United States: Customizing a Modern Records Retention Program

The proliferation of business information, especially in electronic formats, is notorious for creating huge challenges for organizations of all sizes. Researchers estimate that worldwide in 2002, we sent a staggering 31 billion e-mail messages per day,¹ many of which continue to clutter our expensive storage devices. Courts are holding companies and their executives to high standards for retrieval of records of all types, and are imposing severe penalties for spoliation and unexcused failures or delays in production; the consequences include fines as high as $25 million, default judgments, civil contempt and criminal liability (see, e.g., Sarbanes-Oxley Act §§ 802, 1102). And the cost of scouring every computer drive, voicemail system, fax machine memory chip and file cabinet for responsive records, even if no relevant data are ever found, can be substantial and raise the stakes for any dispute, investigation or audit.

Any observer of these developments should appreciate the need for up-to-date information management practices. Companies that can efficiently retrieve records, and safely retain them for durations meeting legal requirements and other business goals, enjoy a competitive advantage. Organizations that cannot will suffer greater costs and risks as electronic discovery and other investigative techniques become more sophisticated and universal. Businesses that have oldfashioned retention policies focused on paper documents—or no enforced policy at all—will face larger problems as time goes on.

This article focuses on the process for creating a modern retention program, which is much more than filing a standard policy in a compliance binder or on an Intranet site. There is little benefit from posting a boilerplate document yet continuing to follow records, file server and back-up practices that immediately and permanently violate it.

Instead, a company’s legal, information technology (IT) and records management (RM) personnel should work together to assess what types of information are being generated; how records of valuable information are or can be stored, searched and retrieved; and how long records should be kept to meet legal requirements as well as other business objectives. Based on this assessment, the team can construct a program in which each person in the organization plays a role in properly creating and retaining a variety of records. Senior officers can then communicate—in no uncertain terms—that all personnel are responsible for implementing the program on an ongoing basis.

The key insight for designing a modern program is that business records should be viewed much like other assets of the organization. That is, they have value to the extent and only to the extent that they can be used to achieve the business’s goals and meet its legal responsibilities. Records that cannot be readily accessed, or that are kept after any legal or business requirement has expired, are not worth much if anything to the company after the costs of storage and review are considered. So the program’s twin goals are to enhance the efficient search and retrieval of information, and to retain records of such information so long as there is a legal or business need to keep them.

The following are suggestions for the main steps in crafting a contemporary records retention program for a business organization. These steps are elaborated in a number of resources, including the forthcoming Sedona Guidelines on retention policies for electronic information and records, as well as publications by the International Organization for Standardization (notably ISO 15489), the Association of Records Managers and Administrators (ARMA) and the American National Standards Institute (ANSI).

The first step is to understand what types of information are being created or acquired by the company. People in different business units and locations keep different kinds of documents. The human resources, tax, marketing, manufacturing, R&D and other departments all generate and exchange their own records, which they may store in personal files, computers, shared servers, storage media or other devices. In addition, the IT and RM departments may tend centralized records and may periodically copy them for emergency back-up.

If functions have been outsourced or enabled via the Internet, third parties like contractors, website developers or Internet service providers may have custody of the company’s information in duplicate or even original formats. In the e-mail era, any addressee may possess copies of information created and transmitted by others within or outside the organization. Finally, an assessment should be made of the related "metadata"—for example, the name, author, location and creation or revision date of a document, which data may be accessed separately from the document itself.

Because the value of information depends on whether it can be efficiently used, developing a modern program also requires an awareness of the company’s IT and RM potential. The team should confirm what capabilities and alternatives their company has for retrieving and searching records, for retaining them for required durations, and for destroying them. For each type of record, a determination should be made of what format (electronic or hard-copy) in what location will be "authoritative," in the sense that one version can be efficiently retrieved, searched and retained, while other copies of the same record can be eliminated.

The team must also come to grips with the tension between the aims of the retention policy and the ever-expanding technical capabilities of IT systems. For example, unified message systems (UMS) may facilitate search and retrieval of data from voicemail. But unless a company’s business is founded on oral conversations, it may not benefit from long-term archiving of UMS voicemail that would need to be produced and pored over at considerable cost in later disputes.

Lawyers run the next leg of this relay by identifying the federal, state, local and foreign mandates for retention of various documents. The legal input comes in three main varieties. First, there are statutes, regulations, contracts and consent decrees that expressly require retention of records (e.g., 29 C.F.R. § 1910.1020 (OSHA employee medical reports must be kept for 30 years after employee termination)). Second, there are statutes of limitation or repose that, in the absence of grounds for tolling, define the period for filing suits by or against the organization (e.g., Cal. Code of Civil Procedure § 337 (four years for breach of written contract)). Third and most important, there is an over-arching requirement that records not be destroyed when related litigation, audits or investigations have commenced or are reasonably foreseeable (see, e.g., Zubulake v. UBS Warburg LLC ("Zubulake IV"), 220 F.R.D. 212 (S.D.N.Y. 2003); Rambus, Inc. v. Infineon Technologies AG, 220 F.R.D. 264 (E.D.Va. 2004)).

The latter rule against spoliation cannot be reduced to a standard provision or automatic instruction. So two essential elements of the retention program must be to facilitate communication that a claim has been made or is foreseeable, and to enable legal, IT and RM personnel to order and implement the immediate suspension of destruction of any potentially relevant records. Such data, even if never produced, should be segregated and preserved so as to ensure their integrity.

The express legal mandates are only the minimum requirements for records retention. Above all, a healthy dose of reasonableness should be administered; thus, even if there is not a specific legal mandate, a court may determine that a gun manufacturer should not destroy product safety complaints after three years (see Lewy v. Remington Arms, 836 F.2d 1104 (8th Cir. 1988)) or that an amusement park should not discard records after the end of a summer season (see Reingold v. Wet ’N Wild Nevada, Inc., 944 P.2d 800 (Nev. 1997)). Business and legal personnel should consider whether the company will reduce exposures or protect value by keeping data for longer periods (even indefinitely). For example, records relating to distribution of pesticides may only be legally required to be kept for two years following shipment (40 C.F.R. § 169.2), but a seller may decide to retain them for some longer period to address the prospect of contract or tort claims.

The preceding steps lay the foundation for a document often called a retention schedule. Such a table identifies, for each type of valuable record a particular company creates or acquires, (a) the location and format of the authoritative record, (b) the custodian of that record and (c) the time period for retention of that record in the absence of a suspension order. The program will more likely be effective if the legal and business requirements are customized (and simplified) to reflect the specific documents the organization actually uses, rather than relying on individual employees to construe generic or legal categories. The retention schedule then becomes part of a retention policy that defines what roles are played by any employee who creates or acquires records, by any employee who has custody of records, and especially by key employees in the legal, IT and RM departments.

The technologies that support the retention program should also be brought to bear on any ethical walls or similar prohibitions on access to particular data kept by the company. If a confidentiality agreement (or the hiring of an employee from a rival) requires or induces the organization to prevent certain types of information from reaching certain personnel, the IT and RM functions may be able not only to accomplish that restriction but also to produce documentation evidencing which individuals do and do not have access to restricted records.

The program should be inaugurated or renewed with a message from senior management, underscoring that compliance is a core value of the organization on which employee performance will be measured. The message on records retention may be accompanied by a reminder of the appropriate and inappropriate ways to express ideas and create company communications in the first place, particularly presentations, voicemail and e-mail.

The IT and RM departments may need to make changes in the ways and locations in which records are stored, backed up and destroyed. Special sensitivity is required for records that are relevant to claims pending or threatened at the time the policy is launched. Periodic training sessions, reminders and audits aimed at continuous compliance will be viewed more favorably by courts and prosecutors than would the jarring initiation of the very same activities in the looming shadow of a claim.

Because records, laws and IT and RM capabilities will change, the program must be kept up to date. Because personnel and product lines will change, regular enforcement and education should be part of the organization’s hygiene. What will not change, however, is the need to meet legal requirements and achieve business goals through the efficient retrieval and retention of vital data.

For additional information regarding legal aspects of record retention please contact Robert A. James2 at rjames@pillsburywinthrop.com or 415.983.7215; or Charles Ragan3 at chuck.ragan@pillsburywinthrop.com, 415.983.1709.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.