January is a great time to think about reducing clutter. Many of us start the New Year with a personal plan to get organized, throw out stuff that no longer matters, and to accumulate less junk going forward. It’s a nice plan – and it usually falls apart by mid-February. Still, the idea of getting organized and reducing “clutter” is also a goal of many companies. One way to do this is by implementing or updating a record retention program. For companies without a program already in place, this means starting from scratch. For companies with a program, it means a serious “soup to nuts” review and how (not if) the program needs to be updated.
The benefits of a well thought out record retention program cut across every part of the business, including all staff groups, and especially within the Legal Department which usually takes the lead in record retention issues. Whether you are based in the U.S. or a different country, whether you are a generalist, or specialize in litigation, M&A, commercial agreements, compliance, intellectual property, corporate secretary, or employment law, a good record retention program can make your job much easier and reduce risk to the company. This edition of “Ten Things” discusses the basics of what is needed to put a record retention program into place or update an existing one:
- Why have a program? There is no requirement that you have a record retention program. Other than regulatory requirements or litigation holds, a company is free to keep or dispose of whatever records it wants, whenever it wants to. Despite this, I think all companies should have a record retention program in place, regardless of size. Small companies may need only a relatively simple program, while large companies will need more complicated policies tied to the complexity of their business. Here are just a few benefits of a record retention program:
- Reduce storage costs (e.g., storing data, emails, and paper costs money).
- Reduce litigation/regulatory costs and risk, including a process to implement a litigation hold, as well as a “road map” showing where to find things when disputes arise or when discovery requests come in.
- Mitigate risks from a data breach, i.e., getting rid of personal data as soon as possible and knowing where the data is that you need to protect.
- Improve speed/accuracy of record retrieval, including locating documents for tax purposes, M&A deals, contract management, and corporate governance.
- Customize your program. Unless your business is pretty simple, you cannot create an effective record retention program by simply downloading schedules off the Internet (though those schedules can be useful benchmarks). You need to customize your program to the particular needs of your company. For example, understanding the type of businesses your company is involved in, where the company operates, its culture, the types of technology used throughout the company, and the different regulatory environments it operates in, will all be part of creating the program. The best way to start the process is to recruit a cross-functional team from the different parts of the business to help you answer these questions and develop the program. You must speak with employees in numerous parts of the business to understand record creation, storage, how records are used, and risks, all on a country-by- country basis. Limiting your focus to just the U.S. for example will make you miss many important things and your program will not be relevant to employees working outside the country. You also need to win over two key parts of the company to create a successful program: the IT department and the C-Suite. The IT group will be invaluable in terms of where records are kept, how they are accessed, and how they can best be managed. The C-Suite must buy into the importance of having (and enforcing) a records retention program. If they do not, then the program will just be another piece of paper. Two things will help you in your effort to win these groups over: the ability to lower costs and lower risk. Repeat these often.
- Figure out what you have and where you keep it. This is the most crucial task in creating your program and you and the team should spend the bulk of your upfront time understanding and identifying:
- The types of records created by your company. Remember, not everything is electronic – don’t forget the paper! Signed documents, handwritten notes, calendars, policies, HR files, marketing materials, memos, correspondence, presentations, corporate minutes, Board of Director meeting materials, etc. all need to be accounted for. You will be surprised by how much paper is generated by your company.
- Where the records are located. You need to really dig out all the places where company records are stored. The IT department can help you here. Be sure to consider: computers (office/home/laptops), servers, back-up tapes, document management systems, shared drives, email (server and local files), company webpages (external and intranet), social media accounts, CD ROMs, flash drives, instant messaging, audio and video recordings, off-site storage, corporate secretary, etc.
- Don’t forget your vendors. If your company uses outside vendors (e.g., consultants, accounting, legal, call center), you must ensure that your record retention program accounts for your records held/created by these vendors.
- Records you “want” to keep/Records you “have” to keep. Once you have identified the types of records your company has and where they are located, you need to figure out what do you keep and for how long? There are two categories here: (a) records you want to keep; and (b) records you have to keep. Records you want to keep are records with no legal obligation to keep but are important to how your company runs its business. These are records with long-term business value, such as emails or presentations that memorialize important decisions and activities, explain contracts, discuss future strategic activities, and so forth. These may be documents that, from a “cultural” standpoint, your company expects to have access to several years after they are created. The only way to identify these types of records is to ask lots of questions across the entire business. Records you “have” to keep are records subject to legal or regulatory requirements. Almost every country has requirements about keeping tax records (e.g., IRS), employment records (e.g., Department of Labor), compliance records (e.g., Sarbanes-Oxley), safety records (e.g., OSHA), environmental records (e.g., Clean Water Act), and other statutory/regulatory requirements. And don’t forget that some legal requirements call for your company to get rid of records after a certain time (e.g., EU Data Privacy Directive). Getting this right requires research on your part as you need to identify and understand the different legal and regulatory requirements applicable to your company’s business and the record retention requirements under each. This is an area where outside counsel can add a lot of value.
- Prepare your written policy/schedules. After identifying the types of records your company has, and any applicable retention periods, it’s time to start drafting (or updating) your record retention policy. Your policy needs to be realistic and driven by business needs. A policy that fails to account for either of these is destined to fail. For example, if your company is small with a simple business, the policy and schedules need to be short and straightforward. A complicated, overly-long policy is not necessary and is unlikely to get much traction with the business. Likewise, if your company has 100,000 employees, operating several heavily regulated businesses, located in 75 countries, you’re not going to be able to get away with a five page policy. Even so, regardless of how complicated your business may be, focus on preparing a policy that is as simple to read and understand as possible under the circumstances. Use plain language and avoid “legalese” to the extent possible. Start with a good summary of the policy, explaining what the company is trying to accomplish and why and set out some basic record retention guidelines for the most common records and documents right up front (i.e., a “quick start” guide). Make the document easy to find (intranet site) and easy to navigate (hyperlinks, definitions, good topic index, searchable, etc.). If you have employees operating in foreign countries take extra care to ensure the policy makes sense to them. Use focus groups of employees if needed. Prepare schedules covering different types of records with easy to follow charts setting out the type or category of record, along with how long the record should be kept (and if applicable, the maximum amount of time the record can be kept). Finally, be sure to document “how” the policy was created or amended as this may be important in litigation. If the other side challenges your policy, you’ll want a solid record of why your policy is the way it is, how it was created, and how it was rolled-out, enforced, and updated.
- Roll it out properly. A successful record retention policy or update needs to be rolled-out to the company in proper fashion. A successful roll-out requires that the senior executives of the company buy into the need and value of having such a policy. If they view it as important, this “tone from the top” will cascade down and compliance by the rank and file will go up substantially. If the senior executives don’t buy in, then compliance will be spotty. Identify a “champion” from each business unit and staff group whose tasks are to (a) help roll out and “evangelize” the policy and its importance to their co-workers, (b) help enforce the policy, and (c) be part of the team that provides feedback and regularly reviews the policy for revisions. You also need to create or update training programs, ensuring they explain: the purpose of the policy, how each employee can help ensure success, key obligations under the policy, and where to go with questions or concerns. This training can be live, on-line or a mix of both (e.g., a webcast). The policy should become part of the on-boarding process for new employees. When I was general counsel we had an annual “record retention week” to remind all employees and management about the policy and encourage compliance. Finally, it is a good idea to test the policy with one group first to see what works and what doesn’t, and then make decisions about how best to roll it out to the entire company (e.g., “knife-edge,” phased, etc.).
- Litigation hold process. Ironically, the most important part of your record retention program is knowing when and how to suspend it. Devising and implementing a proper “litigation hold” process must be a priority. In the U.S., once you anticipate a reasonable chance of litigation, you have a duty to preserve records relevant to the dispute. Typically, this occurs when you receive a lawsuit or subpoena, but the obligation can attach earlier under the right circumstances, e.g., a letter from a customer raising a substantial dispute and stating that a lawsuit is likely if the matter is not resolved. If you know you are going to file a lawsuit in two weeks, then the process is likely triggered on your side, even if the other side has no idea a lawsuit is coming. Failure to put a hold into place can lead to claims of spoliation of evidence and, at worst, to fines, sanctions, and even an instruction to the jury that they can infer that you destroyed records because they were “bad” for your side. All of this means you need to create a reasonable process to:
- Know when a litigation hold attaches.
- Give notice to the right employees to stop deleting or destroying any records relating to the dispute along with some type of acknowledgement from each such employee that they understand and will comply.
- Send regular reminders to those employees (each requiring an additional acknowledgement).
- Have a conversation with the IT team about the affected systems and ensuring any regular deletion is suspended.
- Set a process for dealing with records belonging to employees who leave the company and ensuring their files and laptop hard drive are not deleted or wiped clean.
What goes into a proper litigation hold process can take up an entire post, so for now just note that whatever process you put into place, it will have to pass the “giggle” test with the judge and the other side, i.e., the process must be reasonable, enforceable, trackable, and implemented in a timely manner when the obligation to preserve is triggered. Telling the judge, “Well, we sent everyone an email telling them not to delete stuff” is not going to cut it. In fact, the better process now is to have a tool to automate the hold process.
- Email. If you deal with record retention, you know that one of the biggest problem areas is email. I use to tell folks that if an atomic war broke out on earth the only things left would be cockroaches and every stupid email anyone at your company ever wrote. There are two key problems with email with respect to record retention: (a) if employees can save emails to their hard drive then whatever retention process you put into place re the server will not reach those emails, and (b) people treat email like a fleeting private conversation and not like a potentially public business communication which is what it is – meaning they often don’t write exactly what they mean to say or they say it in a way that is not professional in quality or tone. Both (a) and (b) are challenges for the in-house lawyer. With respect to the latter, frequent training of your fellow employees in “writing” smart emails, presentations, instant messages, etc. should be standard procedure. Employees need to know that email is a business document and the company expects employees to prepare them with that in mind. With respect to the former, I admit that I could never come up with a great solution. I suspect that technology is probably starting to catch up with the email storage problem, meaning better and more flexible email archiving tools, the ability to require that employees only use the server for storing emails (and not their hard drives), and tools to flag old emails for determination whether the email needs to be retained or deleted under the policy. Your record retention policy should have a section dedicated to email management. This is definitely an area where speaking with outside vendors might be useful.
- Enforce it/Review it. If your company does not enforce its record retention policy, numerous problems arise, including failing to take advantage of cost savings, risk reduction, and increased efficiency in locating records. You need a set process to enforce the policy. Determine who is responsible for (a) following up on the policy with the different business and staff groups on a regular basis, (b) ensuring data is destroyed when it is time, (c) managing litigation holds, (d) working with the IT department, (e) ensuring new people step up to help manage the policy when others step away or leave the company, (f) publicizing the policy, (g) answering questions, and (h) ensuring that when problems are uncovered they are quickly fixed and appropriate discipline (if any) is meted out. Additionally, Legal should work with Internal Audit to periodically audit different groups and parts of the policy to determine what is and what is not working. Lastly, no policy remains relevant in all situations. Establish a process to review the policy annually (with the cross-function team) and discuss whether any changes are needed: in the policy (e.g., new government regulation affects a retention period), in the training, in the enforcement, etc. Feedback from employees (especially those outside the home country) is crucial here, as are the results of any audits. Once again, the culture of your company along with its day-to-day business needs will help you fine-tune the policy. For example, if your company has an expectation that marketing presentations from the last five years need to be available to the business, then it makes no sense to have a policy that requires the destruction of marketing presentations that are more than three years old.
- Additional Resources. Record retention is a complex and challenging process. There are sources available to help you prepare and manage your policies. Here are a few:
- Sedona Conference – Guidelines for Managing Records (and more).
- ARMA Recordkeeping Principles.
- International Organization for Standardization (“ISO”).
- Outside counsel.
- American Bar Association resources.
- Association of Corporate Counsel (US and International divisions).
- Colleagues at other companies (or search the Internet for sample policies)
- Vendors specializing in record retention programs (evaluation, implementation, etc.).
A well prepared and thought out record retention policy can be a very helpful tool for the company and for Legal. There is no one-size-fits-all policy. If your company is small enough, you may decide no policy is needed other than compliance with any government or regulatory requirements. That’s fine. Don’t make your life harder than you have to. Where it is clear a company will benefit from a record retention policy, it is an area where Legal can show value, strategic thinking, and leadership. Put updating or creating a policy on your “To Do” list for 2016. Stay flexible and focused on what can really work given how your company operates. Don’t be deaf to concerns from the business about the policy. Build an inclusive group to help you create and manage the policy – and remember the needs of your business and/or employees located outside the home country. Finally, be sure that your policy is defensible as prudent and reasonable. A good record retention policy can pay big dividends for your company.
January 18, 2016
(If you find this blog useful, please click “follow” in the top right so you get all new posts automatically, pass it along to colleagues or friends, and “Tweet” it. “Ten Things” is not legal advice or legal opinion. It is intended to provide practical tips and references to the busy in-house practitioner and other readers. You can find this blog and all past posts at www.TenThings.net. If you have questions or comments, please contact me at either email@example.com or firstname.lastname@example.org).
My first book, “The Evolution of Professional Football,” is available for sale on Amazon and at www.SterlingMillerBooks.com.