Designing A Compliant Record Retention Policy

Editor's Notes

• #2: Records and information management is not a new concept. For years, many companies have had record retention policies in place for years. However, many of those policies were ignored or not consistently followed. In the wake of such notable cases involving Arthur Andersen and KPMG, as well as the Zubulake decisions, records and information management has taken on a new significance in terms of making certain that written policies and procedures are in place and being followed. It is for this reasons that we are ending this seminar on the topic of “Designing a Compliant Record Retention Policy.”
• #3: As the NBI materials indicate, I will be addressing four broad topics. Namely,: Retention Issues Destruction Issues Systems Data Structures & Organization Because these topics depend on large part on who your client is and what their particular production of records and electronically stored information consists of, I have tailored this presentation to set forth selected issues of importance to most lawyers who are asked to counsel their clients on record and information management. The issues that I will be discussing are not exclusive or exhaustive. You should consider other sources that are available from legal and non-legal vendors alike.
• #4: Two sources that I recommend are: ARMA – great resource for tools, white papers, etc. on record and information management “The Lawyers Guide ...” is geared toward record and information management within a law firm.
• #5: Purpose of records retention portion of a records and information management program is to assure maintenance of those records and information that a client must keep to meet either operational or regulatory requirements. For example, if your client warrants its goods for 10 years, then it will need to keep sales records for at least 14 years from the sale date to ensure their accessibility if litigation arises for breach of that warranty. Another example are records necessary to the preparation of tax returns should be maintained in order to address any issues that may arise if an audit is conducted. The other purpose of the record retention portion of a records and information management program is that it ensures the timely and efficient disposal of those records and information that a client does not need or should not maintain. There is no requirement that a client keep all of its records and information indefinitely. Instead, once a client no longer needs a record to meet either operational or legal requirements, then the client is free to dispose of that record or piece of information.
• #6: A records and info. management program basically involves three core items: A formal written policy statement. A records/information retention schedule. Procedures for executing and enforcing the policy and schedule. These documents themselves are not conceptually complex. A policy statement deals with the issues of ownership of the records, staff and employee duties in the context of a record management program, guidance over authorized copies and maintenance locales and responsibility for program maintenance. Sample policies are included in your materials. A records/information retention schedule is fundamentally only a list of record types or categories, along with retention periods for those records. The procedures for implementing the policy are simply instructions for managing the retention and disposition processes. In essence, write a legally compliant policy, choose an appropriate retention period, write some commonsense procedures, and your client is in business with respect to records management .... It’s that easy!!!
• #7: As always, the devil is in the details. Considerations that go into developing retention policies may be complex and in some cases the answers are not obvious. Political and cultural considerations may require negotiation of time periods and adjustments to policies and procedures. Actually implementing the schedule against large collections of paper and electronic documents may prove challenging. So, what are some of the common hurdles that one faces with developing and implementing a records retention program?
• #8: One of the first issues that you may face with a client that has never implemented a record retention program is the common myth of the “permanent record.” In its usual form, the myth arises when an objection is made that a proposed retention period is grossly inadequate because (1) the records have permanent enduring value and (2) some law requires the records to be kept forever. As to the first reason, most business need does not require permanent retention since the actual business utility of most records diminishes rapidly after their creation and use, and commonly drops to zero within a few years. As to the second reason, in the case of general business records, the vast majority of legally mandated retention periods are well under 10 years, as are the limitations periods for theories under which legal action involving such records can be brought. Notable exceptions involve warranty claims, toxic spills, matters involving minor children or trusts and estates. The reality is that though the record may be of supreme importance while the matter is active, at some point that matter is resolved and the record’s usefulness is gone. However, people think differently because they view their own work as important and thus should be retained forever. Also, people don’t know what an appropriate retention period is and they’re concerned about the penalties and consequences of disposing of records. Hence, the “safest” course of action is retain records forever, which has led to the Myth of Permanency. As counsel, you’ll need to work with your client on dispelling this Myth.
• #9: So, how do you combat the Myth of Permanence? The most effective way is to analyze the cost of maintaining the records and information. Storage costs today are not cheap and will continue to grow if a record retention policy is not adopted. Once clients appreciate the cost of maintaining records permanently, they understand the importance and value of document retention program. In addition to analyzing the cost, you should discuss with the client the risks and utility of keeping records and information “permanently.” Ask “Who will care about these records and why, in 25 years?” It is generally revealed that most records have no value beyond 25 years and thus do not need to be retained. Finally, if a client wants to keep records or information for a historical purpose, then a professional archivist or historian should be consulted to separate the wheat from the chaff.
• #10: Another issue that you need to address with your client is the documentation that will be needed to effectively implement a record and information retention program. Core Documents are the policy, the procedures and the retention schedule. Other important documents include: List of users Logs recording transfer from active to inactive Audit trails as to movement of active files Records review and disposition details Maintenance of this other documentation is important: It is evidence of the program’s execution and of the decisions made and actions taken with respect to certain records and information. Serves as a practical, day-to-day purpose, of advising staff of what to do and when. Serves as proof that the retention program is what it is and that the actions comply with the program.
• #11: Another issue that one should consider when designing a record and information retention policy is referred to commonly as “Exception Management.” Both common law and the Zubulake decisions recognize a duty upon a party with notice to ensure that all sources of potentially relevant information are identified and placed “on hold.” Consequently, just as the retention policy identifies and deals with records for disposition, so too must it identify and deal with documents that are to be temporarily excluded from the disposition process. Such duty arises when reasonable notice exists that The records are germane to a lawsuit, regulatory investigation or similar legal inquiry. The records may be needed to preserve or advance the rights of a client or ex-client. The records may be needed to support an authorized audit. Failure to segregate and maintain records and info. when on notice may have serious consequences, as we have discussed all day today. Therefore, the program must include the mechanism for identifying the records and info. that need to be excluded and maintained after notice exists. Don’t let this issue become an excuse not to implement a retention program.
• #12: Another issue that one must remember in designing a compliant record and information management policy is determining what law applies to a client’s records and information. Multiple authorities from multiple sources in multiple jurisdictions may govern a record’s retention. This is especially true with re: to companies that operate in multiple jurisdictions. Thorough research is a must, but is often hampered by varied terminology for the term “records,” such as “books,” “files,” “accounts” and “data.” Also, record retention laws are often quite obscure. Nevertheless, the time and resources needed to perform thorough research should be understated. There is a lot of record keeping and data collection law and it usually requires some digging to find it.
• #13: It is not a good idea to assume that federal requirements trump state requirements. Also, you should not assume that the requirements across various jurisdictions and authorities within those jurisdictions are uniform. Federal and state authorities often exercise some form of concurrent jurisdiction. Within a jurisdiction, agencies and other authorities may well promulgate requirements without regard to any other requirements affecting the same records that may already be in place. Thorough research must be performed with relatively few assumptions being made.
• #14: In terms of destruction issues, you should understand that this aspect of the records and information management system is generally outsourced. Consequently, when advising your clients on which document destruction company they should use, it is important to understand how the destruction companies define “destruction.”
• #15: There are primarily four definitions of destruction: First is the “Sell ‘em” Destruction. In essence, your client is charged to have their documents picked up and then the destruction company sells them to someone else for recycling. Usually, the documents sit out in the rain or wind in loose piles or poorly secured bales before they are actually destroyed by someone else in another city, county or country, after they (or a local investigative reporter) takes a look at them. Second is the “Dump ‘em” Destruction. Under this approach, your client is charged to have their documents picked up and delivered to a landfill, where they again sit unprotected and get blown around.
• #16: Third method is the “Hold ‘em” Destruction. Under this approach, your client is charged to have their documents picked up and then store them with the destruction company until there is enough records to justify the cost of having them physically destroyed. Your client’s documents may or may not be secure while they remain in the staging area waiting for destruction which may be a while. The final method is the “Destroy ‘em” Destruction. Under this approach, the destruction company arrives at your client’s facility with a large truck and grinds up the records right then and there. Your client can monitor the entire process. Needless to say, this is the best approach.
• #17: No matter which approach is selected, it is important that the destruction of records and information be documented. Vendor’s destruction certificates are not usually specific to the necessary detail required to a client’s destruction of particular records or information. Additional documentation, preferably kept in electronic/digital format, is usually necessary. Such documentation would identify the precise records destroyed and have attached to it the vendor’s destruction certificate.
• #18: Record and Information Management is a set of systems, processes and tools that combine to make possible the efficient use and maintenance of all records and information within a client’s organization. It also provides a framework and structure that facilitates application of the client’s records and information management policy and compliance with the records/information retention schedules. Automating the record and information retention functions and using technology wherever possible makes good business sense. This is particularly true for the effective management of e-mail, word processing documents, and other electronically stored information.
• #19: There are many software companies that offer records and information management software. The most widely installed records management vendors among law firms and law offices are the following: Accutrac Elite Information Systems Interwoven Hummingbird MDY Advanced Technologies
• #20: Designing a compliant retention policy requires an understanding of your client’s data structures. Data gathering involves finding out: What records or data exists? – Types of kinds of records, including titles and functional descriptions. What are the mediums? – Do records exist in hard copy, microfiche or electronic format? Where are the records and data? – The locations of the record repositories, such as copy rooms, work stations and conference rooms. What is the operational life? – The period of time the record has real business utility to the client. What is the compliance life? – The period of time the record needs to be maintain to satisfy legal requirements. What is the risk management life? – The period of time a record needs to be maintained in light of notice of a claim, lawsuit, etc.
• #21: Other information you should investigate: When and how information is created or received? How are records distributed and managed during their active life? How and why duplicates are created? - Also, where they can and should end up? How information is circulated vis-à-vis workflow? What is the amount of hard copy and electronically stored information? - # of filing cabinets and boxes, server sizes, virtual servers, home offices, etc. To capture this information, you may need to use different approaches, including interviews, surveys, system generated reports and inventorying of records. No single approach is best. The goal is to learn as much about your client’s data structure as you can, so that you can design a compliant policy that addresses all of those structures.
• #22: The organization structure that a client needs to implement a compliant records and information retention policy will vary. At a minimum, there should be one person who is designated the records manager and that person should be a highly skilled professional who has strong communication skills, is technologically savvy, is a motivator and engages in forward thinking. Additionally, the individual promoted to Records Manager should be provided managerial training. Also, records department staff and end-users must be trained. The goal of training is to inform, to train and to habituate the staff and end-users with respect to record retention and destruction policies and procedures. Training may involve large group sessions, face-to-face training and periodic refresher training and may include you as counsel. Habituation is simply providing a continuous series of reminders (i.e., nagging) to ensure the policy and procedures are being consistently followed. Generally, handled by client. Clients should understand that training their staff will take time.
• #23: Any questions?