Slashdot Mirror
Document Retention - How Long is Too Long?
darthtuttle asks: "With
the recent news of document destruction at Enron and the emails that have
been discovered in high profile cases such as MS -vs- DOJ document
retention seems to be a hot item right now. What document retention policies
do people have at their companies, and what steps do companies take to
make sure that documents are destroyed according to the policy when their
time is up so they don't come back to haunt the company later? Note: the
purpose of a document retention policy is not to keep documents, but to
make sure they get destroyed according to policy before someone outside
the company decides to use it against you. The big issues seems to be
backups and documents stored on peoples desktop/laptops. You don't
want those email server backup tapes from 2 years ago to be found, and
you don't want to find out that the CFO was saving -every- email they
ever got on their laptop."
Documents should be retained for the amount of time it takes to walk from your desk to the paper shredder.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
Depends on the document. Depends on the business. There is no one size fits all answer to this one. I know that in financial services, there are SEC mandated time frames for document retention as well as strict rules on how to dispose of documents as well.
this is getting old and so are you
blog
Personally, I think that corps shouldn't be allowed to destroy documents for at least 3-5 years -- all they're doing is covering their sins. Enron's a good example; they're destroying the evidence that they knew they were perpetrating a fraud against their investors. Destruction of the documents could mean that, as usual, the little guys get screwed and assholes like Ken Lay walk due to lack of evidence.
Pretty disgusting.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Encrypting doesn't necessarily help. Sure, it prevents the court from reading your documents, but it doesn't prevent the court from putting your ass in jail for contempt of court after they subpoena your key/passphrase/whatever from you.
/dev/urandom souvenir collection).
And if you destroy your key as the feds are coming through the door, that's just like shredding documents -- They'll put you in jail for destroying evidence.
(And yes, well encrypted data is indistinguishable from random data, but it's not going to be too hard for a state's attorney to argue that the huge pile of random data on your HDs is encrypted data, not your
One word: encrypt.
Encryption wouldn't do much in this case; if the FBI comes in with a warrant, they're going to want them decrypted. What are you going to say to them? "Uhhh, they're unreadable, because they've all been encrypted. And we lost the key."
Of course, encryption makes it easier to obstruct justice, but the people involved generally place more value on their own freedom and career rather than their company's welfare (as they should).
Seriously -- if you don't check with the legal types on what the information is and what it relates to, you could be legally liable for obstruction of justice/personal harm. The lecture I got on this turned my hair curly. Make the lawyers earn their money and break down what you can and can't destory, and when. If you've got any kind of assets to protect, this is a must.
-- q
The technical demands for electronic documents would seem to dictate some of this. For example, we've been converting from Netware/Groupwise/Win9x to Win2k/Exchange/Win2k here. It doesn't change word-type documents, but it does change the email system and the backup system.
Sometime today I plan to decomission the Netware backup system -- derack the equipment and potentially reuse it in some other location as soon as next week. This will make all of our old backup tapes unreadbale, as our Win2k backup system uses not just different software but different physical media -- I can't read DLT7000 on a LTO Ultrium tape drive. I *think* I can read an ArcServe tape on BE 8.6, but the files are backed up as Netware-compressed and can't be restored but to a netware server. Once we decomission our last netware server (within a few months), all of those tapes are worthless without the infrastructure to restore the data.
The email system again is another matter, I need even more infrastructure and software to manage it (presuming I can restore it). Netware administrator, Groupwise installed (client and server), and so on.
Even so, we don't even keep old backup tapes. We have a 5 week rotation (1 full per week with daily incrementals). I used to keep old tapes, but they were unreliable (especially the DATs) and the software isn't always available. We USED to keep them (1 full per month), but I found myself with a shitpile of tapes that needed storing and a big blank media bill.
Eventually word/powerpoint and other apps will obsolete themselves to where the data, even if you can read the media, isn't usable. I know that we purge our email system daily of older > 6 months emails and we chase after users to ditch old documents as server space gets tight.
I can't imagine the tech demands of constant archiving of everything. I'd need to give half of my budget to EMC just to try to stay ahead.
A lot of people have posted that as long as you are legit then you shouldn't have to worry but that is just naive. The truth is that a well trained lawyer can take any document and manipulate the information to fit their needs. Add to that information taken out of context can be given uneducated scrutiny by the press and the general public resulting in a disaster.
To me, the best policy is whatever your legal requirements are and that's it. Destroy everything else.
I'm surprised at the question though. Are companies really so worried about their business practices that they must destroy evidence in order to remove liability? I should imagine that internal auditors would be more effective at keeping a company out of trouble than any policy of document destruction.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
The problem is hard on many levels. For example, many small companies have the, "we have nothing to hide" attitude, because they're not able to think in terms of large business dealings where years of internal email could be dragged out into court and used out of context.
Once you convince a company that document "retention" is valuable, many managers will immediately declare themselves exempt because they feel that they will one day need that email from a vendor thanking them for buying the Widget 10,000 last week.
What I think the industry really needs is some kind of software that manages information archives in a way that lets people specifically call out information that needs to be preserved as annotation. In this way, you could keep all of the headers of all of the mail and all of the filenames of all of the documents on a fileserver, but only keep the annotations (which may include some key points from an original).
I know that I would find this more useful than the usual way that people annotate documents (named folders).
Document files are a little more difficult. Everyone is encouraged to store files on the server in secure folders. This is enforced culturally because if a hard drive fails and the user wants data back, they are told it should have been on the server where it is backed-up (and deleted at the appropriate time).
BTW, these procedures have proven very important as the company has defended itself in against anti-competitive suits as well as race-discrimination suits.
Not at all. The problem is most obvious with email, so I'll use that as an example.
Let's say that your company has done nothing wrong, but the SEC thinks that you might have been leaking information to financial institutions, in order to affect your stock price.
That's a pretty serious charge, but if you're innocent you have nothing to worry about, right? Well, it turns out that you have an employee that sent a seemingly innocent comment to his friend at such a company, but now, in light of the charges, it could be seen as an indication that such activity did exist and widen the investigation. This costs you in terms of legal expenses, time, credibility, etc.
Having old documents taken out of context can be truly damning, and it's just not worth the expense. Much better to destroy what could be used against you later.
What in the hell for, if not to hide illegal practices? Okay, in case a competitor gets a hand on a hard drive -- but why wouldn't the competitor just copy the files?
What a waste of hardware!
If the Enron or Arthur Andersen execs walk, I wouldn't be surprised to see a legal presumption of guilt when documents are shredded prematurely or despite an explicit and lawful order to retain them.
The theory is simple and precedence is well-established - if a cop sees you see him then bolt, that's grounds for a reasonable presumption that you're guilty of *something* and the cops can stop and question you. It's not enough to throw you in jail, but you can be stopped and questioned while the guy who didn't flinch walks.
Same thing here - if you're deleting records that the state says you need to keep for N months, the burden in civil court (which only requires a "preponderance" of evidence anyway - 51%) is on you to prove that those documents weren't "smoking gun" evidence in support of the plantiff's case, not on them to prove they were.
If you're deleting records despite a lawful order, you have to prove that the documents were not incrimidating and that it didn't constitute obstruction of justice or contempt of court.
Of course this is something that would have to be handled on a case-by-case basis already... but the courts already do this when deciding admissibility of evidence discrediting a witness. If somebody has been convicted of perjury, the jury should know it because it's reasonable to ask whether they're lying again. If somebody has been shredding documents when they shouldn't have been, that again directly challenges their credibility elsewhere.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This may be a good policy when you have something to hide. In the IT world, in my experience (and the experience of most of my peers it seems), old e-mail has helped way more often than it hurts us. If you use e-mail to document conversations, meetings, etc., a lot of disputes get resolved pretty quickly when you pull out an old e-mail and say, "See, here's what you said." or "See, here's what we said we would do."
This doesn't happen if we have to print "important" e-mails. Why? Two reasons. First, you usually don't know a year or two in advance which e-mails are going to be important some day. We may generate a thousand messages plus over the course of a project. Most of them are routine, or are only of passing interest. Every once in a while, however, there will be a design decision (or more likely a design compromise) that one party has conveniently forgotten.
Conversely, if someone can show us that we did, in fact, agree to do something, then we will commit to doing it. Our memories are cloudy too, and we do believe in delivering what we said we would.
The second reason paper filing doesn't work for most of us is that it's extra work. Want to file an e-mail - drag it to a folder. Done. Need to file a paper document - remember to print it, interrupt whatever you're doing to leave your desk, find the right folder (if there's room in the cabinet), file it. If you're on the road, remember to go back later, once you're back in the office, and follow the steps above. This works OK if you're an executive with a secretary dedicated to such tasks. Around here, at least, that perk has become too expensive for all except the most senior management. And, even though paper filing doesn't take much effort for a single document, it is a lot of work for hundreds of e-mails, it requires filing space that is in short supply, and it requires a degree of discipline that most people don't seem to have. Finally, even if you have a good paper filing system, it's much easier to search electronic files quickly.
This is exactly why electronic files are so dangerous in litigation - if you can search them quickly, so can your adversary. By prohibiting them, however, you reduce productivity across the entire company and increase costs. I'm not convinced that the legal eagles balanced the immediate cost benefits against the possible future risk. They only consider the dark side.
On a related note, I know I just read an article (here?) about how electronic documents have a life of their own thanks to widespread forwarding. Your retention policies may be almost meaningless if your correspondants keep everything.
If you aren't legally required to maintain records of every email/document/etc, then why SHOULD you? Do you recall the Netscape fiasco where Microsoft subpoenad the history of every email to an employee bitch newsgroup? In that case Netscape had no legal duty to maintain backups and records of every posting, but because they made the mistake of not deleting them frequently suddenly they were required to provide them and were then barred from destroying them: It's an odd circumstance when you don't legally have to archive information, but if someone asks for it then suddenly it's legally protected and you have to defend and explain the context of every message, every word, etc, and of course everyone says something now and then that can be taken out of context (or alternately that they said in the heat of passion but backed down from).
Destroying old information quite simply removes the liability that it potentially represents, even if there is absolutely nothing indicting in it. It can also protect freedoms: Websites aren't legally required to keep IP logs, but if they DO then those IP logs can be subpoenad.
Unfortunately, in most jurisdictions, fraud is considered an action in tort, which usually carries a 2 year staute of limitations.
/home help with this on Unix systems). Backups of business e-mails, word processing documents, spreadsheets, databases and the like would be retained just like their paper counterparts.
...
If I were designing a document retention policy for a legitimate company, I would have counsel prepare a schedule of all statutes of limitations that could reasonably apply to each of the company's activities. Documents would be classified according to which activity(ies) they were relevant to, and then set the retention period according to the longest statute of limitations for that activity + 2 years (or whatever statute of limitations governs general tort claims in the jurisdiction) for each classification.
This would cover not only the possibility that we might need the docs to prosecute a lawsuit, but also that we might have to defend a tort claim brought under the "discovery rule." (i.e., the statute of limitations doesn't begin to run until the harm is discovered).
Finally, with regard to electronic documents and e-mail, I would try to ensure that users were trained to delete e-mail of a purely personal nature as soon as they read it (small disk quotas for
With a policy like this in place, the company could rest assured that they would always have all the evidence necessary to protect their rights and to defend themselves should it become necessary to do so.
A company operating on the shady side of the bleeding edge of what is and is not legal, like Enron seems to have been doing, would be another question entirely
utter rubbish
Well, it turns out that you have an employee that sent a seemingly innocent comment to his friend at such a company ...
... "
You don't even need that much of a "real" issue for this to become an expensive litigation. I once worked for a law firm. (IANAL, no sensitive info coming out here) We represented one of the parties in a patent infringement suit. Just documenting and sorting the contents of a couple of dozen employees' hard drives -- in order to determine what needed to be provided in the discovery phase -- took a team of three people over a week. If you end up in litigation, someone has to go through everything to see what is covered under "all documents or materials relating to
Nope, no sig
from a engineering meeting held in a very old us company that made machine tools where the installation of operator guards was discussed on some type of press they agreed to do it and someone mentioned that if the guards were removed later serious injury could result to the operator.
fast forward to 1985, the press made back in 1937 is still in use at some rundown plant staffed with illegal mexicans, it has not had any decent maintenance in decades and of course all the operator guards were removed to speed up production several owners ago.
some guy puts his hands in the danger zone and the press gets him.
the original company that made the press 48 years ago gets bagged on the grounds that they knew it was a dangerous machine that's why they mounted operator guards on it... the fact that persons unknown decades later removed those guards and no one trained the illegals on safe operation of this old rundown press was beside the point...
being an old family run company, they had records dating back to the founding apparently they never threw anything away and minutes from a 1937 meeting ended up costing them a couple of millions of $.
if the law or regulatory agency does not explictly require you keep the stuff, shred it as soon as you can, wipe the backup tapes as soon as possible and keep only the stuff you have to, the shortest time permitted.
reimage the corp laptops every 6 months to prevent packrat ceo's from keeping every email and their kids who use it at home to surf p0rn sites when dad isn't watching...
"...can you imagine a BEOWULF CLUSTER of these? That'd be some serious power!"
Considering the mindlessly litigious nature in which business in the US operate, a data control policy is absolutely necessary and in no way reflects the ethics of the organization in question.
There's another side to this too, kids. As someone who does expert testimony in cases involving data stored on personal computers, I can tell you that every individual also has a need for data control measures. Every one of us needs to shred documents, delete files, and scrub file slack space and "empty" space on our disks. Windoze users should also scrub out their swapfiles.
These are realities imposed upon us by the nanny state, which has grown a lot bigger since 9/11.
Just because you're paranoid doesn't mean they're not out to get you.
Retain nothing, and enact all corporate strategy completely at random, in total ignorance of past history.
It's what you're doing anyway, right?
Hrm...
It's probably better than tech support...
Andersen cannot be held responsible (even though they will) for the illegal acts of a few.
Why the hell not? What happened to self auditing? What happened to rules in regulations that they are to follow to prevent this kind of major scandal?
Let me tell you - if company employees break the law for the company, it's still the company that's breaking the law. Heads should roll - and gross mismanagement should result in long, long prison terms for Andersen management.
Why hire Andersen if they don't even have a handle on how well their working with one of their biggest clients???
there. We were all on Exchange Servers so email retention went like this. Anything in the Inbox was deleted in 30 days. Any messages saved in other folders was deleted in one year regardless. You did have the option of saving off to your hard drive but PST files were a no-no. In addition, no external storage devices could be used without a senior VPs approval and an act of Congress. As far as when things started hitting the fan, we were inundated with emails to send any conversations, voice mails, correspondence, etc to the legal counsel's office. Of course, I'm sure that was taken care of in a very professional and ethical manner. So these days I apply for jobs and read slashdot and watch the Enron blaze grow larger and hotter. Al Sharpton was in yesterday, Jesse Jackson will be speaking tomorrow! Oh boy, the circus has come to Houston and it looks like its going to stay awhile.
HT
If you get an email (or hardcopy) message from your boss saying, "screw the client," you'd damn well better keep it. You know what happens if you don't? That's right, with no documentation pointing upstream, you are now the sacrificial goat. Don't think for an instant that a boss willing to screw a client would treat you any differently.
Better still, if the action your boss proposes is illegal, not only should you keep several copies at home and at work, but you may wish to blow the whistle yourself, depending on your paricular moral compass.
The last thing you should do is destroy the message. When the big, bad boomerang-o-karma comes back your way, you'll have no recourse but to take it squarely in the nads.
I take drugs seriously.
This firm had nothing to hide, but was still burned badly by a poorly thought out document retention policy. Needless to say, they have since changed policies.
Please note that my friend had just taken over the IT department when this happened. He was not the individual suing.
You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
-- Colonel Adolphus Busch
For a large company, a document retention and destruction policy is a necessity, specifically for legal reasons, but not for the reasons you're assuming. Every large company develops huge masses of information, and most of them back up that data to protect against short term loss. However, most companies don't want to keep it forever, so they destroy the old stuff to reduce storage needs, cut down on administrative costs associated with maintaining the records and protect against industrial espionage. The problem lies when the company comes under examination for a lawsuit. If there's a well described and religiously followed document retention policy in place, the court has no reasonable expectation that the company will still have documents that the policy marked for destruction. If on the other hand there is no real policy (or it's badly enforced) this opens up an avenue for liability wherein the corporate controllers say "we don't have documents X or Y because they were destroyed" and the judge then assumes they did it to hide something (and punishes accordingly) or assumes they're lying (and punishes accordingly). Also, when the prosecution or plaintiff asks for certain documents, the policy can limit the scope of the request so that your IT team isn't spending untold hours digging up archived stuff to turn over in satisfaction of a subpoena.
You should be careful not to fall into the logical trap that document destruction is only useful if you have something to hide. In this very litigious society, it's rarely that simple.
Virg
Retention of Firm Documents
1. Policy. All documents (including those kept in an electronic medium) created or received by the Firm that are necessary or appropriate to record or support the Firm's professional work product or administrative functions shall be retained for a Current Period plus six years (the "Retention Period"), subject only to specifically stated exceptions set forth below. Thereafter, they shall not be retained. Business Unit Leaders and Office Managing Partners are responsible for insuring that their units comply with this Policy.
2. Current Period. Current Period means, in most cases, the calendar year during which the document was created, revised or received. In some cases, Current Period means the effective life of the document. Examples of documents falling into the latter category are office leases, personnel files, contracts to which the Firm is a party, engagement letters relating to continuing client engagements, tax planning files and the "permanent file" of a continuing client.
As a general rule, choice of the appropriate Current Period and corresponding date of record retention termination should be made by the person who created or received the document in question, and not by the Records Center. Questions arising in connection with the choice of an appropriate Current Period should be directed to the appropriate Unit, Line of Business or Office Managing Partner, or the Office of General Counsel.
Note that in some situations, the Retention Period will have to be extended on a year-to-year basis, as when the IRS has not closed a particular tax year of a client within the Retention Period (the tax workpapers should be retained until it has).
3. Examples of Current Period Plus Six Years:
Working papers and correspondence files relating to the Firm's report, dated March 13, 1997, on the financial statements of Universal Widgets as of December 31, 1996: Terminate retention after December 31, 2003.
Lease dated November 1, 1993 covering a lease term of February 1, 1994 through January 31, 1995: Terminate retention after December 31, 2001.
Letter dated August 19, 1996: Terminate retention after December 31, 2002.
Permanent files deemed superseded on September 30, 1998: Terminate retention after December 31, 2004.
Tax, litigation, and bankruptcy planning files created in May 1998 covering the three-year period of 1998, 1999 and 2000: Terminate retention after December 31, 2006.
4. Record Type/Retention Period:
ABAS Files
Billing File - 6 years
Correspondence File - 6 years
Financial Statements - 15 years from record year
Permanent/Carry-Forward - "No date" while active, Current + 6 years from the "superseded date."
Reports - 15 years from the "period ending" specified in report
Superseded - Current + 6 years from the "superseded date"
Workpapers - Current + 6 years
TLS Files
Billing File - 6 years
Correspondence File - 6 years
Permanent/Carry Forward - "No date" while active, Current + 6 years from the "superseded date."
Planning - "No date" while active. Current + 6 years from the "superseded date."
Superseded - Current + 6 years from the "superseded date"
Tax Return - 15 years
TLS IAS - 15 years (Tax Return)
Workpapers - 6 years
The following exceptions to the general policy have their appropriate retention periods set forth in parentheses. For permanent retention, consider microfilming or other less bulky storage systems:
(a) Documents pertaining to Firm governance and regulatory matters (permanent).
(b) Agreements and related documents pertaining to mergers or acquisitions by the Firm, as designated by OGC (permanent).
(c) Minutes of meetings of the Firm's Board of Partners and Principals and the Board's Committees, as well as other Firm Committees designated by the Firm's Senior Partner (permanent).
(d) Certain legal or historical files designated by the General Counsel (discretion of OGC).
(e) Firm Policy Releases (until superseded). The partner or director leading the group issuing the policy should ensure that one full historical set of the Releases or Statements issued by it is retained permanently.
(f) Documents (i) relating to threatened or pending litigation involving the Firm or its personnel or (ii) subject to a subpoena (the longer of the termination of the litigation/subpoena matter or the Retention Period - consultation with OGC required before any disposition).
(g) Financial records, including tax returns, of the Firm (discretion of the Chief Financial Officer).
5. Documents To Be Retained for a Period SHORTER than the Retention Period:
(a) Practice Quality review documents, including reports, correspondence, questionnaires, and supporting workpapers that identify or relate to findings or evaluations of specified engagements, offices or individuals (12 months from date of creation, or less when it is determined by the Director, Audit Quality--or his or her counterparts in other Lines of Business--that they have served their intended purpose).
(b) Personnel records of former employees (Current Period plus three years).
(c) Internal administrative documents, such as office financial information (discretion of appropriate Unit, Line of Business or Office Managing Partner).
(d) Engagements terminated before completion, such as audit engagements where no report is issued (Current Period plus three years; all uncompleted engagements should be clearly marked as such).
6. Other Exceptions:
(a) Any person who creates or receives a document or class of documents that he or she believes should be the subject of an exception should refer the matter to OGC.
(b) OGC will notify the appropriate Records Center of any files that must be retained beyond their assigned destruction date due to pending litigation or other reasons. At that time the files will be retained indefinitely, and destruction will require specific approval of OGC.
(c) In reference to E-mails and general correspondence of any type, if the communication is necessary to support PwC work, it should be included in the engagement files, either electronically or in paper form. If it is not necessary to support PwC work, it should not be retained. Desk file or rough file material should be discarded at the end of the engagement.
7. Organization and Timing of Destruction:
Persons responsible for maintenance of Firm files should conduct a review of all files during each December to identify those files that should be destroyed promptly after December 31 of that year. Thereafter, during January of the following year, such documents should be destroyed only upon formal authorization from the designated partner.
I take it that you've never suggested to management that a bug, in the project you've been working on, be fixed, only to have that suggestion declined. That bug may have been completely harmless, and management may have been fully justified in saying ignore it. However, lawyers can use that information against you. That (plus several others that people here have pointed out) is why it is a good idea to destroy documents in a timely manner.
Your solution doesn't make sense for any but the smallest businesses, due mainly to infrastructure but also for legal considerations. For a large company, storing eternal backups of every piece of data generated represents a gargantuan storage, retrieval and maintenance operation that in the large majority of cases serves no useful purpose. For example, when I worked for a large bank, the IT department spent hundreds of thousands of dollars per year to store the backups and logs that we wanted to keep. It would have been an appalling waste of money and personnel to double that just to keep backups of information that we never needed anyway. Also, such records can be a huge liability to a company in the event of a lawsuit, even assuming that there's no wrongdoing. Simply sifting through all of the records for documentation relevant to a subpoena can consume massive resources, just to prove that none of the email you've stored for the last five years contains anything incriminating. A document retention (and destruction) policy can force a judge to limit the scope of a subpoena, thereby reducing the workload in satisfying the subpoena.
In the corporate world, lawsuits complicate such issues immensely. Don't make the mistake of assuming that the only reason to cover your butt is because you've done something wrong.
Virg
You can just save all of your documents as Micr@soft Word. The files will become unreadable after a few years anyway. Hmmmm, I wonder if that was designed as a feature?
So, there are two other things to consider:
1. Keeping old records around can be expensive -- not only do you have to keep the media it's on, but you have to make sure you have the ability to read that media, and once you do, that you have the appropriate software and hardware to understand the message itself. Destroying them after you don't really need them any more saves a lot of expense. And, that doesn't even begin to talk about deteriorating backup media.
2. Similarly, part of the problem is in making sure that you have a *complete* record -- you don't want to have a partial record, where the mail to the CFO says "Hey! Let's screw the employees out of their pension," but not the corresponding mail from the CFO that says "That's illegal and immoral. You're fired." So, the idea is not so much to cover up past wrongs, as it is to make sure that you have a true archive.
3. The other thing is that there are some things that are embarassing, but not illegal -- the fact that the CEO didn't retire for health reasons, but was forced out because he got his secretary pregnant, for example.
I don't know about everybody else, but I use my e-mail as a record of what *I've* done, and 9 months (as somebody mentioned earlier) is not far enough back -- heck, every year we have performance reviews, and how am I going to say "This is what I did 11 months ago" if I don't have any record of what I did 11 months ago.
Please, try not to be a complete fucking idiot. Everybody else already has a clue.
Any sufficiently well-organized community is indistinguishable from Government.
I am sympathetic to those of my colleagues who have written that an honorable company need not fear anything. I do concur with those who have responded so are, indeed, naive. Documents can be very costly and damaging, even as against the innocent, a "smoking gun document," need not have actually been the murder weapon to cast doubt on the innocence of the innocence. Many are the times a close case swings because of a random, ambiguous and otherwise innocuous document.
On the other hand, my colleagues who have written on the utility of unfiled archives are also correct. Few things are more valuable, and numerous are the times one can "save the day," by a few hours of rummaging to find the "holy grail document."
The problem is that there is no way to have prior knowledge which are the smoking gun documents and which are the holy grail documents. The HG docs can save your life, but the SG docs can kill you. And the likelihood of either situation is rare (although the costs and benefits, respectively, often are astronomical).
Meanwhile, having recent documents around is, simply put, necessary to the efficient operation of a business. That said, e-mails, because of the culture of e-mail use, these days are the single best source of SGDs in modern litigation.
So, a decent (that is responsible) retention policy should balance effectively these competing concerns, even for a truly and genuinely honorable commercial entity. The key idea is this, the retention period should be long enough that the likelihood that the HG-ness of a document will be recognized prior to destruction, and longer than the general utility of having any document handy, but no longer. Guess is somewhere between 18 months and three years, depending on the business.
The retention policy will have exceptions for important instruments, but will require an affirmative effort be made to avoid the axe. Thus, docs identified as HG in nature, after the period, like deeds, source code, contracts with term longer than retention, and special documents are automatically reupped, despite the policy.
The Enron documents that were shredded are likely the early drafts of the audit report. While it is quite likely that there will be electronic copies of the destroyed documents what the investigators would probably most like to get their hands on would be draft copies with handwritten annotations. It is unlikely in the extreeme that anyone wrote a document that was incriminating on its own, but quite likely that incriminating marginalia existed.
BTW in addition to their involvement in the Sunbeam and Waste Management debacles Anderssen were until recently blacklisted by the UK government who held them responsible for their losses in the Delorean fiasco.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/