem. They may not have millions of customers, they may only have dozens (albeit rich ones). It is a significant problem.
I'm trying to argue against a backlash on corporations (which, just like regular people, are mostly decent companies just trying to do business) because of one glaring example acted dishonestly or wrongly.
One thing is always true with legislation: while the legislation may or may not work (i.e. punish bad companies), it is guaranteed to cause unforeseen problems (i.e. put decent companies out of business).
Potato chips are a by-yourself food.
I think it's quite clear now that corporations should implement strict data destruction policies. I think it's also quite clear that we need to have strict regulations in place regarding what sorts of data must be retained and for what length of time so that corporations like Enron cannot destroy the evidence of their crimes without facing dire consequences. I sincerely hope that the accounting industry in particular gets reformed and a non-accounting industry oversight group is appointed. If there's any justice in this world, those Enron execs and their Arthur Andersen accomplices will all be strung up for what they did. They should NOT be allowed to get away with their hoard of cash while regular Enron employees get the shaft.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Retention of Firm Documents
1. Policy. All documents (including those kept in an electronic medium) created or received by the Firm that are necessary or appropriate to record or support the Firm's professional work product or administrative functions shall be retained for a Current Period plus six years (the "Retention Period"), subject only to specifically stated exceptions set forth below. Thereafter, they shall not be retained. Business Unit Leaders and Office Managing Partners are responsible for insuring that their units comply with this Policy.
2. Current Period. Current Period means, in most cases, the calendar year during which the document was created, revised or received. In some cases, Current Period means the effective life of the document. Examples of documents falling into the latter category are office leases, personnel files, contracts to which the Firm is a party, engagement letters relating to continuing client engagements, tax planning files and the "permanent file" of a continuing client.
As a general rule, choice of the appropriate Current Period and corresponding date of record retention termination should be made by the person who created or received the document in question, and not by the Records Center. Questions arising in connection with the choice of an appropriate Current Period should be directed to the appropriate Unit, Line of Business or Office Managing Partner, or the Office of General Counsel.
Note that in some situations, the Retention Period will have to be extended on a year-to-year basis, as when the IRS has not closed a particular tax year of a client within the Retention Period (the tax workpapers should be retained until it has).
3. Examples of Current Period Plus Six Years:
Working papers and correspondence files relating to the Firm's report, dated March 13, 1997, on the financial statements of Universal Widgets as of December 31, 1996: Terminate retention after December 31, 2003.
Lease dated November 1, 1993 covering a lease term of February 1, 1994 through January 31, 1995: Terminate retention after December 31, 2001.
Letter dated August 19, 1996: Terminate retention after December 31, 2002.
Permanent files deemed superseded on September 30, 1998: Terminate retention after December 31, 2004.
Tax, litigation, and bankruptcy planning files created in May 1998 covering the three-year period of 1998, 1999 and 2000: Terminate retention after December 31, 2006.
4. Record Type/Retention Period:
ABAS Files
Billing File - 6 years
Correspondence File - 6 years
Financial Statements - 15 years from record year
Permanent/Carry-Forward - "No date" while active, Current + 6 years from the "superseded date."
Reports - 15 years from the "period ending" specified in report
Superseded - Current + 6 years from the "superseded date"
Workpapers - Current + 6 years
TLS Files
Billing File - 6 years
Correspondence File - 6 years
Permanent/Carry Forward - "No date" while active, Current + 6 years from the "superseded date."
Planning - "No date" while active. Current + 6 years from the "superseded date."
Superseded - Current + 6 years from the "superseded date"
Tax Return - 15 years
TLS IAS - 15 years (Tax Return)
Workpapers - 6 years
The following exceptions to the general policy have their appropriate retention periods set forth in parentheses. For permanent retention, consider microfilming or other less bulky storage systems:
(a) Documents pertaining to Firm governance and regulatory matters (permanent).
(b) Agreements and related documents pertaining to mergers or acquisitions by the Firm, as designated by OGC (permanent).
(c) Minutes of meetings of the Firm's Board of Partners and Principals and the Board's Committees, as well as other Firm Committees designated by the Firm's Senior Partner (permanent).
(d) Certain legal or historical files designated by the General Counsel (discretion of OGC).
(e) Firm Policy Releases (until superseded). The partner or director leading the group issuing the policy should ensure that one full historical set of the Releases or Statements issued by it is retained permanently.
(f) Documents (i) relating to threatened or pending litigation involving the Firm or its personnel or (ii) subject to a subpoena (the longer of the termination of the litigation/subpoena matter or the Retention Period - consultation with OGC required before any disposition).
(g) Financial records, including tax returns, of the Firm (discretion of the Chief Financial Officer).
5. Documents To Be Retained for a Period SHORTER than the Retention Period:
(a) Practice Quality review documents, including reports, correspondence, questionnaires, and supporting workpapers that identify or relate to findings or evaluations of specified engagements, offices or individuals (12 months from date of creation, or less when it is determined by the Director, Audit Quality--or his or her counterparts in other Lines of Business--that they have served their intended purpose).
(b) Personnel records of former employees (Current Period plus three years).
(c) Internal administrative documents, such as office financial information (discretion of appropriate Unit, Line of Business or Office Managing Partner).
(d) Engagements terminated before completion, such as audit engagements where no report is issued (Current Period plus three years; all uncompleted engagements should be clearly marked as such).
6. Other Exceptions:
(a) Any person who creates or receives a document or class of documents that he or she believes should be the subject of an exception should refer the matter to OGC.
(b) OGC will notify the appropriate Records Center of any files that must be retained beyond their assigned destruction date due to pending litigation or other reasons. At that time the files will be retained indefinitely, and destruction will require specific approval of OGC.
(c) In reference to E-mails and general correspondence of any type, if the communication is necessary to support PwC work, it should be included in the engagement files, either electronically or in paper form. If it is not necessary to support PwC work, it should not be retained. Desk file or rough file material should be discarded at the end of the engagement.
7. Organization and Timing of Destruction:
Persons responsible for maintenance of Firm files should conduct a review of all files during each December to identify those files that should be destroyed promptly after December 31 of that year. Thereafter, during January of the following year, such documents should be destroyed only upon formal authorization from the designated partner.
Not all countries are as lawyer-run as the US of A. (Mind you, the lawyers are not allowed to defend the accused if defense conflicts with matters of national security). Some places, the courts would reject a lot of the crap you guys have to keep up with. They might even scorn you for wasting the time of the court if you got that far.
Granted, torts have given you as customers a lot in terms of safety, but this "document retention policy" is not as important in other countries.
According to popular myth, the US of A has enough lawyers for the entire world if you guys used the courts like the average world population does.
Anyhow, if you didn't have so many litigation concerns, storing documentation for a long period of time can be done relatively cheaply.
I'll ask tomorrow what our document retention policy is. Watch this space.
Stop the brainwash
I'm thinking long termish. First of all, look at the MS case. They are looking at documents from the DR-DOS/Win 3.0 days. These are 10 year old documents and they have an impact on whether justice will be served or not. That very concept is defined by those documents; personally I don't think Gates himself ordered destructive actions towards competitors (so he shouldn't go to jail) but it's clear that there were some and mgmt knew of it.
Further look at the FOIA. There are 50 year old documents that tell us new things about history that are released all the time. I'd hate to think that a major crime could happen and be covered up so easily that in 50 years nobody could figure it out or see the truth.
For the most part, most people don't have anything to hide and shouldn't have to worry. I really have a problem with information destruction by policy, it's too similar to the Nazis burning books. In the digital age there isn't any reason to do it, space isn't a problem.
Most OS deletes just delink the disk storage from the used-list, but don't erase it. A "strong delete" would write zeros in that storage. Technically you need to write random patterns several times in the old storage to truly erase it.
If the legal problems and deletion policies keep in the direction they are going, pretty soon companies aren't going to be able to have any sort of knowledge base repository at all. Problem resolution from a bug that was filed 17 months ago? Gone. A bug report gets filed again, there's nothing to document that it's a duplicate, developers spend unproductive time fixing a bug that doesn't exist any more. Design documents for your business process automation system? Gone. A key widgetframmiz inspection gets skipped and your product blows up. Your patient record file from your last visit to the hospital? Gone. That operation you had to remove your spleen, what was the condition that required that?
So the companies will exist in an amnesiatic daze about anything that happened more than 12 months ago that only Joe from accounting who retired last year had in his head?
Your solution doesn't make sense for any but the smallest businesses, due mainly to infrastructure but also for legal considerations. For a large company, storing eternal backups of every piece of data generated represents a gargantuan storage, retrieval and maintenance operation that in the large majority of cases serves no useful purpose. For example, when I worked for a large bank, the IT department spent hundreds of thousands of dollars per year to store the backups and logs that we wanted to keep. It would have been an appalling waste of money and personnel to double that just to keep backups of information that we never needed anyway. Also, such records can be a huge liability to a company in the event of a lawsuit, even assuming that there's no wrongdoing. Simply sifting through all of the records for documentation relevant to a subpoena can consume massive resources, just to prove that none of the email you've stored for the last five years contains anything incriminating. A document retention (and destruction) policy can force a judge to limit the scope of a subpoena, thereby reducing the workload in satisfying the subpoena.
In the corporate world, lawsuits complicate such issues immensely. Don't make the mistake of assuming that the only reason to cover your butt is because you've done something wrong.
Virg
You can just save all of your documents as Micr@soft Word. The files will become unreadable after a few years anyway. Hmmmm, I wonder if that was designed as a feature?
We'd been using Groupwise for years because of its ability to do sophisticated calendaring and scheduling. It used to take a secretary several *days* of collecting schedules to schedule a meeting. With Groupwise people were able to schedule meetings without a secretary.
Self-scheduled meetings mean fewer support staff. 3 fewer support staff for one year mean we pay for the cost of the hardware + software in the first year's savings. Don't forget the opportunity costs this saves -- we can be more flexible and efficient than we were, giving us greater business opportunities. It's a system that has not only paid for itself but made us money.
Mbox format? Well, we still would have needed GUI clients, more staffing and for what? Better archiving? I think our shareholders would rather get more value and I know I enjoy the pay raises that enhanced profitability brings more than needless handwringing over standards compliance.
> I'm going to have to agree with the original poster. Unless your concern is security related (i.e. information theft), there really isn't a valid reason to be destroying documents for most law-abiding corporations.
How about the bottom line? I worked for a large bank. We spent massive amounts of money for storage space, personnel to maintain records and transport costs to keep data records for data from more than two hundred branches. The idea of retaining twice or three times the data just so that we didn't destroy any backup tapes would have cost more than four IT people's salaries.
Sorry, but there are many reasons that are perfectly valid for having a proper document retention and destruction policy in place, and it's only your lack of perspective on how much is involved with data protection that keeps you from seeing them. Don't assume that the only reason corporations destroy data is because they're trying to hide something.
Virg
"Andersen cannot be held responsible (even though they will) for the illegal acts of a few."
Sure they can. Especially now that it looks like as many as 80 employees might have been involved. Do you think they all just got together at lunch one day and decided to make some confetti, just for fun?
Managers in a company with a sizeable bunch of employees wandering around shredding documents illegally are clearly either criminally corrupt or criminally stupid. In either case they'll get no sympathy from me.
So, there are two other things to consider:
1. Keeping old records around can be expensive -- not only do you have to keep the media it's on, but you have to make sure you have the ability to read that media, and once you do, that you have the appropriate software and hardware to understand the message itself. Destroying them after you don't really need them any more saves a lot of expense. And, that doesn't even begin to talk about deteriorating backup media.
2. Similarly, part of the problem is in making sure that you have a *complete* record -- you don't want to have a partial record, where the mail to the CFO says "Hey! Let's screw the employees out of their pension," but not the corresponding mail from the CFO that says "That's illegal and immoral. You're fired." So, the idea is not so much to cover up past wrongs, as it is to make sure that you have a true archive.
3. The other thing is that there are some things that are embarrassing, but not illegal -- the fact that the CEO didn't retire for health reasons, but was forced out because he got his secretary pregnant, for example.
I don't know about everybody else, but I use my e-mail as a record of what *I've* done, and 9 months (as somebody mentioned earlier) is not far enough back -- heck, every year we have performance reviews, and how am I going to say "This is what I did 11 months ago" if I don't have any record of what I did 11 months ago.
Often when a story of this type is made to demonstrate a particular political point that does not make sense it is because there is some additional piece of information which we are not being told. The original poster uses language that indicates a certain degree of contempt for the injured workers.
My guess would be that the factory using the machine would have had to do something like ask the manufacturer about removing the guard for the suit to have gone the way it did.
In any case the mere fact that a safety guard was included would establish that the manufacturer knew that there was a likelihood of injury.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Here's an exercise that will demonstrate the need for a document retention policy.
1.) Buy a tape drive for your computer.
2.) Put a tape in and back up the machine.
3.) Store the tape.
4.) Repeat this every day, but don't ever reuse a tape, and don't ever throw any of them away.
5.) 10 years from now, when you've spent $54,750.00 on tapes and have 3,654 of them to store and catalogue, reflect on why document retention policies are a good idea, even for the law-abiding.
6.) For an even more accurate experiment, pay your neighbor $0.02 per day per tape to store them for you, and add that cost to the cost of your backup media.
7.) For one more step, have a random stranger accuse you of making racist comments about him. With an attorney, review your backed-up email for all ten years to prove you didn't. Be sure to add your attorney's cost to your tally, and don't forget the value of the time you'll need to take off of work to do the review.
Starting to get a good picture?
Virg
Please, try not to be a complete fucking idiot. Everybody else already has a clue.
Any sufficiently well-organized community is indistinguishable from Government.
You just can't afford to take chances these days. I have my software set up to delete messages before I even fin
This ought to be a vile slander on the legal system. Unfortunately...
We don't back up e-mail or temporary directories. Policy. We keep backups for 6 weeks on a rotating basis. Policy.
I think that what we really need is a hierarchical storage system, but we don't have one. Partially because of cost, but I suspect that it's partially policy.
This is particularly stupid as each user has their own hard disk, and there's no policy on erasing it, just on backing it up.
Documents ought to be kept forever (assuming reasonable expense). Otherwise there should be an expiration date on each document, like tape libraries used to have. That lawyers are preventing this should be criminal. Unfortunately being innocent is scant protection.
.
I think we've pushed this "anyone can grow up to be president" thing too far.
Where I work we have a department-wide email list (engineering, covers about 100 people), that someone decided should be permanently archived. Well it turns out that a list of this size is good for two things: I brought in birthday donuts this morning; and I'm sick today, I'm on vacation, or I'm working from home. All discussions between engineers end up in emails directed only to the engineers involved, CCed to their boss. (much to the relief of the rest of us who are paid to get work done, not sort through email)
I am sympathetic to those of my colleagues who have written that an honorable company need not fear anything. I do concur with those who have responded so are, indeed, naive. Documents can be very costly and damaging, even as against the innocent, a "smoking gun document," need not have actually been the murder weapon to cast doubt on the innocence of the innocent. Many are the times a close case swings because of a random, ambiguous and otherwise innocuous document.
On the other hand, my colleagues who have written on the utility of unfiled archives are also correct. Few things are more valuable, and numerous are the times one can "save the day," by a few hours of rummaging to find the "holy grail document."
The problem is that there is no way to have prior knowledge which are the smoking gun documents and which are the holy grail documents. The HG docs can save your life, but the SG docs can kill you. And the likelihood of either situation is rare (although the costs and benefits, respectively, often are astronomical).
Meanwhile, having recent documents around is, simply put, necessary to the efficient operation of a business. That said, e-mails, because of the culture of e-mail use, these days are the single best source of SGDs in modern litigation.
So, a decent (that is responsible) retention policy should balance effectively these competing concerns, even for a truly and genuinely honorable commercial entity. The key idea is this, the retention period should be long enough that the likelihood that the HG-ness of a document will be recognized prior to destruction, and longer than the general utility of having any document handy, but no longer. Guess is somewhere between 18 months and three years, depending on the business.
The retention policy will have exceptions for important instruments, but will require an affirmative effort be made to avoid the axe. Thus, docs identified as HG in nature, after the period, like deeds, source code, contracts with term longer than retention, and special documents are automatically reupped, despite the policy.
I worked for several years with a law firm that specialized in document retention law.
I always assumed it was best to just keep the documents forever. But I now know that documents should be destroyed as quickly as legally possible. A company needs to have a written, established, and formal document retention plan, and needs to follow it precisely.
Suppose a company doesn't have a plan, and isn't legally required to retain some kind of document for any length of time. If they keep 99% of those documents, but happen to have destroyed the one document requested in a lawsuit or investigation, they are in trouble. If they had a formal plan, and had destroyed all similar documents according to the plan, they would be fine.
Check out this site for more than you ever wanted to know about document retention law:
http://www.retman.com/index.htm
Just^W use^W some common sense^U
^C
^D
EOF
-- no carrier --
It finally came down to this. After years of hounding users to make backups now we'll have to hound users to stop backing up their systems!
;)
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
They had clips of the Enron hearings on the news, and it seemed like in the audience was everybody's favorite movie executive Jack Valenti. Why the hell was he there?
Corporations are considered INDIVIDUALS under the law
You might want to get a bit beyond high school before you start making such claims. In actuality, the courts are divided on the issue. The 3rd and 4th circuits hold that a corporation is an individual. The 2nd and 9th circuits hold that they are not individuals. It's hardly a completely settled issue. In the end I doubt that corporations will be considered individuals for every given situation. There will most likely be compromises and regulations.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Don't ask Slashdot.
Ask the professors at your university where you pursue your business law degree.
Ask the attorney who is retained specifically as counsel for your company, in regards to each specific situation.
If you want to do it from your armchair, ask the American Records Management Association.
You may be surprised at how nontrivial the question of document retention actually is, particularly in the oil business.
It would not surprise me if the Enron situation ends in a debacle because it turns out that the government stopped employees from shredding documents that they were REQUIRED to destroy. The news media makes it sound as if any document shredding is a bad thing, but it could be just as bad if some information that is required by law or by contract to be kept secret is accidentally exposed. Mistrial, anyone?
-fb Everything not expressly forbidden is now mandatory.
If the documents are already shredded, eg: the court asks for them on day 92 and you can prove the shredding was done on schedule and in accordance with an open policy, then you will almost certainly get away with it.
If the court asks for the documents before the shredding date, even if they ask the day before (and it will generally be fairly obvious they are about to ask), then you will be in contempt of court if they are shredded nonetheless. It would be negligent to *allow* them to be shredded.
Finally we have to remember that documents are kept for good reasons. They are often needed long after they are produced and ongoing relationships with another company (eg: Andersen with Enron) is a clear case where this will be the case (you never really know when you will need to see last year's accounts to check a detail in today's).
It is also in companies like Andersen and in their employees and directors' interests to keep many documents to save their backs in potential litigation. You need to be able to prove exactly who gave what authority for what decision when. If you can't then you can get screwed over at any stage.
Accountability works both ways. The documents can be your best friends or your worst enemies, and you will rarely know which until something blows up in your face. This is why last minute shredding occurred at Andersen (although as Enron's auditors they ought to have known it was about to go into meltdown...).
this signature is a virus, please make me your
Please allow me to share with you a story about a good friend of mine. He is a doctor, and doctors need to keep patient records.
Since there wasn't enough room to keep "historical" patient records in his clinic, he brought them home one box at a time and stored them in the attic. When the ceiling began to sag, and he feared that the house would cave in, he built a barn outside, and had the documents moved there. When the barn filled up, he built a second one, then a third one, until all three were full. At that point, he got an "annex" downtown, until that filled up with patient records.
At that point, he contacted the state government, to ask them how long he really needs to keep those patient records. Their answer, in his words, was, "When you die, your heirs better be able to produce those patient records."
And that, my friend, is what "to the pain" means. It means I leave you in pain, wallowing in freakish misery forever.
By the way, I would like to add that this is a true story.
xxxxxxxxxx O xxxxxxxxxx H xxxxxxxxxx xxxxxxxxxx W xxxxxxxxxx E xxxxxxxxxx L xxxxxxxxxx L xxxxxxxxxx.
The Enron documents that were shredded are likely the early drafts of the audit report. While it is quite likely that there will be electronic copies of the destroyed documents what the investigators would probably most like to get their hands on would be draft copies with handwritten annotations. It is unlikely in the extreme that anyone wrote a document that was incriminating on its own, but quite likely that incriminating marginalia existed.
BTW in addition to their involvement in the Sunbeam and Waste Management debacles Andersen were until recently blacklisted by the UK government who held them responsible for their losses in the Delorean fiasco.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I think the key is really to just keep everything, but not do anything illegal. Or if that's too hard, just keep everything and not document the illegal goings-on.
Make a backup onto CD and put it through a shredder.
I've seen people [try to] put floppies through before.
I still think her settlement was fair. Fact: the coffee is served at dangerously high temperatures. Fact: coffee at that temperature has caused injuries. Fact: McDonald's knew this was the case. Fact: McDonald's had been in trouble for this before. None of these facts are changed simply because McDonald's put itself in this position to save money. If a company says "we could be safe, or we could make more money", and then promptly injures someone, I have no problem fining them hefty chunks of cash.
Any sufficiently well-organized community is indistinguishable from Government.