Document retention policy Featured

7:00pm EDT February 28, 2007

As more and more data is stored as electronic files, it is important to know what records should be kept and for how long. A company never knows when a document may be needed when faced with litigation.

U.S. companies now need to keep track of all the e-mails, instant messages and other electronic documents generated by their employees thanks to new federal rules.

The rules approved by the Supreme Court last April require companies involved in federal litigation to produce “electronically stored information” as part of the discovery process when evidence is shared by both sides before a trial. Because of the new rules, an IT employee who copies over old computer files could be committing the equivalent of “virtual shredding” if the old information is called as legal evidence.

Smart Business talked to Jason A. Cherkas, senior network administrator at Tauber & Balser, P.C., about what needs to be kept.

What is a document retention policy?

A document retention policy provides procedures for the regular examination, preservation and destruction of documents received or created in the course of business. Such a policy will identify documents to be maintained and contain guidelines for how long these documents should be kept and/or destroyed. It should be noted that there are different retention periods for human resource, tax and other regulatory hard copy or electronic files. You should consult with a tax or legal professional concerning these requirements.

Why is it important to have a document retention policy?

Since a wealth of information is now being stored electronically, it is necessary to purge data because it is no longer useful and is being maintained beyond its retention period. Purging unnecessary data will not only decrease the need for more storage capacity but will also reduce the length of time necessary to perform backups of company data.

A document retention policy may also protect a company from litigation. On Dec. 1, 2006, new amendments to the Federal Rules of Civil Procedures became effective and addressed how electronically stored information can be exposed during a legal matter. These amendments make it very important for company personnel to know what, where and how data is being stored and destroyed.

Electronic data stored on servers, e-mail mailboxes, tape backups and staff workstations can be subpoenaed for litigious matters; however, if the cost to retrieve data from offsite storage or from an old backup system is deemed too significant, the data may not have to be provided.

What should be included in a document retention policy?

A policy should contain five sections. What: Define what data in hard copy or electronic format your company has. At a minimum, data and software maintained on network servers as well as staff workstations should be included in the policy.

Where: Define where data is stored. An up-to-date record of all hard copy and electronic files should be maintained and made accessible.

When: Define when data can be destroyed off the network. Following the advice of a professional, you should have a set date, preferably on a quarterly schedule, to destroy documents. As a general guideline, electronic and hard copy documents are kept for four to seven years but some are maintained permanently. The retention period for tape backups should be six months to one year.

Who: Define who is responsible for maintaining and destroying documents. This person should keep a record of what is destroyed and how it was destroyed.

How: Hard copy documents should be shredded and electronic documents should be deleted from all systems.

What steps can be taken to ensure the success of a retention policy?

The most common failure with a retention policy is that the policy is not being followed. Your company may follow the policy when it is initially rolled out but adherence to the policy may become lax over time. Another step that needs to be reviewed and one that is often overlooked is the use of backup tapes and offsite hardcopy storage. Consequently, tape backups must be included in the retention policy. Most companies store tapes offsite, which may inevitably contain data that was previously purged from their network. Typically, there is not a need to store tapes older than six months to one year offsite. The same is true for companies that store hard-copy documents offsite, which should be included in the retention policy as well. Educating company personnel on what the retention policy is and the need to comply will ensure its success.

JASON A. CHERKAS is a senior network administrator at Tauber & Balser, P.C., with more than 10 years of experience, including working for a Fortune 100 company before joining T&B. He has been a speaker at numerous IT conferences and was recently certified as as electronic discovery specialist. Reach him at (404) 814-4911 or jcherkas@tbcpa.com.