Document Retention Policies

Seemingly innocuous documents can haunt your company in a courtroom. The best defense is destroying documents. If you do it right, you're legal and safe. If you get it wrong, you may find a judge accusing you of destroying relevant evidence. The answer is a well-formulated document retention policy (DRP).

While I admit that nobody will ever win a business leadership and vision award from the Chamber of Commerce for giving time and attention to the development of a DRP, you need to do it. It's like sleep. You may not feel like it's productive time, but you shouldn't try to live without it.

Especially with information going digital and the price of digital storage way down, it's too easy to keep everything. The problem with that approach is that when you're involved in litigation, you're almost inviting the other side to go fishing through your ancient records. Who knows what evil lurks there?

It only gets worse when you're faced with a subpoena for a document and you have so much data that you can't even find what you need to find. Now, you look recalcitrant. (Throughout this column, I'm going to use the word document broadly to mean any type of record, whether written, digital, audio, visual or whatever.)

Let's start with what you wish your DRP could say, but can't. "When litigation is threatened or filed, immediately review all relevant documents. Upon completion of the review, destroy all documents that are detrimental to our position."

Somehow, this policy conjures up something having to do with 18 minutes of tape. Let's just say that it didn't work for Nixon and it won't work for you.

No matter what your policy is, it must call for a complete halt to document destruction once litigation is threatened or filed.

If you ignore this rule, you may find yourself accused of spoliation. "Spoliation" can be loosely defined as the intentional and wrongful destruction of evidence that is material to an ongoing or imminent litigation matter. If a court feels that you're guilty of spoliation, it has many weapons at its disposal if it wants to sanction you. You don't want to go there. It's an ugly place to be.

In creating your DRP, you're going to have to assemble a team, which should consist of a high-level executive responsible for the project, your chief information officer (CIO), department heads, tax counsel, regulatory counsel and legal counsel. Ultimately, the CEO should be the one to sign off on the DRP. You need the CIO because one of the considerations is the technological feasibility of what it is you want to do.

An important issue is to what extent you can safely and effectively automate the process. You need department heads so that they have an opportunity to comment on the unique document retention needs of their department.

Your tax and regulatory counsel are there because of tax laws, and if you're in a regulated industry, then those regulations may also impose some very specific requirements. The first principle is that you should be sure to keep everything needed to successfully run your business. This is a pure business issue. What do you need and how long do you need it?

The second principle is that you should never destroy anything that the law requires you to keep. This principle requires you to stop all document destruction once somebody threatens or commences litigation or other legal proceeding against you. You can start again only with the approval of your lawyer.

Subject to the second principle, tax law and regulatory requirements, the general rule is that you can destroy your documents anytime you want. Having said that, if a court ever puts your destruction of documents under scrutiny, it looks much better if you did the destruction in a systematic way based on a schedule and a documented DRP.

It's common sense. If you destroy all e-mail when it's six months old, it's hard to accuse you of spoliation because a year-old e-mail is long gone. If you suddenly have a DRP in place the day before a lawsuit is filed -- well, you get the picture.

One pitfall to avoid in creating your DRP is not taking into account the fact that most documents have multiple copies. You have to consider your employees' personal files, local hard drives and backups. It doesn't help to destroy working data if you keep your backups forever.

Another pitfall is not considering what you have out there in the cloud. In a perfect world you'll have your DRP in place before you put your stuff in the cloud. That way you can review the terms of the agreements with vendors providing cloud services before your stuff is out there, and create a DRP that works seamlessly with your cloud vendor.

However, if you're creating your DRP with your stuff already in the cloud, then you wind up working backwards, incorporating the terms of your existing agreements into your DRP. It may be too late to have much negotiating power to change those terms (but it couldn't hurt to try), so you're probably stuck with what you have for the remaining term of those agreements.

Dealing with backups will probably require your CIO to create backups with the DRP in mind. Depending upon the media that you use for the backup, it may not be possible to selectively destroy parts of the backup. This creates a problem for you if your DRP requires you to destroy e-mail after six months but tax records after seven years, yet they both reside on the same media.

If you think that the prospect of creating a DRP sounds like a boring and thankless task, you're probably right. It is boring and thankless. Still, the penalty for not dealing with the issue could be a long-forgotten memo rising up from the depths to hurt you in a courtroom.