Document Retention Policies

Document Retention Policies
By Sharon D. Nelson, Esq. and John W. Simek

PDF of Sample Document Retention Policy

If you are a health care provider, a financial institution or a brokerage house, you are mired in document retention policies promulgated by the U.S. Securities and Exchange Commission regulations, the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act of 1996. Each act could comprise an article unto itself.

If you are not subject to such precise laws and regulations, count yourself lucky that you can deal with the more generic problems of document retention policies. There are still Occupational Safety & Health Administration requirements and tax records requirements that apply to almost everyone, as well as statutes of limitations to worry about, but otherwise, electronic documents are yours to keep or discard as you deem best. There are lawyers who have become used to simply keeping every form of paper document forever. Old paperwork is warehoused on- or off-site and accessed as needed. Some lawyers routinely establish a five- or 10-year timeline, after which they go through files, discarding all but critical documents such as wills, deeds, the law firm’s own financial and tax documents, intellectual property and corporate documents for active corporations and so forth.

Learning from Mistakes
Lawyers and their clients tend to forget saving unnecessary paper or electronic documents can constitute a significant danger. Consider the disaster that befell The Boeing Co. in 1997. The world’s largest aircraft manufacturer found itself confronted with a class action lawsuit alleging securities fraud. In a deposition, the plaintiffs’ attorney learned Boeing had some 14,000 e-mail backup tapes stored in a Washington, D.C., warehouse. Naturally, he demanded the tapes. The company tried to narrow the scope of discovery but became enmeshed in a snafu of its own devise.

Boeing was unable to tell whose e-mails were on which tapes without restoring the tapes first. The situation was complicated because Boeing used several e-mail systems and its Information Technology department was scattered throughout the world. Not only did Boeing retain far more data than needed, but its retention was woefully disorganized. In the end, it cost Boeing a fortune to restore all the tapes. The unfortunate result was the content of the tapes was sufficiently damning and Boeing concluded the lawsuit by settling for $92.5 million.

The entire misadventure should serve as a warning that electronic document retention policies and the organization of retained documents should be a significant factor in corporate and law firm planning.

Policies Needed
Amazingly enough, in 2000, 83 percent of American Bar Association attorneys who responded to its Litigation Section Survey said their corporate clients had no established procedures to deal with electronic discovery. While the percentage has shifted significantly, many companies still don’t have policies and many more have what might charitably be called “muddled” policies. In most instances, only the largest law firms have any sort of policies at all.

The ones and zeros of the electronic world have complicated a process that was plenty difficult before technology added layers of complexity. It’s a particular bane that backup media often become obsolete, and restoration can be a major task as technologists must recreate an antiquated environment. It does not help that larger law firms and companies tend to have a mish-mash of technology platforms, with a patchwork of incompatible, obsolete and unlinked systems, applications and servers.

Additionally, the data in legacy applications, such as old accounting and e-mail programs, might be hard to restore and search. If you already are reaching for aspirin thinking of your firm or client’s data becoming the subject of litigation, just wait until the flag comes down and your opponent is off and running. It has become standard for depositions to commence with an excruciatingly specific examination of a litigant’s IT structure, right down to home usage and all computing peripherals, to say nothing of backup procedures and DRPs.

If you or your client don’t have a DRP, shame, shame, shame. Now is the time to begin crafting one. One exception to this: If your firm or your firm’s client is currently in the limelight for some alleged misdeed, this is the worst of all possible times to suddenly devise a policy. Inevitably, the policy will be self-serving and give you or your client a very public black eye. Work on the policy in tranquil times, when no litigation appears to be on the horizon.

Creating a DRP
Be forewarned — there is no one-size-fits-all DRP. As you begin to formulate a policy, consider who needs to be involved in the drafting, such as from the financial, legal, technical and other departments. A number of people will have a role to play in drafting a practical policy. If you have outside counsel or an outside Certified Public Accountant, these individuals probably also will need to be involved. Frequently, an independent electronic discovery consultant is engaged as well. To give you general guidance, a sample DRP is included on Page 79. Regard it only as a jumping-off point, as every entity’s needs are different.

The first rule of creating a DRP is simple. If you are governed by federal or state laws or regulations, follow them. If federal and state requirements conflict, obviously follow the more stringent requirements. The second rule is equally simple. If you are governed by internal by-laws, other mandatory procedures or industry standards, abide by them. Now comes the dicey third rule. If you are on your own after following rules one and two, assume all the documents in your possession, paper and electronic, will be the subject of a lawsuit somewhere down the line.

Drafting these policies is no walk in the park. It requires more intensive thought than might appear at first blush. Will it help or hurt you to keep successive drafts of documents? The deeper you delve into policy formation, the more niggling issues will come up. Don’t expect to formulate a sound DRP overnight. Nonetheless, DRPs don’t have to be epic novels. They can be just a few paragraphs.

The longer DRPs are more appropriate for larger firms or companies. The fundamentals of a DRP are these:

Define how, where and how long to store both paper and electronic records, making sure you specify retention periods for specific categories of records.
Consider all forms of electronic data in all devices and media (don’t forget digital printers, copiers and voice mail).
Specify how records are to be destroyed when their retention period has expired (is it automated or are users responsible?).
Detail the circumstances under which the policy should be suspended, such as when a lawsuit is anticipated or in progress, a subpoena has been served or an investigation is known to be underway.
Specify the individuals responsible for enforcing, monitoring and updating the policy.
Define penalties for noncompliance and impose them.
Describe how to organize and catalog stored records so they can be recovered easily.
Make the DRP part of the employee handbook, have employees sign the policy, and update the handbook when the policy is updated.
Review the policy on a regular basis, making the review deadlines part of the DRP itself.
If the documents are electronic and encrypted, log the pass phrases and product version used at the time of encryption.

Enforce Your DRP
OK, so now you have a policy. Home free, right? Maybe not. Arthur Andersen had a DRP in place when catastrophe struck in the form of the Enron investigation. On Oct. 12, 2001, Andersen sent out a memo telling staffers to comply with the DRP, which specified how long employees should keep written and electronic records before destroying them. So how did they get in trouble?

Andersen neglected to tell staffers to retain all documents related to the SEC’s investigation of Enron, an Andersen client. Andersen was well aware of the investigation. As Homer Simpson would say, “Doh.”
It seemed just a tad suspect that Andersen, which had rarely invoked its DRP, suddenly decided to mandate compliance in the midst of the Enron debacle.
It didn’t help Andersen that at least one document in question was, in fact, altered by an Andersen employee.

At the end of the sordid tale, in June 2002, a jury convicted Andersen of obstruction of justice. The moral here is straightforward. If you are going to have a DRP, enforce it in a consistent fashion. Selective enforcement is a sure ticket to a spoliation of evidence or obstruction of justice charge. Be aware that enforcement can be a ticklish business. Studies have shown 10 percent of employees given an order to destroy documents in accordance with a DRP simply will not do so. Sometimes, they believe they will some day need the document for some reason or another. Some are just lazy. Others are naturally disinclined to obey orders. Whatever the reason, it will create headaches, so anticipate the problem as best you can. Periodically, you might wish to conduct audits to make sure the company’s deletion edicts have been followed.

Be aware you are never really out of the woods. Delete all you like, empty recycle bins, format the hard drives, and so on, and forensic technologists still might be able to recover deleted data. It’s therefore essential to convey to your employees not everything should be written or converted to electronic form and that which is written should not be dashed off carelessly, or in a fit of pique. Our entire society has developed the habit of using e-mail as a casual, informal form of correspondence without any regard for the fact it might live on in perpetuity.

Likewise, many people attend meetings with their laptops, keeping copious and often inaccurate notes that might not be in context, might misquote what was said and so on. These transcriptions later might be construed as an accurate description of what happened, no matter how far off the mark they actually were.

Remember too, DRPs have real benefits. They preserve the storage space on the network and on user’s desktops. They optimize network performance. They decrease the chance of having documents used against the company in lawsuits. They force an imposed order and clean up, which can be useful to productivity and for finding needles in a haystack whose size is at least controlled. All this organization will result in limiting the scope of discovery and easing its production, saving time and costs.

When DuPont went through an enterprise-wide reorganization of its corporate records, the company discovered more than 50 percent of the documents the company gathered for discovery between 1992 and 1994 should not have been retained. It estimated it had spent an unnecessary $10 to $12 million in retention and production costs. Ouch. Its revamped DRP calls for a 60-day life for e-mail and a 14-day life for e-mail backup tapes. Every employee is considered a “record custodian” and must sign off on the policy. A four-person Corporate Records Information Management team is responsible for providing guidance and ensuring policy compliance. In 2001, it adopted a system that prompts employees to delete e-mails that are overdue for deletion. The employees are given the option to retain records by entering a retention code; otherwise the e-mails are deleted automatically. The result? The company has noted a marked diminution in the amount of data it must sift through to comply with discovery requests.

One thing the courts have learned is the sheer volume of a company’s data can be overwhelming. Courts have absolutely accepted the need for data management and recognize it’s unthinkable to have data stored and accessible indefinitely. The cost of restoring vast amounts of data from backup media is staggering, and courts are sympathetic to the need for some sort of practical restraint on this process. In particular, the Zubulake v. UBS Warburg opinions have been very helpful in sorting out the confusion (see “Discovery Factor,” October/November 2003 Law Office Computing). Courts have no quarrel with corporations that destroy data in the regular course of business, when there is no anticipation of litigation.

On the other hand, the mere scent of spoliation will generally stiffen a judge’s resolve to determine whether a company has deliberately destroyed documents. In the main, penalties for spoliation have been severe, including stiff fines, prohibiting the testimony of the person responsible for the spoliation, altering legal presumptions to favor the other side and, in extreme cases, dismissal of claims. If the spoliation of evidence rises to the level of obstruction of justice, heaven help you because you are unlikely to find mercy in the courtroom.

Once you know there is a potential for litigation or a lawsuit has been filed, make sure the document retention policy is suspended insofar as the subject matter of the litigation or investigation is concerned. Always err on the side of caution. Make sure all involved parties know which documents, backup tapes and so forth, must be preserved until the litigation or threat of litigation is resolved. Protect yourself by clearly putting such information in dated writings, paper or electronic.

A decade ago, almost no one thought in terms of document retention policies where electronic data was concerned. Even today, the vast majority of companies and law firms have no policy in place. A decade hence, and perhaps much sooner, it’s probable that virtually 100 percent of all business entities will have a document retention policy. As Yogi Berra was fond of noting, “The future ain’t what it used to be.” Where technology is concerned, those are words to live by.

ABOUT THE AUTHOR

Sharon D. Nelson and john W. Simek are the president and vice president of Sensei Enterprises Inc., a legal technology and computer forensics firm based in Fairfax, Va. They can be reached at (703) 359-0700, sensei@senseient.com or www.senseient.com.